
POLICIES OF PERSONAL DATA PROCESSING

EMPRESA DE ENERGÍA DEL PACÍFICO S.A. E.S.P.,

Empresa de Energía del Pacífico S.A. E.S.P. (hereinafter, "EPSA" or the "Company"), pursuant to the provisions of Law 1581 of 2012 and Regulatory Decree 1377 of 2013 governing the collection and processing of personal data, issues the following document, which sets out the Company's policy on the processing of personal data, subject to the following:

CLAUSES

1. Article 15 of the Colombian Constitution states that "(...) Everyone has the right to personal and family privacy and good name, and the State must respect and ensure respect. Similarly, the right to know, update and rectify information gathered about them in databases and archives of public and private (...) entities". This constitutional provision establishes three autonomous fundamental rights, namely privacy, good name and Habeas Data. The constitutional provision developed in this document is "Habeas Data", which is the right that guarantees and protects everything related to the knowledge, updating and correction of personal information in databases and files, and which has been developed and protected by Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013, the regulations that govern this manual, which may be adjusted to the extent that the legislature, the National Government or EPSA introduce changes that affect it.

2. The right of Habeas Data must then be understood as an autonomous fundamental right which consists of computer self-determination and freedom.

3. It falls to EPSA's directors, as well as its employees and third-party contractors, to observe, abide by and comply with the orders and instructions that the organization issues, particularly with respect to personal information whose disclosure or misuse can cause injury to its holders, pursuant to the rights contained in Article 15 of the Political Constitution of Colombia, Law 1581 of 2012 and Decree 1377 of 2013.

4. The laws relating to personal data establish economic, trade and custodial sanctions, which makes cooperation between EPSA and the recipients of these policies essential in order to ensure compliance with the rights to privacy, habeas data and the protection of personal data, preventing damage to any party and / or third parties.

5. The regulation of information security policies, particularly regarding labor relations and service delivery, must include the protection of personal data related to human resources, respecting the minimum rights and guarantees of employees and service providers, failing which the provisions do not produce any effect.

6. Under labor law, the employer has a duty to protect employees, and employees have a duty of obedience and loyalty to EPSA, so that they contribute to the safe management of personal information.

7. These policies complement, and do not contradict, the obligations of the employee and of EPSA contained in labor legislation.

8. It is the duty of employees to give EPSA full cooperation in the event of a disaster or imminent risk that affects or threatens information assets, especially those related to the personal information that EPSA holds, so that the Company receives the cooperation it requires to investigate, analyze and capture evidence of security incidents that compromise this information, whether or not that evidence is destined for legal proceedings, and to follow the instructions contained in EPSA's chain-of-custody protocol.

Based on the above considerations underlying the protection of personal data in EPSA, the following provisions are formulated for treatment and are mandatory for recipients of these policies.

I. DEFINITIONS.

For the purposes of this document, unless stipulated otherwise, capitalized terms used herein shall have the meanings assigned to such terms in the Act 1581 of 2012 and Decree 1377 of 2013.

Database. It is any organized set of personal data which undergoes treatment.

Custodian of the database. It is the individual who has custody of the personal database within EPSA.

Personal Data. Any information linked to, or that can be associated with, one or more identified or identifiable natural persons.

Public Data. It is data other than semi-private or sensitive data. Public Data include, among others, data concerning the civil status of persons, their profession or trade, and their status as a merchant or public servant. By its nature, public data may be contained, among others, in public records, journals, official gazettes and duly executory judgments which are not subject to reservation.

Sensitive data. Sensitive information is defined as data affecting the privacy of the Contractor or whose misuse can lead to discrimination against them, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership of trade unions, social or human rights organizations, or organizations that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data concerning health, sexual life, and biometric data.

Data Processor. Natural or artificial person, public or private, that, by itself or in association with others, performs the Processing of personal data on behalf of controllers.

Habeas Data. Fundamental right of everyone to know, update, rectify and / or cancel the information and personal data that have been collected about them and / or treated in public or private Databases, under the provisions of the Act and other applicable regulations.

Principles for Data Processing. These are the fundamental rules, of a legal and / or case-law nature, that inspire and guide the treatment of personal data, and from which actions and criteria are determined to resolve possible conflicts between the right to privacy, Habeas Data and the protection of personal data, and the right to information.

Responsible for treatment. Natural or artificial person, public or private, that, by itself or in association with others, decides on the Database and / or the treatment of the data.

Holder. It is the individual whose data are subject to treatment.

