Browse through the main menu using the Tab or arrow keys; go to each section by pressing Enter; browse through the boxes in the menu using the arrow keys or through each of the options using the Tab key.

Privacy Policy

We acknowledge the importance of the safety, privacy and confidentiality of your personal information.

If you are a Client, Shareholder, Supplier or Collaborator, you will find all information regarding our Privacy and Data Protection Policies here.


General privacy policy for the protection of the personal data of travelers, customers and users

Contents

  1. Who we are

  2. Acceptance of this Privacy Policy

  3. Purpose of the Privacy Policy

  4. Personal data and information collected

  5. Purposes of the processing of personal data and information

  6. Duration of the processing of personal data and information

  7. Accuracy of information

  8. Information of children and underage adolescents

  9. Use of cookies and web beacons

  10. Protection, safety and confidentiality of personal data and information

  11. Procedure for the exercise of the rights of owners of information

  12. General procedure for the exercise of the rights of owners of personal data and information applicable in all territories where the companies operate

  13. Amendments to the Privacy Policy

  14. Compliance hotline

  15. Duration

  16. Appendices

1. Who we are?

1.1 The airlines: Aerovías del Continente Americano S.A. Avianca, Tampa Cargo S.A.S, trading companies incorporated in the Republic of Colombia, Aerolíneas Galápagos S.A. Aerogal, limited company incorporated in the Republic of Ecuador, Taca International Airlines S.A., incorporated in the Republic of El Salvador, Líneas Aéreas Costarricenses S.A. Lacsa, incorporated in the Republic of Costa Rica, Trans American Airlines S.A., incorporated in the Republic of Peru, Aviateca S.A., company incorporated under the laws of Guatemala, Servicios Aéreos Nacionales, Sociedad Anónima (SANSA), incorporated in the Republic of Costa Rica, Isleña de Inversiones, S.A. de C.V., incorporated in the Republic of Honduras, each and all of them hereinafter individually and collectively referred to as the AIRLINES, who, for the purpose of the provision and commercialization of passenger and product air transport services and related services such as tour packages, air and/or land cargo transport services, express courier and courier services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA, AEROGAL, AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA TOURS, DEPRISA, PREFERENCIA “Business Travel Program”, AVIANCA EXPERIENCE AIRPASS, AVIANCA STORE or solely under the trademark AVIANCA, each and all of them respectively responsible for and/or in charge of the treatment of personal data and information.

1.2 The loyalty program LIFEMILES, joint program between the AIRLINES, managed and operated by LifeMiles Corp., has its own Privacy Policy which is available at Lifemiles.com.

1.3 The Privacy Policy applicable to FLYBOX is available at Flybox.co

2. Acceptance of this Privacy Policy

2.1 Express acceptance of this Privacy Policy and of the processing of personal data and information in accordance with the terms thereof takes effect when the traveler, client or user who owns the information provides the data through the sale and service channels, including Call Centers, or when they purchase any of our products or services, or when they click the button “Continue” or when they keep navigating our websites: Avianca.com, Deprisa.com, Lifemiles.com, Programapreferencia.com, Aviancaservices.com, Aviancacargo.com, Flybox.co, Aviancaexpress.com, Sociosyamigos.com or when thy use any of our mobile apps or electronic services in any of their forms, such as electronic kiosks.

2.2 For purposes of this Policy, the term "processing" involves any operation or set of operations over personal data and information such as, use, collection, storage, disclosure, distribution or deletion thereof.

2.3 By accepting this General Privacy Policy, each of the travelers, clients or users, acting as owner of the collected personal data and information, expressly authorizes the AIRLINES to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred. By accepting this Privacy Policy each of the travelers, clients or users acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Using the collected personal data and information to send to the e-mail addresses provided by the traveler, client or user the boarding pass and/or document resulting from the transaction, as well as any information related to the purchased product or service.
  2. Using the received information for marketing of our products and services and the products and services of any third party with whom the AIRLINES maintain a business relationship.
  3. Sharing the personal data and information with commercial representatives, tour operators, such as hotels, car renting companies, insurers, etc. if required to manage travel plan reservation and other tour services.
  4. Providing the personal data and information to national and international oversight and supervision, administrative, police and judicial authorities, under a legal or regulatory requirement and/or using or disclosing this personal data and information in defense of of the rights and/or ownership of the AIRLINES, their customers, our websites or its users, for fraud detection or prevention, criminal prosecution or when the AIRLINES in good faith consider that the delivery of information and personal data is in their best interest to air safety.
  5. Allowing access to personal data and information to auditors or third parties hired to perform internal or external audit processes of the commercial activities carried out by us.
  6. Checking and updating personal data and information.
  7. Outsourcing the storage and/or processing of personal data and information for the proper execution of Human Resources processes and procedures, under the security and confidentiality standards which bind us.
  8. Transferring your personal data and information, in the event of a change of control in one or more AIRLINES or in any of the business units due to merger, acquisition, bankruptcy, split, or creation, to the new entity controlling the AIRLINES or their business units. If, as a result of the change of control, there is a change of the Person in Charge of the processing of personal data and information, such situation will be reported to the owners of the personal data and information, in order for them to exercise their rights under the relevant applicable law. The conditions under which the owners of personal data and information may exercise their rights will be indicated when reporting the change of control.

3. Purpose of the Privacy Policy

3.1 The purpose of this Privacy Policy is to communicate to each traveler, client or user the type of personal data and information we collect, its purpose and use, the times this information is shared and the means used to protect it, as well as the rights to which they are entitled as owners of the information and the corresponding procedures to exercise them.

3.2 Personal data and information are provided by travelers, clients and users to enable the provision of our services. The AIRLINES acknowledge the importance of safety, privacy and confidentiality of the personal data and information provided by travelers, clients and users through the different channels (including websites, points of sale, call centers, mobile apps and electronic kiosks), and we are committed to its protection and proper processing, in accordance with the legal provisions regarding data protection set out in each of the territories in which we operate.

