Entities Responsible for the Processing of Personal Data:
Nit. 811.012.440-1
Address: Calle 32D 80B 12 Telephone: 2500402
Address: Medellin
E-mail: servicliente@provimarcas.com

I.    Purpose
To guarantee the constitutional right that all persons have to know, update and rectify the information that has been collected about them in the databases or files that Provimarcas S.A.S. has collected for the purposes foreseen in the respective authorization. For the purposes of this Manual, each Company shall be considered responsible for the information collected.

II. Scope of Application
The Policy Manual will be applicable to the personal data registered in any database that makes them susceptible to processing by Provimarcas S.A.S.

III. Scope
This Policy Manual applies to all levels of the Companies and to all personal data bases held by Seguros del Estado S.A., Seguros de Vida del Estado S.A. and the Data Processors acting on behalf of the Companies.

IV. Background
With Law 1581 of October 17, 2012, the National Congress established General Provisions for the Protection of Personal Data, including the regime of rights of the holders of the information and the obligations of those responsible and in charge of its treatment, thus constituting the general framework of the Protection of Personal Data in Colombia. Likewise, last June 27, 2013, the National Government issued Decree 1377 of 2013, with which the aforementioned Law is regulated, in order to facilitate its implementation in aspects related to the authorization of the holder of the information, the Processing Policies of the Controllers and Processors, the exercise of the rights of the holders of the information, the Transfers of Personal Data and the Demonstrated Responsibility regarding the Processing of Personal Data.

V. Purpose of the Database
The collection of Personal Data by Provimarcas S.A.S. will have the following purposes:
1. Processing of the request for entailment as a financial consumer.
2. The process of negotiation of contracts with Provimarcas S.A.S., including the determination of premiums and risk assessment.
3. Execution and fulfillment of the contracts entered.
4. Control and prevention of fraud.
5. Settlement and payment of claims.
6. Integral management of the insurance contracted.
7. Compliance with the requirements to access the General System of Integral Social Security.
8. Preparation of technical-actuarial studies, statistics, surveys, analysis of market trends and, in general, technical studies related to insurance .
9. Conveying information related to financial education, customer satisfaction surveys and commercial insurance offers, as well as other services inherent to the insurance activity. Conveying financial information of taxpayers in the United States to the Internal Revenue Service (IRS), under the terms of the Foreign Account Tax Compliance Act (FATCA).
10. Exchange of tax information under international treaties and agreements signed by Colombia.
11. Prevention and control of money laundering and financing of terrorism.

VI. Treatment of Personal Data
In accordance with the provisions of Law 1581 of 2012 and in accordance with the authorizations given by the owners of the information, Provimarcas S.A.S. will perform operations or set of operations that include data collection, storage, use, circulation and / or deletion. This data processing will be carried out exclusively for the purposes authorized and foreseen in this Policy Manual. In the same way, Personal Data Processing will be carried out when there is a legal or contractual obligation to do so.

VII. Rights of Personal Data Holders
In the Processing of Personal Data by Provimarcas S.A.S., the rights of the owners of Personal Data will be respected at all times, which are:

1. To know, update and rectify the data before Provimarcas S.A.S. or those in charge of the Data Processing. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.

2. To request proof of the authorization granted, or any other authorization signed by the owner of the Personal Data for this purpose, except when expressly excepted as a requirement for the Processing of data in accordance with the law, such as: a) Information required by a public or administrative entity in the exercise of its legal functions or by court order. b) Data of a public nature. c) Cases of medical or health emergency. d) Processing of information authorized by law for historical, statistical or scientific purposes. e) Data related to the Civil Registry of Persons.

3. To be informed by Provimarcas S.A.S. or the Data Processor, upon request, regarding the use given to the data.

4. To file before the Competent Authority complaints for infringements to the provisions of the law and other regulations that modify, add or complement it.

5. To revoke the authorization and/or request the deletion of the data when the processing does not respect the principles, rights and constitutional and legal guarantees. The revocation and/or suppression will proceed when the Competent Authority has determined that Provimarcas S.A.S. or those in charge of the Processing of Personal Data have incurred in conduct contrary to the law and the Constitution. The revocation will proceed as long as there is no legal or contractual obligation to keep the personal data.