Treatment. Any operation or set of operations on personal data, such as collection, storage, use, movement or deletion.

Transfer. A data transfer occurs when the Responsible and / or Data Processor of Personal Data, located in Colombia, sends the information or personal data to a receiver that is in turn responsible for the data and is located inside or outside the country.

II. OBJECT.

(i) To adopt and establish the rules applicable to the treatment of personal data collected, processed and / or stored by EPSA in carrying out its corporate purpose, whether as Responsible and / or Data Processor.

The rules contained in these policies give effect to the provisions of Act 1581 of 2012, Decree 1377 of 2013 and Article 15 of the Political Constitution of Colombia, in terms of ensuring the privacy of individuals, the exercise of Habeas Data and the Protection of Personal Data, in accordance with the right to information, so that these rights are proportionally regulated within EPSA and their violation can be prevented.

(ii) To notify the Holder of Personal Data of the information policies that will be applicable to their Personal Information; and

(iii) To explain how Holders can access their personal data, and to determine how such data will be treated and subsequently used.

III. SCOPE.

These policies apply to the processing of personal data carried out in Colombia, or where these policies apply to the Head and / or Manager located outside Colombia, under international treaties, contractual relations, among others.

The principles and provisions contained in these Personal Data policies will apply to any Personal Database in the custody of EPSA, whether as Responsible and / or Data Processor.

All EPSA organizational processes involving the treatment of personal data, should be subject to the provisions of these policies.

IV. RECIPIENTS OF POLICIES.

These policies apply to, and are therefore binding on, the following:

4.1. All internal EPSA staff and legal representatives, whether executives or not, who have custody of and process Databases containing Personal Data.

4.2. Contractors and natural or legal persons providing services to EPSA under any type of contractual arrangement under which any Personal Data Processing is performed.

4.3. All others established by law.

V. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA.

The protection of Personal Data in EPSA shall be subject to the following fundamental principles or rules, on the basis of which the internal processes related to the Processing of Personal Data shall be determined, and which shall be construed harmoniously and comprehensively, consistent with Colombian law.

5.1. Informed consent or principle of freedom.

The treatment of personal data within EPSA can only be carried out with the prior, express and informed consent of the Holder, pursuant to Law 1581 of 2012 and Decree 1377 of 2013. Personal Data may not be procured, processed or disclosed without the Holder's authorization, unless a law or court order stands in for the consent of the Contractor.

5.2. Legality.

The Treatment with which Act 1581 of 2012 is concerned is a regulated activity that must be subject to the provisions of that Act and to the other provisions implementing it.

5.3. Purpose of Personal Data.

The Processing of Personal Data must pursue a legitimate aim, in accordance with the Constitution and the law, which must be reported to the Head of Personal Data, as required by Act 1581 and its Regulation.

5.4. Accuracy or quality of Personal Data.

The Personal Data collected by EPSA must be truthful, complete, accurate, verifiable, understandable and stay current. Treatment of partial, split, incomplete or misleading data is prohibited.

5.5. Transparency.

In the Processing of Personal Data, the right of the Holder of Personal Data to obtain from the Responsible and / or Data Processor, at any time and without restrictions, information about the existence of data concerning him will be guaranteed.

5.6. Relevance of Personal Data.

When collecting personal data, EPSA should take into account the purpose of the treatment and / or of the Database; the data must therefore be adequate, relevant and not excessive or disproportionate to the objective. Collection of Personal Data disproportionate to the purpose for which they are obtained is prohibited.

5.7. Access and restricted circulation.

The Personal Data that EPSA collects or processes will be used by the Company only within the scope of the purpose and authorization granted by the Head of Personal Data.

Personal Data in EPSA's custody may not be made available on the Internet or any other means of mass communication, unless access is technically controllable and secure, so as to provide knowledge restricted only to holders or authorized third parties, in accordance with the law and the principles that govern the matter.

5.8. Duration of Personal Data.

Once the purpose for which Personal Data was collected and / or treated has been exhausted, EPSA shall cease to use it and shall take the necessary security measures accordingly. To this end, the obligations under commercial law on the conservation of a merchant's trade books and correspondence will be taken into account.

5.9. Security of Personal Data.

EPSA, as Responsible or Data Processor of Personal Data, as appropriate, will adopt the physical, technological and / or administrative security measures necessary to ensure the attributes of integrity, authenticity and reliability of personal data. The Company, according to the classification of the personal data, will implement security measures of high, medium or low level, as applicable, to prevent tampering, loss, leakage, consultation, use or unauthorized or fraudulent access.

