TREE GROUP CONSULTING PERSONAL DATA
PROCESSING POLICY

GENERAL

TREE GROUP CONSULTING LLC («Tree Group») in compliance with applicable rules, adopts this Personal Data Processing Policy (hereinafter the «Policy»).

The Policy applies to all personal information of third parties with whom Tree Group interacts, including, but not limited to customers, employees, suppliers, or any other person who provides information to TREE GROUP CONSULTING LLC.

This Policy is available to all interested parties on Tree Group website. Any updates thereof will be reported and in the mentioned website.

DEFINITIONS

In accordance with applicable laws the following definitions apply and will be implemented in the processing of personal data.
a) Authorization: Prior, express and written permission from Data Owner for the
processing of personal data.
b) Privacy Notice: Physical or electronic document generated by the Controller, which is made available to each Data Owner with the information regarding the existence of the Policy applicable to that information, how to access it and the characteristics of the treatment that is intended for said personal data.
c) Database: Organized set of personal data subject to the Policy.
d) Personal Data: All and any information that allows or may be associated with one or more natural persons, determined or determinable. Data can be public, semiprivate or private.
e) Confidential Data: All and any information that by nature is confidential or sensitive, relevant for the Data Owner.
f) Public Data: The information classified as such under the law or the Constitution. It is considered as public information, among others, data contained in public documents, final court judgments not subject to legal reserve and those regarding to civil status of persons.
g) Semiprivate Data: Defined as the data that has no sensitive, reserved or public
nature and whose knowledge or disclosure may interest not only to its owner but also
a certain group of persons or society in general, such as financial and credit
information or commercial activity.
h) Sensitive Data: Any and all data related to Data Owner intimacy such as those
which reveal racial or ethnic origin, political ideas, religious or philosophical beliefs,
trade union, social or human rights organizations memberships, or promotes
interests of any political party or to guarantee the rights of opposition political parties, as well as data related health to sexual life, biometrics such as fingerprints,
photographs, iris, voice recognition, facial or hand palm.
i) Data Processor: natural or legal person, public or private, which by itself or in
association with others performs the processing of personal data on behalf of the
Controller.
j) Controller: Individual or legal entity, public or private, which by itself or in association with others decides the use of the database and / or processing of the data.
k) Data Owner: Individual whose personal data is processed according to this Policy.
l) Processing: Any operation or set of operations of Personal Data, such as collection, storage, use, movement or deletion of data.

PRINCIPLES APPLICABLE TO PERSONAL DATA PROCESSING

Tree Group will apply in a comprehensive manner, the following guiding principles in the collection, handling, use, processing, storage and exchange of personal data:
a) Data Processing Rule of Law: Tree Group will apply and enforce applicable
standards and laws governing the processing of personal data and other related
basic rights.
b) Principle of purpose: Processing Data will obey a legitimate purpose in accordance with the United States Constitution and laws, which will be reported to the Data Owner.
c) Principle of Freedom: The Personal Data Processing will be only exercised with prior, express and informed consent of the Data Owner. Personal data will not be obtained or disclosed without prior authorization or in the absence of legal or judicial mandate.
d) Principle of accuracy or quality of Data: The information subject to the processing of personal data must be truthful, complete, accurate, current, verifiable and understandable. Processing of partial, incomplete, split or misleading data is
prohibited.
e) Principle of transparency: In the Processing of Personal Data, the Controller will ensure the right of the Data Owner to obtain from Tree Group, at any time and
without limitation, information about data concerning them.
f) Principle of restricted access and movement: The Processing of Personal Data is subject to limits arising from the nature of the Personal Data and to current and enforceable rules and laws governing the processing of Personal Data and other
related rights. In this sense, Personal Data, except public information may not be
available on the Internet or other mass media unless access is technically
controllable to provide a limited knowledge communication only to Data Owner or
third parties authorized under the law.
g) Security principle: The information subject to processing by Tree Group will be
handled with existing technical, human and administrative measures necessary to
provide security of records, avoiding adulteration, loss, consultation, use, or
unauthorized or fraudulent access.
h) Principle of Confidentiality: All persons involved in the administration,
management and updating or those who have access to information that is kept in
databases and are not public, are obliged to ensure the confidentiality of information,
even after the end of their relationship with some of the tasks which includes the
processing of information, only being able to perform supply or communication of
personal data when this is in the development of activities authorized in force and
applicable rules governing the processing of personal data and other related
fundamental rights.
All persons who currently work or those to be hired subsequently for the administration and management of databases, must include in their employment or services contract a provision to ensure the compliance of said obligation.