3.3 This Privacy Policy is also applicable to the personal data of Eligible Passengers who are defined in the Terms and Conditions of the PREFERENCIA Program “Business Travel Program” as Corporate Clients who carry out Corporate Purchases. Therefore, the personal data of Eligible Passengers, including their travel itineraries, payment method and any other personal information thereof will be processed under the terms herein and might be transferred to the Corporate Client linked to such Eligible Passenger for the purposes of reports, audits, processing requests and any other purpose related to the operation of the PREFERENCIA Program.

4. Personal data and information collected

4.1 The AIRLINES may collect personal data and information about travelers, clients or users, which information may vary to the requirements of local authorities, technological systems, nature of the products or services provided, etc. For such purposes, the AIRLINES may collect the following personal data and information, which may be stored and/or processed in server located in computing centers, whether owned by the Companies or by any third party, across different countries:

  1. Names and surnames.
  2. Birthdate.
  3. Gender.
  4. Personal and/or work mailing and electronic addresses.
  5. Profession or occupation.
  6. Personal data of the cardholder (names and surnames, ID number and type).
  7. ID number and type.
  8. Marital status and/or kinship with underage children or disabled people requesting our services.
  9. Personal and/or work fax number.
  10. Residence information where the cardholders receive their bank statements.
  11. Company and position.
  12. Nationality and country of residence.
  13. Personal and/or work telephone and cellphone numbers.
  14. Credit card information (number, institution, expiry date).
  15. IP address of the client through cookies.
  16. Frequent Flyer card number and information about transactions and activities related to LifeMiles frequent flyer program.
  17. If required by US government authorities the “Redress Number” may be collected for passengers travelling to the United States.
  18. Necessary information to facilitate the flight or any other services, which includes the name of the travel companion, emergency contacts, seat preferences, special meals or medical needs.
  19. Information about payment methods (including travel agencies, direct sale or sale through representatives or agents, call center, websites, mobile apps).
  20. Use of products and services such as self-registration machines, flight status notifications and web check-in.
  21. Personal data and information collected through surveys, focus groups or any other market research method.
  22. Information required by officers or representatives of the AIRLINES, such as sale and/or customer relations representatives for the purpose of processing requests and complaints.
  23. Biometric data, including images, photos, videos, voices and/or sounds, fingerprints, which identify or allow the identification of our travelers, clients or users and/or any other individual who is located in any of the places where the AIRLINES have installed equipment.
  24. Health-related information (medical conditions which might prevent flying according to the treating physician) and medical certifications required to the passenger, client or user in order to provide, within the feasibility and possibilities of our operations, with the adequate conveniences and elements for proper medical care during the provision of air transport services, as well as to determine the feasibility of the flight.

4.2 Owners of personal data and information will not be required in any case to authorize the processing of sensitive data. Notwithstanding the foregoing, in the cases where owners of information provide any sensitive data to the AIRLINES for the proper provision of services, they shall expressly authorize the AIRLINES to process sensitive personal data and information in accordance to this Privacy Policy.

4.3 In addition, for safety purposes, the AIRLINES may collect, store, share and compare personal data and information with different national or international administrative, control and supervising, police and judicial authorities. Such personal data and information includes biometric data, obtained through any biometric, image recording, audio or video device, located in our facilities (such as administrative offices, retail outlets, VIP lounges, airport stands for customer service, call centers). To inform the general public about this, the AIRLINES issue Privacy Notifications in the places where this personal data and information are collected.

4.4 Due to our activity as carriers, the AIRLINES are required to provide certain personal data and information about passengers or cargo or shipments through express courier and courier services to airport, immigration and customs authorities, as well as any other national or international government, regulatory or safety authority before the departure of flights or before landing in any destination or in any other moment after the provision of the transport service. Generally, this information refers to identity information of the passengers on board, their itineraries, as well as the data contained in their respective travel documents (passport, visas) or related to transported goods.

5. Purposes of the processing of personal data and information

5.1 The collected personal data and information are used to process, confirm, fulfill and provide the purchased products and/or services, directly and/or with the participation of other airlines or third-party suppliers of products or services, as well as to make reservations, modifications, deletions, payment of compensation, accounting records, to process correspondence, to perform processing and verification of credit cards, debit cards and other payment methods, to carry out the promotion and advertising of our products, services and activities, to perform financial payment transactions, charges or refunds, to process legal proceedings, to report or process the requirements of the different police and legal authorities, banking institutions and/or insurance companies, for internal and/or commercial administrative process, including market research, auditing, accounting reports, statistical analysis, billing, and offering and/or recognition of benefits through loyalty programs in order to execute the transportation contract and other services and supplementary activities, detect and prevent fraud detection, money laundering and other criminal activities and/or or for the proper operation of loyalty programs and other activities indicated herein.

5.2 Personal data and information processing by the people/entities responsible for or in charge of the processing is framed within the guarantee of and respect to the processing principles set forth by applicable law. These principles are legality, freedom, transparency, consent, information, quality, access and restricted distribution, purpose, loyalty, proportionality, safety and confidentiality.

5.3 We inform that these activities may involve third parties, including providers of flight booking systems, security tools for processing banking, transactions, call centers, tour operators, banks, insurance companies, our representatives or agents, loyalty program managers, and that these activities can be carried out in different countries other than the one where the service is contracted or the product is purchased, without prejudice to other purposes that have been set out in this document and under terms and conditions of each of our business units’ products and services.

5.4 The AIRLINES do not sell or trade the personal data and information of travelers, clients and users.

6. Duration of the processing of personal data and information

6.1 The information provided by travelers, clients and users may remain stored for up to ten (10) years from the date of the last processing, to enable the AIRLINES compliance with legal and/or contractual obligations under their charge, particularly in tax, fiscal and accounting matters or for the time deemed necessary to comply with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal and historical aspects of the information, or in any event provided by law.

7. Accuracy of information

7.1 Travelers, clients and users shall provide truthful information about their personal data and information in order to formalize the reservation and enable the provision of the contracted services, as well as to carry out any other services required, whose conditions they accept to provide the required information.

7.2 The AIRLINES assume the accuracy of the information provided and do not verify or assume the obligation to verify the identity or the authenticity of travelers, clients and users, nor the validity, adequacy and authenticity of the data provided by each one of them. Therefore, the Companies are not responsible for any damages of any kind that may originate due to the lack of accuracy, adequacy or authenticity of the information, including damages derived from homonyms or identity theft.