5.10. Confidentiality.

EPSA and all persons involved in the processing of personal data have a professional obligation to keep and maintain the confidentiality of such data, even after their relationship with any of the tasks comprising the treatment has ended, and may only supply or communicate Personal Data when this corresponds to the performance of activities authorized by law and under its terms. EPSA will implement data protection clauses to this effect in its contractual relations.

5.11. Duty of information.

EPSA will inform the Holders of Personal Data, as well as those Accountable and Responsible for Treatment, of the data protection regime adopted by the organization, as well as of the purpose and other principles governing the treatment of such data. It will also disclose the existence of the Personal Databases in its custody, and the rights and exercise of Habeas Data by Holders of Personal Data, and will make the registration required by law and the regulatory decree.

5.12. Special Protection of Sensitive Data.

EPSA will not collect or process Personal Data linked exclusively to political ideologies, union membership, religious beliefs, sexual life, ethnicity, and health data, unless authorized by the Contractor, or in the cases provided by law in which consent is not required. Sensitive personal information that may be obtained from a recruitment process will be protected by high security measures.

VI. RIGHTS OF DATA HOLDERS.

Holders of Personal Information contained in the Personal Databases held in EPSA's information systems have the rights described in this section, in accordance with the fundamental rights enshrined in the Constitution and the law.

The exercise of these rights by the Holder of Personal Data will be free and unrestricted, subject to the legal provisions governing their exercise.

The exercise of Habeas Data, expressed in the following rights, is a strictly personal power and shall be exercised exclusively by the Holder of the data, with the exceptions provided by Law.

6.1. Right of access.

This right includes the right of the Holder of Personal Data to obtain all the information on their own personal data, whether partial or complete, on the treatment applied to them, the purpose of the treatment, the location of the databases that contain their Personal Data, and the communications and / or assignments made about them, whether authorized or not.

6.2. Right to update.

This right includes the right of the Holder of data to update their Personal Data if they have undergone any variation.

6.3. Right of rectification.

This right includes the right of the Holder of Personal Data to amend Personal Data that are inaccurate, incomplete or nonexistent.

6.4. Right of cancellation.

This right includes the right of the Holder of Personal Data to cancel or delete their Personal Data if they are excessive or irrelevant, or if their treatment is contrary to the rules, except in cases covered by exceptions established by law and / or where necessary within a specific contractual framework.

In the case of a request to cancel the authorization for the Processing of Personal Data relating to the provision of electricity services, the Company will indicate that without such authorization EPSA could not keep the data in its database and therefore could not provide the electricity service.

6.5. Right to revoke the consent.

The holder of personal data has the right to revoke the consent or authorization that authorizes EPSA to carry out Treatment for a particular purpose, except in cases covered by exceptions established by law and / or where necessary within a specific contractual framework.

In the case of an application for revocation of the authorization for the treatment of personal data related to the provision of electricity services, the Company will indicate that without such authorization EPSA could not keep the data in its database and therefore could not provide the electricity service.

6.6. Right to object.

This right includes the right of the Holder of Personal Data to oppose the treatment of their personal data, except where such right does not apply by legal provision or would infringe general interests that prevail over the particular interest. EPSA, based on the legitimate rights asserted by the Holder of Personal Data, will make a judgment of proportionality or weighting to determine whether or not the particular right of the Holder of Personal Data prevails over other rights, e.g., the right to information.

In the case of opposition to the treatment of personal data related to the provision of electricity services, the Company will indicate that without such authorization EPSA could not keep the data in its database and therefore could not provide the electricity service.

6.7. Right to file grievances and complaints or seek remedies.

The Head of Personal Data is entitled to submit to the Superintendency of Industry and Commerce, or to whichever entity is competent, grievances and complaints, as well as any actions that appear relevant for the protection of their data, once the consultation or claim procedure before the Responsible for treatment or Data Processor has been exhausted. EPSA will respond to requests from the competent authorities in relation to these rights of the Holders of Personal Data.

6.8. Right to grant authorization for the treatment of data.

In implementing the principle of informed consent, the Holder of the data has the right to grant permission for the treatment of their Personal Data in EPSA.

