Language:

BAKER & MCKENZIE S.A.S. PERSONAL DATA PROCESSING POLICY

I. PURPOSE

Baker & McKenzie S.A.S. (hereinafter "Baker & McKenzie" or "the Firm") has prepared this Personal Data Processing Policy (hereinafter "Processing Policy") of employees, partners, candidates and third natural persons (hereinafter the "Data Subject") in order to delimit any operation on personal data, such as the collection, storage, use, circulation or deletion of information linked or that may be linked to one or more specific or determinable natural persons (hereinafter "Personal Information").

Baker & McKenzie will manage Personal Information for purposes of processing, as defined below, and in accordance with the principles and provisions contained in the applicable regulations.

II. DEFINITIONS

i. Authorization: Prior, express and informed consent of the Data Subject to carry out the Personal Data Processing.

ii. Database: Organized set of Personal Data, subjected to Processing.

iii. Personal Data: Any information linked to or associated with one or more specific or determinable natural persons.

iv. Private Data: It is the data that due to its intimate or reserved nature, is only relevant for the Data Subject.

v. Public Data: Data that is not semi-private, private or sensitive. Public data include, among others, data pertaining to the marital status of people, their profession or craft, and their capacity of trader or public servant. Given their nature, public data may be contained, among others, in public records, public documents, gazettes and official bulletins, and judicial rulings duly executed, not subjected to confidentiality.

vi. Sensitive Personal Data: Sensitive Personal Data includes the data that affect the intimacy of the Data Subject or which undue use may give rise to their discrimination, such as those that disclose their race or ethnic background, political preference, religious or philosophical convictions, affiliation to unions, social, human rights organizations, or entities that guarantee the rights and guarantees of opposition political parties, as well as the data pertaining to health, sexual life and biometric data.

vii. Data Processor: Natural or legal person, whether public or private, which by itself or together with others, conducts the Personal Data Processing on behalf of the Data Controller.

viii. Data Controller: Natural or legal person, whether public or private, which by itself or together with others decides on the Database and/or Data Processing.

ix. Data Subject: Natural person whose Personal Data is subject to Processing.

x. Transfer: The data transfer takes place when the Data Controller and / or processor located in Colombia, sends the information or Personal Data to a recipient, who in turn is the Data Controller and is inside or outside the country.

xi. Transmission: Processing of Personal Data that implies the communication thereof within or outside the territory of the Republic of Colombia, when aimed at the Processing by the Processor on behalf of the Controller.

xii. Processing: Any operation, or set of operations with Personal Data, such as collection, storage, use, circulation or deletion.

III. PRINCIPLES

Baker & McKenzie will process Personal Information in accordance with the following principles:

i. Purpose principle: The Processing of Personal Data and Sensitive Personal Data collected by Baker & McKenzie must obey a legitimate purpose, which must be informed to the Data Subject.

ii. Principle of freedom: The Processing can only be carried out with the prior, express and informed consent of the Data Subject.

Personal Data and Sensitive Personal Data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;

iii. Principle of veracity or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable.

Processing of partial, incomplete, fractional or error-inducing data is prohibited.

iv. Principle of transparency: The Processing must guarantee the right of the Data Subject to obtain from Baker & McKenzie, at any time and without restrictions, information about the existence of data pertaining thereto;

v. Principle of access and restricted circulation; Personal data and Sensitive Personal Data, except for public information, may not be available on the Internet or other means of massive communication or disclosure, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or third parties authorized.

vi. Principle of security: The information subject to Processing by Baker & McKenzie, must be protected through the use of the technical, human and administrative measures needed to provide security to the records avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;

vii. Principle of confidentiality: All persons who intervene in the Personal Data Processing are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks included in the Processing.