8. Information of children and underage adolescents

8.1 Children and underage adolescents may be users of our products and services, provided that they are duly authorized by their parents or guardians or that their parents or guardians act on their behalf. In the event that their parents or guardians of these children become aware of an unauthorized data processing, they may submit their inquiries or complaints to e_Solutions@centrosolucionavianca.com. The AIRLINES shall ensure the proper use of personal data of children and underage adolescents, complying with the applicable laws when processing such data, as well as the protection of their best interests and fundamental rights where possible, taking into account their opinions as owners of their personal data.

9. Use of cookies and web beacons

9.1 The AIRLINES may use cookies, web beacons and other similar technologies on their websites, mobile applications, electronic kiosks and on the electronic devices used to access thereto, in order to gather information about the origin of the connection and the activities and interests of travelers, clients and users when navigating the web, to increase website functionality and accessibility, to verify that users meet the criteria required to process their requests and adapt products and services to users’ needs, being able to obtain the following general information:

  1. The type of browser and operating system used.
  2. Websites visited.
  3. IP address.
  4. Duration of navigation.
  5. Device language.
  6. Accessed links.
  7. The last website visited before accessing Avianca.com.

9.2 These cookies, web beacons and other similar technologies can be disabled and deleted by the user whenever their wish. For this purpose, the travelers, clients and users may use the help settings of their internet browser.

10. Protection, safety and confidentiality of personal data and information

10.1 The protection, security and confidentiality of the personal data and information of travelers, clients and users are highly important for the AIRLINES. We have set forth policies, procedures and standards for information security, which may change at any time at the discretion of the AIRLINES and which aim to protect and preserve the integrity, confidentiality and availability of personal data and information, regardless of their nature or format, their temporary or permanent location or the way in which they are transmitted. Therefore, we rely on technological security tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing access to the information only to authorized personnel, data backup, safe development of software, etc.

10.2 Third parties contracted by the AIRLINES are equally bound to comply with this privacy policy, as well as with the policies and manuals of information safety of the AIRLINES and the safety protocols applied to all of our processes.

10.3 Any contract entered into by the AIRLINES with any third party (contractors, external consultants, temporary employees, etc.) which involves the processing of personal data and information of travelers, clients and users includes a confidentiality agreement detailing their commitments to the protection, care, safety and preservation of confidentiality, integrity and privacy thereof.

11. Procedure for the exercise of the rights of owners of information

11.1 Travelers, clients and users are entitled to access their personal information under our control and to exercise their rights as owners thereof, in accordance with the applicable terms of data protection regulations and with the provisions set forth in this Privacy Policy.

11.2 Consequently, the AIRLINES establish a general procedure for the exercise of rights by owners of personal data and information, which is set forth in paragraph 12 herein, without prejudice to the application of specific provisions set out by local laws in each territory. In case of a disagreement between the general procedure and the specific provisions set out by local laws, specific provisions shall prevail.

12. General procedure for the exercise of the rights of owners of personal data and information applicable in all territories where the companies operate:

12.1 Travelers, clients and users are entitled to see and know the details of the processing of personal data required by the AIRLINES, as well as to rectify them if inaccurate or incomplete and to request their deletion if not used for legal or contractual purposes or when not complying with the purposes and terms set out in this Privacy Policy.

12.2 By accepting this Privacy Policy, travelers, clients and users, freely and expressly state that they were previously informed about the following rights to which they are entitled by applicable laws as owners of personal data:

  1. To know, update and rectify their personal data and information before the entity that is responsible or in charge of the processing of their personal data and information.
  2. To request proof of the authorization granted to the entity that is responsible for the processing of their personal data and information, unless such request constitutes an express exception for such processing.
  3. To be informed, upon request, by the entity that is responsible for the processing of their personal data and information about how such personal data and information have been used.
  4. To file complaints before the corresponding authorities for violations to the applicable data protection provisions.
  5. To revoke the authorization and/or request the removal of the personal data and information under the terms of this Privacy Policy.
  6. To access personal data and information that was subject to processing, upon previous request to the AIRLINES and under the provisions of the corresponding valid and applicable regulations. If the requests exceed one per month, the AIRLINES will charge the owner requesting such information for its shipment, reproduction and, if applicable, certification costs.

12.3 The procedures for the exercise of their rights will be the following:

Requests: Owners, authorized persons or assignees may access their personal data and information in our databases, in which case we will supply the requested information, after verification of their entitlement to make the request. The request will be processed within a maximum term of ten (10) working days from the date of receipt thereof. In the event such request cannot be processed within said term, we will inform the reasons for the delay, indicating the date on which the request will be processed, which in no case shall exceed five (5) working days from the expiry of the first term.

Claims: If the owners, authorized persons or assignees consider that the personal data and information in our databases must be corrected, updated or deleted, or if they become aware of a potential breach to any of the duties set forth in the regulations, they may file a claim before the AIRLINES, which will be processed under the following rules:

  1. The claim shall be made through a request to the AIRLINES with their identification, the description of the facts related to the claim, their address, and the accompanying documents they want to enforce. If the claim is incomplete, we will require the missing information within five (5) days from the date of receipt thereof in order to rectify the information. If after two (2) months from the date of request the interested party has not filed the required information, we will consider the claim as abandoned.
  2. If we are not able to resolve the claim, it will be forwarded to the appropriate entity within a maximum term of two (2) business days and will be promptly informed thereof.
  3. The maximum term to process the claim will be fifteen (15) working days from the day following the date of the appropriate receipt thereof. If it is not possible to satisfy the claim within this term, we will inform you of the reasons for the delay and the date your claim will be processed, which in no case may exceed eight (8) working days following the expiry of the first term.

12.4 In order to enforce their rights, travelers, clients and users may exercise their rights to know, update, rectify and delete their personal data and information by sending their request to: e_Solutions@centrosolucionavianca.com, or through the Suggestions and Complaints service available at Avianca.com or through the Call Centers located in the countries where we operate.

