Book

Policy for the treatment of personal data

Oshpitality Group SAS

Table of Contents

Content 

1. Introduction. 

Through the right of Habeas Data, enshrined in the Political Constitution of Colombia, all person are recognized with the fundamental right to their personal privacy and to know, update and rectify the information that has been collected about them in data banks and files of public and private entities. By means of Law 1581 of 2012, general provisions were issued for the protection of Personal Data subject to Processing within Colombian territory by the Controllers and Processors. Likewise, through Decrees 1377 of 2013, 886 of 2014, 1081 of 2015 and 255 of 2022, Law 1581 of 2012 was partially regulated and, among others, provisions were established regarding the manner in which the Controllers must demonstrate the implementation of appropriate and effective measures to comply with the obligations established in Law 1581 of 2012. 

In order to comply with its obligations regarding the protection of Personal Data, and to effectively comply with the internal policies for the protection of Personal Data of OSHPITALITY GROUP SAS (hereinafter by its name, “OSH HOTELS” or the “Company “), OSH HOTELS designed the following policy for the treatment of personal Data, which will be reviewed and updated regularly. 

The purpose of this Policy is to establish the minimum guidelines and standards required in the Processing of Personal Data carried out by OSH HOTELS, so as to guarantee the existence of an administrative structure for the adoption of internal policies, the adoption of  internal mechanisms to implement the Data Protection Policies, and internal procedures to address the queries and complaints from data controllers regarding the Processing of their Personal Data. 

2. Definitions. 

In accordance with article 3 of Law 1581 of 2012, and article 3 of Decree 1377 of 2013, for the purposes of this Policy, the defined terms will have the meaning indicated below: 

 

  • Authorization: It is the prior, express and informed consent of the data subjecty  to carry out the Processing of his/her Personal Data.  

 

  • Privacy Notice: It is the verbal or written communication generated by the Controller , addressed to the Data subject for the Processing of their Personal Data, through which they will be informed about the existence of the Data Protection Policies that will be applicable to him, the way to access them and the purposes of the processing  that is intended to be given to the Personal Data. 

 

  • Database: It is the organized set of Personal Data that is subject to Processing.  

 

  • Substantial Changes: Substantial Changes to the Personal Data Processing Policy are those  related to the purpose of the Database, the Data Processor, the channels of attention to the Data subject, classification or types of Personal Data stored in each DataBase. of Data, the information security measures implemented, the Information Processing Policy and the International Transfer and Transmission of Personal Data. 

 

  • Personal Data: It is any information linked or that can be associated with one or several specific or determinable natural persons. 

 

  • Public Data: It is data that is not semi-private, private or sensitive. Public Data is considered, among others, data related to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. 

 

  • Sensitive Data: It is the data or those data that affect the privacy of the Data subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in trade unions, social organizations, human rights or that promote the interests of any political party or that guarantee the rights and guarantees of opposition parties, as well as data related to health, sexual life, and biometric data. 

 

  • Data of Children and Adolescents: These are the Personal Data of those under 18 years of age. 

 

  • Data Processor: The natural or legal person, public or private, that by itself or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller . 

 

  • Policy: This is the Personal Data Processing Policy contained herein. 

 

  • Data Controller : It is the natural or legal person, public or private, that by itself or in association with others, decides on the Database and/or the Processing of Personal Data. For all purposes related to the Policy, OSH HOTELS shall be understood as the Data Controller . 

 

  • Data subject: It is the natural person whose Personal Data is subject to Processing. For all purposes related to the Policy, it shall will be understood as clients, suppliers, employess, and any other natural person whose personal data is found in the OSH HOTELS Databases. 

 

  • Processing: Any operation or set of operations on Personal Data, such as collection, storage, use, circulation or deletion. 

 

  • Transfer: The Transfer of Personal Data takes place when the Controller and/or Data Processor, located in Colombia, sends the information or Personal Data to a recipient, who in turn is the Data controller and is located inside or outside the country. . 

 

  • Transmission: It is the processing of Personal Data that involves the communication of the same within or outside the territory of Colombia when its purpose is the performance of a processing by the processor on behalf of the Data Controller . 

