Video surveillance policy

Policy Statement

TOUR VACATION HOTELES AZUL SAS BIC, with registered office in the city of BOGOTÁ at Calle 100 # 7 A -81, 6th Floor, Phone: 601 3904884, which for the purposes of this policy shall be referred to as the Company, and its website www.onvacation.com, which from this moment on shall be referred to as the Portal, hereby announces its video surveillance policy and informs that it uses a closed-circuit television system (hereinafter, “CCTV”) on its premises. The purpose of this policy is to establish the position of TOUR VACATION HOTELES AZUL SAS BIC regarding the management, operation, and use of CCTV at its facilities.

This policy applies to all passengers, guests, customers, employees, contractors, individuals under surveillance, third parties, users, and visitors to the facilities of TOUR VACATION HOTELES AZUL SAS BIC, as well as to all other individuals whose images may be captured by the CCTV system.

This policy takes into account all applicable laws and guidelines, including:

1991 Constitution of Colombia. Right to Habeas Data.

Law No. 1581 of October 17, 2012, establishing general provisions for the protection of personal data.

The Superintendency of Industry and Commerce’s Guide on the Protection of Personal Data in Video Surveillance Systems.

Purpose of the CCTV

The primary purpose of CCTV video surveillance is to capture and/or process images to ensure the safety of people and property. However, the widespread adoption of these systems has expanded their scope of application.

The data collected by our staff and video surveillance cameras (content stored on specialized recording devices) is intended to maintain a record of entry into the establishment’s facilities; in the case of entry logs, this includes (name, ID number, HR number, name of contact person and emergency phone number, EPS and ARL information, details of the computer equipment brought in, position, department, and name of immediate supervisor, along with an image). This information in the logs is safeguarded through physical access control, and in the case of security videos, they are protected by physical access control to data centers, wiring centers, and communications racks; furthermore, these devices have a username and password known only to the relevant technology administrators. Images and videos will be stored for no longer than fifteen (15) calendar days, and the information from the forms will be stored for no longer than two (2) years, after which time this physical information will be permanently disposed of.

The main ones are listed below:

Use for the purpose of ensuring the safety of property and individuals to provide a safe and secure environment, including the monitoring of security situations involving passengers, guests, customers, employees, contractors, and visitors: This purpose includes the capture of images to monitor public safety, traffic safety, access to private areas, etc.

Use in business settings for the purpose of workplace monitoring, to ensure compliance with safety, health, and occupational risk prevention regulations; and to monitor employees’ adherence to work schedules: In this case, the use of cameras is intended to provide the employer with information regarding the employee’s fulfillment of their work obligations and duties. This right to verify has its limits and cannot be exercised in a manner that infringes on employees’ right to privacy.

For the investigation of incidents related to the protection of minors.

To prevent loss or damage to the buildings and/or property of TOUR VACATION HOTELES AZUL SAS BIC.

To help prevent crime and cooperate with the National Police, the Public Prosecutor’s Office, law enforcement agencies, and judicial investigative authorities in the apprehension of criminals.

To prevent violence, racism, xenophobia, and intolerance during activities held at TOUR VACATION HOTELES AZUL SAS BIC.

Inventory verification and transfer, receipt conditions, status, and shipment.

Other applications. The rise of these systems has led to their use in other fields, such as tourism promotion, research, behavioral studies, and so on.

Transparency

Signs will be posted to inform people that they are in an area where CCTV is in operation.

Transparent information regarding CCTV monitoring will be made available to the public upon request in the form of a Privacy Notice at all of the Company’s reception areas, service desks, and information counters.

Treatment of images as personal data

The processing of personal data has been defined as “any operation or set of operations performed on personal data, such as collection, storage, use, dissemination, or deletion.” In the case of electronic security activities, the processing specifically involves personal data consisting of images and, in some cases, biometric data of identified or identifiable individuals, through operations such as capture, recording, transmission, storage, retention, or reproduction in real time or at a later time, among others. These operations are considered processing of personal data and are subject to the General Personal Data Protection Framework.