Exceptionally, this authorization will not be required in the following cases:

6.8.1. When required by a public or administrative entity in the exercise of its statutory functions, or by court order.

6.8.2. In the case of Public Information.

6.8.3. In cases of medical or health emergency.

6.8.4. Where treatment of the information is authorized by law for historical, statistical or scientific purposes.

6.8.5. In the case of personal data related to the Registry of people.

6.8.6. Databases and files whose purpose is national security and defense, as well as the prevention, detection, monitoring and control of money laundering and terrorist financing;

6.8.7. Databases that are intended to contain intelligence and counterintelligence information;

6.8.8. Databases and archives of news reporting and other editorial content;

6.8.9. Databases and records regulated by Law 1266 of 2008; and

6.8.10. Databases and files regulated by Law 79 of 1993.

In these cases, although the authorization of the Contractor is not required, the other principles and legal provisions on the protection of personal data will still apply.

VII. DUTIES OF THE RECIPIENTS OF THESE POLICIES REGARDING PERSONAL DATABASES WHEN ACTING IN THE CAPACITY OF RESPONSIBLE PARTIES AND MANAGERS.

7.1. Duties of those Responsible for Treatment.

When EPSA or any of the recipients of these policies assumes, as Responsible, the processing of personal data in its custody, it must meet the following duties, without prejudice to the other provisions of the Act and others governing its activity:

a) Guarantee the Holder of Personal Data, at all times, the full and effective exercise of the right of Habeas Data.

b) Request and keep, as provided in Law 1581 of 2012 and Decree 1377 of 2013, a copy of the authorization and consent granted by the Owner of Personal Data.

c) Duly inform the Contractor of Personal Data of the purpose of the collection and of the rights they have by virtue of the authorization granted.

d) Keep Personal Data under the security conditions necessary to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.

e) Ensure that the information supplied to the Data Processor is truthful, complete, accurate, current, verifiable and understandable.

f) Update the information, communicating to the Data Processor in a timely manner all changes to the data previously supplied to it, and take the other measures necessary to ensure that the information provided to it is kept current.

g) Rectify the information when it is incorrect and communicate the relevant correction to the Data Processor.

h) Provide the Data Processor, as appropriate, only with data whose treatment has been previously authorized in accordance with the provisions of the Act.

i) Require the Data Processor, at all times, to respect the security and privacy of the Contractor's information.

j) Handle inquiries and complaints made, under the terms stated in this policy and the law.

k) Adopt an internal manual of policies and procedures to ensure proper compliance with the Act and, in particular, the handling of inquiries and complaints.

l) Inform the Data Processor when certain information is under dispute by the Contractor, once the complaint has been filed and the respective procedure has not yet been completed.

m) Inform the holder of personal data, at their request, of the use given to their data.

n) Inform the data protection authority when violations of security codes occur and there are risks in the management of the information of Holders of Personal Data.

o) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce or the competent authority on the subject.

7.2. Duties of Managers of Personal Data Processing.

When EPSA or any of the recipients of these policies acts in the capacity of custodian of the processing of personal data, it must comply with the following duties, without prejudice to the other provisions of the Act and others governing its activity:

a) Guarantee the Contractor, at any time, the full and effective exercise of the right of Habeas Data.

b) Keep the information under the security conditions necessary to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.

c) Carry out in a timely manner the updating, rectification or erasure of personal data under the terms of Law 1581 of 2012 and Decree 1377 of 2013.

d) Update the information reported by the controllers within five (5) working days from receipt.

e) Handle inquiries and complaints made by the Holders, under the terms stated in this policy, Act 1581 of 2012 and Decree 1377 of 2013.

f) Adopt an internal manual of policies and procedures to ensure proper compliance with Act 1581 of 2012 and Decree 1377 of 2013 and, in particular, for answering inquiries and complaints from the Holders of Personal Data.

g) Record in the Database the legend "claim pending", in the manner regulated by Law 1581 of 2012 and Decree 1377 of 2013, in respect of unresolved complaints or claims presented by Holders of Personal Data.

h) Insert into the Database the legend "information on legal argument" once notified by the competent authority of judicial proceedings related to the quality of the Personal Data.

i) Refrain from circulating information that is being contested by the Holder and whose blocking has been ordered by the Superintendency of Industry and Commerce in accordance with the provisions of Law 1581 of 2012 and Decree 1377 of 2013.

j) Provide access to information only to persons who may have access to it.

k) Inform the Superintendency of Industry and Commerce when violations of security codes occur and there are risks in the management of Holders' information.

l) Comply with the instructions and requirements issued by the Superintendency of Industry and Commerce.

