TECNOGLASS S.A. PERSONAL DATA PROCESSING POLICY

1. GENERAL

Tecnoglass S.A.,under its responsibility in the Processing of Personal Data and in compliance with applicable law and rules, Tecnoglass S.A, under its responsibility in the Processing of Personal Data and in compliance with applicable rules, in particular Articles 15 and 20 of the Political Constitution of Colombia,Statutory Act 1581 of 2012, its Regulatory Decree 1377 of 2013, adopts by thisdocument its Policy Processing of Personal data (hereinafter the”Policy”).

The Policy applies to all personal information of all third partiesTecnoglass S.A.  interacts, including, but not limited to customers, employees, suppliers or any other person who, for some reason, provides information to Tecnoglass S.A.

This Policy will be available to interested parties on Tecnoglass’ website http://www.tecnoglass.com/habeas-data Also, any updates thereof will be reported and loaded to public in general by publication in the mentioned website.

2. DEFINITIONS

In accordance with applicable law on the matter the following definitionsapply and will be implemented in the processing of personal data.

a) Authorization: Prior,express and written permission from Data Owner for the processing of personaldata.

b) Privacy Notice: physical or electronic document generated by the Controller, which isavailable to the each Data Owner with the information regarding the existenceof personal data processing policy applicable to that information, how toaccess it and the characteristics of the policy that is intended to givepersonal data.

c) Database: Structureset of personal data subject of the Policy.

d) Personal Data: Alland any information that allows or may be associated with one or more naturalpersons, determined or determinable. Data can be public, semi-private orprivate.

e) Private Data: All and any information that by nature is confidential or sensitive,relevant for the Data Owner.

f) Public Data: The information classified as such under the law or the Constitution. It isconsidered as public information, among others, data contained in publicdocuments, final court judgments not subject to legal reserve and thoseregarding to civil status of persons..

g) Semiprivate Data: Defined as the data that has no sensitive, reserved or public nature andwhose knowledge or disclosure may interest not only to its owner but also acertain group of persons or society in general, such as financial and credit informationor commercial activity.

h) Sensitive Data: Any and all data related to Data Owner intimacy such as those which reveal racialor ethnic origin, political ideas, religious or philosophical beliefs, tradeunion, social or human rights organizations memberships, or promotes interestsof any political party or to guarantee the rights of opposition political parties,as well as data related health to sexual life, biometrics such as fingerprints,photographs, iris, voice recognition, facial or hand palm.

i) Data Processor: naturalor legal person, public or private, which by itself or in association with othersperforms the processing of personal data on behalf of the Controller.

j) Controller: naturalor legal person, public or private, which by itself or in association withothers decides the use on the database and / or processing of the data.

k) Data Owner: Naturalperson whose personal data are processed according to this Policy.

l) Processing: Anyoperation or set of operations on Personal Data, such as collection, storage,use, movement or deletion of those data.

3. PRINCIPLES APPLICABLE TOPERSONAL DATA PROCESSING

Tecnoglass S.A. will apply in a comprehensivemanner, the following guiding principles in the collection, handling, use,
processing, storage and exchange of personal data:

a) a) Data Processing Rule ofLaw:  Tecnoglass S.A. willcomply to applicable and enforceable and standards and laws governing theprocessing of personal data and other related basic rights.

b) Principle of purpose: ProcessingData will obey a legitimate purpose in accordance with the PoliticalConstitution and laws, which will be reported to the Data Owner.

c) Principle of Freedom: ThePersonal Data Processing will be only exercised with prior, express andinformed consent of the Data Owner. Personal data will not be obtained ordisclosed without prior authorization or in the absence of legal or judicialmandate relieve consent.

d) Principle of accuracy orquality of Data: The information subject to the processing ofpersonal data must be truthful, complete, accurate, current, verifiable andunderstandable. Processing of partial, incomplete, split or misleading data isprohibited.

e) Principle of transparency: Inthe Processing of Personal Data, the Controller will ensure the right of theData Owner to obtain from Tecnoglass S.A., at any time and without limitation,information about the existence of data concerning them.

f) Principle of restricted accessand movement: The Processing of Personal Data is subject tolimits arising from the nature of the personal data and to current andenforceable rules and laws governing the processing of personal data and otherrelated basic rights. In this sense, personal data, except public informationmay not be available on the Internet or other mass media unless access istechnically controllable to provide a limited knowledge communication only toData Owner or third parties authorized under the law.

g) Security principle: Theinformation subject to processing by Tecnoglass S.A. will be handled with existingtechnical, human and administrative measures necessary to provide security torecords, avoiding adulteration, loss, consultation, use, or unauthorized orfraudulent access.

h) Principle of Confidentiality: Allpersons involved in the administration, management and updating or those whohave access to information that kept in databases and do not have the nature ofpublic, are obliged to ensure the confidentiality of information, even afterthe end of their relationship with some of the tasks which includes theprocessing of information, only being able to perform supply or communicationof personal data when this is in the development of activities authorized inforce and applicable rules governing the processing of personal data and otherrelated fundamental rights.