The General Personal Data Protection Act establishes two categories regarding the processing of personal data:

The data controller is, by definition, the natural or legal person who makes decisions regarding the database and/or the processing of data. The law imposes various obligations on the data controller, in particular to ensure the protection of data subjects’ rights with respect to the collection, storage, use, and disposal of their personal data. In the field of electronic security, such data consists of images and biometric data of the data subjects.

The data processor is a third party—a natural or legal person other than the data controller—who processes personal data on behalf of the data controller. In the field of electronic security, specifically in cases of CCTV video surveillance, when the implementation of video surveillance systems is carried out by a third party—such as private security and surveillance companies that use, among other things, technological means to provide their services—these third parties act as both the Data Processor and the client.

Depiction of children and adolescents

The processing of images of children and adolescents must respect their prevailing rights and may only be carried out when (i) it serves and respects their best interests, and (ii) it ensures respect for their fundamental rights.

As data controllers responsible for processing images of children and adolescents, there are special rules governing such processing, including the following:

Obtain the authorization of the minors’ parents or legal guardians and their consent, taking into account the minors’ maturity, autonomy, and ability to understand the matter.

Inform parents or legal guardians about the purpose of the processing of minors’ personal data and how it will be handled, as well as the rights to which they are entitled.

Limit the collection and further processing of images to what is proportionate and appropriate in light of the previously disclosed purpose.

Ensure the security and confidentiality of minors' personal data.

Restrict access to and circulation of the images, in accordance with the law.

TOUR VACATION HOTELES AZUL SAS BIC, in its capacity as the data processor for images of children and adolescents, will require those responsible to fulfill their obligations.

Authorization

TOUR VACATION HOTELES AZUL SAS BIC must obtain prior, express, and informed consent from the data subjects whose personal data it intends to process; such consent may be implied through unambiguous conduct that reasonably leads to the conclusion that consent has been granted, except in the cases defined in Article 10 of Law 1581 of 2012.

Prior authorization means that consent must be given by the data subject no later than at the time the personal data is collected.

"Express consent" means that the data subject's consent must be explicit and specific; open-ended or non-specific authorizations are not valid. The data subject is required to expressly indicate their willingness to authorize TOUR VACATION HOTELES AZUL SAS BIC to process their personal data.

The Account Holder may express this intention through various mechanisms made available by TOUR VACATION HOTELES AZUL SAS BIC., such as:

In writing, for example, by filling out an authorization form.

Orally, for example, during a phone call or a video conference.

Through unambiguous conduct that leads to the conclusion that the individual gave their consent, for example, by entering the company’s premises, which are equipped with a video surveillance system and signs indicating its presence.

With regard to authorizations for video surveillance systems—since these systems can be installed in locations such as retail establishments, condominiums, buildings, hotels, booths, shopping centers, and other similar venues—data subjects will be informed in all cases that they are in a video surveillance area, and their authorization will be obtained for the

handling of such data. To this end, distinctive signs or notices may be used in areas under video surveillance, primarily at the entrances to and inside the premises being monitored. Audio announcements may also be used. In cases where audio recording is taking place, data subjects will also be informed of this fact.

Privacy notices or statements include the following information, namely:

Information about the Data Controller and their contact details

Statement of rights as rights holders

Information on where the Video Surveillance Policy and the Privacy and Confidentiality Policy for Personal Data – Data Protection are published.

Data controllers

TOUR VACATION HOTELES AZUL SAS BIC processes personal data in the following categories: public, semi-private, and private, with the exception of certain sensitive data, regarding the following data subjects:

Employee, Customer, Driver, Supplier, Third Party

Prospective customer, Applicant, Former customers

Job applicant Former employee

Family member of the employee Prospective supplier Inactive suppliers

Visitors

Monitored Clients Monitored Employees Shareholders

Members of the Aprendiz Sena Board of Directors

Intern Passengers Guests

Government officials Users

Rights of the owner

Your rights as a data subject are those provided for in the Constitution and in Law 1581 of 2012, specifically the following:

Access, free of charge, the data provided that has been processed.

Request an update or correction of your information if it is incomplete, inaccurate, fragmented, misleading, or if its processing is prohibited or has not been authorized.