DATA OWNER´S APPROVAL

Without prejudice to the exemptions provided in force and applicable rules and laws in Processing Data a prior express and informed approval by the Data Owner is required, which must be obtained by means that may be subject to consultation and subsequent verification, as a physical or electronic document, a data message or any technical or technological mechanism to express or obtain consent.
Acceptance of this Personal Data Policy and of the processing of personal data pursuant to the terms thereof also takes effect when a job candidate or applicant, potential customer, or supplier, provide his or her data through any channel or mean set forth by Tree Group. for the proper performance of their internal processes and procedures accordingly.

PRIVACY NOTICE

The Privacy Notice is the physical or electronic document or any other known or unknown format, by which the Data Owner becomes aware of information regarding the existence of processing of personal data policy applicable to that information, how to access it and the characteristics of the Policy that is intended to give personal data.
The Privacy Notice at least shall include the following information:
a) The identity data, address and contact details of the Controller.
b) The type of processing to which the data will be submitted and the purpose of that
information.
c) The general mechanisms provided by the Controller to guarantee the Data Owner
knows Processing of Personal Data Policy and the substantial changes that may
occur on it from time to time.

EVENTS WHEN NO PRIOR APPROVAL IS REQUIRED

No prior approval of Data Owner will be required when:
d) The information is required by a public or administrative entity in the exercise of their legal functions or by court order.
e) In case of public data nature.
f) Cases involving of medical or health emergencies.
g) Information whose processing has been authorized by law for historical, statistical or scientific purposes.
h) In case of data related to the Civil Registry of Persons.

DATA OWNERS RIGHTS

Any procedure that involves the processing by any company area or division personnel of personal data from customers, employees, suppliers and generally any third party with which Tree Group holds commercial and labor relations, should consider the rights of the Data
Owner, which are listed below:
a) Right to know, update, consult or rectify the Personal Data at any time, before
Tree Group, with respect to any information considered partial, inaccurate,
incomplete, split and / or misleading.
b) Right to request at any time a proof of the authorization granted to Tree Group.
c) Right to be informed by Tree Group , when requested, the use that has been given to such information.
d) Right to revoke the authorization and / or request removal of any information when it is considers that Tree Group has not respected the constitutional rights and
guarantees of Data Owner.
e) Right to access for free to the Personal Data voluntarily chosen to be shared with
Tree Group, for which the Controller is responsible for preserving and keeping safely
and reliably authorizations for each Data Owner duly granted.

PROCESSING OF SENSITIVE DATA

Tree Group may process the data classified as sensitive when:
a) The Data Owner has given its prior consent to such processing, except in cases
when authorization is not required by law.
b) Processing of Data is necessary to protect the interest of the Data Owner and this is physically or legally incapacitated. At these events, the legal representatives must
give their authorization.
c) The Processing is carried out during legitimate activities with appropriate guarantees by a foundation, NGO, association or any other non-profit organization whose purpose is political, philosophical, religious or trade union, provided that is related exclusively to its members or to persons who have regular contact because of their purpose. In these events, the data cannot be provided to third parties without the authorization of the owner.
d) Data Processing relates to information necessary for the establishment, exercise or
defense of a right in judicial proceedings.
e) Processing has a historical, statistical or scientific purpose. In this event, the
Controller shall take all measures leading to the delete of identity of the Data Owners.

UNDERAGED CHILDREN PERSONAL DATA

In the Processing of Personal Data kept in the Tree Group Databases related to children and teenagers, the rights of minors will be ensured.
In any case, any and all use of data related to underaged children registered in the
company’s databases or, eventually requested, must be expressly authorized by the legal representative of the child or teenager previous exercise the minor’s right to be heard, opinion which will be assessed in terms of maturity, autonomy and ability to understand the matter.
Furthermore, Tree Group shall provide underaged children’s legal representatives the possibility of exercising their rights of access, cancellation, rectification and opposition of their protected data.

THIRD PARTIES

Databases or files will not be provided to third parties, unless authorized by the Data Owner or by law. In such a case the transfer and / or sharing personal data of customers, employees or suppliers of Tree Group with third parties, will be made exclusively for purposes related to sending correspondence and communications of Tree Group.

PURPOSE OF PERSONAL DATA

Tree Group will only use the Personal Data previously and expressly authorized by the Data Owner, according to the purpose of Personal Data and the corporate purpose of Tree Group and respecting the rights to privacy, good name, image and other Constitutional rights.
Information about customers, suppliers, and employees, current or past, is obtained and preserved in order to facilitate, promote, allow or maintain labor, civil and commercial relations. The purposes of the databases will depend on the person who provides that personal data and in accordance with that, he/she will be expressly informed at the time of requesting for authorization.

