SOUTH AMERICAN PLASTIC SURGERY (hereinafter, “SAPS”), according to Law 1581 of 2012 and Article 13 of Decree 1377 of 2013, by which provisions are made for the protection of personal data, makes known to the Owners of the Personal Data that are treated in any way by SAPS within the academic events and the scientific activities developed through SAPS EDUCATIONAL ACADEMY (from now on, the “SAPS ACADEMY”), this policy of treatment of the information (the “Policy”).The main purpose of this Policy is to inform Personal Data Holders of their rights, the procedures and mechanisms provided by SAPS ACADEMY to make effective those rights of the Holders, and to inform them of the scope and purpose of the Processing to which the Personal Data will be submitted in case the Holder gives its express, prior and informed authorization.

SAPS ACADEMY is committed to compliance with the above-mentioned regulations and the protection of the rights of individuals and informs its stakeholders that it adopts the following policies on the collection, processing, and use of personal data.

LEGAL FRAMEWORK

Political Constitution, Article 15.

Law 1266 of 2008.

Law 1581 of 2012.

Regulatory Decrees 1727 of 2009, 2952 of 2010, 1377 of 2013 and 886 of 2014.

Ruling C-748 of 2011 of the Constitutional Court.

DEFINITIONS

By the legislation in force on the matter, the following definitions are established, which will be applied and implemented taking into account the criteria of interpretation that guarantee a systematic and integral application, and under the technological advances, technological neutrality; and the other principles and postulates that govern the fundamental rights that surround, orbit and surround the right of habeas data and protection of personal data.

a) Authorization: Prior, express, and informed consent of the owner to carry out the processing of personal data.

b) Authorized: It refers to all the people that under the responsibility of the Company or its Managers can carry out Personal Data Processing.

c) Privacy Notice: Verbal, written or sent the communication through any technological means in force, generated by the Responsible or by any third party designated by this for the effects, addressed to the Holder for the Treatment of his Personal Data, through which is informed about the existence of the Personal Data Treatment policies that will apply to him, the way to access them and the purposes of the Treatment that is intended to give to the personal data provided.

d) Database: Organized set of personal data that is the object of Processing.

e) Personal data: Any information linked or likely to be linked to one or more specific or identifiable natural persons.

f) Private Data: It is intimate or reserved in nature and is only relevant to the Holder.

g) Sensitive data: Sensitive data are data that affect the privacy of the data subject or the misuse of which could lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of trade unions, or social organizations, human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties as well as data relating to health, sex life and biometric data, including still or moving image capture, fingerprints, photographs, iris, voice, facial or palm recognition, etc.

h) In charge of the Treatment: Natural or legal person, public or private, who by himself/herself or in association with others, carries out the processing of personal data on behalf of the data controller.

i) Responsible for the Treatment: Natural or legal person, public or private, who by himself/herself or in association with others, decides on the database and/or the processing of the data.

j) Holder: Natural person whose personal data is processed.

k) Processing: Any operation or set of operations concerning personal data, such as collection, storage, use, circulation, or deletion of data.

PRINCIPLES:

SAPS ACADEMY will define its Personal Data Processing policy according to the following principles.

Principle of purpose: The Processing of Personal Data must obey a legitimate purpose under the Political Constitution of Colombia and the Law, which must be informed to the Data Subject.

Principle of freedom: Treatment can only be exercised with the prior, express, and informed consent of the Data Subject. The Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent.

Principle of truthfulness or quality: The information subject to treatment must be accurate, complete, exact, updated, verifiable, and understandable. Processing of partial, incomplete, fractionated, or misleading data is prohibited.

Principle of transparency: The right of the Data Subject to obtain, at any time and without restriction, information about the existence of data concerning him/her must be guaranteed in the processing.

Principle of access and restricted circulation: Personal Data, except for public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Holder is or third parties authorized under the Law.

Principle of security: The information subject to processing must be handled with the technical, human, and administrative measures necessary to provide security to the records, avoiding its adulteration, loss, consultation, unauthorized or fraudulent use or access.