Request proof of the authorization granted.

File complaints with the Superintendency of Industry and Commerce (SIC) regarding violations of current regulations.

Withdraw consent and/or request the deletion of the data, unless there is a legal or contractual obligation requiring the retention of the information.

Please refrain from answering questions about sensitive information or information regarding children and adolescents.

Access to images by data subjects

Data subjects are entitled to exercise their right to access images processed through video surveillance systems. To do so, data subjects who wish to access the images must include the following in their request:

In addition to the requirements mentioned above, please include the date, time, and location to facilitate locating the image and minimize its exposure to third parties as much as possible.

System Description

There are two CCTV systems in operation:

Analog system comprising a perimeter security system that covers the outer perimeter and entry points to the facilities of TOUR VACATION HOTELES AZUL SAS BIC; this same system monitors the interior areas of the facilities, including hotels, offices, and hallways.

An IP-based digital system that serves as a recording system for the cash registers at the various locations of TOUR VACATION HOTELES AZUL SAS BIC.

Each system has been installed on a separate local area network that cannot be accessed externally (systems with external access are those previously authorized by the steering committee of TOUR VACATION HOTELES AZUL SAS BIC, for the purpose of monitoring these locations for specific processes or special cases); Access to recordings, whether internal or external, may only be authorized by the Technology Department and/or a person delegated by that department.

Camera locations

Proportionality will be taken into account before considering the installation of a CCTV system, as well as with regard to the number of cameras to be used and their type (analog or IP), whether they are fixed cameras or PTZ cameras. All CCTV cameras will be positioned in such a way as to fulfill the purposes described in section 2 above.

Wherever possible, cameras will not be positioned in such a way as to record areas not intended to be monitored. TOUR VACATION HOTELES AZUL SAS BIC will make every effort to ensure that the outdoor CCTV captures only the minimum street area necessary to fulfill the intended purposes.

Cameras will not be installed in areas where people expect a high degree of privacy, such as changing rooms, restrooms, or bedrooms.

Management and access

The perimeter CCTV system will be managed by the Administrative and Technology Management Department of TOUR VACATION HOTELES AZUL SAS BIC, which will act as the data controller for its specialized recording devices.

The CCTV system will not be connected to an alarm monitoring station or an external control center until the planned configuration has been reviewed and the necessary access authorizations have been granted.

Recorded footage stored by the analog perimeter and indoor CCTV systems, and digital IP footage from the cash registers, will have restricted access and may only be accessed by the technology department and/or the administration department with technology oversight (or persons delegated by them), who will arrange and authorize the reproduction and delivery of videos required by other areas of the company, court and administrative orders, and the data subjects.

No other person shall have the right to view or access the CCTV footage except as provided for in the terms of this policy regarding the disclosure of such footage.

CCTV systems undergo preventive maintenance and, when necessary, corrective maintenance, and are regularly inspected by IT staff to ensure they are functioning effectively.

Storage and preservation of images

All images recorded by the CCTV system will be retained for a maximum of 15 calendar days.

Images will only be retained for longer periods when necessary for an ongoing investigation, in compliance with the relevant legal obligations, and, in particular, with the obligation to make them available to the competent authority within the legally prescribed timeframe.

In this case, and only with the explicit authorization of the legal representative of TOUR VACATION HOTELES AZUL SAS BIC and/or the Data Protection Officer, the images will be retained for the duration of the investigation and legal proceedings.

Safety measures

TOUR VACATION HOTELES AZUL SAS BIC will ensure that appropriate security measures are in place to prevent the unlawful or accidental disclosure of recorded images. Existing measures include:

The placement of CCTV recording systems in restricted-access areas.

Encryption or password protection for the CCTV system.

Policies that restrict permissions to certain user roles within the company who have the ability to make copies (system administrators).

All CCTV equipment is configured with access credentials that limit the risk of unauthorized access.

The workstations for accessing CCTV footage will be located in secure areas such as the IT department, security stations, and the conference room.

TOUR VACATION HOTELES AZUL SAS BIC maintains records of requests and all access to CCTV footage, including the date, time, and the person who accessed the footage through ServiceTonic’s Help Desk Software.

