We recognize the importance of security, privacy and confidentiality of personal information that Holders of the information provide our Companies through various channels (including websites, applications, physical documents and others), and we are committed to adequately protect and treat it, pursuant to the personal date legal protection regime available in each territory where we operate.

Communicate Holders of personal information, the type of data, the purpose of Treatment, the protection and the rights they have as Holders of information and the procedures to exercise them.

Responsible for treatment: Aerovias del Continente Americano S.A. Avianca
Tax ID. No.: 890.100.577-6 NIT
Postal address: Calle 26 # 59-15 (Colombia)
Phone: 5877700
E-mail: habeasdata@avianca.com

Directorate of Risk, Security and Compliance with Information.

4.1 Who we are?

4.1.1 The companies

Aerovías del Continente Americano S.A. Avianca a commercial company incorporated in the Republic of Colombia acting in its capacity as employer, directly or through its legally incorporated branches in the territories of Argentina, Aruba, Colombia, Brazil, Curacao, Spain, London, Panamá and Venezuela.

Tampa Cargo S.A.S., a commercial company incorporated in the Republic of Colombia acting in its capacity as employer, directly or through its legally incorporated branches in the territories of Colombia and The United States.

Taca International Airlines S.A., a commercial company incorporated in the Republic of El Salvador acting in its capacity as employer, directly or through its legally incorporated branches in the territories of El Salvador and Guatemala.

Trans American Airlines S.A., a commercial company incorporated in the Republic de Perú acting in its capacity as employer, directly or through its legally incorporated branches in the territories of Argentina, Bolivia, Brazil, Guatemala, Paraguay, Perú.

Avianca Ecuador S.A., a commercial company incorporated in the Republic of Ecuador acting in its capacity as employer in the territory of Ecuador.

Líneas Aéreas Costarricenses S.A. Lacsa, a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer, directly or through its legally incorporated branches in the territories of Costa Rica, Cuba, Dominican Republic and Venezuela.

Aviateca S.A., a commercial company incorporated in the Republic of Guatemala de Guatemala, acting in its capacity as employer in the territory of Guatemala.

Aviaservicios S.A., a commercial company incorporated in the Republic of Guatemala de Guatemala, acting in its capacity as employer in the territory of Guatemala.

Pitasa S.A., a commercial company incorporated in the Republic of Guatemala de Guatemala, acting in its capacity as employer in the territory of Guatemala.

American Central Corporation a commercial company incorporated in The United States de América acting in its capacity as employer, directly or through its legally incorporated branches in the territories of The United States, Canada and Puerto Rico.

Grupo Taca de Chile S.A., a commercial company incorporated in the Republic of Chile, acting in its capacity as employer in the territory of Chile.

Isleña de Inversiones, S.A. de C.V., a commercial company incorporated in the Republic de Honduras acting in its capacity as employer in the territory of Honduras.

Servicio Terrestre, Aéreo and Rampa S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Servicios Aéreos Nacionales S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Servicios Aeronáuticos PilotCrew-CR S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Servicios Misceláneos Australes S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Tripulantes de Taca S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Vu-Marsat S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Taca de Costa Rica S.A., a commercial company incorporated in the Republic of Costa Rica, acting in its capacity as employer in the territory of Costa Rica.

Pilotos de Taca S.A. de C.V., a commercial company incorporated in the Republic of El Salvador acting in its capacity as employer in the territory of El Salvador.

Technical and Training Services, S.A. de C.V., a commercial company incorporated in the Republic of El Salvador acting in its capacity as employer in the territory of El Salvador.

Avianca Inc., a commercial company incorporated in The United States de América acting in its capacity as employer in the territory of The United States.

Taca de Honduras S.A. de C.V., a commercial company incorporated in the Republic de Honduras, acting in its capacity as employer in the territory of Honduras.

Grupo Taca Panamá S.A., a commercial company incorporated in the Republic of Panamá, acting in its capacity as employer in the territory of Panamá.

Nicaragüense de Aviación S.A., a commercial company incorporated in the Republic de Nicaragua, acting in its capacity as employer in the territory of Nicaragua.

Taca de México S.A., a commercial company incorporated in The United States de México, acting in its capacity as employer in the territory of México.

C.R. Int'l Enterprises, Inc., a commercial company incorporated in The United States de América acting in its capacity as employer in the territory of The United States.

All of them hereinafter individually and collectively referred to as the Companies, who, for the purpose of the provision and commercialization of passenger and product air transport services and related services such as tour packages, air and/or land cargo transport services, express courier and courier services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA, AVIANCA ECUADOR S.A., AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA TOURS, DEPRISA, PREFERENCIA "Corporate Travel Program", AVIANCA EXPERIENCE AIRPASS, AVIANCA STORE, or solely under the trademark AVIANCA, each and all of them respectively and as corresponds Responsible and/or In Charge of Treatment of information and personal data

4.2  Acceptance of this Privacy Policy and Purpose of Treatment of Information

For purposes of this Policy, the term "treatment" is understood as any operation or set of operations over personal data and information such as, use, collection, storage, disclosure, distribution or deletion thereof.

Acceptance of this Privacy Policy and of the Treatment of personal data and information pursuant to the terms thereof takes effect when the Candidate and/or Applicant, Collaborator bound by a labor agreement, Related Third Party, Retired Collaborator, provides his or her personal data through any channel or mean set forth by The Companies for the proper performance of various Human Talent processes and procedures.

As defined in this document, a collaborator related by labor agreement and or related third party, who provides their personal data and/or personal data of Holders in his or her family group and/or beneficiaries, accepts that the Companies will treat his or her personal information, for the purposes provided in this Policy, guaranteeing transparency and compliance with current regulations and the Organization’s internal policies, when the collaborator bound by a labor agreement and/or related third party act in representation or on behalf of the other or for another, it is understood they do so in good faith.

By accepting this Privacy Policy, and when executing the authorization at the agreements execution, each of the Holders of the information (including those in his or her family group and/or beneficiaries of the Collaborator bound by a labor agreement and/or related third party) expressly authorize the Companies to Treat said information, partially or fully, including collection, storage, recording, use, distribution, Treatment, deletion, transmission and or transfer, domestic or international, and only for the purposes described herein:

4.2.1 Management of Processes Related to Human Talent within The Companies

• Treating personal information for the adequate handling of all processes related to Human Talent in The Companies as well as sending the information through the channels established for that purpose, such as: promoting verification and evaluation procedures of applicants during selection processes of the Companies, control and follow-up of the hiring process, support and performance of the collective benefits derived from a labor agreement, such as, but not limited to: registration of the collaborator and his or her beneficiaries in the AVIAJAR system to issue benefit tickets, payroll stubs or payment tickets, registration and payment of contributions to the comprehensive social security system, registration and/or update of beneficiaries before the comprehensive social security system, managing the workplace security and health system during performance of various work activities and/or any other type of information directly or indirectly related to compliance of the obligation derived from the labor agreement, civil or commercial agreement and the administration of Human Talent.
• Providing personal data and information to national and international oversight and supervision, administrative, police and judicial authorities, under a legal or regulatory requirement and/or using, sharing or disclosing this personal data and information in defense of the rights and/or ownership of the Companies, their customers, our websites or its users, to guarantee compliance with regulations that apply to The Companies, for fraud detection or prevention, money laundering, terrorist financing, avoidance of conflict of interest, detection of publicly or politically exposes persons (PEPs), criminal prosecution or when the Companies in good faith consider that the delivery of information and personal data is in their best interest to fraud safety.
• Allowing access to personal data and information to auditors or third parties hired to perform internal or external audit processes of the commercial activities carried out by us.
• Checking and updating personal data and information, at any time, in order to keep this information updated.
• Outsourcing the storage and/or processing of personal data and information for the proper execution of Human Talent processes and procedures, under the security and confidentiality standards which we bind us.
• Transmitting personal data to countries other than those where information is collected, in which case the Companies will seek to protect such data in accordance with the security and confidentiality standards set forth herein.
• Transferring your personal data and information, in the event of a change of control in one or more Companies or in any of the business units due to merger, acquisition, bankruptcy, demerger, or creation, to the new entity controlling the Companies or their business units. If, as a result of the change of control, there is a change of the Person in Charge of the treating of personal data and information, such situation will be reported to the Holders of the personal data and information, in order for them to exercise their rights under the relevant applicable law. The conditions under which the owners of personal data and information may exercise their rights will be indicated when reporting the change of control.

4.3  Scope of application

This Personal Data Privacy Policy, as well as the above-described purposes, apply to Holders of information acting under any of the capacities described below.

4.3.1 Candidates and/or applicants for a vacancy or position in the Companies (hereinafter “candidate”)

A candidate is a natural person who expresses, through any means provided by the Companies, his or her interest in participating in the processes of human talent attraction. By accepting this Privacy Policy, each of the candidates, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending emails, information related to selection processes, administration of vacancies available at the Companies, hiring processes and/or any other type of information directly or directly or indirectly related to the fulfillment of the obligations of the labor, civil or commercial contract and with Human Talent management.
• Verifying and checking the truthfulness of the information, personal and/or job references, disciplinary and/or criminal records related to risk restriction lists, prevention of money laundering, bribery and terrorist financing.
• Checking and updating personal data and information, at any time.

4.3.2 Collaborator bound by labor agreement

The Collaborator bound by a Labor Agreement, is the person bound by a labor agreement to any of The Companies (hereinafter “Collaborator bound by a Labor Agreement”). By accepting this Privacy Policy, the Collaborator bound by a Labor Agreement, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending information related to Human Talent processes and procedures, such as: payroll stubs or payment tickets, collective benefits derived from a labor agreement, requesting information relevant for the Company, withholding at the source certificates, data update request, information of interest, document requests, scheduling of work schedules, circulars, policies, manuals, training courses, reservation and pre-reservation for benefit tickets, corporate conventions, voucher confirmation for the use of transportation and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement.
• Verifying and checking the truthfulness of the information, personal and/or job references, disciplinary and/or criminal records related to risk restriction lists, prevention of money laundering, bribery and terrorist financing.
• Checking and updating personal data and information, at any time.

4.3.3 Related Third Parties

A related third party any is a natural person, other than a collaborator bound by a labor agreement, who provides services or supports the execution of some processes in the Companies or who works for members of the Companies’ Boards of Directors, or who are at the service of a contractor or supplier of goods and services –whether such contractor or supplier is a natural or legal person, that has entered into a civil or commercial contract with the Companies– and who under the provisions of any of such contract, carries out operational-support, technical, administrative or commercial functions (hereinafter “Related third party”).

By accepting this Privacy Policy, the Related Third Party, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending information related to Human Talent processes and procedures, such as: confirmation of reservations and pre-reservations generated through the Organization’s systems, corporate conventions and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement.
• Query and update information and personal data, at any time, to keep said information updated.

