Data processing

INDEPENDENCE DRILLING S.A., identified with the Tax Identification Number, TIN, 890.110.188-7, together with its subsidiaries, affiliates, and branches (hereinafter referred to as “INDEPENDENCE” and/or the “COMPANY”), makes available its Personal Information Processing Policy (hereinafter the “POLICY”). This policy has been adopted in compliance with Colombian regulations: Article 15 of the Political Constitution, which establishes the fundamental right to habeas data, Statutory Law 1581 of 2012, its Regulatory Decree 1377 of 2013, and other regulations that may develop, add, complement, and/or modify it.

1. OBJECT

To regulate the processing of personal information in its various stages, including collection, storage, use, administration, transfer, transmission, updating, rectification, deletion, and protection of data received by INDEPENDENCE in the course of its activities.

2. SCOPE

The POLICY applies to personal information stored in the COMPANY’s databases.

3. DEFINITIONS

To ensure clarity for the recipients of this POLICY regarding the terms used throughout it, the following definitions from the General Data Protection Law, Law 1581 of 2012, are included, as well as those related to data classification according to the Special Law, Law 1266 of 2008, which are applicable by express provision of the Constitutional Court and, therefore, must be taken into account in this POLICY.

Authorization: prior, express, and informed consent of the Data Subject to carry out the processing of their personal data.

Privacy Notice: verbal or written communication issued by the Data Controller, addressed to the Data Subject for the processing of their personal data. It informs them about the existence of the information processing policies that apply, how to access them, and the purposes of the processing.

Database: an organized set of personal data subject to processing.

Personal Data: any information linked or that can be associated with one or more identified or identifiable natural persons.

Processor: a natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller.

Data Controller: a natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of data.

Data Subject: a natural person whose personal data is subject to processing.

Transfer: the transfer of data occurs when the Data Controller and/or Processor of personal data, located in Colombia, sends the information or personal data to a recipient, who in turn is the Data Controller and is located inside or outside the country.

Transmission: processing of personal data involving the communication of such data within or outside the territory of the Republic of Colombia when its purpose is the processing by the Processor on behalf of the Data Controller.

Processing: any operation or set of operations carried out on personal data, such as collection, storage, use, circulation, transfer, or deletion.

Classification of data under the General Law: private, semi-private, sensitive, and public.

Private Data: data that, due to its intimate or reserved nature, is only relevant to the Data Subject.

Semi-private Data: data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the Data Subject but also to a certain sector or group of people or society in general.

Sensitive Data: data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promotes the interests of any political party or guarantees the rights and guarantees of opposition political parties, as well as data related to health, sexual life, and biometric data.

Public Data: data defined residually as that which is not semi-private, private, or sensitive. Public data is data qualified as such according to the mandates of the law or the Political Constitution and all those that are not semi-private or private in accordance with the Special Law.

4. PRINCIPLES

It is the commitment of INDEPENDENCE, in the development of its management and corporate purpose, to understand, apply, and develop harmoniously the principles established in the General Data Protection Law, those of Regulatory Decree 1377 of 2013, and those indicated in the regulations that develop, add, complement, and/or modify the subject matter of this POLICY.

Principle of legality in the processing of data: the processing of personal information is subject to what is established in the norms and regulations of the Colombian legal system.

Purpose principle: the purpose of data processing will be informed to the Data Subject, will be legitimate, and will comply with the Constitution and the Law.

Freedom principle: the processing of personal data and its disclosure will only be carried out with the prior and express consent of the Data Subject unless there is a legal or judicial mandate that replaces their consent.

Truthfulness or quality principle: the information of the Data Subject subject to processing will be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

Transparency principle: the Data Subject will obtain, at any time and without restriction from the Data Controller or Processor, information about the data that concerns them.

Access and restricted circulation principle: the processing of personal data will only be carried out by persons authorized by the Data Subject or as provided by law, limited to the nature of these data and in accordance with the provisions of the law and the Constitution.

Security principle: personal information will be handled with the technical, human, and administrative measures required to provide security to the records in order to prevent their alteration, loss, consultation, use, or unauthorized or fraudulent access.

Confidentiality principle: individuals involved in the processing of personal data, not of a public nature, are obliged to guarantee the confidentiality of the information, even after finishing their relationship with the activities covered by the processing, except in cases where by law they can provide or communicate the personal data of the Data Subject.