Sharing of the images with the minors' parents or guardians

Any person whose image is recorded by CCTV is considered a data subject for the purposes of data protection laws and has the right to request access to those images.

Any person who requests access to their own images shall be deemed to have submitted a request for access to their data, in accordance with the provisions of Law 1581 of 2012, the General Data Protection Framework. This request must be sent immediately to atencionalcliente@onvacation.com so that it can be processed in accordance with the established procedure within the maximum retention period set forth in this policy. Please note that due to storage capacity limitations, the various establishments of TOUR VACATION HOTELES AZUL SAS BIC may have storage periods shorter than the maximum period stated herein.

When such a request is made, the administrative department and the technology department (or their designees) will review the CCTV footage for the relevant time periods, as appropriate, in accordance with the request.

If the recording includes only the person who made the request, then that person will be permitted to view the recording; however, if the recording contains images of minors, the protection of the minors’ rights and freedoms shall take precedence in all cases. If necessary, disclosure will only be permitted if the images can be distorted, or if the legal guardians of the minors have given their consent for the disclosure of the images, or if disclosure has been required by a government authority. A record of all access requests will be maintained through ServiceTonic’s Help Desk Software and the OSIRIS platform, specifying:

When was the request made?

The process used to determine whether the images contained third parties.

Considerations regarding whether access to such images is permitted or not, and, if so, the reasons for that decision.

Who has been allowed to view the images and when.

Whether a copy of the images was provided, and if so, to whom, when, and in what format.

Procedure for exercising your rights as a data subject

Department responsible for requests, inquiries, and complaints regarding personal data

The department responsible for handling requests, inquiries, and complaints from data subjects regarding their rights to access, update, correct, and delete their data, as well as to revoke their consent, is the Customer Service Department.

The law has established two ways to exercise these rights: the first is through consultations, and the second is through complaints.

Inquiries will be addressed within a maximum of ten (10) business days from the date of receipt.

If it is not possible to address the inquiry within that timeframe, the interested party will be informed of the reasons and notified of the new date by which the inquiry will be resolved, which shall not exceed five (5) business days following the expiration of the initial timeframe.

Complaints will be addressed within a maximum of fifteen (15) business days, starting from the day following the date of receipt. TOUR VACATION HOTELES AZUL SAS BIC may extend the response period in special cases, provided it notifies the interested party. This new period shall not exceed eight (8) business days.

Customer service channels

TOUR VACATION HOTELES AZUL SAS BIC has an information desk dedicated to ensuring that customer requests are properly addressed, particularly inquiries and complaints regarding data protection, in order to guarantee the exercise of the rights enshrined in the Constitution and the law.

For this reason, data subjects may submit their inquiries and complaints through the following channels:

The customer and/or user has the right at any time to revoke this authorization and/or request the deletion, updating, or correction of their data authorized for processing, by contacting us via email at atencionalcliente@onvacation.com. They may also send a physical letter to the address: Calle 100 # 7 A -81, 6th Floor, Bogotá, addressed to the CUSTOMER SERVICE department of TOUR VACATION HOTELES AZUL SAS BIC. The company will respond to the request within the timeframe stipulated by Law 1581 of 2012. If it is not possible to address the inquiry within that timeframe, you will be notified in a timely manner, stating the reasons for the delay and indicating the date by which it will be addressed.

Please note that a request for deletion or removal will not be granted if there is a contractual or legal obligation to retain the information in our database. This is the case, for example, with outstanding receivables.

All of the above channels are staffed by personnel trained to perform their duties and are equipped with the necessary control systems to ensure that any updates to personal information requested by users are documented and can be verified.

However, please note that TOUR VACATION HOTELES AZUL SAS BIC will only disclose personal data in connection with an inquiry or complaint to the following individuals:

The data subject, their successors, or their legal representatives, provided that they can prove their status as described in the “Definitions” section of this document.

To persons authorized by the data subject.

To persons authorized by court order or law.