Principle of confidentiality: All persons involved in the processing of Personal Data are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate Personal Data when this corresponds to the development of activities expressly authorized by law.

TREATMENTS AND OBJECTIVES

SAPS ACADEMY will carry out the Processing of Personal Data for the fulfillment of the activities inherent to its corporate purpose, all in accordance with the provisions of Law 1581 of 2012, Regulatory Decree 1377 of 2,013, Decree 1074 of 2015, and other complementary provisions. Processing may be carried out through electronic, physical, automated, and/or using any known or yet to be known digital means, which may vary depending on the form of information collection.

The treatment of the personal data of any person with whom SAPS ACADEMY has established or established a relationship, permanent or occasional, will be carried out in the legal framework that regulates the matter and by virtue of its condition of academic association for reconstructive and aesthetic plastic surgeons around the world.

4.1. The Personal Data processed by SAPS ACADEMY must be strictly and solely submitted to the purposes indicated below. Likewise, the ones in charge or third parties that have access to the Personal Data by Law or contract will maintain the Processing within the following purposes:

The proper development of its corporate purpose, including the use of data for the execution of its activities.

Validate the information in compliance with the legal requirement of customer knowledge applicable to SAPS ACADEMY;

To adequately provide high-quality training and education services for reconstructive and aesthetic plastic surgeons worldwide;

Advance collection and portfolio recovery actions, in case of delay in the payment of services;

For the development of market research, statistics, etc., that allows the competitiveness of SAPS ACADEMY;

To effectively and timely address health requirements and/or emergencies that may occur during the provision of service;

For the development of advertising campaigns, promotional material, etc., in social networks and media.

Manage all the necessary information to comply with tax obligations and commercial, corporate and accounting records of SAPS ACADEMY.

Comply with SAPS ACADEMY’s internal processes for managing suppliers, and contractors.

The transmission of data to third parties with whom contracts have been concluded for this purpose, for commercial, administrative, marketing, and/or operational purposes, including but not limited to the issuance of cards, personalized certificates, and certifications to third parties, in accordance with the legal provisions in force.

Maintain and process by computer or other means, any type of information related to the health of the patient in order to provide the relevant services and products.

Security and improvement of the service and experience of the Holder through any web portal used by SAPS ACADEMY.

The other purposes determined by those responsible for the process of obtaining Personal Data for its Processing and that are communicated to the Data Holders at the time of collection of personal data.

4.2. Processing of sensitive data. Data classified as sensitive may be used and processed when

The Holder has given explicit authorization to such treatment, except in cases where the granting of such authorization is not required by law.

The processing is necessary to safeguard the vital interest of the holder and the holder is physically or legally incapacitated. In these events, the legal representatives must grant their authorization.

The treatment has a historical, statistical or scientific purpose. In this event, the measures leading to the suppression of the identity of the Cardholders must be adopted.

4.3. Data processing of children and adolescents Treatment will ensure respect for the prevalent rights of minors. The processing of personal data of minors is prohibited, except for those data that are of a public nature. It is the task of the State and educational institutions of all kinds to provide information and train legal representatives and guardians on the possible risks faced by minors with regard to the improper processing of their personal data, and to provide knowledge about the responsible and safe use by children and adolescents of their data, their right to privacy and the protection of their personal information and that of others.

Consequently, SAPS ACADEMY will be strict in handling the personal data of all underage students, and will only collect and process the personal data of those children where the parents and/or guardians in charge have explicitly expressed their written consent for the purposes indicated in the respective privacy notice.

First Paragraph: The Personal Data provided by the Holder will be treated and used only for the purposes provided herein, and for a period of time counted from the moment the authorization was granted until the term determined for the validity of SAPS ACADEMY.

Second Paragraph: The information provided by the Holder may be shared with agencies, information managers, service providers, business partners, allies of these, and third parties in general that provide services to SAPS ACADEMY or third parties on behalf and for the account of SAPS ACADEMY.

Third Paragraph: SAPS ACADEMY guarantees that the mechanisms through which it makes use of the Personal Data are safe and confidential, since they have computer security mechanisms and the appropriate technical means to ensure that they are stored in such a way as to prevent unwanted access by third parties.