PROCEDURES FOR THE EXERCISE OF PERSONAL DATA OWNERS RIGHTS.

Data Owners may exercise their right to know, update, rectify and delete the personal data they have provided to Tree Group, by sending a communication, at any time and free of charge to the following email: admin@Tree Groupgroup.com
In accordance with Article 20 of Decree 1377 of 2013, the rights of the Data Owners
established in the Law may be exercised by:
a) The Data Owner must prove his/her identity by the means provided the Controller.
b) By their successors, who must prove such condition.
c) By the representative and/or duly authorized attorney of the Data Owner, prior proof of the representation or power of attorney.
The requests submitted by Data Owner should contain as minimum:
a) Full name of Data Owner.
b) Contact information for notices.
c) Documents proving duly representation or power to act, if necessary.
d) Clear and precise description of the personal data for which the Data Owner seeks
to exercise any of his/her rights.
These rights can be exercised, among others, against partial, inaccurate, incomplete, split data, or those whose processing is prohibited or not authorized by the Owner

CONSULTATIONS

Data Owners, their successors or representatives may consult the personal information kept in any database of Tree Group, providing the company all information contained in the individual record or that is linked to the identification of Data Owner. The request shall be made in writing, by the means indicated in this policy, provided that it is made by the Data Owner or his/her representative.

DATA RECTIFICATION OR UDPATE

When Data Owners, their successors or representatives consider that the
information contained in a database of Tree Group should be subject to correction or update, they are entitled to file a request before Tree Group, which will be processed under the following rules:
The request shall be addressed to Tree Group by the means set forth in Section 13th
above, with the following information:
a) Full name of Data Owner.
b) Contact information for notices.
c) Documents proving duly representation or power to act, if necessary.
d) Description of the facts giving rise to the claim.
e) Clear and precise description of the personal data for which the Data Owner seeks
rectification or update.
f) The documents considered as evidence.

DATA DELETION

Data Owners, their successors or representatives may request, at any time and for free to Tree Group, deletion of Personal Data when:
a) They believe the data is not being processed in accordance with the principles, duties and obligations under current regulations and in this Policy.
b) Data is no longer necessary or relevant for the purpose for which it was collected.
c) The time required to fulfill the purposes for which the information was collected has expired

This deletion involves partial or total removal of personal data, according to the request of Data Owners, their successors or representatives on records, files and databases managed by Tree Group.
The claim shall be addressed to Tree Group, by the means set forth in this policy,
containing at least the following information:
a) Full name of Data Owner.
b) Contact information for notices.
c) Documents proving duly representation or power to act, if necessary.
d) Description of the facts giving rise to the claim.
e) Clear and precise description of the personal data for which the Data Owner seeks
deletion.
f) The documents considered as evidence.
However, it is important to consider that the right of data suppression is not absolute, and Controller may deny the exercise thereof when:
a) The Data owner has a legal or contractual duty to remain in the database.
b) When data removal hinders judicial or administrative proceedings related to tax
obligations, investigation and prosecution of crimes or updating administrative
sanctions.
c) When data is necessary to protect the legal interests of the Data Owner to perform
an action in the public interest or to fulfill an obligation legally acquired by the Owner.

REVOCATION OF APPROVAL

Data Owners, their successors or their representatives may, at any time and for free, revoke consent to the Processing of Personal Data, as long as it is not prevented by legal or contractual provision.
To this end, the Data Owner may revoke his/her consent through the same means by which it was granted.
It should be noted that there are two types of revoking consent: One is given on all
consensual purposes and the other is given on some specific types of data processing.

DUTIES OF PROCESSING OF PERSONAL DATA CONTROLLER

Tree Group will be directly responsible for the processing and custody of personal data, directly or indirectly, collected and stored. However, it reserves the right to delegate to a third party such treatment, which will require the manager’s attention and implementation of policies and appropriate procedures for the protection of
personal data and strict confidentiality.

SECURITY MEASURES ADOPTED REGARDING THE PROCESSING OF
PERSONAL DATA

Tree Group shall adopt the technical, human and administrative measures to ensure the security and confidentiality of the data and to prevent alteration, loss, consultation, use, or unauthorized access. Personal Data that Owner provides to Tree Group under any means, shall be managed confidentially according to constitutional, legal and other regulations governing the protection of Personal Data.

EFFECTIVE DATE OF PERSONAL DATA PROCESSING POLICY

This Processing of Personal Data Policy is effective as of August 18th, 2020 and in force as long as Tree Group performs its corporate purpose.