Non-compliance with the POLICY and the provisions defined in Law 1581 of 2012 and others that develop, clarify, or modify it will be considered a serious offense by the workers and/or collaborators of the COMPANY.

5. DATA CONTROLLER

INDEPENDENCE is the data controller for personal data.

Main domicile: Bogotá, D.C. Address: Main Office. Calle 100 No 7-33 Tower 1 19th floor of Bogotá Telephone: (57 – 1) 5 87 53 33. Channel to exercise the right to habeas data: protecciondatos@independence.com.co

6. AUTHORIZATION

Without prejudice to the exceptions provided for in the Law, the processing of personal data requires the prior, express, and informed consent of the Data Subject, which must be obtained by any means that may be subject to consultation and verification in the future.

The COMPANY, in its capacity as Data Controller, will inform the Data Subject about the purpose of the processing and the rights that assist them, at the latest at the time of collecting their data.

The COMPANY will keep the respective proof of authorization granted by the Data Subject for the processing of their personal data.

7. PURPOSE OF DATA PROCESSING

INDEPENDENCE may collect, store, use, circulate, transfer, transmit, update, and delete personal data for the following purposes:

1. Compliance with legal, contractual, and constitutional obligations.
2. Development of commercial activities.
3. Provision of services.
4. Marketing of products and services.
5. Research and development of new products and services.
6. Notification of new products and services.
7. Evaluation of the quality of products and services.
8. Internal administrative processes.
9. Human resources management.
10. Attention to queries, complaints, and claims.

In the case of sensitive data, their processing will be limited to the purposes that justify their treatment, and their collection will require the express authorization of the Data Subject, except in cases provided for by law.

INDEPENDENCE may use third parties, whether natural or legal persons, to carry out any type of activity or procedure in which personal data are processed. In these cases, INDEPENDENCE will ensure that these third parties comply with the provisions of this POLICY.

8. PROCEDURE FOR EXERCISING THE RIGHT TO HABEAS DATA

The Data Subject or their successors may exercise the right to know, update, rectify, and delete their personal data, as well as revoke the authorization granted for their processing, by submitting a written request to INDEPENDENCE. This request must be submitted to the following email address: protecciondatos@independence.com.co or to the main office address indicated in point 5 of this POLICY.

The request for the exercise of the right to habeas data must contain at least the following information:

1. The name and identification of the Data Subject.
2. The description of the facts that give rise to the request.
3. Contact information (physical and/or electronic address) for notifications.

If the request is incomplete, INDEPENDENCE will request the interested party to correct the deficiencies within five (5) days of receiving the request. After two (2) months from the date of the request without the applicant submitting the required information, the request will be considered abandoned.

The maximum term to attend to the request for the exercise of the right to habeas data is fifteen (15) business days from the day following the date of receipt. When it is not possible to attend to the request within said term, the interested party will be informed, stating the reasons for the delay and indicating the date on which their request will be attended to, which in no case may exceed eight (8) business days following the expiration of the first term.

9. REVOCATION OF AUTHORIZATION

The Data Subject may revoke the authorization and/or request the deletion of the data when they consider that the principles, rights, and constitutional and legal guarantees were not respected in the data processing. The revocation and/or deletion will proceed when INDEPENDENCE has not initiated the fulfillment of its legal or contractual obligations.

The revocation may be total or partial. Total revocation implies the total withdrawal of the Data Subject from the INDEPENDENCE database and will proceed when there is no legal or contractual obligation that prevents it. Partial revocation implies the exclusion of certain data requested by the Data Subject from the INDEPENDENCE database.

To exercise the right of revocation and/or deletion, the Data Subject must submit a request in the terms indicated in point 8 of this POLICY.

10. VALIDITY

This POLICY is effective as of [Effective Date] and will remain in force until its modification, which may occur at any time. Any substantial modification will be informed through the means that the COMPANY deems appropriate, which may be through its website or other means of communication.

The Data Subject declares that they have been informed of the terms of this POLICY, which constitutes an informed and express acceptance of the same.

DOCUMENTS APPLICABLE CORPORATE INTEGRITY CODE

Prepared by: Ronal Gómez Sánchez
Position: Lawyer
Date: 31-03-2020

Reviewed by: Ronal Gómez Sánchez
Position: Lawyer
Date: 31-03-2020

Approved by: Maria Nella Marquez Romero
Position: Legal Manager
Date: 31-03-2020