 

3. Principles of Treatment. 

 

The Controllers and Data Processors shall ensure that the following principles contained in Law 1581 of 2012 (the “Principles”) in the Processing of Personal Data: 

  • Principle of legality in matters of Data Processing : The Processing of Personal Data must be subject to the provisions of the rules governing the protection of Personal Data. Notwithstanding  the existence of other rules that regulate the matter, the main applicable rules are set out below : 
  • Law 1581 of 2012. 
  • Decree 1377 of 2013. 
  • Decree 886 of 2014. 
  • Chapter 25 and 26 of Decree 1074 of 2015. 
  • Decree 1081 of 2015. 
  • Circular 001 of 2016 of the Superintendency of Industry and Commerce. 
  • External Circular 005 of 2017 of the Superintendence of Industry and Commerce. 
  • Decree 255 of 2022. 

 

  • Principle of purpose: The Processing must obey a legitimate purpose in accordance with the Constitution and the Law, which must be informed to the Owner. 

 

  • Principle of freedom: Processing may  only be carried out with the prior, express and informed consent of the Data Subject. Personal Data may not be obtained or disclosed without prior authorization, nor in the absence of a legal or judicial mandate that requires consent. 

 

  • Principle of truthfulness or quality: The information subject to Processing must be truthful, complete, accurate, updated, verifiable and understandable. The Processing of Personal Data that is partial, incomplete, fractioned or misleading  personal Data is prohibited. 

 

  • Principle of Temporality: OSH HOTELS will not use the  information of the Data Subject beyond the reasonable period of time required by the purpose for wich Data Subject was informed of the of the Personal Data. 

 

  • Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data that concerning him/her  or her must be guaranteed. 

 

  • Principle of restricted access and circulation: Porcessing is subject to the limits derived from the nature of the Personal Data, the provisions of this Law and the Political Constitution. In this sense, the Processing may only be carried out by persons authorized by the Data Subject and/or by the persons provided for in the Law. Personal Data, except for public information, may not be available on the Internet or other means of dissemination or communication. unless access is technically controllable to provide knowledge restricted only to the Data controller or authorized third parties in accordance with the Law. 

 

  • Security principle: The information subject to Processing by the Data Controller or Data Processor shall be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, unauthorized or fraudulent access.  

 

  • Principle of confidentiality: All persons involved in the Processing of Personal Data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the Processing, and may only provide or communicate Personal Data when this corresponds to the development of activities authorized by Law. 

 

  • Principle of demonstrated responsibility ( accountability ): Data Controllers shall be able to demonstrate, at the request of the Superintendency of Industry and Commerce (the “SIC”), that they have implemented appropriate and effective measures to comply with the obligations set forth in the Law 1581 of 2012, Decree 1377 of 2013 and other concordant  regulations. 

 

  • Principle of Individuality: OSH HOTELS will maintain the databases in which it is the Data controller  from those for which it is the Data Processor. 
4. Administration and management in the Processing of Personal Data . 
  1. Person responsible for the administration and management of Personal Data 

The Personal Data Protection Officer (PDPD) will be the person in charge of ensuring the proper development, adoption, implementation, execution, disclosure and observance of the OSH HOTELS Personal Data Processing Policy. Consequently, the OPDP will have the following obligations: 

    1. Carry out continuous monitoring of the Processing of Personal Data carried out by the different areas within OSH HOTELS. 
    2. To keep an inventory of the Personal Data Bases created by OSH HOTELS. 
    3. Ensure that the collection and processing of Personal Data complies with legal provisions, especially in relation to authorizations and compliance with the purposes of each type of Personal Data subject to Processing within OSH HOTELS. 
    4. Promote a culture of protection of Personal Data within OSH HOTELS. 
    5. Serve as liaison and coordinator with the other areas of OSH HOTELS in relation to the Processing of Personal Data. 
    6. Conduct training programs on the protection of Personal Data within OSH HOTELS. 
    7. To Measure the participation and level of knowledge acquired through training on the Personal Data protection carried out within OSH HOTELS. 
    8. To make known and familiarize the Personal Data Treatment Policies within OSH HOTELS so that all areas within the Company are aware of them and apply them. 
    9. Receipt and centralization of the file in which the Authorizations granted by the personal Data Controller are stored. 
    10. To deal with any  queries that OSH HOTELS employees have in relation to the Processing of Personal Data and the application of the Personal Data Processing Policies. 
    11. Implement internal audit plans in order to verify compliance with this Policy and the different OSH HOTELS manuals related to Personal Data. 
    12. Ensure that the complaints, queries and claims submitted by the holders are addressed within the terms established in the Law and in this Policy. 
    13. Perform the registration on the Databases in the National Registry of Databases (“RNBD”) and update the registry as required. 
    14. To process incidents that may affect the security of Personal Data and inform the SIC when necessary, in accordance with the provisions of the Law.
  2. Person responsible for processing queries, complaints and claims from the Holders 

Personal Data have the right to make queries, complaints and claims in relation to the Processing of their personal Data by OSH HOTELS. The ODPD shall be responsible for the internal processing of queries, complaints and claims submitted by the Data Subject to the Company in relation to the Processing of Personal Data. 