4.3.4 Family Group and/or Beneficiary

A Family Group is comprised of all those natural persons with a relationship of consanguinity and/or civil with any Collaborator bound by labor agreement or related third party who enjoy the benefits directly granted by the Companies. A beneficiary is a natural person who has been registered in the Human Talent administration systems by a Collaborator bound by labor agreement or related third party in order to grant them the benefits directly granted by The Companies (hereinafter “Family Group and/or beneficiary”).

4.3.5 Removed Collaborator

A natural person who had an employment relationship generated by a labor agreement with one of The Companies and that ended by reason of any established legal grounds (hereinafter “Removed Collaborator”.

By accepting this Privacy Policy, the Removed Collaborator, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending information related to Human Talent processes and procedures that may arise after termination of a labor agreement, such as: confirmation of reservations and pre-reservations generated through the Organization’s systems, corporate conventions and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement.

4.3.6 Retired Collaborator

A natural person who had an employment relationship generated by a labor agreement with any of the Companies and that ended by reason of acknowledgment of his or her right to retire, directly by The companies or acknowledged by the Social Security System (hereinafter “Retired Collaborator”).

By accepting this Privacy Policy, the Retired Collaborator, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending information related to Human Talent processes and procedures that may arise after termination of a labor agreement, such as: confirmation of reservations and pre-reservations generated through the Organization’s systems, corporate conventions and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement.

4.3.7 Any other interested Holder of the information that reside in the personnel administration files (hereinafter “Other interested”)

By accepting this Privacy Policy, Any Other Interested Holder, acting in his or her capacity as Holder of the information, authorizes the Companies to partially or totally treat such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission and/or transfer to third parties under the terms of this Privacy Policy for the purposes described in numeral 6.1 and especially for:

• Sending information related to Human Talent processes and procedures that may arise after termination of a labor agreement, such as: confirmation of reservations and pre-reservations generated through the Organization’s systems, corporate conventions and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement.

4.4  Personal information and data we treat

The Companies may collect personal data and information from: candidates, collaborators bound by labor agreements, related third parties, family group and/or beneficiary, removed collaborator, retired collaborator, and/or any other interested Holder, which information may vary according to the requirements of local authorities, technological facilities, nature of the products or services provided, among others. For that purpose, the following personal data and information may be collected and stored and/or processes in servers located in computer centers, whether owned or contracted with third parties, that may be located in the cloud or in various countries:

In the case of candidates for a position in The Companies, the following information is treated: Names and surnames, type and identification number, nationality, birthdate, gender, civil status,fixed and mobile telephones of contact of the candidate and of the personal and labor references that he informs in his resume, postal and electronic addresses of the candidate and of the personal and work references he or she reports on his or her resume, fax (personal and / or work), profession or occupation, academic profile, professional profile.

In the case of active employees, retired employees, and other persons who have had a labor agreement with The Companies: names and surnames, type and identification number, birthdate, gender, civil status, home phone, cell phone, fax (personal and / or work), profession or occupation, academic profile, professional profile, admission date, nationality, department, blood type, mother's name, father's name, name of family group members to include as ticket beneficiaries, previous job, disabilities, relationship with an official - degree of kinship, type of contract, term of the contract, transportation voucher, ing for pax, contribution union, position, salary, function, job profile, weekday worked, monthly day, weekday, type of pay, bank account for payroll payments, payment agency, severance fund, health fund, pension fund, family compensation fund, healthcare provider eps, prepaid medical entity, certifications of medical, admission, periodic and retirement exams.

Other information necessary to formalize the contractual relationship

For related third parties (including: natural persons, other than collaborators bound by labor agreement, that provide services to the Companies under a contract other than a labor agreement, that provide their service to the Companies under an agreement other than a labor agreement, or who are at the service of a contractor or supplier of goods and services –whether such contractor or supplier is a natural or legal person, that has entered into a civil or commercial contract with the Companies, and that by reason of these agreements fulfills operational, technical, administrative or commercial support tasks or duties): names and surnames, type and identification number, birthdate, gender, civil status, home phone, cell phone, postal and electronic addresses (personal and / or work), fax (personal and / or work), profession or occupation, academic profile, professional profile, nationality, department, relationship with an official - degree of kinship, type of contract, term of contract.

For family group and beneficiaries (referring to information of family members to enjoy benefit tickets or extralegal benefits pursuant to the information in the resume and the registration form “Beneficiary Documents”): beneficiary name, identification document, effective start date (date of entry of the collaborator to the company), date of birth (of beneficiary), nationality, department, country, gender, relationship with collaborator.

Holders of personal data and information will not be required in any case to authorize the Treatment of sensitive data. Notwithstanding the to allow for the proper administration of Human Talent processes, Holders who provide sensitive personal information to the Companies, authorize its use for the express purposes outlined herein, which shall be treated pursuant to the company’s security policy.

In addition, for security purposes, the Companies may collect, store, share and compare personal data and information with different national or international administrative, control and supervising, police and judicial authorities, domestic and international, the personal data and information, including biometric data, obtained through any image, audio or video recording device, located in our facilities (such as administrative offices, points of sale, VIP lounges, airport modules for customer service, call centers). The Companies will inform the general public about this by publishing Privacy Warnings, in the locations where this personal data and information is collected.

4.5  Validity of treatment of personal data and information

Information provided by candidates to occupy a vacant position within the Companies, will be stored for a term of up to one (1) year after the date of the last Treatment, to be considered for future selection processes in which the candidate participates.

The information provided by active employees, removed employees, retired employees and other persons who had a direct labor relationship with The companies, shall remain stored for up to two (2) years as of the date of the last Treatment, incompliance with their legal and/or contractual obligations, or for the necessary time to respond to related applicable provisions and to administrative, accounting, tax, legal and historic information matters, or in any case provided by the law.

After the precautionary term of two (2) years, labor history is physically stored, in electronic means or other means provided by The Companies for that purpose, for the time necessary to respond to legal and/or contractual provisions, especially in corporate policies, legal and/or contractual obligations and the time necessary to respond to related applicable provisions and to administrative, accounting, tax, legal and historic information matters, or in any case provided by the law.

4.6  Truthfulness of the Information

The interested Holder has the duty of providing THE COMPANIES with truthful personal information for processes of: attraction of human talent and formalization of the labor relationship, as well as to make rendering of the contracted personnel service possible, the administration of benefits and legal and extralegal labor obligations of the Companies as employers, conditions under which they accept to provide the required information.

The Companies presume the accuracy of the information provided and are not under the obligation to verify identity of the Holders, or the truthfulness, validity, adequacy and authenticity of the data provided by each one of them. Therefore, we shall assume no liability for any damages of any nature that may originate due to the lack of truthfulness, adequacy, sufficiency or authenticity of the personal data and information, including damages derived from homonyms or identity theft. All of the above, notwithstanding the administrative / disciplinary sanctions and legal consequences derived from the existence of a labor relationship and that may be implemented by the Companies, pursuant to the provisions of labor legislation and internal policies.

4.7  Information of children and underage teenagers

THE COMPANIES, may hold information of children and minor teenagers, with a kinship or consanguinity relationship or who are simply part of the family group of the collaborator bound by a labor agreement, a related third party, family group and/or beneficiary, removed collaborator, retired collaborator or any other interested Party in the Companies. In the event that their parents or guardians of these children become aware of an unauthorized data Treatment, they may submit their inquiries or complaints to habeasdata@avianca.com. The Companies shall ensure the proper use of personal data of children and underage teenagers, guaranteeing that treatment of their data complies with applicable laws, as well as the protection of their best interests and fundamental rights where possible, taking into account their opinions as holders of their personal data.

4.8  Use of cookies

The Companies may use cookies and other similar technologies on their websites, mobile applications, electronic kiosks and electronic devices used to access them, in order to learn the origin, increase functionality and accessibility to websites, verify that users meet the required criteria to process their requests and adapt their products and services to Users’ needs, being able to obtain the following general information:

1. The type of browser and operating system used

2. La dirección IP.

3. IP address

4. Duration of browsing

5. Device language

6. Accessed links

7. The last website visited before accessing www.avianca.com.

These cookies and other similar technologies can be disabled and deleted by the Users whenever they want. For this purpose, the candidate, collaborator bound by labor agreement, family group and/or beneficiary, retired collaborator and/or any other interested Holder, may verify and/or request help on the Internet browser they are using.

Check our Cookies Policy and learn how we use your personal data for a better user experience.     

4.9  Protection, security and confidentiality of personal information and data

Protection, security and confidentiality of the personal data and information of information Holders is highly important for THE COMPANIES. Policies, procedures and information security standards, which may change at any time at their discretion and which aim to protect and preserve the integrity, confidentiality and availability of personal data and information, regardless of its nature or format, its temporary or permanent location or how it is transmitted. Therefore, we rely on technological security tools and comply with renowned industry security practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, restriction of access to the information only to authorized personnel, data backup, safe development of software, among others.

Any contract entered into by The Companies with any third party (contractors, external consultants, temporary collaborators, etc.) which involves the Treatment of personal data and information of the candidate, collaborator bound by a labor agreement, related third-party, gamily group and/or beneficiary, removed collaborator, retired collaborator or any other interested Holder, includes a confidentiality agreement that specifies their commitments to the protection, care, safety and preservation of confidentiality, integrity and privacy thereof.

4.10 Rights of the Information Holder

The Information Holder is hereby informed of the rights granted by applicable laws as a Holder of personal data and which are listed below:

• To know, update and rectify their personal data and information before the entity that is responsible or in charge of the Treatment of their personal data and information.
• To request proof of the authorization granted to the entity that is responsible for the Treatment of their personal data and information, unless such request constitutes an express exception for such Treatment.
• To be informed, upon request, by the entity that is responsible for the Treatment of their personal data and information about how such personal data and information have been used.
• To file complaints before competent authorities for violations to the applicable personal data protection regime.
• To revoke the authorization and/or request the removal of the personal data and information under the terms of this Privacy Policy.
• To access their personal data and information that was subject to Treatment, upon previous request to The Companies and under the provisions of the corresponding valid and applicable regulations. If the requests exceed one per calendar month, the Companies will charge the Holder requesting such information for its shipment, reproduction and, if applicable, certification costs.

4.11 General procedure to exercise the rights of Clients, Travelers and Users as holders of personal information.

The candidate and/or applicant, collaborator bound by a labor agreement, related third-party, gamily group and/or beneficiary, removed collaborator, retired collaborator or any other interested Holder are entitled to know the details of their personal data treatment and to exercise their rights as Holders thereof, under the terms of applicable data protection regulations and pursuant to the provisions of this Privacy Policy.

For the purpose of the above, this policy defines the general procedure for Holders of information to exercise their rights, notwithstanding the enforcement of specific stipulations and procedures of domestic laws in each territory. In the event of a discrepancy between the general procedure and the specific stipulations or procedures contained in applicable local regulations in each territory, the specific regulations shall prevail.

