Politica de tratamiento de datos personales

1. INTRODUCTION

In accordance with the provisions of Article 15 of the Colombian Political Constitution, as well as Law 1581 of 2012, which established general provisions for the protection of personal data, and aware of the need to guarantee an adequate environment for the right of individuals to know, update and rectify the information collected about them in databases and files, BMI Colombia, as the Data Controller of the personal data used in the development of its corporate purpose, adopts the following Internal Manual of Policies and Procedures to guarantee adequate compliance with the Law and, in particular, for the handling of queries and complaints.

2. GENERAL OBJECTIVE AND SPECIFIC OBJECTIVES

2.1. GENERAL OBJECTIVE

Through this Manual, BMI Colombia informs you about the existence of the Information Processing Policies and the processing purposes adopted by the Company.

2.2. SPECIFIC OBJECTIVES

Inform Data Subjects of the principles to which BMI Colombia applies the processing of personal data.
- Inform Data Subjects of their data protection rights.
- Establish and communicate the procedure for Data Subjects to consult their information or request its correction, update, or deletion.

3. SCOPE

The provisions of this Manual shall apply to the personal data of our consumers (clients, potential clients, users), intermediaries, employees, and suppliers.

All BMI Colombia employees are covered by this policy. Likewise, our business partners, suppliers, and contractors who, in the course of their work, have access to personal data of data subjects, whether they have provided it to BMI Colombia or received it from them, are required to comply with the law and this Policy.

4. LEGAL FRAMEWORK

Article 15 of the Political Constitution of Colombia.
- Law 1581 of 2012.
- Decree 1377 of 2013.
- Decree 886 of 2014.
- The others that develop and/or modify them.

5. DEFINITIONS

TOortorganization: Prior, express and informed consent of the Owner to carry out the Processing of personal data;
BDatabase: Organized set of personal data that is the subject of
- Treatment;
Dpersonal data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
Dsensitive data: Those that affect the privacy of the Data Subject or whose misuse may lead to discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.
ANDData Controller: Natural or legal person, public or private, who, by itself or in association with others, carries out the processing of personal data on behalf of the Data Controller;
RData Controller: Natural or legal person, public or private, who by itself or in association with others, decides on the database and/or the processing of the data;
TItemular: Natural person whose personal data are subject to processing;
Ttreatment: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

6. PRINCIPLES

Pprinciple of freedom: Data processing by BMI Colombia may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial order that waives consent.
Pprinciple of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited;
Pprinciple of transparency: In the Processing process, the right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her must be guaranteed;
PPrinciple of access and restricted circulation: This may only be done by persons authorized by the Data Subject. Personal data, except for public information or information mandated by law, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Data Subjects or authorized third parties in accordance with this law.
Psecurity principle: The information subject to processing by the Data Controller or Data Processor referred to in this law must be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access;
Pprinciple of confidentiality: All persons involved in the processing of non-public personal data are required to ensure the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended. They may only provide or communicate personal data when this is necessary for the development of the activities authorized by this law and under the terms thereof.

7. RIGHTS OF THE OWNER

Contact BMI Colombia, through the channels established for this purpose, to access, update, and rectify your personal data. This right may be exercised, among others, in the case of data that is partial, inaccurate, incomplete, fragmented, misleading, or whose processing is expressly prohibited or unauthorized;
Request from BMI Colombia, through the channels established for this purpose, proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for processing, in accordance with the provisions of Article 10 of Law 1581 of 2012.
Be informed by BMI Colombia, upon request, regarding the use of your personal data.
Submit complaints to the Superintendency of Industry and Commerce for violations of the provisions governing the fundamental right to Habeas Data.
 Revoke authorization and/or request data deletion when the processing does not respect constitutional and legal principles, rights, and guarantees. Revocation and/or deletion will be required when the Superintendency of Industry and Commerce has determined that the Controller or Processor has engaged in conduct contrary to this law and the Constitution in the processing. Access your personal data that has been processed free of charge.

8. AUTHORIZATION

Without prejudice to the exceptions provided for in the Law, processing requires the prior and informed authorization of the data subject, which must be obtained by any means that can be subsequently consulted.