 

5. Processing of Personal Data. 

 

 1.  Nature of Personal Data

In order to determine whether or is a Personal Data, it is necessary to identify whether or not it is possible to identify the person with the information or the set of information we have about a person. 

By way of illustration, the main examples of Personal Data are, among others: name, surname, email, residence address, telephone number, etc. Additionally, images contained in photographs and recordings are considered Personal Data. On the other hand, people’s corporate data, such as: corporate email, are public personal data. 

If you are not sure whether or not the information you are processing is Personal Data, contact the ODPD . 

2. Categories of Personal Data 

Once it is certain that it is front a Personal Data, it is necessary to determine its nature, according with the classification presented by the Colombian regulation of Personal Data protection. This is of vital importance, since the Authorization forms and the applicable security measures will depend on the category to which the Personal Data  to be Processed belongs. 

 

 

  • Public Data: is any Personal Data that is contained in public records, public documents, official gazettes and bulletins, and court rulings. The rules have given some examples of public data, such as: data relating to the marital status of a person, their profession, trade or quality of public servant. Authorization is not required for the processing such data. However, public Personal Data are subject to the application of the other principles and obligations provided set forth in the Personal Data protection regulation. For example, the citizenship card, the names and surnames of the people. 

 

  • Semi-private data : is all financial, commercial and credit information that is mainly used in credit risk analysis. In order to process this data, an express Authorization from the Data Subject  is required. Eg. Financial and credit data. 

 

  • Private Data: Any Personal Data that is neither public nor semi-private . These data are subject to confidentiality and its processing  affects the privacy of the Data Subject. In order to process this  data, an express, prior and informed Authorization is required from the Data Subject. E.g. Education level of Schooling of the Data Subject.  

 

  • Sensitive Data: is any Personal Data that affects the privacy of the Data Subject or whose use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, membership in unions, as well as those relating to health, sex life and biometric data, among others. These data are of restricted access require express and unequivocal Authorization that complies with certain special requirements, among others, informing the holder that since it is sensitive data, he/she is not obliged to authorize their processing. No activity may be conditioned to the provision of sensitive Personal Data by the Data Subject.  

 

 

  • Data of Children and Adolescents (under 18 years of age): Personal Data of children and adolescents  under 18 years of age is understood as a special category due to the restrictions implied by its Processing. The Processing of Personal Data of children under 10 years of age is restricted to specific purposes related to the best interests of the minor and only with the express consent of the parents or legal representatives of the minor. 

 

  • Video surveillance systems: OSH HOTELS uses surveillance means, such as video or monitoring, in its offices, which informs by means notices in visible places, using the information collected in order to safeguard the integrity of its staff, visitors, as well as protect your assets and facilities. The Holder understands and accepts such purpose and consequently its use. The Company may subcontract the performance of certain functions to third parties. When providing your personal information to these service providers as Processors, they will be warned about the duty to protect said personal information with appropriate security measures. In additiion, they are prohibited from disclosing and/or circulating their personal information and using it for their own purposes other than those authorized by the Owner. 

 

6. Authorization request. 

 

The Processing of any Personal Data – other than public Personal Data – collected by OSH HOTELS must be previously Authorized by the Data Subject. The Authorization may be verbal, written or through unequivocal conduct by the Data Ssubject that allows it to be reasonable conclusion that he/ she has  granted his/her Authorization. In no case shall silence be assimilated to unequivocal conduct. Notwithstanding the way in wich  the Authorization is obtained, it is important that the consent is documented or recorded in a way as to allow its subsequent consultation and that it serves as a means of proof at any time. 

 

OSH HOTELS has generated forms to obtain Data Subject Authorizations according to the type of Personal Data  being collected. The Authorization request forms can be consulted in the Company’s documentation repository. 