12.5 The areas in charge of taking requests, inquiries or claims before which the owner of information may enforce their rights, according to the corresponding business unit or service, are:

  1. Air transport service clients and related services:
    Service Channel: Call Center, Avianca.com, e_Solutions@centrosolucionavianca.com.
    Responsible Area: Avianca Customer Service.
  2. Deprisa:
    Service Channel: Call Center, Deprisa.com.
    Responsible Area: Deprisa Customer Service.
  3. Avianca Services:
    Service Channel: salesaviancaservices@avianca.com.
    Área Responsable: Avianca Services.
  4. Avianca Cargo:
    Service Channel: Aviancacargo.com.
    Responsible Area: Avianca cargo.

12.6 The owner of the information shall include the following data in their request:

  1. Names
  2. Surnames
  3. ID Number
  4. E-mail
  5. Subject
  6. Type of document
  7. Telephone
  8. Country
  9. City
  10. Contact reason

12.7 In the event that any traveler, client, user or third party considers that the use of content in any of our communication channels, such as websites, mobile applications and kiosks constitutes a breach to their intellectual property rights, they shall notify it to the aforementioned e-mail addresses and include the following information:

  1. Personal data: name, address, telephone number and e-mail address of the claimant.
  2. Authentic signature, with the personal data of the holder of the intellectual property rights subject to infringement or of the person authorized to act on behalf of the holder of the intellectual property rights subject to infringement.
  3. Accurate and complete indication of the content that is protected by the intellectual property rights infringed and its location.
  4. Express and clear statement of the fact that such content has been used without the authorization of the holder of its intellectual property rights.
  5. Express and clear statement of the accuracy of the information provided in the notification and of the fact that the use of such content is an infringement to the intellectual property rights thereof. This statement shall be made under responsibility of the claimant.

12.7.1 The claims arising from these facts shall be subject to proper processing and resolution under the applicable legal proceedings, pursuant to the nature and applicability thereof.

12.8 The request for deletion of information and the revocation of the authorization or the request to restrict the use and disclosure of personal data will not proceed when the owner is legally or contractually bound to remain in the database, under the terms set forth by the applicable laws.

12.9 We have identified some territories where specific provisions are set out by local laws. In case you wish to know such specific provisions, please see the Appendices listed below:

  1. Appendix Colombia
  2. Appendix Mexico
  3. Appendix Peru
  4. Appendix European Union
  5. Appendix Canada
  6. Appendix United States

13. Amendments to the privacy policy

13.1 The AIRLINES reserve the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products.

13.2 These amendments will be made available to the public through the following channels: visible notices on their premises or customer service centers, on our websites, smartphone applications (Smartphones) or electronic kiosks (Privacy Notice) or through the last e-mail provided.

13.3 Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail as the authoritative and official text over any other versions in other languages. In the event that there is any inconsistency between the Spanish version and any translation of this Privacy Policy in another language, the Spanish version shall prevail.

14. Compliance hotline

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website Portal Web Ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

15. Duration

15.1 This General Privacy Policy is effective as of the day of its publication. The latest published revision was made on June 22, 2016.

16. Appendices

16.1 Appendix Colombia

Regarding information and personal data whose processing is carried out in Colombia, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 1581 of 2012 and its normative provisions. Pursuant to Article 10 of Decree 1377 of 2013, the AIRLINES request your permission to continue processing your personal data and information under the terms set out by this Privacy Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 of 2012, we inform you that by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your personal data and information to other countries in which we operate, where different levels of protection of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia, Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

You can exercise your rights to know, update, modify and/or delete your personal data via contactenos@avianca.com, pursuant to the general procedures set out in paragraph 12 of this General Privacy Policy. For the purposes of enforcing their rights, travelers, customers or users can exercise their rights to know, update, rectify and delete their personal data and information by sending a request to e_Solutions@centrosolucionavianca.com or through the Suggestions and Claims Services available at Avianca.com, or through our Call Centers: Bogota: 4013434; other cities in Colombia: 018000953434, in accordance with this Privacy Policy.

The AIRLINES contact details in Colombia are:

Adress: Avenida Eldorado No. 59 – 15, Bogota.
Bogota Telephone Number: 4013434.
Other cities in Colombia: 018000953434.
E-mail: e_Solutions@centrosolucionavianca.com.

16.2 Appendix Mexico

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Federal Law on Protection of Personal Data Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for the exercise of the right to access, rectify, cancel and oppose (ARCO, by its Spanish acronym) in Mexico:

Pursuant to the provisions of Mexican law, owners of personal data and information have the right to access, rectify, cancel or oppose the processing of their personal data, for which purpose the following procedure shall be carried out: The area responsible for the processing of personal data (Direction and Intelligence of Information) may be contacted through the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogotá.
E-mail: e_Solutions@centrosolucionavianca.com.

The request to access, rectify, cancel or oppose shall include, at least:

  1. Complete name and address of the owner of the personal data and information, or provide any other means to response to the request.
  2. Documents proving the identity or legal representation of the owner of the personal data and information.
  3. Clear and accurate description of the personal data and information subject to the enforcement of the aforementioned rights.
  4. Any other item or document that facilitates the location of personal data and information.
  5. Indicate the modifications to be made and/or limitations on the use of personal data and information, as set forth by this privacy policy.
  6. Provide documentation to support your request. The AIRLINES shall communicate the adopted resolution to the owner of the personal data and information, within a term not exceeding 20 working days from the date of receipt of the request. If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, the AIRLINES shall inform the owner of the personal data and information the meaning and motivation of the resolution, through the same means through which the request was carried out, and that resolution shall be accompanied with relevant evidence, if any.

If the request is appropriate, it will be executed by the AIRLINES within 15 working days following the communication of the adopted resolution.

Based on the response or lack of response by the AIRLINES, the owner may file a request for data protection with the Federal Institute of Access to Information (IFAI, by its Spanish acronym). Such request shall be submitted by the owner within 15 working days from the date the ARILINES communicate the response to the owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall be required to prove their identity.