Such authorization is not necessary when it concerns:

Information required by a public or administrative entity in the exercise of its legal functions or by court order.
Data of a public nature.
Cases of medical or health emergencies.
Processing of information authorized by law for historical, statistical or scientific purposes.
Data related to the person's civil registry.

9. PURPOSE

9.1. General Purpose.

Among the general purposes for processing personal data, BMI Colombia will have the following, which will apply to financial consumers, intermediaries, suppliers, contractual counterparties, and employees:

The process of requesting affiliation as a financial consumer, contractual counterparty, employee, and/or supplier.
The contract negotiation process with BMI Colombia, including premium determination and risk selection.
Fraud control and prevention.
Control compliance with the requirements for accessing the General Comprehensive Social Security System
The preparation of technical-actuarial studies, statistics, surveys, market trend analysis, and, in general, insurance technology studies.
Conducting surveys on satisfaction with the services provided by BMI Colombia and/or the insurance intermediary.
Sending financial information of taxpayers in the United States to the Internal Revenue Service (IRS), under the terms of the Foreign Account Tax Compliance Act (FATCA),
Exchange of tax information under international treaties and agreements signed by Colombia.

The prevention and control of money laundering and terrorist financing.
In general, the comprehensive management of contracts entered into with BMI Colombia, whether these are insurance contracts, intermediation contracts, supplier contracts, employment contracts, or commercial agreements or alliances.

9.2. Purpose of Financial Consumer data.

Their purpose is to use this information to properly provide the service or product purchased by the data subject. BMI Colombia may also inform the data subject about its products and services, and announce improvements or changes to its customer service channels and the complementary services and products offered.

It will also be used to send you information about the offers it has developed with business partners.

Likewise, its purpose will be to settle and pay claims and everything related to the comprehensive management of the insurance contract, as well as to send information related to financial education, customer satisfaction surveys, and commercial insurance offers, as well as other services inherent to the insurance business.

9.3. Purpose of data from suppliers, intermediaries and contractual counterparties.

The purpose of processing this data is to obtain up-to-date, reliable, and sufficient information about individuals who are, or would like to be, suppliers, intermediaries, and contractual counterparties. It also serves to verify the various eligibility requirements for a contractual relationship with BMI Colombia.

9.4. Purpose of employee data.

The processing of employee data seeks to keep employees' information up-to-date so that the employment relationship can be carried out appropriately. Your contact information may be shared with legal entities that are subsidiaries, affiliates, or related entities, or with the parent company of BMI Colombia, so that our employees have access to the benefits of purchasing products and services from the organization's companies.

Likewise, the data of former employees will be retained for the purpose of making them available to the authorities and the data subjects themselves for the period established by labor law.

9.5. Processing of sensitive data.

BMI Colombia will not collect, incorporate or store sensitive data from its financial consumers, employees or third parties unless there is a

Prior authorization from the data subject. The aforementioned authorization will only be requested when necessary and proportional to the execution of the contractual relationship with the data subject, provided that the law requires or permits access to the data subject's sensitive information. Authorization for the processing of sensitive data will be requested prior to its incorporation. The authorization will specify the purpose for which the data is being incorporated, indicate that responding to questions about sensitive data is optional, and include the other elements described in this policy for obtaining authorization for the processing of information. Sensitive data may not be processed for purposes other than those authorized by the data subject. Access, circulation, and processing of sensitive data will be restricted and limited to what is expressly authorized by the data subject and as stipulated by law.

10. PROCEDURES

10.1. Queries.

Data Subjects or their successors in title may consult the Data Subject's personal information held by BMI Colombia. Accordingly, BMI Colombia must provide them with all information contained in the individual record or linked to the Data Subject's identification.

The query will be made via email to the address contactenos@BMICOS.com.