 

Once the consent of the Data Subject is obtained, the Authorization shall be sent to the ODPD for filing. 

 

  • Notwithstanding the Exceptions provided for in the Law or this Policy, no Personal Data collected by OSH HOTELS may be processed without the due Authorization of the Data Subject. The Authorization must be obtained at the latest, at the time the information is collected. Personal Data must be complete, accurate, update, verifiable and understandable. 

 

  1. Exceptions to the applications for Authorization (the “ Exceptions ”) . 

The Authorization of the Data Subject  for the Processing of Personal Data will not be necessary when: 

  1. The information is required by a competent public authority in the exercise of its legal functions or by court order. 
  2. The purpose of the databases is the prevention, detection, monitoring and control of money laundering, the financing of terrorism or the proliferation of weapons of mass destruction. 
  3. Public Data is involved; 
  4. Medical or health emergency cases; 
  5. To carry out Processing for historical, statistical or scientific purposes. 
  6. In case of data related to the civil registry of persons.  

 

However, notwithstanding that the Processing of the above data does not require authorization by the Owners, OSHPITALITY GROUP SAS shall treat such information in accordance with the Principles provided by  Law and in this Policy. 

7. Registration of Personal Databases in the RNBD . 

 

OSH HOTELS shall register and update all Personal Data Bases in the RNBD. Any Personal DataBase that is created after this date must be registered in the RNBD within the following two (2) months, counted from its creation. 

 

The registry must be updated as indicated below: 

 

  • When Substantial Changes are made to the registered information (e.g. Changes in purposes, changes in Managers, etc.), these changes must be registered within the first ten (10) business days of each month. 
  • When non-substantial changes are made to the registered information (e.g. Number of Database Owners, Owner service channels), these changes must be registered annually, between January 2 and March 31. 
  • When claims are submitted by the Holders of Personal Data, the update must be carried out within the first fifteen (15) business days of the months of February and August of each year. 
  • When security incidents occur related to the violation of security codes or the loss, theft and/or unauthorized access of information from a Database managed by OSH HOTELS, you must report it to the RNBD within fifteen (15) business days following the moment in which they are detected and brought to the attention of the ODPD. 

 

  1. Inventory of Personal Data Bases . 

 

For the purposes of registration in the RNBD, OSHPITALITY GROUP SAS must make  an inventory of Databases, for which the following information will be taken into account: 

 

  • Number of Databases with personal information. 
  • Number of Owners for each Database. 
  • Detailed information on the channels or media that are planned to attend the Data Holders.  
  • Type of Personal Data contained in each Database to which Processing  is performed, such as: identification, location, socioeconomic, sensitive or other data. 
  • Physical location of the Databases (storage in own means, such as filling cabinets or servers, internal or external to the physical facilities of OSH HOTELS). 
  • Identification and location data of the Data Processors. 
  • Security measures and/or controls implemented in the Database to minimize the risks of inappropriate use of the Personal Data processed. 
  • Information on the Authorization of the Owners of the data contained in the Databases. 
  • How the data is obtained (directly from the Data Controller or through third partines) 
  • When a tranfer  or international Transmission of the Database has been carried out, the basic information of the recipient will be requested. 
  • If the Database has been transferred, the transferee’s basic information will be requested. 

 

8. Purposes of the processing of Personal Data. 

In the development of its activities, OSHPITALITY GROUP SAS processes the following Personal Data for the following purposes: 