The obligation of access to information shall be fulfilled when the AIRLINES make available the personal data and information to the owner or when such information is provided in form of photocopies or electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under the assumption that the AIRLINES are the responsible entities thereof, and it is ultimately concluded that the AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free of charge. Our customers, travelers or users should only cover the reasonable costs of shipping or reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion or opposition of personal data and information in less than 12 months from the date of the last request, the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification, deletion or opposition to the processing thereof in the following cases:

  1. If the petitioner is not the owner or legal representative or is not authorized.
  2. If the petitioner’s personal data and information is not contained in the databases of the AIRLINES.
  3. If the rights of any third party are violated.
  4. If there exists any legal impediment or resolution by an authority.
  5. If the rectification, deletion or opposition was previously carried out and the request is no longer pertinent.

The deletion of personal data and information will result in a lockout period after which the deletion of the data will be performed. Once the personal data and information are cancelled, the AIRLINES shall notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the purposes of the processing obligations arising from this policy. If the personal data and information are transmitted to third parties or entities in charge before the rectification or deletion and if they are subject to processing by such third parties, the AIRLINES shall inform such third parties about the request filed by the owner in order to make such rectifications and deletions.

The AIRLINES will not have any obligation to cancel the personal data and information in cases where the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or when the owner has a legal or contractual duty to remain in the database, under the terms set forth by the law. In addition, once the collected personal data and information are no longer necessary for the compliance with the purposes set forth by this policy and with the applicable legal provisions, such personal data and information will be cancelled from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Owners may at any time revoke their consent to the processing of their personal data and information. In order to do so, the owner shall send an e-mail written in Spanish to the following address: e_Solutions@centrosolucionavianca.com, which shall include the same requirements previously indicated for the exercise of ARCO rights, indicating the personal data and information subject to such revocation. The AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Owners may at any time limit their consent to the processing of their personal data and information for marketing and promotional purposes by sending an e-mail to the following address: e_Solutions@centrosolucionavianca.com, mentioning such limitations. The AIRLINES will stop sending information within ten (10) working days from the date of receipt of the e-mail.

The AIRLINES contact details in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Mexico Telephone Number: 01800 1233120.
E-mail: e_Solutions@centrosolucionavianca.com.

16.3 Appendix Peru

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS (hereinafter “the Law and its regulations”).

Travelers, clients and users are entitled to see and know the details of the processing of personal data and information we perform, to know the collected personal data and information, to oppose if necessary, to request their rectification if inaccurate or incomplete and to cancel them if not used according to the law, the terms and conditions of the purchased product or service, the corresponding contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about the following rights to which you are entitled as the owner of your personal data and information under Peruvian law:

  1. Access.
  2. Information.
  3. Rectification and Updating.
  4. Deletion.
  5. Opposition.

In order to exercise such rights, a request shall be sent to the AIRLINES including the following information:

  1. Names and surnames and authentication of the petitioner’s identity (copy of their ID or passport).
  2. Specific reasons for the request.
  3. Address or electronic address for the purposes of response notifications.
  4. Documents supporting the request (in the case of the right to rectify, cancel or oppose).
  5. Signature of the petitioner.

The procedures to exercise your rights are the following:

  1. Right to access and information:
    Owners may exercise the right to access the data contained in our database, in which case they will be provided with requested access information.
    The access request will be answered within a maximum term of twenty (20) working days from the day of receipt of the request.
    If processing the claim within this term is not possible, they will be informed of the reasons for the delay and the term for the response will be extended to twenty (20) additional working days. The owner of the data may exercise their right to information to know the manner in which such information has been collected.
    Such request will be answered within a maximum term of eight (8) working days from the day of receipt of the request. If the request to exercise the right of access or information is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after such 5-day term, the request shall be deemed not filed.
  2. Right to rectify, update, oppose or cancel:
    If the owner considers that the information contained in a database must be subject to correction, updating or deletion, they may file a duly supported request, which will be processed under the following rules: If the request is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after 5 days from the date of the request, the request shall be deemed not filed.
    On the other hand, if the information or documents supporting the request are insufficient, the AIRLINES may require additional documentation to process the request within seven (7) days from the date of receipt of the request and such information shall be submitted by the owner within ten (10) working days.
    In addition, if you have not submitted the required information after such term, such information shall be deemed not submitted. During the rectification or deletion processes, the AIRLINES or the responsible entities will block third-party access to the data.
    The maximum term to process a request of rectification, updating, opposition or deletion will be ten (10) working days from the date of receipt of the request. If processing the claim within this term is not possible, you will be informed of the reasons for the delay and the date your claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of the request.

The AIRLINES contact details in Peru are:

Address: Avenida Jose Pardo 831 (Piso 4) Miraflores Lima Perú.
Peru Telephone Number (Lima): 2136060.
E-mail: e_Solutions@centrosolucionavianca.com.

16.4 Appendix European Union

The provisions of this General Privacy Policy shall apply to travelers, customers or users who reside in a country of the European Union and for passengers who purchase their airline tickets in a country of the European Union. In addition, the following applies in order to ensure optimal protection of your personal data and information, in accordance with the legislation in force:

In some cases, it is possible that recipients of personal data and information are located outside of the European Union and may have full or partial access thereto (full name, passport or ID number, travel destination, etc.) in order to perform the contracted transport service and/or the purchased products or services, or for reasons set out by the law and regulations. In the event that such data were transferred to any place outside of the European Union, such transference shall be performed in accordance with the effective regulations (i.e. in Spain, Organic Law 15/1999 on Protection of Personal Data of December 13 and in the United Kingdom, the Data Protection Act 1998 of March 1, 2000).

In order to execute the transportation service contract and the provision of the purchased services, some essential date must be collected, such collection and processing may be refused by the passenger, however, such refusal may lead to the impossibility of performing the contracted service or to trip deletion. In addition, the provision of inaccurate data by the passenger may lead to denied boarding or denied entry to a foreign country.

When purchasing the service, the passenger will be informed of mandatory and non-mandatory data. Therefore, if the passenger fails to provide mandatory data, the corresponding services will not be performed.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data may exercise the rights of opposition, access, rectification and deletion of data under the terms provided by the applicable law (in Spain, Law 15/1999, Protection of Personal Data).

In order to exercise such rights, passengers shall submit a request to the AIRLINES including the documents to support the authenticity of their identity.