SAPS ACADEMY OBLIGATIONS

In its capacity as Data Processing Manager, SAPS ACADEMY, is obliged to the Holders of the Personal Data to

To guarantee the Owner of the information, at all times, the full and effective exercise of the right of habeas data;

Maintain and process by computer or other means, any type of information related to the business to provide the relevant services and products;

Request and keep a copy of the respective authorization granted by the holder for the processing of personal data;

Duly inform the holder about the purpose of the collection and his rights under the authorization granted;

Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access;

Update the information promptly, thus taking into account all the news regarding the holder’s data;

Correct the information when it is incorrect;

To process the consultations and claims formulated in the terms indicated by the present policy of Personal Data Processing of SAPS ACADEMY;

To inform on request of the holder about the use given to his data;

Informing the data protection authority when there are violations of security codes and risks in the administration of the information of the Holders;

To comply with the instructions and requirements given by the Superintendence of Industry and Commerce;

Refrain from circulating information that is being disputed by the Owner and whose blocking has been ordered by the Superintendence of Industry and Commerce;

Use only data whose processing is previously authorized in accordance with the provisions of Law 1581 of 2012;

To Inform, through any electronic means, the new mechanisms implemented for the Data Owners to enforce their rights, as well as any modification to the Personal Data Processing Policy.

Ensure the appropriate use of personal data of children and adolescents, in those cases where the processing of their data is authorized by their representative;

All other legal and contractual obligations.

RIGHTS OF THE HOLDER OF PERSONAL DATA

In accordance with current legislation, Personal Data Holders have the following rights:

To know, update and rectify your Personal Data before SAPS ACADEMY or the persons in charge of their processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, or misleading data, or data whose processing is expressly prohibited or has not been authorized;

Request proof of Authorization granted to SAPS ACADEMY unless the Law indicates that such Authorization is not required;

Submit requests to SAPS ACADEMY or the Data Controller regarding the use you have made of your Personal Data, and to have such information delivered to you;

To file complaints with the Superintendence of Industry and Commerce for violations of the Law.

Revoke your Authorization and/or request the removal of your Personal Data from the databases of the Institute, when the Superintendence of Industry and Commerce has determined through a final administrative act that the Institute or the controller has engaged in conduct contrary to the Law or when there is no legal or contractual obligation to keep the Personal Data in the database of the Responsible party.

Request access and free access to their Personal Data that has been processed under article 21 of Decree 1377 of 2013.

To be aware of the modifications to the terms of this Policy prior and efficiently to the implementation of the new modifications or, failing that, of the new information processing policy.

Have easy access to the text of this Policy and its modifications.

Access in an easy and simple way to the Personal Data that are under the control of SAPS ACADEMY to effectively exercise the rights that the Law grants to the Holders.

To know the dependency or person authorized by SAPS ACADEMY to whom you can present complaints, consultations, claims, and any other request about your Personal Data. Holders may exercise their legal rights and carry out the procedures established in this Policy employing their citizenship card or original identification document. Minors can exercise their rights personally, or through their parents or tutors that represent them at SAPS ACADEMY. Also, they will be able to exercise the rights of the holder and the successors that accredit the above-mentioned quality, the representative and/or proxy of the holder with the corresponding accreditation.

AUTHORIZATIONS AND CONSENT.

The collection, storage, use, circulation or suppression of personal data by SAPS ACADEMY, requires the free, previous, express and informed consent of the Holder of the same. In fulfillment of the effective legislation, SAPS ACADEMY has arranged the following mechanisms to obtain the authorization or ratification on the part of the Holder of the Personal Data:

7.1. Methods and manifestations for granting the Authorization.

The Authorization may be contained in a physical document, electronic document, data message, Internet, websites, in any other format that can guarantee its subsequent consultation, or employing a suitable technical or technological mechanism, which allows to express or obtain the consent of the Holder, by means of which it can be concluded unequivocally that if the Holder’s conduct had not been provided, the data would never have been captured and stored in the database.