  • Administrative purposes: Attention to authorities’ requirements; maintenance by itself or through a third party of the Databases; management of consultations and requirements formulated by the Holders in the exercise of their rights; management of the subscription carried out by the Holder in the records of OSH HOTELS; use of Personal Data to carry out internal processes of linking clients, suppliers and contractors. 
  • Risk prevention purposes: To carry out risk control and mitigation, OSH HOTELS, through an authorized third party, will make  relevant consultations in credit bureau, databases and binding and restrictive lists related to Money Laundering, Financing Terrorism, Financing the Proliferation of Weapons of Mass Destruction, Corruption and Transnational Bribery. 
  • Labor Purposes : Payroll management; admission and selection processes for OSH HOTELS personnel or third parties; linkage to the social security system in favor of the Holder and his/her family members as required; occupational health; safety at work; feeding of the information required by the health and social security management systems; to establish contact with former employees; and to carry out the activities required to comply with the Law and labor and social security obligations. Likewise, the Personal Data of the Owners may be used to create, preserve and update historical records; maintain contact with the Holder; verify, check or validate the data provided; collect, hold, handle, use and study the information provided to carry out invitations to work processes; carry out and organize selection processes that are carried out to evaluate the existence of an employment or service relationship; use Personal Data for training activities and activities aimed at evaluating the connection of the Holder with OSH HOTELS; as well as to carry out professional profile analysis. 
  • Contractual and financial purposes: Processes for admission, selection and engagement  of contractors, suppliers and clients of OSH HOTELS, and achieving efficient communication with the parties involved in the contracts entered into  the development of the corporate purpose of OSH HOTELS; as well as to perfect and fulfill contractual obligations. 
  • Commercial  Purposes : To answer requests for services; to process requests for information or services; to maintain existing contractual and pre-contractual relationships; to offer services; and send promotions and/or products from OSH HOTELS; as well as to provide information of interest. 
  • Purposes for the provision of services. OSH HOTELS will process the Personal Data collected by any means to comply with the obligations undertaken with the Personal Data  Holders; to carry out activities related to the corporate purpose of OSH HOTELS and execute contractual relationships, share, transfer and transmit Personal Data to third party service providers who are responsible for the Processing of Personal Data when required, who may store, process, protect and maintain the Personal Data provided, attend to and manage the requests and suggestions made by the Data Controller regarding the services provided, deliver the Data to government entities when they request it; comply with applicable regulations and meet administrative and judicial requirements when required; bill for services renderer, send information related to OSH HOTELS products or services; and generate an organized scheme to safeguard the private, semi-private, public and sensitive data of its owners. When Personal Data is obtained from children and adolescents, Authorization will be obtained from the parents or whoever exercises the legal representation of the minor. 
9. Sensitive data and data of children and adolescents. 

 

  • OSH HOTELS may access and make use Sensitive Data. For these purposes, It will apply the legal provisions on the processing of Sensitive Data will apply, including the obligation to obtain explicit Authorization from the Data Subjetc for the Treatment, informing of the optional nature of the same. This Authorization Shall  be implemented in all collections of Sensitive Data, except in the following cases in which Authorization is not required by law: 

 

  1. The Treatment is necessary to safeguard the vital interest of the Data Subject and He/she  is physically or legally incapacitated. In these events, the legal representatives must grant their Authorization. 
  2. The Processing is carried out in the course of legitimate activities and with due guarantees by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that its  refers exclusively to to its members or to people who maintain regular contacts due to their purpose. In these events, Personal Data cannot be provided to third parties without the authorization of the Owner. 
  3. The Treatment refers to Personal Data that is necessary for the recognition, exercise or defense of a right in a judicial process. 
  4. The Processing has a historical, statistical or scientific purpose. In this event, measures leading to the suppression of the identity of the Data Controllers must be adopted.  

 

  • OSH HOTELS May process Data Processing of Childrens and Adolescents. This information shall be collected in accordance with the requirements established by the rule of protection of personal indicated in the Law and in this Policy, for the following purposes: 

 

  1. Identification of the children of an employee candidate`s children during visits and interviews at the candidate’s home. 
  2. Fulfillment of legal obligations arising from the employment relationship, such as carrying out all the necessary procedures for the registration of beneficiaries, before the authorities, such as before the Social Security System, or any other activity derived from the applicable legislation. . 
  3. Communicate to employees the wellness activities that OSH HOTELS has organized for their children. 
  4. Communicate to employeess  the birth of children of OSH HOTELS. 
 
10. Confidentiality. 

All OSH HOTELS employees must maintain the confidentiality of the Personal Data that is being Processed by the Company. All contracts entered in OSH HOTELS  with its employees or with third parties who will have access to the Personal Data contained in the Company’s Databases, shall contain a confidentiality clause with respect to such Personal Data. Personal Data may only be processed for the purposes described in this OSH HOTELS Personal Data Processing Policy. 

If you have concerns about the confidentiality of certain information, please contact the ODPD or responsible person so that they can clarify any special duties  of care that may exist regarding certain information. 

11. Penalties for breach of the duty of confidentiality. 

 

Any breach of the confidentiality  obligation by employees shall be considered a violation of the Internal Labor Regulations, and will be subject to the labor sanctions contained therein. 