IV. PERSONAL INFORMATION GATHERING

Baker & McKenzie may collect the following categories of Personal Information:

i. For candidates, employees and partners

a) Personal and Family Information: information that includes, but is not limited to, name (including any previous names); photo or image captured by our security cameras or at events of the Firm; contact information (address, phone number and email); date and place of birth; gender; citizenship card numbers, professional card and other government identification numbers; bank account number and other financial information; marital and family status; visas; background checks; personal and work references; academic certificates, information on relatives and dependents (name, date of birth, relationship with the Data Subject); name, address and contact telephone number in case of emergency.

b) Employment information: information that includes, but is not limited to, previous jobs; position or title; location; address and phone number of the work site; job starting and ending date; name of the hierarchical superior; organization chart of the company or chain of command; nature of employment (full time or part time); salary; bonuses; information on employment benefits; job performance and other information related to the Data Subject's evaluation; information on payroll or compensation payment; registration of vacations, absences, leaves and disabilities; education and information related to training, vocational training, certificates and job skills.

c) Sensitive Information: biometric data, such as fingerprints, photographs, videos and voice recordings; medical and occupational health information; membership in unions or social organizations; socioeconomic condition; racial or ethnic origin; information related to work disabilities for benefits management purposes; information related to health status.

ii. For natural person suppliers or their natural person representative

a) Personal Information: information that includes, but is not limited to, name (including any previous names); photo or image captured by our security cameras; contact information (address, phone number and email); citizenship card number; unique tax record; tax identification number; social security contribution form; bank account number and other bank and financial details; visas; judicial records; business and employment references; position within the company where you work;

b) Labor information: Information that is sent to us by the Data Subject or by a duly authorized third party; Information found through databases of platforms in which the Data Subject has published his Personal Data, including, but not limited to: previous jobs, job title or position, job starting and ending date; name of the hierarchical superior;

iii. For natural person clients or their natural person representative

a) Personal Information: information that includes, but is not limited to, name (including any previous names); photo or image captured by our security cameras; contact information (address, phone number and email); citizenship card number; unique tax record; tax identification number; bank account number and other bank and financial details; visas; background checks.

iv. For visitors

a) Personal Information: information that includes, but is not limited to, name (including any previous names); photo or image captured by our security cameras; contact information (address, phone number and email); citizenship card number; unique tax record; tax identification number; health condition-related information.

V. PURPOSE OF PERSONAL INFORMATION PROCESSING

Baker & McKenzie may use the aforementioned Personal Information for the following purposes (hereinafter "Purpose of the Processing"):

i. For candidates

(1) To assess the candidate as a potential Baker & McKenzie employee; (2) To evaluate and to verify the information contained in their resume and information on professional experience and academic trajectory provided by the Data Subject; (3) To store and to classify their Personal Information to facilitate the access and identification thereof; (4) To provide information to the competent authorities when required by said authorities in the exercise of their functions and legal powers, in compliance with a legal duty or to protect the rights of the Firm; (5) To provide information to internal or external auditors within the framework of the purposes described herein; (6) To share events of interest or new calls for other jobs; (7) verify the information contained in risk lists - restrictive and non-restrictive - and binding and non-binding for Colombia, as explained in chapter VI of this policy; and all other activities that are compatible with these purposes.

ii. For employees and partners

(1) Administration and management of the contractual relationship; (2) management and processing of payroll and / or compensation (including decisions regarding compensation and calculation of bonuses, when applicable); (3) the monitoring of financial and remuneration indicators; (4) the preparation of budgets; (5) management of fringe benefits, social security affiliations of the employee / partner and their family nucleus, extralegal benefits (prepaid medicine, business agreements, among others), and licenses and disabilities, when appropriate; (6) professional planning and development; (7) To provide information to the competent authorities when required by said authorities in the exercise of their functions and legal powers, in compliance with a legal duty or to protect the rights of the Firm; (8) social welfare and recreational activities; (9) management, review and evaluation of performance and productivity, when appropriate; (10) support of recruitment, talent management, communication and replacement planning activities; (11) computer services, telephone assistance and technical support; (12) monitoring and adopting measures to ensure compliance with the Firm's policies, procedures and other activities; (13) To provide adequate work spaces according to the needs of each employee or partner; (14) To verify the information contained in risk lists - restrictive and non-restrictive - and binding and non-binding for Colombia, as explained in chapter VI of this policy; and all other activities compatible with these purposes.