For these purposes, an Authorization is understood to be given through technological mechanisms such as, but not limited to, a “click” of acceptance of our Terms and Conditions and the Policy for the Treatment of Personal Data, at the moment of entering your data for the sending of emails, or “Newsletter”; the filling out of forms on the site [https://sapsacademy.com/] and/or by means of subscription through third party applications such as, but not limited to, Facebook, Instagram or LinkedIn.

With this procedure of consented Authorization, it is expressly guaranteed that the Holder of the Personal Data knows and accepts that SAPS ACADEMY will collect, store, use, debug, analyze, circulate, transmit, transfer, update or suppress in the terms of Law, the information for the purposes that to the effect it informs him prior to the granting of the authorization, and for the purpose contained in this document.

The Authorization requested by SAPS ACADEMY shall at least be established in the

The full identification of the person from whom the Personal Data is collected;

The Authorization referred to in paragraph 6.1;

The purpose of the Processing of Personal Data, and;

The rights to access, correct, update or delete the Personal Data provided by the Data Subject.

7.2. Evidence of Authorization.

SAPS ACADEMY will use the mechanisms it currently has in place and will implement and adopt the necessary and tending actions to maintain records or technical or technological mechanisms suitable for when and how it obtained authorization from the holders of personal data for the Processing of the same. To comply with the above, physical files or electronic repositories may be established, either directly or through third parties contracted for this purpose.

7.3 Privacy Notice.

For data collected before the issuance of Decree 1377 of 2013, on June 27, 2013, will be sent an email to all people regarding whom SAPS ACADEMY has Personal Data informing them about the implementation of the Policy of Personal Data Processing SAPS ACADEMY and how to exercise their rights.

Following the law, the Privacy Notice is the physical, electronic, or any other format known or to be known, which is made available to the Data Subject for the processing of his/her data. Through this document, the Holder is informed about the existence of the information processing policies that will apply to him/her, the way to access them, and the characteristics of the treatment that is intended to be given to the personal data.

7.4. Extent and content of the Privacy Notice.

The Privacy Notice shall, at a minimum, contain the following information:

The identity, address and contact details of the data controller;

The type of processing to which the data will be submitted and the purpose of the processing;

The general mechanisms provided by the person responsible so that the Owner is aware of the Information Processing policy and any substantial changes in it. In all cases, the Head must be informed of how to access or consult the information processing policy.

RESPONSIBLE AREA AND PROCEDURE FOR THE EXERCISING OF THE RIGHTS OF THE HOLDER

The Holder, his representative, his successor in title, or his attorney-in-fact may at any time submit queries, requests, and/or complaints to SAPS ACADEMY to know, update, rectify, request the deletion of his Personal Data and/or revoke the authorization. For this reason, it is the responsibility of the entire team of direct and indirect employees of SAPS ACADEMY, without exception, to comply with the Information Processing Policy, and especially with due attention to the requests, complaints, and claims that the Holder submits to the company for this concept.

To exercise their rights, the Holder or whoever acts on their behalf and representation, may submit their requests, complaints, and/or claims to SAPS ACADEMY by the following means:

By email to: [management@sapsacademy.com]

Telephone: +57 314 728 8635

Written communication by electronic means through the website [https://sapsacademy.com/].

The area responsible for the handling and processing of the databases, as the case may be, will always be the head of the customer service department who will be in charge of attending to the requests, complaints, and claims made by the Data Subject in the exercise of his/her rights. Whatever the means, the Manager will keep proof of the consultation and its response.

The attention of a consultation, request, complaint, or claim (QPR), received in writing, by e-mail, by telephone, or verbally, will be processed according to the following procedure:

8.1 Enquiry

When the main claim is a query, that is, to consult the personal information of the Holder that is stored in the SAPS ACADEMY database, the procedure shall be as set forth herein:

The consultation will be formulated by filling in the SAPS ACADEMY PQR formats contained in the web page or by e-mail: sapsmeeting@gmail.com

Once the consultation has been received, a response must be given to the Holder, whatever it may be, within ten (10) working days from the date of receipt of the consultation.