In the latter case, one must take into account the Constitutional Court’s ruling in Case C-748 of 2011 regarding requests for information from public or administrative entities:

The public or administrative entity must justify its request by explaining the connection between the need to obtain the data and the fulfillment of its constitutional or legal duties.

Second, upon submission of the information, the public or administrative entity will be notified that it is responsible for complying with the obligations and requirements imposed by Law 1581 of 2012, either as the data controller or, in certain cases, as the data processor.

The receiving administrative entity must comply with all applicable legal requirements in effect as of the date the information is received, particularly the principles of purpose, legitimate use, restricted circulation, confidentiality, and security.

Following established channels is the key to a prompt response

Data subjects may access, update, and correct the personal information stored in the databases of TOUR VACATION HOTELES AZUL SAS BIC.

The procedures for data subjects to exercise their rights are set forth in each of the data processing policies included in the Comprehensive Data Management Program; however, please note that the response period will begin once TOUR VACATION HOTELES AZUL SAS BIC has actual knowledge of the data subject’s request, provided the request was received through the established channels.

Requirements for Inquiries and Complaints Regarding Personal Data

Regardless of the method the applicant chooses to submit their application, it must be addressed to TOUR VACATION HOTELES AZUL SAS BIC and include at least the following items:

Include the data subject’s identification (name and identification number). Include a description of the events giving rise to the inquiry or complaint. The purpose of the request.

Specify the Data Subject's contact address, whether physical or electronic (email).

Attach the documents you wish to submit. (Especially for claims)

If the inquiry or complaint is submitted in person, the account holder must submit their request or complaint in writing, subject to no formal requirements other than those specified in the previous section.

We care about your satisfaction

If the data subject believes that the response does not meet their needs, they have fifteen (15) business days from the date of receipt to request a reassessment in cases where the response was unfavorable to their interests.

Authorizations for third parties

The account holder must provide TOUR VACATION HOTELES AZUL SAS BIC, either in person or via a previously registered email address, with the appropriate authorization authorizing a third party to view, update, or correct their information. This requirement is intended solely to protect the information and restrict access to it by unauthorized third parties.

This authorization must include at least the following: Identification of the authorizing party

Copy of the holder's ID card

Name and identification information of the authorized person.

The period during which you may access, update, or correct the information (once only, for one year, for the duration of the legal relationship, or until further notice, etc.).

The voluntary and optional nature of the authorization.

Disclosure of images to third parties

TOUR VACATION HOTELES AZUL SAS BIC will only disclose CCTV footage to third parties when permitted to do so under data protection laws.

CCTV footage will only be disclosed to law enforcement authorities in accordance with the purposes for which the CCTV system was established.

If a request for the release of CCTV footage is received from a law enforcement authority (Public Prosecutor’s Office, Judicial Police, investigative agencies, judges, or courts), the Legal Representative must follow the same procedure outlined above regarding requests from data subjects. In such cases, TOUR VACATION HOTELES AZUL SAS BIC will verify that such requests are made for valid reasons and that the release of the footage is proportionate to the purpose of the request.

The above information must be recorded in connection with any disclosure.

If a court issues an order for the release of CCTV footage, that order must be complied with. However, it is important to carefully review exactly what the court order requires.

Review of the CCTV policy and system

This policy will be reviewed annually and, in any case, whenever legislative changes make it necessary.

The CCTV system and the associated privacy impact assessment will be reviewed annually by the Comprehensive Data Committee, or sooner if a significant change in the system’s installation or configuration makes such a review necessary.

Misuse of CCTV systems

Misuse of the CCTV system may constitute a criminal offense.

Any employee of TOUR VACATION HOTELES AZUL SAS BIC who violates this policy may be subject to disciplinary action.

Validity

This video surveillance policy is effective from the day of its publication for ten (10) years until December 31, 2023, a period that will be automatically renewed unless there is a request from the owner of the information to proceed to its deletion. The databases of images and videos will be stored for a maximum period of 5 calendar days, with the exception of the equipment that allows to have a duration longer than fifteen (15) calendar days, the information of the spreadsheets will be stored for a period not longer than two (2) years, time in which a final disposition will be made to this physical information.