7.3. Common Duties of those Responsible for Treatment and custodians.

In addition to the duties described above, EPSA and any other person acting as Responsible or Data Processor shall assume the following complementary duties, whatever their status:

a) Apply security measures according to the classification of the Personal Data that EPSA processes.

b) Adopt disaster recovery procedures applicable to Databases containing Personal Data.

c) Adopt backup procedures for the Databases containing Personal Data.

d) Periodically audit compliance with these policies by their recipients.

e) Securely manage Databases containing Personal Data.

f) Keep a central register of the databases containing personal data, comprising the history of each database from its creation, its information and its cancellation.

g) Securely manage access to the Personal Databases contained in the information systems in which they act as Responsible or Data Processor.

h) Have a method for managing security incidents regarding Databases containing Personal Data.

i) Regulate, in contracts with third parties, access to the databases containing personal data.

VIII. HABEAS DATA PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF INFORMATION, ACCESS, UPDATE, CORRECTION, CANCELLATION AND OPPOSITION.

In furtherance of the constitutional guarantee of Habeas Data regarding the rights of access, updating, rectification, cancellation and opposition of the Holder of Personal Data or of a legally entitled interested party, that is, their successors and legal representatives, EPSA adopts the following procedure:

8.1. The Holder of the data and / or the interested party exercising any of these rights shall prove that status by means of a copy of the relevant document and of their identity document, which may be provided by physical or digital means. If the Contractor is represented by a third party, the respective power of attorney must be attached, with signature and content recognized before a notary public. The attorney must also prove their identity as set out above.

8.2. The request to exercise any of these rights must be made in writing, whether physical or digital. The request to exercise those rights may be sent to the main address of EPSA, located on the street 15 No. 29B-30 freeway Cali Yumbo (Yumbo), or to the Commercial Offices and Points of Care and Payment of EPSA in the different municipalities of Valle del Cauca, or to the email servicioalcliente@epsa.com.co.

EPSA, at its sole discretion, may provide other means for the Holder of Personal Data to exercise their rights.

8.3. The request to exercise any of these rights must include the following information:

8.3.1. Name of the Head of Personal Data and of their representatives, if applicable.

8.3.2. The specific and precise request for information, access, update, modification, cancellation, opposition or revocation of consent. In each case the request must be reasonably grounded so that EPSA, as Head of the Personal Database, can proceed to respond.

8.3.3. Physical and / or electronic address for service.

8.3.4. Documents supporting the request.

8.3.5. Signature of the request by the Head of Personal Data.

(i) If any of the requirements listed above is missing, EPSA shall notify the applicant within 5 days of receipt of the application so that it can be corrected. If two (2) months elapse without the required information being submitted, the applicant will be understood to have withdrawn the application. EPSA may provide physical and / or digital forms for the exercise of this right, which shall indicate whether the matter is a query or a complaint by the person concerned.

(ii) Within two (2) business days following receipt of the complete application, EPSA will indicate that a claim is pending. The respective database must include a field in which the following legends are indicated: "Claim pending" and "resolved Claim".

(iii) EPSA, where it is Responsible for the Database of Personal Data contained in its information systems, will respond to the request within ten (10) working days in the case of a query, and fifteen (15) working days in the case of a claim. It shall respond within the same term when, on checking its information systems, it finds that it holds no Personal Data of the person seeking to exercise any of the rights listed.

(iv) In the case of a query, if it is not possible to respond within ten (10) business days, the applicant will be informed of the reasons for the delay and of the date on which the request will be addressed, which in no case may exceed five (5) working days following the expiration of the ten (10) business days.

(iv) In the case of a complaint, if it is not possible to respond within fifteen (15) working days, the applicant will be informed of the reasons for the delay and of the date on which the request will be addressed, which in no case may exceed eight (8) business days following the expiration of the fifteen (15) working days.

(v) EPSA, where it holds the status of Data Processor, will inform the Contractor or the party interested in the Personal Data of that situation and will forward the application to the Head of Personal Data, so that the latter responds to the inquiry or complaint submitted. A copy of such notice shall be addressed to the Head of Personal Data or interested party, so that they have knowledge of the identity of the Head of Personal Data and, consequently, of the party principally obliged to guarantee the exercise of their right.

(vi) EPSA will document and store the requests made by the Holders of the Personal Data or by those interested in exercising any right, as well as the responses to such requests. This information will be treated in accordance with the rules applicable to the correspondence of the organization.

(vii) In order to go before the Superintendency of Industry and Commerce in exercise of the legal actions available to Holders of data or interested parties, the processing of inquiries and / or complaints described here must first be exhausted.

IX. PROCESSING OF PERSONAL DATA.

The operations that constitute Processing of Personal Data by EPSA, as Responsible or Guardian thereof, shall be governed by the following parameters and have the following purposes.