iii. For natural person suppliers or their natural person representative

(1) Administration, management, compliance and execution of the contractual relationship with the supplier; (2) management of supplier accounts, which includes compliance with legal requirements related to commercial and accounting books, handling billing and payment transactions, making financial closings, reports to management and, in general, to ensure internal monitoring of the account; (3) To carry out satisfaction surveys, as well as supplier performance reports; (4) to provide information to the competent authorities when required by said authorities in the exercise of their functions and legal powers, in compliance with a legal duty or to protect the rights of the Firm; (5) management of billing, portfolio, collection, and payments for required services; (6) to verify the information contained in risk lists, restrictive and non-restrictive, and binding and non-binding for Colombia, as explained in chapter VI of this policy; and all other activities considered compatible with these purposes.

iv. For natural person clients or their natural person representative

(1) To provide our services and products through the management and execution of the commercial relationship; (2) to achieve efficient communication related to our services; (3) to report changes on our products or services; (4) management of client accounts, which includes compliance with legal requirements related to commercial and accounting books, management of billing and payment transactions, making financial closings, management reports and, in general, to ensure the internal monitoring of the account; (5) to conduct satisfaction surveys; (6) to communicate newsletters, events and products; (7) to provide information to the competent authorities when required by said authorities in furtherance of their functions and legal powers, in compliance with the legal duty or to protect the rights of the Firm; (8) to verify the information contained in risk lists - restrictive and non-restrictive - and binding and non-binding for Colombia, as explained in chapter VI of this policy; and all other activities compatible with these purposes.

v. For visitors or other third natural persons

(1) To ensure security inside our offices by controlling access to the facilities; (2) to protect our employees and prevent the commission of crimes; (3) to detect violations of the Firm's policies; (4) to prevent inappropriate and inadequate use of the facilities; (5) to verify that the Firm's systems and facilities are accessed only by authorized persons; (6) to provide information to the competent authorities when required by said authorities in furtherance of their functions and legal powers, in compliance with a legal duty or to protect the rights of the Firm; (7) management and processing of any type of remuneration if necessary; (8) to verify the information contained in risk lists, restrictive and non-restrictive, and binding and non-binding for Colombia, as explained in chapter VI of this policy; and all other activities compatible with these purposes.

VI. VERIFICATION OF RISK LISTS - RESTRICTIVE AND NON-RESTRICTIVE - AND BINDING AND NOT BINDING FOR COLOMBIA

Within the obligations established by law, Baker & McKenzie must establish whether its employees, partners, family members or close people qualify as Politically Exposed Persons (hereinafter "PEP").

Therefore, Baker & McKenzie has the obligation to verify, request and/or search the Personal Information of the Data Subjects in risk lists - restrictive and non-restrictive - and binding and non-binding for Colombia, through any search engine such as, but not limited to, the platforms of the Administrative Entities of the Comprehensive Social Security System, the Judicial Authorities and the National Police, the Procuraduría General de la República, the Comptroller General's Office or any other legally constituted source of information or through other search engines designed to verify their current employment status, academic qualifications, and other pertinent information for the aforementioned purposes. Baker & McKenzie will carry out these processes directly, or through its subsidiaries or strategic allies with whom it agrees to carry out these activities. Similarly, Baker & McKenzie may advance the consultation process, based on its Personal Information, through the Thompson Reuters World-Check database and other similar ones.

Furthermore, and in accordance with the Law, the Data Subject is informed that in the event that a family member or close person holds the capacity of PEP or acquires it, the Data Subject must notify Baker & McKenzie of this situation, indicating the identification data of said relative or close person, including their full name and the relationship they have and the position they hold or performed within the previous two (2) years. In the cases in which the Firm must carry out the processing of Personal Data of third parties provided by the Data Subject, the latter must have the authorization of those persons for their Personal Information to be delivered to Baker & McKenzie and to be processed in accordance with this Processing Policy.

VII. PERSONAL INFORMATION ON FAMILY MEMBERS AND / OR THIRD PARTIES

If the Data Subject provides Baker & McKenzie Personal Information about his/her family members and / or other third parties (for example, contacts in case of emergency or for profit allocation purposes), the Data Subject will inform them of their rights in relation to the protection of their Personal Data and Sensitive Personal Data. Unless the Data Subject has notified Baker & McKenzie otherwise, he/she declares that he/she has obtained the express, prior and informed consent of said persons - it being understood that said persons have the legal capacity to authorize it - to provide this information to Baker & McKenzie and for the subsequent processing, including transmission of said information as established in this Processing Policy.