The Personal Data Privacy area is the responsible department within the Organization to promote and enforce the Personal Data Protection Program. For this purpose, the Organization has enabled specific service channels for interested parties to exercise their Personal Data protection rights, such as the habeasdata@avianca.com email address.

4.11.1 Queries

a) The Holder of the Information and/or the person exercising the right on his or her behalf, must prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person other than the Interested Party and/or whoever has the power to act on its behalf.

• Proof by the Holder shall be confirmed by submission of: a physical or digital company of the pertinent identification document and passport (identification number on international flights), depending on the method of submission of the query.
• When the request is made by a person other than the Holder, the third party must duly prove power of attorney to act on behalf of the Holder by sending any supporting documents.

b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on a physical and/or digital mean through the channels enabled by the Organization for that purpose and identified in this Privacy Policy.

c) The request to exercise any of the aforementioned rights must contain at least the following information:

• Name of the interest party, his or her representative and/or the person exercising the right on his or her behalf.
• Concrete, accurate and justified request of the invoked right.
• Physical and/or electronic address for notifications.
• Documents that support the request (if applicable).
• Signature of the requesting party depending on the method of request.

d) The request will be handled by the area and/or delegate within the organization in charge of protection of personal data only when Ownership of the information is proven and it meets the abovementioned requirements.

4.11.2 Claims

a) The Holder of the Information and/or the person exercising the right on his or her behalf, must prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person other than the Interested Party and/or whoever has the power to act on its behalf.

• Proof by the Holder shall be confirmed by submission of: a physical or digital company of the pertinent identification document and passport (identification number on international flights), depending on the method of submission of the query.
• When the request is made by a person other than the Holder, the third party must duly prove power of attorney to act on behalf of the Holder by sending any supporting documents.

b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on a physical and/or digital mean through the channels enabled by the Organization for that purpose and identified in this Privacy Policy.

c)  The request to exercise any of the aforementioned rights must contain at least the following information:

• Name of the interest party, his or her representative and/or the person exercising the right on his or her behalf.
• Concrete, accurate and justified request of the invoked right.
• Physical and/or electronic address for notifications.
• Documents that support the request (if applicable).
• Signature of the requesting party depending on the method of request.

d) The request will be handled by the area and/or delegate within the organization in charge of protection of personal data only when Ownership of the information is proven and it meets the abovementioned requirements.

4.11.3 Security Violation

a) When the Holder’s request identifies a violation that may lead to a regulatory breach or the violation of a right associated to personal data, the process in the previous numerals shall be followed along with the following specifications and exceptions:

Classification of the type of incident:

Critical Level: involves sensitive data, or disclosure of private or semi-private data without authorization of the Holder that leads to a possible loss of confidentiality of the information.

Intolerable Level: involves private or semi-private data associated to improper handling pursuant to contractual obligations or the authorization granted by the Holder.

b) Mitigation actions pursuant to the Internal Information Privacy and Handling Manual.

4.11.4 Terms.

The following general terms of reference shall be used, however, the region of origin of the Holder of the information must be considered, response times and requirements may vary, therefore, depending on the region, the construal of this numeral must be made jointly with the annexes and reference must be made to those that are pertinent.

Query: they will be handled within a maximum of ten (10) working days as of reception of the query. When it is not possible to respond within said term, we will inform of the reasons for the delay and the date on which the query will be answered, which in no case may exceed five (5) working days after expiration of the first term.

Claims: they will be handled within a maximum of fifteen (15) working days as of reception of the duly supported claim. When it is not possible to respond to the claim within said term, we will inform of the reasons for the delay and the date on which the query will be answered, which in no case may exceed eight (8) working days after expiration of the first term.

If the claim in incomplete, the Holder will be asked to cure any faults within the following five (5) days. After two (2) months of the date of the request, without receiving the required information from the interested party, we will understand that the claim has been desisted

4.11.5 Channels enabled to handle queries and claims

To exercise their rights, Applicants, related collaborators, related third parties and other Holders of information may enforce their rights to know, update, rectify and eliminate personal data or information by sending a request to habeasdata@avianca.com depending on the business unit or service.

In the event that any candidate and/or applicant, collaborator bound by a labor agreement, related third-party, gamily group and/or beneficiary, removed collaborator, retired collaborator or any other interested Holder considers that the use of content in any of our communication channels, such as websites, mobile applications and kiosks constitutes a breach to their intellectual property rights, they shall notify us by sending a communication with the following information to the abovementioned email address:

• Personal data: name, address, telephone number and e-mail address of the claimant.
• Authentic signature, with the personal data of the Holder of the intellectual property rights subject to infringement or of the person authorized to act on behalf of the Holder of the intellectual property rights subject to infringement.
• Accurate and complete indication of the content that is protected by the intellectual property rights infringed and its location.
• Express and clear statement of the fact that such content has been used without the authorization of the Holder of its intellectual property rights.
• Express and clear statement, and under the responsibility of the claimant, that the information provided is accurate and that the use of such content is an infringement to the intellectual property rights thereof.
• The claims arising from these facts shall be subject to proper Treatment and resolution under the applicable legal proceedings, pursuant to the nature and applicability thereof.
• The request for deletion of information and the revocation of the authorization or the request to restrict the use and disclosure of personal data will not proceed when the Holder is legally or contractually bound to remain in the database, under the terms set forth by the applicable laws.
• Notwithstanding the enforcement of the general procedure set forth in this Privacy Policy, we have identified some territories where specific provisions are set out by local laws. For the purpose of consulting these specific provisions, please refer to Section 5. Annexes.

4.12 Modifications to the Privacy Policy

THE COMPANIES reserve the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products.

These modifications will be made available to the public through the following channels: visible notices on their premises or customer service centers, on our websites, smartphone applications (Smartphones) or electronic kiosks (Privacy Notice) or through the last e-mail provided.

Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail over any other version disclosed in any language. In the event that there is any inconsistency between the Spanish version and any translation of this Privacy Policy in another language, the Spanish version shall prevail.

4.13 Validity of Treatment of personal information and data

The validity of the information depends upon fulfillment of the purpose and use, therefore, information provided by candidate and/or applicant, collaborator bound by a labor agreement, related third-party, gamily group and/or beneficiary, removed collaborator, retired collaborator or any other interested Holder shall remained physically stored, in electronic or other means provided by the Companies for that purposes, the necessary time to respond to applicable provisions and administrative, accounting, fiscal, legal and historic information aspects, or in any case, pursuant to the provisions of Article 246 of the Substantive Labor Code.

4.14 Review of occupational medical history

Article 14 of Resolution 2346 from 2007 issued by the Ministry of Labor in Colombia, defines occupational medical history as the unique set of private, mandatory and confidential documents that chronologically register a person’s health conditions, the medical acts and other procedures performed by a healthcare team that intervenes in its assistance. It can result from one or more occupational medical evaluations. It contains and lists the labor background and exposure to risk factors of a person during its labor history, as well as environmental measurement results and professional events. The occupational history is part of the general medical history and the legal dispositions that regulate the latter shall therefore apply.

4.15 Ethics Hotline

The Organization has an Ethics Hotline, managed by Navex Global Inc., a company incorporated under the laws of Delaware, USA, and independent from The Organization so that collaborators, related third parties, suppliers, shareholders, Travelers, Clients, Users and the general public to submit complaints or inquiries, reveal conflicts of interests , which shall be treated confidentially. The Ethics Hotline guarantees anonymity in the event that the reporting party wished to hide his or her identity.

The Ethics Hotline is available 24/7 at aviancaholdings.ethicspoint.com and on several phone lines available on this link.

Treatment of personal data and protection of privacy will be performed by companies integrated into Avianca Holdings, S.A., with the purpose of investigating claims, absolving queries and taking administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available on the “Policies” section of the Ethics Line portal.

Colombia

5.1 Colombia Annex.

Regarding information and personal data treated in Colombia, the procedures to exercise of the rights of the holders of such information will be the one set out by Law 1581 from 2012 and its regulatory decrees.

Pursuant to Article 10 of Decree 1377 from 2013, the AIRLINES request your authorization to continue Treatment of your personal data and information under the terms set forth by this Privacy Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 from 2012, we inform you that by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your personal data and information to other countries in which we operate, where different levels of protection of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia, Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

​You can exercise your rights to know, update, modify and/or delete your personal data and information by sending an email to habeasdata@avianca.com, pursuant to the general procedures indicated in numeral 12 of this General Privacy Policy. To exercise their rights, travelers, clients or users may exercise their right to know, update, rectify or suppress their personal information or data by sending a request to habesdata@avianca.com, or through the Suggestions and Claims service at www.avianca.com, or through our Call Centers in Bogota 4013434 or in other cities in Colombia on 018000953434, in accordance with this Privacy Policy.

The contact information for THE AIRLINES in Colombia are:

Address: Avenida Eldorado No. 59 – 15, Bogota
Phone Number in Bogota: 4013434
Other cities in Colombia: 018000953434
E-mail: habeasdata@avianca.com.

Mexico

5.2 Mexico Annex.

Regarding information and personal data treated in Mexico, the procedures for the exercise of the rights of the holders of such information will be the ones set out by Federal Law on Protection of Personal Data Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for exercising ARCO rights in Mexico:

Pursuant to the provisions of Mexican law, holders of personal data and information have the right to access, rectify, cancel or oppose the Treatment of their personal data, for which purpose the following procedure shall be carried out: The area responsible for the Treatment of personal data (Direction and Intelligence of Information) may be contacted through the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogota, Colombia
E-mail: habeasdata@avianca.com.

The request to access, rectify, cancel or oppose shall include, at least:

• Full name and address of the holder of the personal data and information, or provide any other means to response to the request.
• Documents proving the identity or legal representation of the holder of the personal data and information.
• Clear and accurate description of the personal data and information subject to the enforcement of the aforementioned rights.
• Any other item or document that facilitates the location of personal data and information.
• Indicate the modifications to be made and/or limitations on the use of personal data and information.
• Provide documentation to support your request. THE AIRLINES shall communicate the adopted resolution to holder owner of the personal data and information, within a term not exceeding 20 working days from the date of receipt of the request. If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, THE AIRLINES shall inform the owner of the personal data and information the meaning and motivation of the resolution, through the same means through which the request was carried out, and that resolution shall be accompanied with relevant evidence, if any. If the request is appropriate, it will be executed by THE AIRLINES within 15 working days following the communication of the adopted resolution.

The holder may file a request for data protection with the Federal Institute of Access to Information (IFAI). Such request shall be submitted by the owner within 15 working days from the date the AIRLINES communicate the response to the owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall be required to prove their identity.