9.1. Personal data related to Human Resource Management.

9.1.1. Personal Data Processing before the contractual employment relationship. EPSA will treat the personal data of its employees, as well as of those applying for vacancies, in three stages, namely before, during and after the employment relationship and / or provision of services.

EPSA will inform, in advance, those interested in participating in a selection process of the rules applicable to the Processing of the Personal Data furnished by the person concerned and of those obtained during the selection process.

EPSA, once the selection process is exhausted, will report the negative outcome and return to the unselected persons the Personal Data they supplied, unless the Holders of Personal Data authorize in writing its destruction where the Holder of Personal Data is not selected. Information obtained by EPSA in respect of those who were not selected, such as the results of psychotechnical tests and interviews, will be removed from its information systems, thus fulfilling the principle of finality.

When EPSA contracts personnel selection processes with third parties, it will regulate in the contracts the treatment that should be given to the Personal Data provided by the interested parties, as well as the destination of the personal information obtained in the respective process.

The personal data and information obtained in the selection process for staff selected to work at EPSA will be stored in the personal folder, applying high security levels and measures to this information, given the potential for such information to contain data of a sensitive nature.

The purpose of the data supplied by those interested in EPSA vacancies, and of the personal information obtained in the selection process, is limited to participation therein; therefore, its use for other purposes is forbidden.

9.1.2. Data processing during the contractual employment relationship. EPSA will store the personal data and personal information obtained in the employee selection process in a folder identified with the name of each employee. This physical or digital folder will only be accessed and processed by Human Resources, for the purpose of managing the contractual relationship between EPSA and the employee.

The ESPA treatment that will give Personal Data, will aim to meet contractual obligations under the employment relationship, including but not limited to personnel management that involves including payment and payroll administration (salaries, benefits legal and extralegal, benefits, bonuses, rebates, insurance, make the deductions allowed by law, a judicial authority or by the employee); make contributions to the Comprehensive Social Security System; the assignment of work items such as communications equipment and computing, workplace, email and other required by the particularities of charge; insurance contracts; staff development; ensure the safety and health of employees; ensure compliance with confidentiality obligations and other employee benefits; guarantee the right of freedom of association; contact their families when required; issuing labor certifications, advertising campaigns by own business issues; security and image identification; for internal or external audits. Likewise any other purpose that is compatible and can be considered analogous to those listed.

Use of the information used for various administration of the contractual relationship purposes, is prohibited in EPSA. The different use of data and personal information of employees only proceed by order of competent authority, provided that it filed such power. This, unless prior written authorization document the consent of the Holder of Personal Data or legal provision on the subject.

9.1.3. Data processing after completion of the contractual employment relationship. Once the employment relationship has ended, whatever the cause, EPSA will store the personal data obtained in the selection process and the documentation generated during the employment relationship in a central file, subjecting such information to security measures and high levels of security, given that employment information may potentially contain sensitive data.

The purpose of treating the personal data of former employees and/or retirees is to fulfill the obligations arising from the employment relationship that existed, including but not limited to: issuing labor certifications; recognition of pensions and/or pension substitutions; issuing certificates for the settlement of pension bonds; certificates for the collection and payment of pension contribution parts; actuarial calculations, benefits and recognition; and internal or external audits.

EPSA is prohibited from assigning such information to third parties, since doing so may constitute a deviation from the purpose for which the personal data were provided by their Holders. This applies unless there is prior written authorization documenting the consent of the Holder of the Personal Data, or a legal provision on the subject.

9.2. Processing of Personal Data of shareholders. The personal data of the Company's shareholders shall be considered confidential information, as it is recorded in the commercial books and is reserved by law. Consequently, access to such personal information will be carried out under the rules contained in the Commercial Code, Act 964 of 2005, Decree 2555 of 2012 and other rules that apply on the matter, including those on the public market. EPSA will only use the personal data of shareholders for the purposes arising from the existing statutory relationship.

9.3. Processing of Personal Data of Providers. EPSA will only collect from its providers the personal data that are necessary, relevant and not excessive for the purpose of selection, evaluation and execution of the contract that may be required. When EPSA is legally required to disclose the data of an individual provider as a result of a hiring process, this shall be done in compliance with the provisions of these policies and in a way that warns third parties about the purpose of the information disclosed.

EPSA will collect from its suppliers the personal data of the suppliers' employees that are necessary, relevant and not excessive, and which for safety reasons it must analyze and evaluate, taking into account the characteristics of the services contracted from the provider.

