Privacy Policy and Personal Data Processing

Last update: 01/11/2020

Version: 29th October 2020

INTRODUCTION

Suramericana, in the development of its principles of responsibility, respect, transparency and equity, regards the information of its employees, clients and suppliers as one of its most important assets; therefore, it declares the importance of treating that information adequately, adhering to the regulatory framework that governs it in each of the countries where it has a presence.

Effective date:
November 1st 2020

Update date:
29th October 2020

SCOPE

This privacy policy is a binding document for Suramericana SA as the party responsible for the data to be processed, as well as for the affiliates, subsidiaries and companies economically linked to Suramericana SA in Colombia and abroad, which act as data processors, such as: Seguros Generales Suramericana SA, Seguros de Vida Suramericana SA, EPS Suramericana SA, Servicios de salud IPS Suramericana SAS, Consultoría en Gestión de Riesgos Suramericana SAS, Diagnóstico y Asistencia Médica SAS, Operaciones Generales Suramericana SAS, Inversiones Suramericana Colombia SAS and Servicios Generales Suramericana SAS, among others in the region, hereinafter THE COMPANIES.

In order to ensure greater transparency for the Data Subject and to avoid possible confusion, Suramericana SA has been designated as the sole controller to which the Data Subject may address requests, since all Sura Colombia companies share the same brand.

Details of the controller: Suramericana SA, with main address in the city of Medellín, at Calle 49B No. 63-21, 1st floor. It can be contacted through the customer service line 437 88 88 from Medellín, Bogotá and Cali, or at 01 8000 51 888 in the rest of the country, or at the email protecciondedatos@suramericana.com.co.

Information we collect and store from our customers: Depending on the relationship that the owner has with THE COMPANIES, the information that is collected or stored may include the following:

  • Public data: This is data that is not private or sensitive. For example: ID number and type, information contained in public documents, marital status, occupation or profession, corporate telephone number and email.
  • Private data: These are data that, due to their intimate or reserved nature, are only relevant to the holder. For example: income level, financial data, debt capacity, gross assets, dependents, family composition, hobbies or interests, property owned, work information, social media preferences, driving habits, consumer habits, as well as contact information such as address, telephone number and personal email.
  • Sensitive data: A category of personal data that concerns the most intimate and sensitive sphere of its owner, the inappropriate handling of which may lead to discrimination and/or serious harm that is difficult to repair. For example: biometric data and medical history or data related to health in general.

GENERAL GUIDELINES

Processing to which personal data will be subjected: THE COMPANIES will use their clients' personal information for the purposes authorized and informed to the owner and those indicated in this policy, provided that the processing obeys a legitimate purpose and is proportional according to the client's relationship, particularly for what is necessary for the provision of the commissioned services, such as executing and fulfilling the contract. The authorization for the processing of sensitive data is optional.

Purposes for which the data will be processed: In order to obtain a better service for employees, clients or suppliers, the owner authorizes Suramericana SA, as controller, as well as THE COMPANIES, as processors, to process his/her data, including biometric or health data, which are sensitive, whether or not cloud computing is used, for the following activities:

Purposes inherent to the contractual object or authorized by regulations.

  1. Share information with strategic partners, reinsurers and insurance intermediaries for the contracting of products and services, risk management, claims handling and commercial management.
  2. Share and consult credit and financial behaviour data with information and risk centres, insurers and providers to prevent and control fraud and select risks.
  3. Consult and obtain a copy of the medical history or clinical data, which are sensitive data, for the purpose of evaluating and underwriting policies, as well as managing risks that may affect health, well-being, quality of life, and occupational performance. (*This purpose applies only to the use of health and life solutions contracted with THE COMPANIES.)
  4. Transmit and/or transfer personal data for the purpose of attracting, assessing, retaining, capturing and/or studying market behavior and customer service; as well as for the execution of those contracts that are necessary to support the operation of THE COMPANIES and/or the achievement of the corporate strategy.
  5. Provide health services and perform quality audits and medical accounts, integrating clinical information available from different providers. (*This purpose applies only to the use of health and life solutions contracted with THE COMPANIES.)
  6. Conduct scientific research, committing to disseminate the results anonymously.
  7. Process the data to address any claim made regarding the contracted product or proactive attention to it, as well as to collect premiums or contributions owed.
  8. Share information with providers or suppliers authorized by THE COMPANIES, for the coordination of a service or request, with the limitations and rules of this policy.
  9. Facilitate comprehensive knowledge and the development of value proposals through the use of databases containing both private and sensitive data.
  10. Conduct evaluations on the quality of the products and services offered by THE COMPANIES.
  11. Defend THE COMPANIES in legal proceedings brought against them.

Purposes inherent to the operation of THE COMPANIES

  1. Processing the data of collaborators, employees or applicants for the purpose of their relationship with THE COMPANIES, the performance of their duties or the provision of their services, retirement or termination. This processing includes, among others: selection process and binding activities, development plans, recognition and payment of legal and extra-legal benefits, internal and external communications, processing of information in different technological applications installed on company servers or in the cloud, compensation.
  2. Make payments and affiliations to the General Comprehensive Social Security System for employees.
  3. Processing health data by the Occupational Health and Safety area of THE COMPANIES, to prevent work-related illnesses or accidents, and to monitor the activities of the Occupational Health and Safety Management System.
  4. Process the data for the surveillance and security of the people, assets and facilities of THE COMPANIES, which may be carried out by capturing images in video surveillance systems and using said information in different work and administrative processes and procedures, such as fraud investigation, fraud prevention and/or disciplinary and sanctioning processes.