The obligation of access to information shall be fulfilled when THE AIRLINES make available the personal data and information to the owner or when such information is provided in form of photocopies or electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under the assumption that THE AIRLINES are the responsible entities thereof, and it is ultimately concluded that THE AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free of charge. Our customers, Travelers or Users should only cover the reasonable costs of shipping or reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion or opposition of personal data and information in less than 12 months from the date of the last request, the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification, deletion or opposition to the Treatment thereof in the following cases:

• If the petitioner is not the owner or legal representative or is not authorized.
• If the petitioner’s personal data and information is not contained in the databases of the AIRLINES.
• If the rights of any third party are violated.
• If there exists any legal impediment or resolution by an authority.
• If the rectification, deletion or opposition was previously carried out and the request is no longer pertinent.
  
  

The cancellation of personal data and information will result in a lockout period after which the deletion of the data will be performed. Once the personal data and information are cancelled, the AIRLINES shall notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the purposes of the Treatment obligations arising from this policy. If the personal data and information are transmitted to third parties or entities in charge before the rectification or deletion and if they are subject to Treatment by such third parties, the AIRLINES shall inform such third parties about the request filed by the owner in order to make such rectifications and deletions.

The AIRLINES are not under any obligation to cancel the personal data and information in cases where the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or when the owner has a legal or contractual duty to remain in the database, under the terms set forth by the law. In addition, once the collected personal data and information are no longer necessary for the compliance with the purposes set forth by this policy and with the applicable legal provisions, such personal data and information will be cancelled from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Holders may at any time revoke their consent to the Treatment of their personal data and information. In order to do so, the owner shall send an e-mail written in Spanish to the following address: habeasdata@avianca.com, which shall include the same requirements previously indicated for the exercise of ARCO rights, indicating the personal data and information subject to such revocation. The AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Holders may at any time limit their consent to the Treatment of their personal data and information for marketing and promotional purposes by sending an e-mail to the following address: habeasdata@avianca.com​, mentioning such limitations. The AIRLINES will stop sending information within ten (10) working days from the date of receipt of the e-mail.

Contact details THE AIRLINES in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Phone Number in Mexico : 01800 1233120
E-mail: habeasdata@avianca.com.

European Union

5.3 European Union Annex.

In compliance with applicable legislation and through this Annex: European Union – Policy, we hereby inform Employees of our Companies in the European Union, their Beneficiaries and Candidates to personnel selection process of said Companies, of how we treat personal data and the rights related thereto.

5.3.1   Scope.

This personal data Privacy Policy applies to the following categories of interested parties:

• Candidates and/or applicants to a vacancy or position in the Companies: natural persons who express through any Means provided by the Companies their interest of participating in personnel selection processes (hereinafter “Candidate(s)”).
• Employees: persons who are or have been bound to any of the Companies through a labor agreement under a service provision regime (hereinafter “Employee(s)”).
• Related Third Parties: natural persons, other than Employees, who provide services or support the execution of processes in the Companies, including members of Boards of Directors, or who are at the service of a contractor or supplier of goods and services, whether they are a legal or natural person, under a civil or commercial agreement with the Companies that, by reason of this agreement, performs duties or functions of operating, technical, administrative or commercial assistance (hereinafter “Related Third Party”).
• Beneficiaries: natural persons who, as a result of being employed by the Companies, or being removed or retired, or by a relationship of consanguinity and/or civil relationship with any Employee, enjoy the benefits directly granted by the Companies. beneficiary is a natural person who has been registered in the Human Talent administration systems by a Collaborator bound by labor agreement or related third party in order to grant them the benefits directly granted by The Companies (hereinafter “Family Group and/or beneficiary”).

5.3.2 Who is responsible for treatment of your personal data?

The Person Responsible for Treatment shall be one of the Companies for whom the Employee and/or Related Third Party works or to which a Candidate applies, and whose personal information will be collected in the corresponding agreement. Specifically, our Companies in the European Union are:

• Aerovías del Continente Americano S.A. Avianca Sucursal en España
  Registration NIF A4801001A
  Postal Address: C/ Castelló, nº 23 – 4º Izquierda Madrid (España)
  Phone +34 91 758 91 22
  E-mail: habeasdata@avianca.com.
• Aerovías del Continente Americano S.A. Avianca UK Branch
  Postal Address: 36 Kennington Road, Lambeth, Londres (Reino Unido)
  Phone: +44 800 0314206
  E-mail: habeasdata@avianca.com.

5.3.4 Purpose of Personal Data Treatment

Complementing the purposes listed in numeral 5 herein, THE AIRLINES treat personal data for the following reasons:

• To enter into and manage a contractual relationship: perform evaluations and selection of potential suppliers; Establish business relationships to purchase goods or services. Control and payment of received goods and service; Qualitative and quantitative service level evaluations of services received by suppliers; communication of policies and procedures about how to do business with suppliers; accounting control and registration processes of obligations entered into with suppliers; queries, audits and revisions derived from a business relationship with a supplier; Any other activity necessary for the effective compliance of the commercial relationship between the supplier and The Companies. Treating the personal information and data that has been provided for the adequate handling of processes related to the Companies’ Human Talent, as well as to send information related to those process through the communication channels provided for that purpose, such as: administration of available vacancies in The companies, information related to the selection process, the hiring process, collective benefits derived from a labor agreement, requesting information relevant for the Company, withholding at the source certificates, data update request, information of interest, document requests, scheduling of work schedules, circulars, policies, manuals, training courses, reservation and pre-reservation for benefit tickets, corporate conventions, voucher confirmation for the use of transportation and/or any other type of information directly and indirectly related to fulfillment of the obligations derived from the existence of a labor agreement, civil or commercial agreement and the administration of Human Talent. Query and update personal information and data, at any time to keep said information updated.
• Personnel Selection: treat personal information and data that has been provided to adequately handle all processes related to Human Talent of the companies, as well as to send information related to those process through the communication channels provided for that purpose, such as: administration of available vacancies in The companies, information related to the selection process, the hiring process, and/or any other type of information directly and indirectly related to the fulfillment of the obligations derived from administration of Human Talent.
• Verify the accuracy of the information provided: verifying and checking the truthfulness of the information, personal and/or job references, disciplinary and/or criminal records related to risk restriction lists, prevention of money laundering, bribery and terrorist financing.
• Compliance with legal obligations: compliance with legal obligations as an employer of collaborators bound by a labor agreement before entities, such as but not limited to, social security, governmental such as Ministries, taxes, fiscal and legal aspects with government and regulatory entities; Respond to legal procedures, make reports or respond to requirements from various domestic and international control and surveillance authorities, policy and judicial authorities, fraud identification and prevention of money laundering and other illicit activities; Ethics Hotline. Allow access to personal data and information to auditors or third parties contracted to perform internal or external audit procedures related to the commercial activity we carry out.
• Security and Access Control: security at the Companies’ facilities and access control.
• Benefits: processing of reservation and pre-reservations using benefit tickets and enjoyment of other benefits, such as sending communications related thereto.

5.3.5 Validity of treatment of information

Personal data provide by Candidates shall be stored for a term of one (1) year as of the date of last Treatment, to be taken into consideration for future selection processes in which the candidate participate. Personal data provide by Employees and by Beneficiaries who have been Employees at the companies but have resigned or retired, shall be physically stored, in electronic means and other means provided by the Companies for that purpose, during the term of the labor relationship with the Companies and for the time deemed necessary to respond to legal and/or contractual obligations, especially those in corporate policies, legal and/or contractual obligations and for the necessary time to respond to applicable provisions and administrative, accounting, fiscal, legal and historic information aspects, or in any case, pursuant to the provisions of the Law.

5.3.6 Legitimation for treatment of your data

In the case of Employees of the Companies and Related Third Parties, the legal fundamental grounds that allows us to Treat this information is performance of the contract, from which the rights and obligations of the parties are derived. There are also legal obligations (among others, contained in current local labor regulations / statutes) that obligate us to perform certain treatment of data. For example, the law requires affiliation of the comprehensive social security system of the corresponding country where the services are rendered.

In some cases, treatment is performed with a legitimate corporate interest, such as access control to the Companies’ facilities, as long as the interests or rights and freedoms of suppliers do not prevail. Likewise, in some cases, we will seek express consent of Employees of the Companies to for certain Treatments (vehicle leasing, Employee benefits, loans). IN the case of Candidates and Beneficiaries, the legal grounds that legitimize Treatment of their data is consent. In any case, they will have the right to withdraw their consent at any time, which we will duly inform upon provision thereof.

In order to carry out a labor agreement, as well as to fulfill certain legal requirements, indispensable data must be collected. The Employee is under the obligation to provide certain personal data (true and updated) legally required and necessary to execute the contract. If they are not provided, we will not be able to manage and perfect the contractual relationship. Once contracting is carried out, he or she will be informed of which data is obligatory and which are not, so that failure to communicate that which is mandatory will assume the impossibility of carrying out the contract.

5.3.7 Third Party and/or Recipients to whom your data will be disclosed

Information of our suppliers may be legitimately communicated to the following third parties:

• For management of a contractual relationship: to the companies of the group of our Companies in the European Union: Aerovías del Continente Americano S.A. Avianca Tampa Cargo S.A.S, Avianca Ecuador S.A., Taca International Airlines S.A., Líneas Aéreas Costarricenses S.A. Lacsa, Trans American Airlines S.A., Aviateca S.A., Servicios Aéreos Nacionales, Sociedad Anónima (SANSA), Isleña de Inversiones, S.A. de C.V.; suppliers of security tools to process banking transactions, banking entities, insurers, our representatives or agents, third parties with whom we contract storage and/or processing of personal information and data for the proper performance of our Human Talent processes and procedures.
• To comply with legal obligations: national employment services, social security, mutual, labor and tax authorities, administrative, legal, fiscal and/or regulatory authorities, security forces and bodies and regulatory entities, when the law so requires.
• To manage the Ethics Hotline: Navex Global Inc., a company incorporated under the laws of Delaware, USA, is in charge of Treatment of our Ethics Hotline. Likewise, in cases where the corresponding interested parties so consent: to third-party collaborators of the Companies to provide benefits to Employees / Beneficiaries, such as companies of the group of which our Companies in the European Companies are a part of, associated airlines, LifeMiles, vehicle leasing companies, private health insurance, restaurant voucher companies.

Many of our Companies of the Avianca Group are located outside the European Union and therefore many of our dependents are too. It is possible that in some cases, recipients of the personal data and information are located outside the European Union, only to comply with contractual obligations. If data is transferred outside the European Economic Area, it shall be done pursuant to current regulations (Regulation (EU) 2016/679 issued by the European Parliament and the Council, April 27, 2016, in relation to Protection of Physical Persons regarding personal data treatment and free circulation of this data and whereby Directive 95/46/CE is repealed – General Data Protection Regulations – as well as national legislations of Member States in relation to his matter). In countries that do not have a decision that adapts to the European Commission, Avianca has adopted the appropriate guarantees pursuant to applicable regulations.