The Personal Data of providers' employees collected by EPSA will have the sole purpose of verifying the moral suitability and competence of those employees; therefore, once this requirement has been verified, EPSA may return such information to the supplier, except where it is necessary to preserve the data.

When EPSA delivers personal data of its employees to suppliers, the suppliers must protect the personal data supplied in accordance with the provisions of these policies. For this purpose, the respective audit provision will be included in the contract or document that legitimizes the delivery of the personal data.

EPSA will verify that the requested information is necessary, relevant and not excessive in relation to the purpose that supports the request for access to it.

9.4. Processing of Personal Data in procurement processes. Third parties that, in hiring processes, alliances and cooperation agreements with EPSA, access, use, treat and/or store personal data of employees of EPSA and/or of third parties related to such contractual processes shall adopt, as relevant, the provisions of these policies and the security measures indicated by EPSA according to the personal data treated.

To this end, the respective audit provision will be included in the contract or document that legitimizes the delivery of the personal data. EPSA will verify that the requested information is necessary, relevant and not excessive in relation to the purpose of the treatment.

9.5. Processing of Personal Data of customers or users of the public electricity services supplied by EPSA. The Personal Data contained in the Company's Databases whose treatment is related to the provision of electricity services, and to the collections that may be made through the invoice by the Contractor, shall be used for: (i) reading the meters of service users; (ii) billing and collection for the provision of electricity, street lighting, sanitation and those expressly authorized by the Holder; (iii) conducting collection management for the electricity service; (iv) sending and selling products and services of the Company (i.e. promotions, advertising campaigns, events, competitions, Multiservices sales, offers, etc.); (v) surveys, studies and market research; and (vi) in general, everything necessary for the proper provision of the electricity service in accordance with Laws 142 and 143 of 1994.

9.6. Processing of Personal Data of the community in general. The collection of personal data of natural persons that EPSA treats in the course of community-related activities, whether by reason of corporate social responsibility or any other activity, will be subject to the provisions of these policies. For this purpose, EPSA will previously inform and obtain the consent of the Holders of the personal data in the documents and instruments used for that purpose and relating to these activities.

In each of the cases described above, the areas of the organization that carry out business processes involving personal data should consider, in their action strategies, the formulation of rules and procedures to comply with and enforce the policies adopted here, and to prevent possible legal sanctions.

X. PROHIBITIONS.

In developing these policies for safeguarding personal information at EPSA, the following prohibitions, and the penalties resulting from their breach, are established.

10.1. EPSA prohibits access, use, management, transfer, communication, storage and any other processing of personal data of a sensitive nature without the authorization of the Holder of the Personal Data and/or of EPSA.

• Violation of this prohibition by EPSA employees will be considered a serious offense, which may result in the termination of the employment relationship. The foregoing is without prejudice to any legal action that may be required.

• Violation of this prohibition by providers that contract with EPSA will be considered a serious cause to end the contract, without prejudice to any action that may be required.

• In contracts with suppliers where the contracted subject matter involves Personal Information, a provision will be agreed in relation to the damage that may be caused to EPSA as a result of fines, operational sanctions, among others, imposed by the competent authorities as a consequence of reckless and negligent acts by the supplier.

10.2. EPSA prohibits the sale, communication or circulation of personal data without the prior, express written authorization of the Holder of the Personal Data or of EPSA. The transfer or communication of personal data shall be recorded in EPSA's central registry of Personal Data and shall have the authorization of the Custodian of the database.

10.3. EPSA prohibits access, use, transfer, communication, treatment, storage and any other processing of personal data of a sensitive nature that may come to be identified in an audit procedure carried out pursuant to the rule on the proper use of the organization's computing resources and/or other rules and/or policies issued by EPSA for these purposes.

Sensitive data so identified will be reported to their Holder so that the Holder may remove them; if this option is not possible, EPSA will proceed to remove them securely.

10.4. EPSA prohibits recipients of these policies from any processing of personal data that may give rise to any of the acts described in the Computer Crimes Act, Law 1273 of 2009.

10.5. EPSA prohibits the Processing of Personal Data of children and adolescents who are minors, unless authorized by their legal representatives. Any treatment of minors' data shall ensure the prevailing rights that the Constitution recognizes for them, in harmony with the Code for Children and Adolescents.

XI. INTERNATIONAL DATA TRANSFER.

It is forbidden to transfer personal data to countries that do not provide adequate levels of data protection. Safe countries are understood to be those that meet the standards set by the Superintendency of Industry and Commerce.