VIII. ACCESS TO PERSONAL INFORMATION

At Baker & McKenzie, access to Personal Information is restricted to certain persons in the cases strictly necessary and legally permitted or as required by the competent authority. All employees and partners will have access to the internal employee and partner directory.

IX. TRANSMISSION OF PERSONAL INFORMATION

Baker & McKenzie may transmit Personal Data and Sensitive Personal Data to third parties located in Colombia or abroad, who will carry out the processing on behalf of Baker & McKenzie and in accordance with the Purpose of the Processing as indicated in this Policy. These third parties will assume the role of Data Processors and the relationship will be documented in a data transmission contract.

Baker & McKenzie will take the necessary measures in order to guarantee the adequate data security and protection requirements on the part of said recipients and will ensure that the Personal Information is duly protected in accordance with this Processing Policy and the legal provisions applicable.

X. RIGHTS OF THE DATA SUBJECTS

In accordance with article 8 of Law 1581 of 2012, the rights of the Data Subjects of Personal Data and Sensitive Personal Data are:

i. To know, to update and to rectify Personal Data and Sensitive Personal Data for the Data Controllers or the Data Processors. This right may be enforced, among others, with respect to partial, inaccurate, incomplete, split data inducing to error, or those whose Processing is expressly prohibited, or was not authorized;

ii. To request proof of the authorization granted to the Data Controller except when expressly excepted as a requirement for the Processing;

iii. To be informed by the Data Controller or the Data Processor, upon request, regarding the use given to Personal Data and Sensitive Personal Data;

iv. To submit before the Superintendence of Industry and Commerce complaints for infractions to the provisions of the Law regarding the information processing;

v. To repeal the authorization and/or request suppression of data, when the Processing does not respect the constitutional and legal principles, rights and guarantees. The repeal and/or deletion shall proceed when the Superintendence of Industry and Trade had determined that in the Processing, the Controller or Processor have incurred in conducts contrary to Law and the Constitution;

vi. To freely access the Personal Data and Personal Sensitive Data subject to Processing.

XI. PROCEDURE TO EXERCISE THE RIGHTS

Baker & McKenzie will process any inquiry or complaint in relation to Personal Information collected and processed in accordance with the Law. To do this, Data Subjects must send a written description of their inquiries or complaints to: protecciondatos.colombia@bakermckenzie.com, taking into account the following procedures:

i. Inquiries

In accordance with the provisions of article 14 of Law 1581 of 2012, the Data Subjects can enquire their personal information found in any Baker & McKenzie database.

Therefore, Baker & McKenzie will guarantee the right of inquiry, providing the Data Subject or his/her successors with all the information contained in the individual record or that is linked to the identification of the Data Subject as a subject of Personal Data.

When it comes to inquiries, Baker & McKenzie will guarantee that they are attended within a maximum period of ten (10) business days from the day following the date of receipt. When it is not possible to answer the inquiry within said period, the interested party will be informed before the expiration of 10 days, indicating the reasons for the delay and indicating the date on which the inquiry will be attended, which in no case may exceed five (5) business days after the expiration of the first term.

ii. Complaints

In accordance with the provisions of article 15 of Law 1581 of 2012, the Data Subjects, when they consider that the information contained in a database must be subject to correction, updating or elimination, or when they evidence the alleged breach of any of the duties contained in Law 1581 of 2012, can file a claim with Baker & McKenzie.

The maximum term to attend the claim will be fifteen (15) working days from the day following the date of receipt. When it is not possible to deal with it within that term, you will be informed, prior to the expiry of the mentioned term, of the reasons for the delay and the date on which the claim will be addressed, which in no case may exceed eight (8) business days following the expiry of the first term.

XII. LAST REVISION

This Processing Policy will take effect as of October 14, 2020 and will be in force as long as Baker & McKenzie collects and processes Personal Information.