The AIRLINES contact details in the EUROPEAN UNION are:

Address: Avianca C/Castelló 23, 4º Izq. 28001 Madrid España.
E-mail: e_Solutions@centrosolucionavianca.com.

16.5 Appendix Canada

Regarding information and personal data whose processing is carried out in Canada, the procedures for the exercise of the rights of the owners of such information will be the ones set out by the Personal Information Protection and Electronic Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the establishment of rules governing collection, use and distribution of personal information in Canada. This Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since such provinces are exempt from the application of this statute since they have their own local regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles with which every private organization must comply when collecting, using or distributing personal information of any traveler, client or user, which can be seen at PIPEDA.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or claim to e_Solutions@centrosolucionavianca.com, which will be processed in accordance with the terms set out by this Privacy Policy and any other applicable law.

16.6 Appendix United States

The Department of Transportation of the United States of America (hereinafter DOT) states that the AIRLINES shall adequately report the collection, use and disclosure of personal data and information of travelers, clients or users.

Although there is no federal statute that specifically regulates the processing of personal data and information in this country, the DOT may investigate and prevent any practice related to trading air transport services, which also covers the processing of the personal data and information of our travelers, customers or users.

The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of America (also known as COPPA).

COPPA regulates the protection of the privacy of children in the United States and authorizes the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or guardians’ consent, they may contact the AIRLINES through e_Solutions@centrosolucionavianca.com, in which case the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the provisions set out by applicable laws.

Additionally, as applicable, you may check our Privacy and Data Protection Policies.

  • If you are a supplier of any AIRLINE and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Suppliers.
  • If you are an active employee, retiree, pensioner, related third party, beneficiary or candidate to a position in any of the AIRLINES and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Employees.
  • If you are a shareholder of Avianca S.A. and wish to check the privacy policies applicable to your personal data and information please see the Aerovías the Americas S.A. Avianca’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.
  • If you are a shareholder of Avianca Holdings S.A. and wish to check the privacy policies applicable to your personal data and information please see Avianca Holdings S.A.’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.

Aerovias del Continente Americano S.A. Privacy Policy for the Protection of Personal Data of Shareholders and Investors

The purpose of this Aerovías del Continente Americano S.A. Privacy Policy for the Protection of Personal Data of Shareholders and Investors is to establish the processing of the personal data of its Shareholders and Investors, the purposes of data processing, the protection of data and the rights to which owners of personal data are entitled and the procedures to exercise such rights.

Aerovías del Continente Americano S.A. (hereinafter Avianca or the Company) acknowledges the importance of protecting and ensuring the safety, privacy and confidentiality of personal data collected from its Shareholders and Investors through the different channels available and it will ensure the protection and processing (as defined afterwards) thereof, in accordance with the legal provisions regarding personal data protection under the terms of this Policy.

Contents

  1. Definitions

  2. Scope

  3. Processing purposes and authorization

  4. Rights of the shareholders and investors as owners of their personal data and procedures to exercise such rights

  5. Protection, safety y confidentiality of personal data and information

  6. Compliance hotline

  7. Amendments to the privacy policy

  8. Term of validity of authorization

1. Definitions

For the purposes of this Policy, the following words and expressions will have the meaning ascribed:

  1. Common Shares: shares issued by the Company which carry voting rights.
  2. Common Shareholder: An individual or entity that holds one or more Common Shares.
  3. Bonds: Common bonds issued by the Company in 2009.
  4. Investor: An individual or entity that holds one or more Bonds.
  5. Direct Depositors: Brokers authorized by the Financial Superintendence, who act as intermediaries in exchange operations of Bonds and who act on behalf of the Investor before DECEVAL.
  6. Processing: In this Policy, Processing is any operation or set of operations over the personal data of each Common Shareholder and Investor, for the purposes set forth in this Policy.
  7. Entities in charge of the Processing: Legal entities affiliated to the Company, who act on its behalf in handling administrative and/or accounting process that involve processing of personal data related to Common Shares, Bonds, and each Common Shareholder and Investor and (ii) DECEVAL, the entity responsible for the administration of Bonds on behalf of the ISSUING COMPANY, in accordance with the provisions of the Manual of Policies for Personal Data Processing available on the DECEVAL’s website, under the Commercial Offer of Deposit and Administration of the Dematerialized Issuance of Ordinary Bonds, presented by the Colombian Central Securities Depository, DECEVAL S.A. and accepted through purchase order by Aerovías del Continente Americano S.A. Avianca, regarding processing of personal data of each Investor.
  8. Entity responsible for the Processing: The Company.

2. Scope

This Policy applies to the Processing of personal data of Common Shareholders and Investors carried out by Avianca as the entity responsible for the Processing.

In addition, this Policy applies to the Processing that the following companies carry out as affiliates of Avianca Holdings S.A. and as Entities in charge of Processing:

  1. Aerovías del Continente Americano S.A. Avianca, incorporated in the Republic of Colombia.
  2. Taca International Airlines S.A., incorporated in the Republic of El Salvador.
  3. Líneas Aéreas Costarricenses S.A. Lacsa, incorporated in the Republic of Costa Rica.
  4. Taca Costa Rica S.A. incorporated in the Republic of Costa Rica.

On the other hand, since the administration of personal data of Investors of the Company is carried out through the Central Securities Depository DECEVAL S.A., as the Entity in charge of the Processing, the Company acts in its capacity of Entity Responsible for the Processing of such data, which have been collected through banking or brokerage institutions, who act as Direct Depositors on behalf of Investors before DECEVAL and who, due to the functions legally carried out by them, are also Entities in charge of the Processing, collect such data on behalf of the Company and submit them directly to DECEVAL under the contractual relation they maintain with such Entity.

The POLICY MANUAL – PROCESSING OF PERSONAL DATA adopted by DECEVAL applies to the Processing carried out by DECEVAL as the Entity in charge of the Processing of personal data of Investors under the contract entered into between such entity and the Company. Such policy manual is available at Deceval.com.co.