All persons who currently work or those to behired subsequently for this purpose, in the administration and management ofdatabases, must sign an amendment to their employment contract or provision ofservices in order to ensure the compliance of that obligation.

4. CONTROLLEROF PERSONAL DATA PROCESSING

The Controller of personal data is TecnoglassS.A., with business address in Av. Circunvalar a 100 metros de la Vía 40, LasFlores, Barranquilla, Atlantico, contact email habeas.data@tecnoglass.com and
phone: (+575) 3734000.

5. DATA OWNER´SAPPROVAL

Without prejudice to the exemptions provided inforce and applicable rules and laws in Processing Data a prior express andinformed approval by the Data Owner is required, which must be obtained by anymeans that may be subject to consultation and subsequent verification, as aphysical or electronic document, a data message or any technical ortechnological mechanism to express or obtain consent by that mean.

6. PRIVACYNOTICE

The Privacy Notice is the physical or electronicdocument or any other known or unknown format, by which the Data Owner becomesaware of information regarding the existence of processing of personal datapolicy applicable to that information, how to access it and the characteristicsof the policy that is intended to give personal data.

The Privacy Notice at least shall include thefollowing information:

a)The identity data, address and contact details of the Controller.

b)The type of processing which data will be submitted and the purpose of that information.

c)The general mechanisms provided by the Controller to guarantee the Data Ownerknows Processing of Personal Data Policy and the substantial changes that mayoccur on it from time to time.

7. EVENTS WHEN NO PRIOR APPROVAL IS REQUIRED

No prior approval of Data Owner will be required when:

a) The information is required bya public or administrative entity in the exercise of their legal functions orby court order.

b) In case of public data nature.

c) Cases involving of medical orhealth emergencies.

d) Information whose processinghas been authorized by law for historical, statistical or scientific purposes.

e) In case of data related to theCivil Registry of Persons.

8. DATA OWNERSRIGHTS

Any procedure that involves the processing by any company area or divisionpersonnel of personal data from customers, employees, suppliers and generallyany third party with which Tecnoglass S.A. holds commercial and laborrelations, should take into account the rights hold by the Data Owner, whichare listed below:

a) Right to know, update, consultor rectify the Personal Data at any time, before Tecnoglass SA, with respect toany information considered partial, inaccurate, incomplete, split and / ormisleading.

b) Right to request at any time aproof of the authorization granted to Tecnoglass S.A.

c) Right to be informed byTecnoglass S.A., prior Data Owner request, the use that has given to suchinformation.

d) Right to file to the ColombianSuperintendence of Industry and Commerce complaints it deems appropriate toenforce the fulfillment of these rights by Tecnoglass S.A.

e) Right to revoke theauthorization and / or request removal of any information when it is considersthat Tecnoglass S.A. has not respected the constitutional rights and guaranteesof Data Owner.

f) Right to access for free to thePersonal Data voluntarily choses to be shared with Tecnoglass S.A., for whichthe Controller is responsible for preserving and keeping safely and reliablyauthorizations for each Data Owner duly granted.

9. PROCESSINGOF SENSITIVE DATA

TecnoglassS.A. may processthe data classified as sensitive when:

a) The Data Owner has given itsprior consent to such processing, except in cases when authorization is notrequired by law.

b) Processing of Data isnecessary to protect the interest of the Data Owner and this is physically orlegally incapacitated. At these events, the legal representatives must givetheir authorization.

c) The processing is carried outin the course of legitimate activities with appropriate guarantees by a foundation,NGO, association or any other non-profit organization whose purpose ispolitical, philosophical, religious or trade union, provided that is relatedexclusively to its members or to persons who have regular contact because oftheir purpose. In these events, the data cannot be provided to third partieswithout the authorization of the owner.

d) Data Processing relates toinformation necessary for the establishment, exercise or defense of a right injudicial proceedings.

e) Processing has a historical,statistical or scientific purpose. In this event, the Controller shall take allmeasures leading to the delete of identity of the Data Owners.

10. MINORS’PERSONAL DATA

In the Processing of Personal Data kept in the Tecnoglass’ Databasesrelated to children and adolescents, the rights of minors will be ensured.

In any case, any and all use of data minors registered in the company’sdatabases or, eventually requested, must be expressly authorized by the legalrepresentative of the child or adolescent previous exercise the minor’s rightto be heard, opinion which will be assessed in terms of maturity, autonomy andability to understand the matter.

Furthermore, Tecnoglass S.A. shall provide minors’ legal representativesthe possibility of exercising their rights of access, cancellation,rectification and opposition of their protected data.

11. THIRD PARTIES

Databases or files will not be provided to third parties, unless authorizedby the Data Owner or by law. In such a case the transfer and / or sharingpersonal data of customers, employees or suppliers of Tecnoglass S.A. withthird parties, will be made exclusively for purposes related to sendingcorrespondence and communications of Tecnoglass S.A.

12. PURPOSE OF PERSONAL DATA

TecnoglassS.A. will onlyuse the Personal Data previously and expressly authorized by Data Owner,according to the purpose of Personal Data and the corporate purpose ofTecnoglass S.A. and respecting the rights to privacy, good name, image andother Constitutional rights.