If it is not possible to attend the consultation within this term, the Holder will be informed, expressing the reasons for the delay and indicating the date on which the consultation will be attended, which cannot exceed five (5) working days after the expiration of the first term.

8.2 Claim

When the main claim is a claim, that is to say, when the Holder considers that the information contained in the SAPS ACADEMY Databases must be corrected, updated or suppressed, or when he notices the breach of any of the duties contained in Law 1581 of 2012 by SAPS ACADEMY, the procedure will be the one established here:

The claim will be formulated employing a request addressed to the person in charge or in charge of the Information, with the identification number of the Holder, the description of the facts that give rise to the claim, the address, and the documents considered necessary.

If the claim is incomplete, the Cardholder or the person acting on his behalf will be required within five (5) working days of receipt of the claim to correct the errors.

If after two (2) months from the date of the request for rectification, the Holder or the person acting on his behalf does not submit the required information, it shall be understood that he has withdrawn the claim.

Once a claim is received with the full requirements, it must be included in the databases within a term not exceeding two (2) working days identifying it with a legend that says “claim in process” and the reason for it. This legend shall be maintained until the claim is decided.

If after two (2) months from the date of the request for rectification, the Holder or the person acting on his behalf does not submit the required information, it shall be understood that he has withdrawn the claim.

The maximum term to attend the claim will be fifteen (15) working days from the day following its receipt. When it is not possible to attend to the claim within this term, the interested party shall be informed of the reasons for the delay and the date on which the claim will be attended to, which may not exceed eight (8) working days following the expiration of the term.

In case SAPS ACADEMY receives a complaint and is not competent to resolve it, it will give transfer, as far as possible, to whom it corresponds in a maximum term of two (2) working days and will inform the interested party of the situation.

Where the application is made by a person other than the Holder and it is not proved that the application is acting on behalf of the Holder, it shall be deemed not to have been filed.

CORRECTION, UPDATING, AND ELIMINATION OF PERSONAL DATA:

In accordance with point AREA RESPONSIBLE AND PROCEDURE FOR THE EXERCISE OF THE HOLDER’S RIGHTS above, SAPS ACADEMY will rectify, update or delete at the request of the Holder, any type of information, according to the procedure and terms indicated in the previous article. In the case of rectification and/or updating, the proposed corrections must be duly justified.

Paragraph: The Holder of the information will have the right to request the total or partial elimination of his/her Personal Data at any time and for this purpose the procedure established in point AREA RESPONSIBLE AND PROCEDURE FOR THE EXERCISE OF THE HOLDER’S RIGHTS above will be followed. SAPS ACADEMY can only deny the deletion when

The Holder has a legal and/or contractual duty to remain in the database;

The deletion of the data would impede ongoing judicial or administrative proceedings, and;

In the other cases referred to in Article 10 of Law 1581 of 2012, where applicable.

INFORMATION SECURITY MEASURES

SAPS ACADEMY will adopt the technical, human, and administrative measures that are necessary to grant security to the registries avoiding their adulteration, loss, consultation, use, or non-authorized or fraudulent access; such measures will respond to the minimum requirements made by the effective legislation.

DESIGNATION OF THE PERSON IN CHARGE

SAPS ACADEMY designates the department of customer service or whoever acts as such, to comply with the function of protection of Personal Data, as well as to process the requests of the Owner is, for the exercise of rights of access, consultation, rectification, updating, deletion and revocation referred to in Law 1581 of 2012, Decree 1377 of 2013 and other rules that regulate or complement it and the Policy on Treatment of Personal Data.

VALIDATION

This Policy is effective as of [date]. The Personal Data stored, used, or transmitted will remain in our Database, based on the criteria of temporality and necessity, for as long as it is necessary for the purposes mentioned in this Policy, for which it was collected.

The databases in which personal data is recorded will be in effect as long as the information is maintained and used for the purposes described herein. Once those purposes are met and provided there is no legal or contractual duty to retain your information, and your data will be removed from our databases.

Sincerely,

SOUTH AMERICAN PLASTIC SURGERY – SAPS