Other purposes:

  1. Provide or receive information from entities such as FASECOLDA, INVERFAS, ACEMI or others, for the purpose of advancing activities and projects in the insurance and health sector.
  2. Be contacted for the delivery of commercial offers and advertising information.
  3. Study digital behavior (social networks, websites, applications) to provide comprehensive advice on products and services and create a profile of consumer interests and habits.
  4. Obtain data on driving and mobility for the development and contracting of products and services, risk management, claims handling and commercial management.
  5. Be contacted for the delivery of academic information, current regulatory issues, for the provision of regulatory management services, and for invitations to academic events and programs sponsored by THE COMPANIES or their strategic allies.

Rights of the holders: In accordance with the provisions of Law 1581 of 2012, data subjects have the right to authorize the processing of their personal data, revoke the authorization, know the data being processed, update it, rectify it when it is considered that there is a deficiency in its quality, and finally request the deletion of data as long as there is no legal or contractual obligation to continue with the processing (article 2.2.2.25.2.8 Decree 1074 of 2015), for example in the case of purposes that are inherent to the contracted object and without which its execution is not possible or those inherent to the operation of THE COMPANIES.

Exercise of rights over personal data: The holders of the information may exercise their rights at any time, for which they may contact the customer service line at 437 88 88 from Medellín, Bogotá and Cali, or at 01 8000 51 888 in the rest of the country, send an email to protecciondedatos@suramericana.com.co or establish contact with THE COMPANIES through the different means they have available for this purpose, such as the website, social networks and customer service offices.

General principles adopted to ensure the protection of personal data of THE COMPANIES' clients: Within the legal and corporate commitment of THE COMPANIES to guarantee the confidentiality of the personal information of their clients, the following general principles are established for the treatment of information, in development of those already present in Law 1581 of 2012 and Chapter 25 of Decree 1074 of 2015, and other applicable regulations:

  • Principle of legality: There will be no processing of clients' personal information without observing the rules established in current regulations.
  • Purpose principle: The incorporation of data into the physical or digital databases of THE COMPANIES must obey a legitimate purpose, which will be duly informed to the owner in the authorization clause for the treatment and in the privacy policy.
  • Principle of freedom: THE COMPANIES will process their clients' personal data when they have their authorization or when there is a legal authority to do so, in accordance with the terms of art. 3° literal a) and 6° literal a) of Law 1581 of 2012, as well as section II of chapter 25 of Decree 1074 of 2015.
  • Principle of truthfulness and quality: THE COMPANIES will strive to ensure that their clients' information is accurate and up-to-date, for which they will have efficient means for updating and correcting personal data.
  • Principle of transparency: Within the mechanisms established for the exercise of the rights of the holders of personal information, the holder and his successors in title, as well as third parties authorized by him, will be guaranteed access to information on personal data that concerns him.
  • Principle of access and restricted circulation: THE COMPANIES undertake to ensure that only authorised persons may access personal information. Furthermore, its circulation will be limited to the exercise of the purposes authorised by the user or by regulations. THE COMPANIES will have contractual means to guarantee the confidentiality and restricted circulation of the information.
  • Principle of security: THE COMPANIES will take all technical, administrative and human measures to ensure that the personal information of the holders, stored in physical or digital databases, is not circulated to or accessed by unauthorized persons.
  • Principle of confidentiality: All persons involved in the processing of personal data that are not public in nature are required to ensure the confidentiality of the information, even after their relationship with any of the tasks that comprise the processing has ended, and may only provide or communicate personal data when this corresponds to the development of the activities authorized by law and under the terms thereof.

Provision of personal information to service providers: It is possible that in order to comply with the contractual relationship that THE COMPANIES have with the owner of the information, this may be delivered or shared with suppliers for the purposes authorized by the owner or those provided for by law, such as claims adjusters, researchers, institutions, health professionals, call centers, distributors and prevention professionals, insurance intermediaries and natural or legal persons who provide professional services to perform statistics, actuarial calculations, software development and any other activity to carry out the corporate purpose of THE COMPANIES and correctly provide care. Whenever your information is delivered or shared with suppliers, THE COMPANIES will ensure that conditions are established that bind the supplier to their privacy and information security policies in such a way that the personal information of the owners is protected. Likewise, confidentiality agreements will be established for the management of the information and obligations between the person responsible and the person in charge when the type of delivery so warrants.

Validity of data processing: The information provided by the owners will remain stored for the time determined by the owner or indicated by law for the fulfillment of the purposes for which it was incorporated.

Modifications to the privacy policy and processing of personal data: THE COMPANIES reserve the right to modify the confidentiality and data protection rules in order to adapt them to new legal, jurisprudential, technical requirements and, in general, when necessary to provide a better service.

Acceptance of this privacy policy: The owner of the information accepts the processing of his/her personal data, in accordance with the terms of this privacy policy, when he/she provides the data through our channels or service points and when he/she purchases, acquires, joins or uses any of our products or services.

GOVERNANCE

The approval of this policy is the responsibility of the Board of Directors, or the highest corporate body, as appropriate, of THE COMPANIES and any modification must be approved by these same bodies.

THE COMPANIES' data officer or whoever takes his place will be the entity responsible for the governance and application of this policy.

DECISION INSTANCES

Decision-making bodies in matters of personal data protection will be subject to the definitions of THE COMPANIES' data officer or whoever takes his place, the work regulations and the applicable current regulations.

DISCLOSURE

This policy will be binding and must be published to all interest groups, within the sites defined by THE COMPANIES.

THE COMPANIES' data officer or whoever takes his place will be responsible for the administration of this policy and, to that extent, will manage its disclosure, compliance and updating with the areas involved.