 

12. Procedures for the attention of PQRSF related to the Processing of Personal Data. 

 

  1. Procedure for access and consultation 

 

The Consultations of the information contained   in the Databases in the possession of OSHPITALITY GROUP SAS may only be processed by the Company when the Data Subejct of the Personal Data, his successors in title, legal representatives or attorneys-in-fact request it. OSHPITALITY GROUP SAS will not be able to process complaints and queries from people other than those indicated above. 

 

To process requests and complaints regarding Personal Data, the Owners of the Personal Data must send the following information: 

 

  1. The identification of the Holder,  assignee,  title, legal representative or attorney-in-fact. 
  2. Contact information (physical and/or electronic address and contact telephone numbers). 
  3. The documents  proving the identity of the Holder, or the representation of his representative. 
  4. The clear and precise description of the personal data with respect to which the Data Subject seeks to exercise any of the rights. 
  5. The description of the facts that give rise to the request. 
  6. The documents to be asserted. 
  7. Signature and identification number. 
  8. Filing in original. 

 

When requests and complaints are incomplete, OSH HOTELS shall: 

 

  1. Require the interested party within five (5) business days following receipt of the request to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that he or she has withdrawn from the application. 
  2. If the area that receives the query and complaint is not the area responsible for resolving it, it must be transferred to the appropriate person within a maximum period of two (2) business days and the interested party will be informed of the situation. 
  3. The term for addressing requests or complaints must be a maximum of ten (10) business days from the date of receipt. When it is not possible to attend to the query within said term, the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be attended to, which in no case may exceed five (5) business days following the expiration of the first term 

  

  1. Procedure to request update, correction, deletion, revocation of authorization or to file complaints 

 

Requests for updating, correction, deletion, revocation of authorization may only be processed by OSH HOTELS when the Owner of the Personal Data, his successors in title, legal representatives or attorneys-in-fact request it. OSH HOTELS will not be able to process requests from people other than those indicated above. 

 

To process requests and complaints regarding Personal Data, the Owners of the Personal Data must send the following information: 

 

  1. The identification of the Owner, successor in title, legal representative or attorney-in-fact. 
  2. Contact information (physical and/or electronic address and contact telephone numbers). 
  3. The documents that prove the identity of the Owner, or the representation of his representative. 
  4. The clear and precise description of the personal data with respect to which the Owner seeks to exercise any of the rights. 
  5. The description of the facts that give rise to the request. 
  6. The documents that you want to assert. 
  7. Signature and identification number. 
  8. Filing in original. 

 

When the requests made by the Personal Data Holders are incomplete, OSH HOTELS must: 

 

  1. Require the interested party within five (5) business days following receipt of the request to correct the deficiencies. After two (2) months from the date of the request, without the applicant presenting the required information, it will be understood that the claim has been abandoned. 
  2. If the area that receives the query and complaint is not the area responsible for resolving it, it must be transferred to the appropriate person within a maximum period of two (2) business days and the interested party will be informed of the situation. 
  3. Once the complete claim is received, a legend that says “claim in process” and the reason for it will be included in the database within a period of no more than two (2) business days. Said legend must be maintained until the claim is decided. 
  4. The maximum term to address the claim will be fifteen (15) business days counted from the day following the date of receipt. When it is not possible to address the claim within said term, the interested party will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight (8) business days following the expiration of the first term. 

 

13. Training of officials on the protection of Personal Data . 

 

The person in charge of implementing this Policy has made its content available to all OSH HOTELS employees. In addition to this, the Company’s personnel will be invited to participate in training on the subject with the purpose of maintaining permanent and updated training on Data Protection. 

 

14. Validity. 

This Policy comes into effect as of October 16 , 2023 and may be modified by OSHPITALITY GROUP SAS through its Shareholders’ Meeting at any time. The provisions contained in this document have been prepared in accordance with the regulations in force in Colombia regarding the protection of personal data. 

  • Calle 31 N° 10 - 77, Calle de la Magdalena
  • Getsemaní, Cartagena de Indias, Colombia.
  • Front Desk
  • (+605) 649 9280 | (+57) 300 9127936
  • Booking
  • (+57) 304 254 9463
  • reservas@oshhotels.com
  • RNT
  • 144655

Legal information

Instagram Facebook Tiktok

® 2024 - Oshpitality Group SAS. All rights reserved

Booking

Formulario de Reserva
Guests:
Child:
Open chat
1
Scan the code
Hello! ???? How can we help you?