3. Processing purposes and authorization

Personal data of each Common Shareholder and Investor is partially or totally processed by the Company, including the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred. By accepting this Privacy Policy each Common Shareholder and Investor acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Keeping the records of its Shareholders and Investors.
  2. Accessing and updating the personal data of its Shareholders and Investors.
  3. Contacting and sending information regarding the Company.
  4. Issuing certifications required by Shareholders or Investors.
  5. Paying dividends and yields.
  6. Processing inquiries, claims and complaints.
  7. Carrying out accounting records.
  8. Managing correspondence and e-mail communications or telephone calls.
  9. Processing and/or initiating legal proceedings.
  10. Recording the transfer of shares or bonds.
  11. Recording levies on shares and bonds.
  12. Responding to the requirements of different national and international oversight and supervision, administrative, police and judicial authorities.
  13. Requesting information to Credit Reporting Agencies.
  14. Verifying and requesting criminal or disciplinary records and the existence of administrative sanctions.
  15. Verifying and accessing restrictive lists.
  16. Responding to the requirements of banking institutions and/or insurance companies, which maintain contractual or business relations with the Company.
  17. Using or disclosing them in defense of the rights and/or property of the Company.
  18. Using or disclosing them for fraud detection or prevention or criminal prosecution.
  19. Allowing access to personal data and information to auditors or third parties hired by the Company to perform internal or external audit processes of the commercial activities carried out by the Company.
  20. Contracting third parties for the storage and/or processing thereof under safety and confidentiality standards.
  21. Transmitting them national or international entities to which the Company will commission processes related to shares or bonds.
  22. Transmitting them to third parties interested in investing in the Company or in any integration process under any legal form provided by law.
  23. Transferring them to national or international entities during business or corporate situations that involve change of the Entity Responsible for the Processing of personal data, in which case such situation will be informed to the owners of personal data in order for them to exercise their rights in accordance with the law.
  24. In general, to carry out any other proceeding in charge of by Company in connection with shares or bonds.

The Company recognizes that once a share or bond issued by the Company is acquired by a Common Shareholder or Investor, they authorize the processing of their personal data for the aforementioned purposes.

4. Rights of the shareholders and investors as owners of their personal data and procedures to exercise such rights

Rights of Shareholders and Investors in connection with the processing of their personal data

Shareholders and Investors are entitled to see and know the details of the processing and use of personal data required carried out by the Entity Responsible of the Processing or the Entities in charge of the Processing, as well as to rectify them if inaccurate or incomplete, to file complaints with the relevant authorities and to revoke the authorization and request their deletion if not processed under constitutional and legal principles, rights and guarantees, before the due process, and in particular to:

  1. Know, update and rectify their personal data and information with the Entity Responsible of the Processing or the Entities in charge of the Processing of their personal data and information.
  2. Request proof of authorization granted to the Entity Responsible for the Processing, except when expressly disregarded as a requirement for the processing.
  3. Be informed by the Entity Responsible of the Processing or the Entities in charge of the processing about how such personal data and information have been used.
  4. File complaints with the relevant authorities in the event that the applicable provisions regarding personal data protection are violated.
  5. Revoke authorization and/or request the deletion of personal data and information under the terms of this Privacy Policy.
  6. Access the personal data and information that have been subject to processing, upon previous request to the Company and under the valid and applicable regulations.

Procedure to Exercise their Rights

The Company has established the following procedure for the exercise of rights by Shareholders and Investors, without prejudice to the application of specific provisions set out by local laws in each territory. In case of a disagreement between the general procedure herein and the specific provisions set out by local laws, specific provisions shall prevail.

Processing requests to update and access personal data:

Common Shareholders or Investors or their successors, may file claims, inquiries and requests to update their personal data, as follows:

  1. The Common Shareholder shall file their claims, inquiries and requests to update the information via e-mail or through written communication directed to the President or Secretary General of the Company.
  2. Investors who own bonds shall file their claims, inquiries and/or requests to update the information through the channels provided by DECEVAL to carry out this process.

Upon receiving a request to update the information, the Company or the Entity in charge, which may be a company affiliated to Avianca Holdings S.A., will validate if such request correspond to a Shareholder or Investor and will perform the update within fifteen (15) working days following the date of the request. If such update or change of the information of the Shareholders or Investors involves changing the name or marital status, or in the cases of legal entities, a change of business name or partners, they shall attach the legal supporting documents to prove the new situation.

Inquiries will be processed by the Company or the Entity in charge, which may be a company affiliated to Avianca Holdings S.A., within a maximum term of ten (10) working days from the date of receipt thereof. In the event such request cannot be processed within said term, the Company or the Entity in charge will inform the reasons for the delay, indicating the date on which the request will be processed, which in no case shall exceed five (5) working days from the expiry of the first term.

If an Entity in charge is not an affiliated company of Avianca Holdings S.A., requests and inquiries regarding personal data will be processed according to the procedure established by such Entity, under its own privacy policies.

Processing claims about personal data

If the Common Shareholder or Investor, or they successors, consider that the personal data related their Shares or Bonds must be corrected or deleted, or if they become aware of a potential breach to any of the duties set forth in the regulations or in this Policy, they may file a claim, which will be processed as follows:

The Common Shareholder shall file their claims via e-mail or through written communication directed to the President or Secretary General of the Company taking into consideration the following rules:

  1. The claim shall be accompanied with their identification, the description of the facts related to the claim, their address, and the accompanying documents they want to enforce. If the claim is incomplete, the Company will require the missing information within five (5) days from the date of receipt thereof in order to rectify the information. If after two (2) months from the date of request the Common Shareholder has not filed the required information, the Company will consider the claim as abandoned.
  2. If the Company is not able to resolve the claim, it will be forwarded to the appropriate entity within a maximum term of two (2) business days and the Common Shareholder will be promptly informed thereof.
  3. The maximum term to process the claim will be fifteen (15) working days from the day following the date of the appropriate receipt thereof. If it is not possible to satisfy the claim within this term, the Common Shareholder will be informed of the reasons for the delay and the date their claim will be processed, which in no case may exceed eight (8) working days following the expiry of the first term.
  4. Common Shareholders may exercise their rights to know, update, rectify and/or delete their personal data via e-mail to ir@avianca.com, in accordance with the terms of this Privacy Policy. The contact details of the Company in Colombia are: Avenida Eldorado No. 59 – 15, Bogota.