The query will be answered within a maximum of ten (10) business days from the date of receipt. When it is not possible to answer the query within this period, the interested party will be informed, stating the reasons for the delay and indicating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

10.2. Claims.

The Owner or their successors in title who consider that the information contained in a database should be corrected, updated or deleted, or when they notice the alleged non-compliance with any of the obligations of the rules that regulate the fundamental right of Habeas Data or this Manual, may file a claim with BMI Colombia, which will be processed under the following rules:

1. The claim will be made by means of a request addressed to the email address contactenos@BMICOS.com, with the identification of the Holder, the description of the facts that give rise to the claim, the address, and accompanying the documents that are to be asserted. If the claim is incomplete, the interested party will be required within five (5) days following receipt of the claim to correct the deficiencies. After two (2) months from the date of the request, if the applicant does not present the required information, it will be understood that he has withdrawn the claim.

In the event that the person receiving the claim is not competent to resolve it, he/she will forward it to the appropriate person within a maximum period of two (2) business days and inform the interested party of the situation.

2. Once the complete claim has been received, a legend stating "claim in process" and the reason for the claim will be added to the database within a period of no more than two (2) business days. This legend must remain in effect until the claim is decided.

3. The maximum term for addressing the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within this term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term.

11. INTERNATIONAL TRANSMISSION OF PERSONAL DATA.

In order to provide a better service, and to execute the purposes described in this Policy, the personal data of the Holders may be transmitted to servers hosted in foreign countries, under security conditions that will guarantee compliance with the provisions of Law 1581 of 2012, Regulatory Decree 1377 of

2013.

12. PROVISION OF PERSONAL INFORMATION TO SERVICE PROVIDERS.

In order to comply with the contractual relationship that BMI Colombia maintains with the Data Subject, the information may be delivered or shared with suppliers for the purposes authorized by the subject or those provided for by law, such as claims adjusters, researchers, healthcare institutions and/or professionals, call centers, distributors and prevention professionals, insurance intermediaries, natural or legal persons who provide their professional services to perform statistics, actuarial calculations, software development and any other activity to carry out the corporate purpose of BMI Colombia and correctly provide the service.

Whenever information is provided or shared with suppliers, BMI Colombia will ensure that conditions are established that bind the supplier to this Policy, ensuring that customers' personal information is protected.

Likewise, confidentiality agreements will be established for the handling of information and obligations between the person responsible and the person in charge when the type of delivery warrants it.

13. DUTIES OF THE DATA CONTROLLER.

BMI Colombia, as Data Controller, must comply with the following obligations, without prejudice to other provisions established by law and other provisions governing its activity:

Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.

Request and retain, under the conditions provided by law and this Manual, a copy of the respective authorization granted by the Owner.

Properly inform the Owner about the purpose of the collection and the rights to which he or she is entitled by virtue of the authorization granted.

Keep information under the necessary security conditions to prevent its alteration, loss, unauthorized or fraudulent consultation, use, or access.

Ensure that the information provided to the Data Processor is truthful, complete, accurate, up-to-date, verifiable and understandable.

Update the information, promptly communicating to the Data Processor any new developments regarding the data previously provided and adopting any other measures necessary to ensure that the information provided to the Data Processor remains up-to-date.

Rectify information when it is incorrect and notify the Data Controller as appropriate.

Provide the Data Processor, as the case may be, only with data whose processing has been previously authorized in accordance with the provisions of this law.

Demand that the Data Processor respect the security and privacy conditions of the Data Subject's information at all times.

Process queries and complaints submitted in accordance with the terms set forth in this law.

Adopt an internal manual of policies and procedures to ensure proper compliance with this law and, in particular, to address inquiries and complaints.

Inform the Data Processor when certain information is being disputed by the Data Subject, once the claim has been filed and the respective process has not been completed.

Inform the Owner, upon request, about the use given to their data.

Inform the data protection authority when security code violations occur and when there are risks in the management of Data Subjects' information.

Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

14. DATA OF THE CONTROLLER

Company Name: BMI Colombia Life Insurance Company SANIT 901061386-7

Address: Carrera 11 No. 84-09, South Side | Office 903, Bogotá, Colombia

Email: contactenos@BMICOS.com

15. VALIDITY AND MODIFICATIONS

BMI Colombia reserves the right to modify this Policy at any time, a circumstance that will be promptly reported on the Company's website.