6. Access free of charge to the Personal Data that has been subject to Processing.

VIII. Area Responsible for the Attention of Petitions, Inquiries and Claims.
The petitions, queries and claims formulated by the holders of Personal Data under Processing of Provimarcas S.A.S. to exercise their rights to know, update, rectify and delete data, or revoke the authorization shall be addressed to: Customer Service Department servicliente@provimarcas.com Address: Calle 32D 80 B 12 Telephone: 574-2500402.

The aforementioned area will be the contact of the holders of Personal Data, for all purposes provided for in the authorization granted in this Manual, in accordance with the procedure set forth below.

IX. Procedures for the Exercise of the Rights of the Owners of the Information.
The owners of Personal Data, regardless of the type of relationship they have with Provimarcas S.A.S., may exercise their rights to know, update, rectify and delete information and/or revoke the authorization granted in accordance with the following procedures:

A. Procedure to request proof of the authorization granted. The request shall be filed with the Head Office of Financial Consumer Service through the contact information mentioned herein, indicating at least the full name of the owner of the information and its identification number, place, or physical or electronic address to which a response will be given. Once the request is received, a copy of the authorization will be sent within ten (10) working days from the day following the date of receipt of the request. When it is not possible to respond within said term, the interested party shall be informed of the reasons for the delay and the date on which it will ber; in no case may it exceed eight (8) business days following the expiration of the first term.

B. Procedure for updating information. The holder of the Personal Data who is interested in updating the information provided and under Processing by Provimarcas S.A.S. or the Data Processor may send the updated information through any of the channels established for such purpose such as the website, e-mail of the area in charge of the Processing of Personal Data or Branches.

C. Procedure to rectify and delete information and/or revoke authorizations. When the owner of the information intends to rectify, suppress and/or revoke authorizations for the Processing of Personal Data, he/she shall submit a request in accordance with the following:

  1. The request must be addressed to the Head Office of Financial Consumer Service, with the identification of the Data Subject, the description of the facts that give rise to the request, the address and accompanying the documents to be asserted.
  2. If the request is incomplete, the interested party shall be required within five (5) days following the receipt thereof to correct the faults. After two (2) months from the date of the requirement, if the applicant has not submitted the required information, it shall be
    understood that he/she has withdrawn.
  3. In the event that the person receiving the request is not competent to resolve it, he/she shall transfer it to the appropriate person within a maximum term of two (2)
    working days and shall inform the interested party of the situation.
  4. Once the complete request has been received, a note will be included in the database stating “claim in process” and the reason for the same, within a term not exceeding two
    (2) business days. Said note shall be maintained until the request is decided.
  5. The maximum term to attend a request shall be fifteen (15) business days beginning from the day following the date of its receipt. If it is not possible to process the request within such term, the interested party shall be informed of the reasons for the delay and the date on which the request will be processed, which in no case may exceed eight (8) working days following the expiration of the first term.

X. Obligations of Provimarcas S.A.S.
1. To guarantee the Holder, at all times, the full and effective exercise of his rights.
2. To request and keep a copy of the respective authorization granted by the Data Subject.
3. To duly inform the Data Subject about the purpose of the collection and the rights that he/she has by virtue of the authorization granted.
4. Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
5. Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable and understandable.
6. Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided and take other necessary measures to ensure that the information provided is kept up to date.
7. Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.
8. To provide the Data Processor only data whose Processing is previously authorized in accordance with the provisions of this Manual.
9. To require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
10. To process queries, claims and requests made under the terms set forth in the law or in this Manual.
11. Adopt an internal Manual of policies and procedures to ensure proper compliance with Law 1581 of 2012 and especially for the attention of queries, claims and requests.
12. Inform the Data Processor when certain information is under discussion by the Data Subject, once the request has been submitted and the respective process has not been completed.
13. To inform, at the request of the Data Subject, about the use given to his/her data.
14. To inform the data protection authority when there are violations to the security codes and there are risks in the administration of the data subjects’ information.
15. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

XI. Period of Validity of the Databases
The PROVIMARCAS S.A.S. Data Bases will have a period of validity that corresponds to the purpose
for which its treatment was authorized or, in its absence, ten (10) years.