Information about customers, suppliers, and employees, current or past, isobtained and preserved in order to facilitate, promote, allow or maintain labor,civil and commercial relations. The purposes of the databases will depend onthe person who provides that personal data and in accordance with that, he/shewill be expressly informed at the time of requesting for authorization.

13. PROCEDURES FOR THE EXERCISE OFPERSONAL DATA OWNERS RIGHTS.

Data Owners may exercise their right to know, update, rectify and delete thepersonal data they have provided to Tecnoglass SA, by sending a communication,at any time and free of charge to the following email: habeas.data@tecnoglass.com

In accordance with Article 20 of Decree 1377 of 2013, the rights of theData Owners established in the Law may be exercised by:

a) The Data Owner must provehis/her identity by the means provided the Controller.

b) By their successors, who mustprove such condition.

c) By the representative and / orduly authorized attorney of the Data Owner, prior proof of the representationor power of attorney.

The requests submitted by Data Owner should contain as minimum:

a) Full name of Data Owner.

b) Contact information fornotices.

c) Documents proving duly representationor power to act, if necessary.

d) Clear and precise descriptionof the personal data for which the Data Owner seeks to exercise any of his/herrights.

These rights can be exercised, among others, against partial, inaccurate,incomplete, split data, or those whose processing is prohibited or notauthorized by the Owner

14. CONSULTATIONS

Data Owners, their successors or representatives may consult the personalinformation kept in any database of Tecnoglass S.A., providing the company allinformation contained in the individual record or that is linked to theidentification of Data Owner. The consultation shall be made in writing, by themeans indicated in this policy, provided that it is made by the Data Owner orhis/her representative.

15. DATA RECTIFICATION OR UDPATE

When Data Owners, their successors or representatives consider that theinformation contained in a database of Tecnoglass S.A. should be subject tocorrection or update, they will be entitled to file a complaint againstTecnoglass S.A., which will be processed under the following rules:

The claim shall be made addressed to Tecnoglass S.A., by the means setforth in Section 13th above, with the following information:

a) Full name of Data Owner.

b) Contact information fornotices.

c) Documents proving dulyrepresentation or power to act, if necessary.

d) Description of the factsgiving rise to the claim.

e) Clear and precise descriptionof the personal data for which the Data Owner seeks rectification or update.

f) The documents considered asevidence.

16. DATADELETION

Data Owners, their successors or representatives may request, at any timeand for free to Tecnoglass S.A., deletion of personal data when:

a) They believe the data is notbeing processed in accordance with the principles, duties and obligations undercurrent regulations and in this Policy.

b) Data is no longer necessary orrelevant for the purpose for which it was collected.

c) The time required to fulfillthe purposes for which the information was collected has expired

This deletion involves partial or total removal of personal data, accordingto the request of Data Owners, their successors or representatives on records,files and databases managed by Tecnoglass S.A.

The claim shall be addressed to Tecnoglass S.A., by the means set forth inthis policy, containing at least the following information:

a) Full name of Data Owner.

b) Contact information fornotices.

c) Documents proving dulyrepresentation or power to act, if necessary.

d) Description of the factsgiving rise to the claim.

e) Clear and precise descriptionof the personal data for which the Data Owner seeks deletion.

f) The documents considered asevidence.

However, it is important to consider that the right of data suppression isnot absolute and Controller may deny the exercise thereof when:

a) The Data owner has a legal orcontractual duty to remain in the database.

b) When data removal hindersjudicial or administrative proceedings related to tax obligations,investigation and prosecution of crimes or updating administrative sanctions.

c) When data is necessary toprotect the legal interests of the Data Owner to perform an action in thepublic interest or to fulfill an obligation legally acquired by the Owner.

17. APPROVALREVOKE

Data Owners, their successors or their representatives may, at any time andfor free, revoke consent to the processing of personal data, as long as it is not prevented by legal or contractual provision.

To this end, the Data Owner may revoke his/her consent by the same means by which it was granted.

In this regard, it should be noted that there are two types of revoking consent: One is given on all consensual purposes and the other is given on some specific types of data processing.

18. DUTIES OF PROCESSING OF PERSONAL DATA CONTROLLER

Tecnoglass S.A. will be directly responsible for the processing and custody of personal data, directly or indirectly, collected and stored. However, it reserves the right to delegate to a third party such treatment, which will require the manager’s attention and implementation of policies and appropriate procedures for the protection of personal data and strict confidentiality thereof, in accordance with Article 18 of Act 1581 of 2012.

19. SECURITY MEASURES ADOPTED REGARDING THE PROCESSING OF PERSONAL DATA

Tecnoglass S.A. shall adopt the technical, human and administrative measures to ensure the security and confidentiality of the data and to prevent alteration, loss, consultation, use, or unauthorized access. Personal Data that Owner provides to Tecnoglass S.A. under any means, shall be managed confidentially with due constitutional, legal and other rules governing the protection of personal data.

20. EFFECTIVE DATE OF PERSONAL DATA PROCESSING POLICY

This Processing of Personal Data Policy is effective from October 3rd of 2016 and for the time Tecnoglass S.A. performs its corporate purpose.