Exceptionally, EPSA may make international transfers of data when:

11.1. The Holder of the data has given its prior, express and unequivocal authorization to perform the transfer.

11.2. The transfer is necessary for the performance of a contract between the Contractor and EPSA as Responsible and / or Data Processor.

11.3. In the case of banking and securities transfers, according to the law applicable to such transactions.

11.4. In the case of data transfers under international treaties that are part of the Colombian legal system.

11.5. Transfers are legally required to safeguard the public interest.

When an international transfer of personal data occurs, after sending or receiving them, EPSA will sign agreements that regulate in detail the obligations, burdens and duties arising for the parties involved.

Agreements or contracts concluded must comply with the provisions of these policies and with the legislation and case law applicable to the protection of personal data.

XII. ROLES AND RESPONSIBILITIES IN COMPLIANCE WITH THE PROTECTION OF PERSONAL DATA.

The responsibility for the proper treatment of personal data within EPSA lies with all employees and managers.

Consequently, each area that handles business processes involving the processing of personal data shall adopt rules and procedures for the implementation and enforcement of these policies, given its status as custodian of the personal information contained in EPSA's information systems.

In case of doubt regarding the Processing of Personal Data, the area responsible for information security and/or the Legal Department shall be consulted to indicate the guideline to follow, as appropriate.

XIII. TIMELINESS OF PERSONAL DATA.

In the treatment of personal data carried out by EPSA, the permanence of the data in its information systems will be determined by the purpose of such treatment. Consequently, once the purpose for which the data were collected has been exhausted, EPSA will destroy or return the data, as appropriate, or keep them in accordance with the law, taking technical measures to prevent improper treatment.

XIV. SAFETY.

In the treatment of personal data subject to regulation in these policies, EPSA will adopt physical, logical and administrative measures, which are classified as high, medium and low according to the risk that may arise from the criticality of the Personal Data treated.

In implementing the principle of security of personal data, EPSA will adopt a general guideline on these measures, compliance with which will be mandatory for recipients of these policies.

It is the obligation of the recipients of these policies to inform EPSA of any suspicion that may involve a violation of the security measures adopted by the organization to protect the personal data entrusted to it, as well as of any improper treatment of such data, once they become aware of the situation.

In these cases, EPSA will notify the supervisory authority of the situation and will manage the respective security incident regarding Personal Data in order to establish its legal implications, whether at a criminal, labor, civil or disciplinary level.

XV. PROCEDURES AND SANCTIONS.

EPSA informs the recipients of these policies of the penalties provided for by Article 23 of Law 1581 of 2012, which embody the risks assumed through improper treatment of personal data:

"ARTICLE 23. Penalties The Superintendency of Industry and Commerce may impose Accountable and Responsible Treatment Treatment the following sanctions: a) personal and institutional Fines up to the equivalent of two thousand (2,000) monthly legal minimum wages at the time of the imposition of the sanction character. Fines may be as long as there successive failure that resulted. b) Suspension of activities related to the treatment up to a term of six (6) months. In the event of suspension corrective to be taken are indicated c) Temporary closure of operations related to the treatment once the term of suspension has elapsed without it has taken corrective ordered by the Superintendency of Industry and Commerce. d) immediate and definitive closure of the transaction involving the treatment of sensitive data."

Notification of any investigation procedure by any authority related to the processing of personal data shall be communicated immediately to the Legal Department of the Company, so that measures can be taken to defend the actions of the entity and avoid the imposition of sanctions under Colombian law, including those set forth in Title VI, Chapter 3 of Law 1581 of 2012, as described above.

As a consequence of the risks assumed by EPSA as Responsible and/or Data Processor of personal data, failure by recipients to comply with these policies is considered a serious offense and will result in the termination of the respective contract, without prejudice to other actions that may be legally due.

XVI. DELIVERY OF PERSONAL DATA TO AUTHORITIES.

When state authorities request from EPSA access to and/or delivery of Personal Data contained in any of the databases, EPSA will verify the legality of the request and the relevance of the data requested in relation to the purpose expressed by the authority. The delivery of the personal information requested shall be documented, ensuring that it complies with all its attributes (authenticity, reliability and integrity) and noting the duty of protection over these data that binds both the officer making the request and the recipient, as well as the entity for which they work. The authority requiring the personal information will be warned about the security measures that apply to the Personal Data delivered and the risks involved in their misuse and inappropriate treatment.

The content of the proceedings shall comply at all times with the provisions in force concerning security of personal data.

This manual is effective as of July 26, 2013.

END OF DOCUMENT