5.3.8   Types of Personal Data Treated

In the case of Beneficiaries that belong to the family group of Employees of the Companies and in relation to Employees who provide data to Companies so that they may enjoy benefits, the data includes that which is collected in the corresponding registration form known as “Beneficiary Documents”:

• Name (beneficiary).
• Identification document.
• Date of validity (date of entry of the Collaborator to the Company).
• Date of birth (beneficiary).
• Nationality.
• Department.
• Country.
• Gender.
• Relationship with the collaborator.

5.3.9 What are your rights when you provide your data

We will eventually request our Employees and Candidates to review and update the information we have about them. Likewise, Employees and Candidates may request any change to the information they provided and to exercise their legal rights as Holders of personal data by contacting habeasdata@avianca.com.

Our Employees and Candidates have the rights to obtain confirmation of whether or not their personal data is being treated.

Likewise, they have the right to access their personal data, as well as to request rectification of inaccurate data or, in any case, to request its suppression when, among other reasons, data is no longer necessary for the purpose for which it was collected.

In certain cases, our Employees and Candidates may request to limit treatment of their data, in which case, except for its preservation, we will only treat it to formulate, exercise or defend claims and other motives set forth in applicable legislation.

In certain circumstances and for reasons related to your specific situation, our Employees and Candidates may oppose data treatment. We will stop treating your data, except tor imperious legitimate purposes, or to formulate, exercise or defend possible claims.

To do so, they must submit their written request, attaching a document that certifies their identity, to the email address habeasdata@avianca.com or by physical mail to the address of the person responsible for treatment for who they work or to who they have requested a position:

• Aerovías del Continente Americano S.A. Avianca Sucursal en España
  Registration NIF A4801001A
  Postal Address: C/ Castelló, nº 23 – 4º Izquierda Madrid (España)
  Phone +34 91 758 91 22
  E-mail: habeasdata@avianca.com.
• Aerovías del Continente Americano S.A. Avianca UK Branch
  Postal Address: 36 Kennington Road, Lambeth, Londres (Reino Unido)
  Phone: +44 800 0314206
  E-mail: habeasdata@avianca.com.

If you wish to obtain more information regarding your rights, if you are not satisfied with the exercise of your rights and/or if you wish to present a claim, you must do so by addressing the data protection control authority (Agencia Española de Protección de Datos). Contact information available at: http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.

5.3.10 Ethics Hotline

We have made an Ethics Line available to our collaborators, suppliers, related third parties, shareholders, travelers, clients, users and the general public, to submit claims or queries related to the enforcement of the Ethics Code and Business Conduct, the Anti-bribery Policy and other corporate policies adopted by Avianca. We have contracted the Ethics Line with Navex Global, Inc., who has provided a web portal aviancaholdings.ethicspoint.com and various phone lines for its operation.

For the purpose of legal obligations derived from the personal data protection and privacy regulations as it is collected through the Ethics Hotline, Navex Global Inc., acts as a Responsible Person in Charge of Treatment and will treat said information on behalf of the integrated Companies, who will jointly be Responsible parties. Avianca Holdings S.A. will not directly treat collected personal data. Treatment shall be performed by its integrated Companies, with the purpose of investigating claims, absolving queries and taking administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available on the “Policies” section of the Ethics Line portal.

5.3.11 Changes to the Privacy Policy

The Companies reserve the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products.

Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail over any other version disclosed in any language. In the event that there is any inconsistency between the Spanish version and any translation of this Privacy Policy in another language, the Spanish version shall prevail.

5.3.12 Validity

This General Privacy Policy shall enter into force on the day it is published. The last published revision is dated May 25, 2018.

Peru

5.4  Peru Annex.

Regarding information and personal treated in Peru, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS (hereinafter “the Law and its regulations”).

Travelers, Clients and Users are entitled to see and know the details of the Treatment of personal data and information we perform, to know the collected personal data and information, to oppose if necessary, to request their rectification if inaccurate or incomplete and to cancel them if not used according to the law, the terms and conditions of the purchased product or service, the corresponding contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about the following rights to which you are entitled as the owner of your personal data and information under Peruvian law:

• Access.
• Information.
• Rectification and Updating.
• Deletion.
• Opposition.

In order to exercise such rights, a request shall be sent to THE AIRLINES including the following information:

• Names and last names and certification of the petitioner’s identity (copy of their ID or passport).
• Specific reasons for the request.
• Address or electronic address for the purposes of response notifications.
• Documents supporting the request (in the case of the right to rectify, cancel or oppose).
• Signature of the petitioner.

The procedures to exercise your rights are the following:

1.  Right to access and information:

Owners may exercise the right to access the data contained in our database, in which case they will be provided with requested access information.

The access request will be answered within a maximum term of twenty (20) working days from the day of receipt of the request.

If processing of the claim within this term is not possible, they will be informed of the reasons for the delay and the term for the response will be extended to twenty (20) additional working days.

The holder of the data may exercise their right to information to know the manner in which such information has been collected. Such request will be answered within a maximum term of eight (8) working days from the day of receipt of the request. If the request to exercise the right of access or information is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.

If the required information is not presented after such 5-day term, the request shall be deemed not filed.

2. Right to rectify, update, oppose or cancel:

If the holder considers that the information contained in a database must be subject to correction, updating or deletion, they may file a duly supported request, which will be processed under the following rules: If the request is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.

If the required information is not presented after 5 days from the date of the request, the request shall be deemed not filed.

On the other hand, if the information or documents supporting the request are insufficient, the AIRLINES may require additional documentation to process the request within seven (7) days from the date of receipt of the request and such information shall be submitted by the owner within ten (10) working days. In addition, if you have not submitted the required information after such term, such information shall be deemed not submitted.

During the rectification or deletion processes, the AIRLINES or the responsible entities will block third-party access to the data.

The maximum term to process a request of rectification, updating, opposition or deletion will be ten (10) working days from the date of receipt of the request. If Treatment the claim within this term is not possible, you will be informed of the reasons for the delay and the date your claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of the request.

Contact details for THE AIRLINES in Peru are:

Address: Avenida Jose Pardo 831 (4th Floor) Miraflores Lima Peru
Phone Number in Peru (Lima): 2136060
E-mail: habeasdata@avianca.com.

Canada

5.5 Canada Annex.

Regarding information and personal data treated in Canada, the procedures to exercise the rights of holders of such information will be the ones set out by the Personal Information Protection and Electronic Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the establishment of rules governing collection, use and distribution of personal information in Canada. This Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since such provinces are exempt from the application of this statute since they have their own local regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles with which every private organization must comply when collecting, using or distributing personal information of any traveler, client or user, which can be seen at PIPEDA.

If requested any contact electronic address, Users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or claim to habeasdata@avianca.com, which will be processed in accordance with the terms set out by this Privacy Policy and any other applicable law.

United States

5.6  United States Annex.

The Department of Transportation of the United States of America (hereinafter DOT) states that THE AIRLINES shall adequately report the collection, use and disclosure of personal data and information of Travelers, Clients or Users.

Although there is no federal statute that specifically regulates the Treatment of personal data and information in this country, the DOT may investigate and prevent any practice related to trading air transport services, which also covers the Treatment of the personal data and information of our Travelers, customers or Users.

The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of America (also known as COPPA).

The COPPA Act regulates the protection of the privacy of children in the United States and authorizes the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or guardians’ consent, they may contact the AIRLINES through habeasdata@avianca.com​, in which case the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the provisions set out by applicable laws.

Additionally, and as applicable, you can check our Privacy and Data Protection Policies:

• If you are a supplier of one of THE AIRLINES and wish to check the privacy conditions that apply to your personal data and information, please check the Privacy Policy for Suppliers.
• If you are an active employee, retired employee, related third party, beneficiary or candidate to a position with THE AIRLINES and you wish to check the privacy conditions that apply to your personal data and information, please check our Privacy Policy for Collaborators.
• If you are a shareholder of Avianca S.A. and you wish to check the privacy conditions that apply to your personal data and information, please check our Privacy Policy of Aerovias el Continente Americano S.A. for Personal Data Protection of Shareholders and Investors.
• If you are a shareholder of Avianca Holdings S.A. and you wish to check the privacy conditions that apply to your personal data and information, please Privacy Policy of Avianca Holdings S.A. for Personal Data Protection of Shareholders and Investors.
• If you have a hearing and/or speech disability and you require personalized service, please call our toll-free line (1 866) 998-3357 or write to us at habeasata@avianca.com. Remember that you can request special services for persons with disabilities during our online purchase process.

These annexes apply in accordance to and are an integral part of the General Privacy Policy for the protection of Personal Data of Travelers, Clients and Users.

For the purposes of this Policy, the following words and expressions will have the meaning ascribed:

• Common Shares: shares issued by the Company which carry voting rights.
• Common Shareholder: an individual or entity that holds one or more Common Shares.
• Bonds: common bonds issued by the Company in 2009.
• Investor: an individual or entity that holds one or more Bonds.
• Direct Depositors: brokers authorized by the Financial Superintendence, who act as intermediaries in exchange operations of Bonds and who act on behalf of the Investor before DECEVAL.
• Processing: in this Policy, Processing is any operation or set of operations over the personal data of each Common Shareholder and Investor, for the purposes set forth in this Policy.
• Entities in charge of the Processing: legal entities affiliated to the Company, who act on its behalf in handling administrative and/or accounting process that involve processing of personal data related to Common Shares, Bonds, and each Common Shareholder and Investor and (ii) DECEVAL, the entity responsible for the administration of Bonds on behalf of the ISSUING COMPANY, in accordance with the provisions of the Manual of Policies for Personal Data Processing available on the DECEVAL’s website, under the Commercial Offer of Deposit and Administration of the Dematerialized Issuance of Ordinary Bonds, presented by the Colombian Central Securities Depository, DECEVAL S.A. and accepted through purchase order by Aerovías del Continente Americano S.A. Avianca, regarding processing of personal data of each Investor.
• Entity responsible for the Processing: the Company.

This Policy applies to the Processing of personal data of Common Shareholders and Investors carried out by Avianca as the entity responsible for the Processing.

In addition, this Policy applies to the Processing that the following companies carry out as affiliates of Avianca Holdings S.A. and as Entities in charge of Processing:

• Aerovías del Continente Americano S.A. Avianca, incorporated in the Republic of Colombia.
• Taca International Airlines S.A., incorporated in the Republic of El Salvador.
• Líneas Aéreas Costarricenses S.A. Lacsa, incorporated in the Republic of Costa Rica.
• Taca Costa Rica S.A. incorporated in the Republic of Costa Rica.

On the other hand, since the administration of personal data of Investors of the Company is carried out through the Central Securities Depository DECEVAL S.A., as the Entity in charge of the Processing, the Company acts in its capacity of Entity Responsible for the Processing of such data, which have been collected through banking or brokerage institutions, who act as Direct Depositors on behalf of Investors before DECEVAL and who, due to the functions legally carried out by them, are also Entities in charge of the Processing, collect such data on behalf of the Company and submit them directly to DECEVAL under the contractual relation they maintain with such Entity.

