Updating the National Database Registry by the year 2022

Since the issuance of Law 1581 of 2012 in Colombia, the National Registry of Databases (hereinafter the "RNBD" or the "Registry") was created as a directory of personal databases susceptible to processing by public or private entities and is mandatory for: (i) companies and non-profit entities with total assets exceeding 100,000 UVT, as well as for (ii) all legal entities of a public nature.

The following is a summary of the updates that must be made this year and the due date for their completion:

1. Annual update

 Updating that implies a sweep through all the registered information, even if there are no modifications.

Term: Must be completed between January 2 and March 31.

2. Report of new developments due to claims filed by the owners.

This report corresponds to the consolidation of claims filed by policyholders with the Company (or third parties acting as agents) during the semesters July to December and January to June, respectively. In the event that no claims have been filed, the option to report negatively in the system must be verified.

Term: Must be presented on two occasions: (i) this February 21 and (ii) on August 22.

3. News report for security incidents with personal information.

 This report corresponds to situations involving a breach of security, loss, theft and/or unauthorized access to personal information of the Company or third parties acting as Agents.

Term: It must be performed within 15 working days from the moment a security incident is detected or brought to our attention.

4. Updating due to substantial changes in the recorded information

This report must be made when there are substantial changes in the information recorded; such changes are related to: the purpose of the database, data processors, channels of attention to the owners, classification or types of personal data stored in the databases, the security measures that have been adopted, the Personal Data Processing Policy and the transfer or transmission of data abroad.

Term: It must be made within the first 10 business days of each month, only when there is a substantial change in the information.

Finally, it is worth mentioning that the update is done directly on the RNBD platform and that the Superintendence of Industry and Commerce has sanctioning powers for non-compliance.