The POLICY MANUAL – PROCESSING OF PERSONAL DATA adopted by DECEVAL applies to the Processing carried out by DECEVAL as the Entity in charge of the Processing of personal data of Investors under the contract entered into between such entity and the Company. Such policy manual is available at deceval.com.co.

Personal data of each Common Shareholder and Investor is partially or totally processed by the Company, including the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred. By accepting this Privacy Policy each Common Shareholder and Investor acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

• Keeping the records of its Shareholders and Investors.
• Accessing and updating the personal data of its Shareholders and Investors.
• Contacting and sending information regarding the Company.
• Issuing certifications required by Shareholders or Investors.
• Paying dividends and yields.
• Processing inquiries, claims and complaints.
• Carrying out accounting records.
• Managing correspondence and e-mail communications or telephone calls.
• Processing and/or initiating legal proceedings.
• Recording the transfer of shares or bonds.
• Recording levies on shares and bonds.
• Responding to the requirements of different national and international oversight and supervision, administrative, police and judicial authorities.
• Requesting information to Credit Reporting Agencies.
• Verifying and requesting criminal or disciplinary records and the existence of administrative sanctions.
• Verifying and accessing restrictive lists.
• Responding to the requirements of banking institutions and/or insurance companies, which maintain contractual or business relations with the Company.
• Using or disclosing them in defense of the rights and/or property of the Company.
• Using or disclosing them for fraud detection or prevention or criminal prosecution.
• Allowing access to personal data and information to auditors or third parties hired by the Company to perform internal or external audit processes of the commercial activities carried out by the Company.
• Contracting third parties for the storage and/or processing thereof under safety and confidentiality standards.
• Transmitting them national or international entities to which the Company will commission processes related to shares or bonds.
• Transmitting them to third parties interested in investing in the Company or in any integration process under any legal form provided by law.
• Transferring them to national or international entities during business or corporate situations that involve change of the Entity Responsible for the Processing of personal data, in which case such situation will be informed to the owners of personal data in order for them to exercise their rights in accordance with the law.
• In general, to carry out any other proceeding in charge of by Company in connection with shares or bonds.

The Company recognizes that once a share or bond issued by the Company is acquired by a Common Shareholder or Investor, they authorize the processing of their personal data for the aforementioned purposes.

Rights of Shareholders and Investors in connection with the processing of their personal data

Shareholders and Investors are entitled to see and know the details of the processing and use of personal data required carried out by the Entity Responsible of the Processing or the Entities in charge of the Processing, as well as to rectify them if inaccurate or incomplete, to file complaints with the relevant authorities and to revoke the authorization and request their deletion if not processed under constitutional and legal principles, rights and guarantees, before the due process, and in particular to:

• Know, update and rectify their personal data and information with the Entity Responsible of the Processing or the Entities in charge of the Processing of their personal data and information.
• Request proof of authorization granted to the Entity Responsible for the Processing, except when expressly disregarded as a requirement for the processing.
• Be informed by the Entity Responsible of the Processing or the Entities in charge of the processing about how such personal data and information have been used.
• File complaints with the relevant authorities in the event that the applicable provisions regarding personal data protection are violated.
• Revoke authorization and/or request the deletion of personal data and information under the terms of this Privacy Policy.
• Access the personal data and information that have been subject to processing, upon previous request to the Company and under the valid and applicable regulations.

Procedure to Exercise their Rights

The Company has established the following procedure for the exercise of rights by Shareholders and Investors, without prejudice to the application of specific provisions set out by local laws in each territory. In case of a disagreement between the general procedure herein and the specific provisions set out by local laws, specific provisions shall prevail.

Processing requests to update and access personal data:

Common Shareholders or Investors or their successors, may file claims, inquiries and requests to update their personal data, as follows:

The Common Shareholder shall file their claims, inquiries and requests to update the information via e-mail or through written communication directed to the President or Secretary General of the Company.

Investors who own bonds shall file their claims, inquiries and/or requests to update the information through the channels provided by DECEVAL to carry out this process.

Upon receiving a request to update the information, the Company or the Entity in charge, which may be a company affiliated to Avianca Holdings S.A., will validate if such request correspond to a Shareholder or Investor and will perform the update within fifteen (15) working days following the date of the request. If such update or change of the information of the Shareholders or Investors involves changing the name or marital status, or in the cases of legal entities, a change of business name or partners, they shall attach the legal supporting documents to prove the new situation.

Inquiries will be processed by the Company or the Entity in charge, which may be a company affiliated to Avianca Holdings S.A., within a maximum term of ten (10) working days from the date of receipt thereof. In the event such request cannot be processed within said term, the Company or the Entity in charge will inform the reasons for the delay, indicating the date on which the request will be processed, which in no case shall exceed five (5) working days from the expiry of the first term.

If an Entity in charge is not an affiliated company of Avianca Holdings S.A., requests and inquiries regarding personal data will be processed according to the procedure established by such Entity, under its own privacy policies.

Processing claims about personal data

If the Common Shareholder or Investor, or they successors, consider that the personal data related their Shares or Bonds must be corrected or deleted, or if they become aware of a potential breach to any of the duties set forth in the regulations or in this Policy, they may file a claim, which will be processed as follows:

The Common Shareholder shall file their claims via e-mail or through written communication directed to the President or Secretary General of the Company taking into consideration the following rules:

The claim shall be accompanied with their identification, the description of the facts related to the claim, their address, and the accompanying documents they want to enforce. If the claim is incomplete, the Company will require the missing information within five (5) days from the date of receipt thereof in order to rectify the information. If after two (2) months from the date of request the Common Shareholder has not filed the required information, the Company will consider the claim as abandoned.

If the Company is not able to resolve the claim, it will be forwarded to the appropriate entity within a maximum term of two (2) business days and the Common Shareholder will be promptly informed thereof.

The maximum term to process the claim will be fifteen (15) working days from the day following the date of the appropriate receipt thereof. If it is not possible to satisfy the claim within this term, the Common Shareholder will be informed of the reasons for the delay and the date their claim will be processed, which in no case may exceed eight (8) working days following the expiry of the first term.

Common Shareholders may exercise their rights to know, update, rectify and/or delete their personal data via e-mail to ir@avianca.com, in accordance with the terms of this Privacy Policy. The contact details of the Company in Colombia are: Avenida El dorado No. 59 – 15, Bogota.

Investors who own bonds shall file their claims, inquiries and/or requests to update the information through the channels provided by DECEVAL to carry out this process.

The protection, security and confidentiality of the personal data and information of Share-holders and Investors are highly important for the Company. We have set forth policies, procedures and standards for information security, which may change at any time at the discretion of the Companies and which aim to protect and preserve the integrity, confiden-tiality and availability of personal data and information, regardless of their nature or format, their temporary or permanent location or the way in which they are transmitted. Therefore, we rely on technological security tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing ac-cess to the information only to authorized personnel, data backup, safe development of software, etc.

Third parties contracted by the Company are equally bound to comply with this privacy policy, as well as with the policies and manuals of information safety of the Company and the safety protocols applied to all of our processes.

Any contract entered into by the Company with any third party (contractors, external con-sultants, temporary employees, etc.) which involves the processing of personal data and information of travelers, clients and users includes a confidentiality agreement detailing their commitments to the protection, care, safety and preservation of confidentiality, integri-ty and privacy thereof.

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website Ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

The Company reserves the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products. These amendments will be made available to the public at avianca.com.

The personal information of Shareholders and Investors may remain stored and processed in accordance with this Policy, for up to twenty (20) years from the date of the last processing, to enable the Company compliance with legal and/or contractual obligations or for the time set out by law if such period is longer, in order to comply with the provisions applicable, in particular, to the administrative, accounting, tax-related, legal and historical aspects related to the shares or bonds.

This General Privacy Policy is effective as of the day of its publication. The latest published revision was made on June 22, 2016.

Additionally, as applicable, you may check our Privacy and Data Protection Policies.

• If you are a supplier of any AIRLINE and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Suppliers.
• If you are an active employee, retiree, pensioner, related third party, beneficiary or candidate to a position in any of the AIRLINES and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Employees.
• If you are a traveler, customer or user of our services and wish to check the privacy policies applicable to your personal data and information, please see our General Privacy Policy for the Protection of the Personal Data of Travelers, Customers and Users.
• If you are a shareholder of Avianca Holdings S.A. and wish to check the privacy policies applicable to your personal data and information please see Avianca Holdings S.A.’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.

Confidentiality and due protection of the personal information trusted to the Companies is highly important. Pursuant to their Code of Ethics, all the companies that act under the Avianca trademark are committed to process the data of their supplier in a responsible manner.

The Companies need to collect certain personal data in order to carry out the activities related to their commercial operation. The Companies have the legal and social obligation to comply with the legal and safety measures set out to protect the personal data collected for the purposes described in this privacy policy, which can be found on our website avianca.com.

In Responsible for treatment: Aerovias del Continente Americano S.A. Avianca
Tax ID. No.: 890.100.577-6 NIT
Postal address: Calle 26 # 59-15 (Colombia)
Phone: 5877700
E-mail: habeasdata@avianca.com

Directorate of Risk, Security and Compliance with Information.

4.1 Who we are?

4.1.1 The Companies:

The airlines Aerovías del Continente Americano S.A. Avianca, Tampa Cargo S.A., trading companies incorporated in the Republic of Colombia, Avianca Ecuador S.A., a limited liability company incorporated in the Republic of Ecuador, Taca International Airlines S.A., incorporated in the Republic of El Salvador, Líneas Aéreas Costarricenses S.A. Lacsa, incorporated in the Republic of Costa Rica, Trans American Airlines S.A.S, incorporated in the Republic of Peru, Aviateca, S.A., a company incorporated under the laws of Guatemala, Servicios Aereos Nacionales, a limited liability company (SANSA), incorporated in the Republic of Costa Rica, Isleña de Inversiones S.A. de C.V., incorporated in the Republic of Honduras, each and all of them hereinafter individually and collectively referred to as THE AIRLINES, who, for the purpose of providing and marketing passenger air transportation services and of related products and services such as tourism packages, air and/or ground transportation services, express and courier messenger services, airport service, express courier and courier services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA, AVIANCA ECUADOR S.A., AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA TOURS, DEPRISA, PREFERENCIA "Corporate Travel Program", AVIANCA EXPERIENCE AIRPASS, AVIANCA STORE, or solely under the trademark AVIANCA, each and all of them respectively and as corresponds Responsible and/or In Charge of Treatment of information and personal, under the terms of applicable personal data protection regulations.

4.2  Personal information and data we treat

The Companies may collect personal information and data to effectively comply with the obligations derived from the purchase of goods or contracting of services, which makes it necessary to compile certain information from our suppliers such as:

• Corporate names or names of natural persons.
• Names.
• Tax and fiscal identification information.
• Banking information for electronic transfers.
• Contacts.
• Copies of tax and banking support information.
• Postal address, email, phone number and/or fax number of the supplier.
• Financial information (for suppliers subject to purchase policy).

Any other supporting document required due to the nature of the purchase or service which is performed when the suppliers provide their information and their consent for the Companies to maintain in their records all information provided through any means to obtain their personal data and control.

4.3  Purpose of data treatment

The collected information may be used for the following purposes:

• Assessing and selecting potential suppliers.
• Complying with fiscal and legal obligations set forth by governmental or regulatory entities.
• Establishing business relations in order to purchase goods or services. Controlling and paying the supplied goods or services.
• Qualitative and quantitative evaluations of the services provided by the suppliers.
• Communicating policies and procedures on business conduct regarding suppliers.
• Processes of control and accounting recording of the obligations established with the suppliers.
• Inquiries, auditing and reviews arising from the business relations established with suppliers.
• Any other activity that is necessary to comply with the business relation between the supplier and the Companies.
• Verification on risk lists.
• Financial analysis (for suppliers subject to purchase policy).

The necessary information will be collected in order to comply with the legal and contractual obligations and to carry out processes related to suppliers, including the purposes set out in this document and those authorized by them.

4.4 Data transfer and transmission

The information provided by suppliers will be processed in accordance with the provisions of this privacy policy for suppliers, unless such suppliers authorize in written form the use of such information for different purposes. The physical and electronic access to the provided data will be limited to officers that need to access such data in order to comply with the established purposes.

The Companies commit to ensuring the compliance with all the legal principles of protection regarding data transmission under the terms of this privacy policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.
Since we are part of a corporate group that operates at the international level, the information provided by suppliers needs to be available to all the companies that are part of the Group, in order to carry out the processes binding suppliers.

We are often under the legal obligation of providing part of your information to administrative, legal, fiscal and regulatory authorities.

Suppliers accept that their personal identification information may be subject to transfer in the event that the Companies are partially or totally subject to sale, merge or any other form of transfer to a different entity.

4.5  Update or deactivation of information

The Companies may eventually request their suppliers to check and update the information collected about them.

In addition, suppliers may request any change in the provided information and exercise the legal rights to which they are entitled as owners of personal information by sending their request to habeasdata@avianca.com.

Suppliers may at any time and under legitimate reasons object in any written form the processing of their personal data. If their request is applicable, the Companies will no longer process such data.

The Companies have a policy to conduct periodic debugging of information belonging to providers whose business relation with the Companies have been terminated or interrupted.

4.6  Validity of Personal Data and Information Processing

The information provided by suppliers will remain stored for up to ten (10) years from the date of the last processing, to enable the us to comply with legal and/or contractual obligations under their charge, particularly in tax, fiscal and accounting matters.

4.7  Protection, Safety and Confidentiality of the Information

The information of suppliers of products and/or services is highly important for the Companies, therefore, we have set forth policies, procedures and standards for information security, which aim to protect and preserve the integrity, confidentiality and availability of such information, regardless of the medium or format in which they are stored, their temporary or permanent location or the way in which they are transmitted under the terms set out in this privacy policy and/or the way in which they are transferred within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

Therefore, we rely on technological tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing access to the information only to authorized personnel, data backup, safe development of software, etc.

4.8  Changes to the Privacy Policy

This privacy policy may be amended if deemed necessary by the Companies. We reserve the right to update and make significant amendments to this policy, as well as to the practices we implement to process information. Suppliers are entitled to request at any time a copy of the current privacy policy and are also entitled to exercise their rights as owners of personal data in accordance with the valid and applicable laws.

4.9 Ethics Hotline

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website aviancaholdings.ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

Colombia

5.1 Colombia Annex.

Regarding information and personal data treated in Colombia, the procedures to exercise of the rights of the holders of such information will be the one set out by Law 1581 from 2012 and its regulatory decrees.

Pursuant to Article 10 of Decree 1377 from 2013, the AIRLINES request your authorization to continue Treatment of your personal data and information under the terms set forth by this Privacy Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 from 2012, we inform you that by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your personal data and information to other countries in which we operate, where different levels of protection of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia, Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

​You can exercise your rights to know, update, modify and/or delete your personal data and information by sending an email to habeasdata@avianca.com, pursuant to the general procedures indicated in numeral 12 of this General Privacy Policy. To exercise their rights, travelers, clients or users may exercise their right to know, update, rectify or suppress their personal information or data by sending a request to habeasdata@avianca.com, or through the Suggestions and Claims service at www.avianca.com, or through our Call Centers in Bogota 4013434 or in other cities in Colombia on 018000953434, in accordance with this Privacy Policy.

The contact information for THE AIRLINES in Colombia are:

Address: Avenida Eldorado No. 59 – 15, Bogota
Phone Number in Bogota: 4013434
Other cities in Colombia: 018000953434
E-mail: habeasdata@avianca.com 

Mexico

5.2 Mexico Annex.

Regarding information and personal data treated in Mexico, the procedures for the exercise of the rights of the holders of such information will be the ones set out by Federal Law on Protection of Personal Data Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for exercising ARCO rights in Mexico: pursuant to the provisions of Mexican law, holders of personal data and information have the right to access, rectify, cancel or oppose the Treatment of their personal data, for which purpose the following procedure shall be carried out: The area responsible for the Treatment of personal data (Direction and Intelligence of Information) may be contacted through the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogota, Colombia
E-mail: habeasdata@avianca.com 

The request to access, rectify, cancel or oppose shall include, at least:

Full name and address of the holder of the personal data and information, or provide any other means to response to the request.

Documents proving the identity or legal representation of the holder of the personal data and information.
Clear and accurate description of the personal data and information subject to the enforcement of the aforementioned rights.

Any other item or document that facilitates the location of personal data and information.
Indicate the modifications to be made and/or limitations on the use of personal data and information.

Provide documentation to support your request. THE AIRLINES shall communicate the adopted resolution to holder owner of the personal data and information, within a term not exceeding 20 working days from the date of receipt of the request. If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, THE AIRLINES shall inform the owner of the personal data and information the meaning and motivation of the resolution, through the same means through which the request was carried out, and that resolution shall be accompanied with relevant evidence, if any. If the request is appropriate, it will be executed by THE AIRLINES within 15 working days following the communication of the adopted resolution.

The holder may file a request for data protection with the Federal Institute of Access to Information (IFAI). Such request shall be submitted by the owner within 15 working days from the date the AIRLINES communicate the response to the owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall be required to prove their identity.

The obligation of access to information shall be fulfilled when THE AIRLINES make available the personal data and information to the owner or when such information is provided in form of photocopies or electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under the assumption that THE AIRLINES are the responsible entities thereof, and it is ultimately concluded that THE AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free of charge. Our customers, Travelers or Users should only cover the reasonable costs of shipping or reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion or opposition of personal data and information in less than 12 months from the date of the last request, the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification, deletion or opposition to the Treatment thereof in the following cases:

• If the petitioner is not the owner or legal representative or is not authorized.
• If the petitioner’s personal data and information is not contained in the databases of the AIRLINES.
• If the rights of any third party are violated.
• If there exists any legal impediment or resolution by an authority.
• If the rectification, deletion or opposition was previously carried out and the request is no longer pertinent.

The cancellation of personal data and information will result in a lockout period after which the deletion of the data will be performed. Once the personal data and information are cancelled, the AIRLINES shall notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the purposes of the Treatment obligations arising from this policy. If the personal data and information are transmitted to third parties or entities in charge before the rectification or deletion and if they are subject to Treatment by such third parties, the AIRLINES shall inform such third parties about the request filed by the owner in order to make such rectifications and deletions.

The AIRLINES are not under any obligation to cancel the personal data and information in cases where the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or when the owner has a legal or contractual duty to remain in the database, under the terms set forth by the law. In addition, once the collected personal data and information are no longer necessary for the compliance with the purposes set forth by this policy and with the applicable legal provisions, such personal data and information will be cancelled from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Holders may at any time revoke their consent to the Treatment of their personal data and information. In order to do so, the owner shall send an e-mail written in Spanish to the following address: habeasdata@avianca.com, which shall include the same requirements previously indicated for the exercise of ARCO rights, indicating the personal data and information subject to such revocation. The AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Holders may at any time limit their consent to the Treatment of their personal data and information for marketing and promotional purposes by sending an e-mail to the following address: habeasdata@avianca.com​, mentioning such limitations. The AIRLINES will stop sending information within ten (10) working days from the date of receipt of the e-mail.

Contact details THE AIRLINES in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Phone Number in Mexico: 01800 1233120
E-mail: habeasdata@avianca.com 

Peru

5.3 Peru Annex.

Regarding information and personal treated in Peru, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS (hereinafter “the Law and its regulations”).

Travelers, Clients and Users are entitled to see and know the details of the Treatment of personal data and information we perform, to know the collected personal data and information, to oppose if necessary, to request their rectification if inaccurate or incomplete and to cancel them if not used according to the law, the terms and conditions of the purchased product or service, the corresponding contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about the following rights to which you are entitled as the owner of your personal data and information under Peruvian law:

• Access.
• Information.
• Rectification and Updating.
• Deletion.
• Opposition.

In order to exercise such rights, a request shall be sent to THE AIRLINES including the following information:

• Names and last names and certification of the petitioner’s identity (copy of their ID or passport).
• Specific reasons for the request.
• Address or electronic address for the purposes of response notifications.
• Documents supporting the request (in the case of the right to rectify, cancel or oppose).
• Signature of the petitioner.
  
  

The procedures to exercise your rights are the following:

1. Right to access and information: owners may exercise the right to access the data contained in our database, in which case they will be provided with requested access information.

The access request will be answered within a maximum term of twenty (20) working days from the day of receipt of the request. If processing of the claim within this term is not possible, they will be informed of the reasons for the delay and the term for the response will be extended to twenty (20) additional working days. The holder of the data may exercise their right to information to know the manner in which such information has been collected. Such request will be answered within a maximum term of eight (8) working days from the day of receipt of the request. If the request to exercise the right of access or information is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim. If the required information is not presented after such 5-day term, the request shall be deemed not filed.

2. Right to rectify, update, oppose or cancel: if the holder considers that the information contained in a database must be subject to correction, updating or deletion, they may file a duly supported request, which will be processed under the following rules: If the request is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim. If the required information is not presented after 5 days from the date of the request, the request shall be deemed not filed. On the other hand, if the information or documents supporting the request are insufficient, the AIRLINES may require additional documentation to process the request within seven (7) days from the date of receipt of the request and such information shall be submitted by the owner within ten (10) working days. In addition, if you have not submitted the required information after such term, such information shall be deemed not submitted. During the rectification or deletion processes, the AIRLINES or the responsible entities will block third-party access to the data.

The maximum term to process a request of rectification, updating, opposition or deletion will be ten (10) working days from the date of receipt of the request. If Treatment the claim within this term is not possible, you will be informed of the reasons for the delay and the date your claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of the request.

Contact details for THE AIRLINES in Peru are:

Address: Avenida Jose Pardo 831 (4th Floor) Miraflores Lima Peru
Phone Number in Peru (Lima): 2136060
E-mail: habeasdata@avianca.com 

European Union

5.4 European Union Annex.

The provisions of this annex, which applies in relation to the General Privacy Policy for the Protection of Personal Data of Travelers, Clients and Users and is an integral part thereof, shall apply for Travelers, Clients and Users residing in a member country of the European Union, as well as for passengers who buy their tickets in a member country of the European Union.

5.4.1 What is the purpose of treating your personal data?

We use your personal data for the following purposes:

• ENTERING INTO AND MANAGING THE CONTRACTUAL RELATIONSHIP: assessing and selecting potential supplier; Establishing business relations in order to purchase goods or services. Controlling and paying the supplied goods or services; Qualitative and quantitative evaluations of the services provided by the suppliers; Communicating policies and procedures on business conduct regarding suppliers; Processes of control and accounting recording of the obligations established with the suppliers; Inquiries, auditing and reviews arising from the business relations established with suppliers; Verification on risk lists; Financial analysis (for suppliers subject to purchase policy); Any other activity that is necessary to comply with the business relation between the supplier and the Companies.
• COMPLIANCE WITH LEGAL OBLIGATIONS: compliance with fiscal and legal matters with government and regulatory entities; Respond to legal procedures, make reports or respond to requirements from various domestic and international control and surveillance authorities, policy and judicial authorities, fraud identification and prevention of money laundering and other illicit activities; Ethics Hotline.

5.4.2 How long do we keep your personal data?

Personal data provided by suppliers will be kept during the duration of the commercial relationship and for the time necessary to comply with legal obligations, especially regarding accounting, tax and fiscal matters, being kept for a term of up to ten (10) years. In any case, in order to maintain the information update, we perform periodic depuration of information for those suppliers who have finalized or interrupted their business relationship.

5.4.3 What is the legitimacy for treatment of your data?

The fundamental legal grounds that allows us to treat the data of our suppliers is performance of the agreement, from where rights and obligations of both parties are derived. There are also legal, fiscal, aeronautical, among others, obligations that obligate us to treat certain data. In some cases, treatment hast legitimate corporate interest, such as prevention of fraud, as long as the interests or rights and liberties of suppliers don’t prevail. In order to contract or render the purchased services, as well as in compliance with certain legal requirements, certain indispensable data must be collected. The supplier is under the obligation to provide personal data (truthful and updated) required by the legal requirement and that which is necessary to execute the agreement. If it fails to do so, we may not manage and perfect the contractual relationship. Upon contracting, they will be informed of which data is mandatory and which is not, so that failure to communicate that which is mandatory will assume the impossibility of carrying out the contract.

5.4.4 Recipients to whom your data will be disclosed

Information of our suppliers may be legitimately communicated to the following third parties:

For management of a contractual relationship: to the companies of the group of our Companies in the European Union: Aerovías del Continente Americano S.A. Avianca Tampa Cargo S.A.S, Avianca Ecuador S.A., Taca International Airlines S.A., Líneas Aéreas Costarricenses S.A. Lacsa, Trans American Airlines S.A., Aviateca S.A., Servicios Aéreos Nacionales, Sociedad Anónima (SANSA), Isleña de Inversiones, S.A. de C.V.; suppliers of security tools to process banking transactions, banking entities, insurers, our representatives or agents, third parties with whom we contract storage and/or processing of personal information and data for the proper performance of our Human Talent processes and procedures. To comply with legal obligations: administrative, legal, fiscal and/or regulatory authorities, security forces and bodies and regulatory entities, when the law so requires. To manage the Ethics Hotline: Navex Global Inc., a company incorporated under the laws of Delaware, USA, is in charge of Treatment of our Ethics Hotline.

Many of our Companies of the Avianca Group are located outside the European Union and therefore many of our dependents are too. It is possible that in some cases, recipients of the personal data and information are located outside the European Union, only to comply with contractual obligations. If data is transferred outside the European Economic Area, it shall be done pursuant to current regulations (Regulation (EU) 2016/679 issued by the European Parliament and the Council, April 27, 2016, in relation to Protection of Physical Persons regarding personal data treatment and free circulation of this data and whereby Directive 95/46/CE is repealed – General Data Protection Regulations – as well as national legislations of Member States in relation to his matter).

In countries that do not have a decision that adapts to the European Commission, Avianca has adopted the appropriate guarantees pursuant to applicable regulations.

5.4.5 What are your rights when you provide your data

We will eventually request our suppliers to review and update the information we have about them. Likewise, Suppliers may request any change to the information they provided and to exercise their legal rights as Holders of personal data by contacting habeasdata@avianca.com. Our Suppliers have the right to obtain confirmation of whether or not their personal data is being treated. Likewise, they have the right to access their personal data, as well as to request rectification of inaccurate data or, in any case, to request its suppression when, among other reasons, data is no longer necessary for the purpose for which it was collected. In certain cases, our Suppliers may request to limit treatment of their data, in which case, except for its preservation, we will only treat it to formulate, exercise or defend claims and other motives set forth in applicable legislation. In certain circumstances and for reasons related to your specific situation, our Suppliers may oppose data treatment. We will stop treating your data, except tor imperious legitimate purposes, or to formulate, exercise or defend possible claims. They may find the forms to exercise their rights here. To do so, they must submit their written request, attaching a document that certifies their identity, to the email address afiliacion.proveedores@avianca.com, habeasdata@avianca.com or by physical mail to the address of the person responsible for treatment for who they work or to who they have requested a position:

Specifically, our Companies in the European Union are:

• Aerovías del Continente Americano S.A. Avianca Sucursal en España
  Registration No.: NIF A4801001A
  Postal Address: C/ Castelló, nº 23 – 4º Izquierda Madrid (España)
  E-mail: habeasdata@avianca.com
• Aerovías del Continente Americano S.A. Avianca UK Branch
  Postal Address: 36 Kennington Road, Lambeth, London (United Kingdom)
  E-mail: habeasdata@avianca.com 
  
  

If you wish to obtain more information regarding your rights, if you are not satisfied with the exercise of your rights and/or if you wish to present a claim, you must do so by addressing the data protection control authority (Agencia Española de Protección de Datos). Contact information available at: http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.

5.4.6 Left Blank

5.4.7 Ethics Hotline

We have made an Ethics Line available to our collaborators, suppliers, related third parties, shareholders, travelers, clients, users and the general public, to submit claims or queries related to the enforcement of the Ethics Code and Business Conduct, the Anti-bribery Policy and other corporate policies adopted by Avianca. We have contracted the Ethics Line with Navex Global, Inc., who has provided a web portal aviancaholdings.ethicspoint.com and various phone lines for its operation.

For the purpose of legal obligations derived from the personal data protection and privacy regulations as it is collected through the Ethics Hotline, Navex Global Inc., acts as a Responsible Person in Charge of Treatment and will treat said information on behalf of the integrated Companies, who will jointly be Responsible parties. Avianca Holdings S.A. will not directly treat collected personal data. Treatment shall be performed by its integrated Companies, with the purpose of investigating claims, absolving queries and taking administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available on the “Policies” section of the Ethics Line portal.

5.4.8 Person in charge of treatment

At Avianca we select only persons in charge of treatment who offer sufficient guarantees that they will apply the appropriate technical and organizational measures, so that treatment of personal data is performed pursuant to EU Regulation 2016/379 and guarantees the protection of the rights of the interest party for which we are liable. IN cases when, as party of the services suppliers render to the Companies, they treat personal data on their behalf, they must enter into the corresponding agreement with Avianca for those in charge of treatment pursuant to the applicable regulation, and, especially, the provisions of Article 28 of EU Regulation 2016/379. In said case, our suppliers, in their condition as responsible party, must duly comply with the provisions thereof – especially article 28 – and applicable regulations in member states, making all the necessary information to demonstrate compliance with these obligations available to use and to allow audits to be carried out by us.

5.4.9 Changes to the Privacy Policy

This Privacy Policy may be modified when we consider necessary. We reserve the right to update and make significant changes to this policy.

5.4.10 Validity of this Policy

This General Privacy Policy shall enter into force on the day it is published. The last published revision is dated May 25, 2018.

Canada

5.5 Canada Annex.

Regarding information and personal data treated in Canada, the procedures to exercise the rights of holders of such information will be the ones set out by the Personal Information Protection and Electronic Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the establishment of rules governing collection, use and distribution of personal information in Canada. This Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since such provinces are exempt from the application of this statute since they have their own local regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles with which every private organization must comply when collecting, using or distributing personal information of any traveler, client or user, which can be seen at PIPEDA.

If requested any contact electronic address, Users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or claim to habeasdata@avianca.com, which will be processed in accordance with the terms set out by this Privacy Policy and any other applicable law.

United States

5.6 United States Annex.

The Department of Transportation of the United States of America (hereinafter DOT) states that THE AIRLINES shall adequately report the collection, use and disclosure of personal data and information of Travelers, Clients or Users.

Although there is no federal statute that specifically regulates the Treatment of personal data and information in this country, the DOT may investigate and prevent any practice related to trading air transport services, which also covers the Treatment of the personal data and information of our Travelers, customers or Users.

The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of America (also known as COPPA).

The COPPA Act regulates the protection of the privacy of children in the United States and authorizes the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or guardians’ consent, they may contact the AIRLINES through habeasdata@avianca.com​, in which case the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the provisions set out by applicable laws.

Additionally, and as applicable, you can check our Privacy and Data Protection Policies:

• If you are a supplier of one of THE AIRLINES and wish to check the privacy conditions that apply to your personal data and information, please check the Privacy Policy for Suppliers.
• If you are an active employee, retired employee, related third party, beneficiary or candidate to a position with THE AIRLINES and you wish to check the privacy conditions that apply to your personal data and information, please check our Privacy Policy for Collaborators.
• If you are a shareholder of Avianca S.A. and you wish to check the privacy conditions that apply to your personal data and information, please check our Privacy Policy of Aerovias el Continente Americano S.A. for Personal Data Protection of Shareholders and Investors.
• If you are a shareholder of Avianca Holdings S.A. and you wish to check the privacy conditions that apply to your personal data and information, please Privacy Policy of Avianca Holdings S.A. for Personal Data Protection of Shareholders and Investors.
• If you have a hearing and/or speech disability and you require personalized service, please call our toll-free line (1 866) 998-3357 or write to us at habeasdata@avianca.com. Remember that you can request special services for persons with disabilities during our online purchase process.