Investors who own bonds shall file their claims, inquiries and/or requests to update the information through the channels provided by DECEVAL to carry out this process.

5. Protection, safety y confidentiality of personal data and information

The protection, security and confidentiality of the personal data and information of Share-holders and Investors are highly important for the Company. We have set forth policies, procedures and standards for information security, which may change at any time at the discretion of the Companies and which aim to protect and preserve the integrity, confiden-tiality and availability of personal data and information, regardless of their nature or format, their temporary or permanent location or the way in which they are transmitted. Therefore, we rely on technological security tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing ac-cess to the information only to authorized personnel, data backup, safe development of software, etc.

Third parties contracted by the Company are equally bound to comply with this privacy policy, as well as with the policies and manuals of information safety of the Company and the safety protocols applied to all of our processes.

Any contract entered into by the Company with any third party (contractors, external con-sultants, temporary employees, etc.) which involves the processing of personal data and information of travelers, clients and users includes a confidentiality agreement detailing their commitments to the protection, care, safety and preservation of confidentiality, integri-ty and privacy thereof.

6. Compliance hotline

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website Ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

7. Amendments to the privacy policy

The Company reserves the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products. These amendments will be made available to the public at Aviancaholdings.com.

8. Term of validity of authorization

The personal information of Shareholders and Investors may remain stored and processed in accordance with this Policy, for up to twenty (20) years from the date of the last processing, to enable the Company compliance with legal and/or contractual obligations or for the time set out by law if such period is longer, in order to comply with the provisions applicable, in particular, to the administrative, accounting, tax-related, legal and historical aspects related to the shares or bonds.

This General Privacy Policy is effective as of the day of its publication. The latest published revision was made on June 22, 2016.

Additionally, as applicable, you may check our Privacy and Data Protection Policies.

  • If you are a supplier of any AIRLINE and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Suppliers.
  • If you are an active employee, retiree, pensioner, related third party, beneficiary or candidate to a position in any of the AIRLINES and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Employees.
  • If you are a traveler, customer or user of our services and wish to check the privacy policies applicable to your personal data and information, please see our General Privacy Policy for the Protection of the Personal Data of Travelers, Customers and Users.
  • If you are a shareholder of Avianca Holdings S.A. and wish to check the privacy policies applicable to your personal data and information please see Avianca Holdings S.A.’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.

Privacy Policy for Suppliers

Confidentiality and due protection of the personal information trusted to the Companies is highly important. Pursuant to their Code of Ethics, all the companies that act under the Avianca trademark are committed to process the data of their supplier in a responsible manner.

The Companies need to collect certain personal data in order to carry out the activities related to their commercial operation. The Companies have the legal and social obligation to comply with the legal and safety measures set out to protect the personal data collected for the purposes described in this privacy policy, which can be found on our website Avianca.com.

Contents

  1. Entities responsible for the collected information

  2. Collected Data

  3. Purpose of Data Processing

  4. Data transfer and transmission

  5. Information updating and inactivation

  6. VDuration of Personal Data and Information Processing

  7. Protection, Safety and Confidentiality of the Information

  8. Amendments to the Privacy Policy

  9. Compliance Hotline

  10. Term of Validity

  11. Appendices

1. Entities responsible for the collected information

The airlines Aerovías del Continente Americano S.A. Avianca, Tampa Cargo S.A., trading companies incorporated in the Republic of Colombia, Aerolíneas Galápagos S.A. Aerogal, a trading company incorporated in the Republic of Ecuador, and the airlines composing Grupo Taca: Taca International Airlines S.A., incorporated in the Republic of El Salvador, Líneas Aéreas Costarricenses S.A. Lacsa, incorporated in the Republic of Costa Rica, Trans American Airlines S.A.S, incorporated in the Republic of Peru, Aviateca, S.A., a company incorporated under the laws of Guatemala, each and all of them hereinafter individually and collectively referred to as the “Companies”, are responsible for the processing of personal data and information.

2. Collected Data

In order to effectively comply with our obligation arising from the purchasing or contracting of goods and services, we require certain information from our suppliers such as:

Business names or names of individuals.

  1. Trademarks.
  2. Fiscal and tax identification information.
  3. Bank information for transfer payments.
  4. Contacts.
  5. Copies of supporting bank and fiscal documents.
  6. Address, e-mail, telephone and/or fax number of the supplier.

Any other supporting documentation required by the nature of the purchase or service contract once suppliers provide the Companies with their information, they authorize the Companies to keep in their records all the information provided by any channel, in order to gather their personal and control data.

3. Purpose of Data Processing

The collected information may be used for the following purposes:

  1. Assessing and selecting potential suppliers.
  2. Complying with fiscal and legal obligations set forth by governmental or regulatory entities.
  3. Establishing business relations in order to purchase goods or services. Controlling and paying the supplied goods or services.
  4. Qualitative and quantitative evaluations of the services provided by the suppliers.
  5. Communicating policies and procedures on business conduct regarding suppliers.
  6. Processes of control and accounting recording of the obligations established with the suppliers.
  7. Inquiries, auditing and reviews arising from the business relations established with suppliers.
  8. Any other activity that is necessary to comply with the business relation between the supplier and the Companies.

4. Data transfer and transmission

The information provided by suppliers will be processed in accordance with the provisions of this privacy policy for suppliers, unless such suppliers authorize in written form the use of such information for different purposes. The physical and electronic access to the provided data will be limited to officers that need to access such data in order to comply with the established purposes.

The Companies commit to ensuring the compliance with all the legal principles of protection regarding data transmission under the terms of this privacy policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

The Companies communicate the following purposes:

Since we are part of an international holding, the information provided by suppliers needs to be available to all the companies that are part of the Holding, in order to carry out the processes binding suppliers.

We are often under the legal obligation of providing part of your information to administrative, legal, fiscal and regulatory authorities.

Suppliers accept that their personal identification information may be subject to transfer in the event that the Companies are partially or totally subject to sale, merge or any other form of transfer to a different entity.

5. Information updating and inactivation

The Companies may eventually request their suppliers to check and update the information collected about them.

In addition, suppliers may request any change in the provided information and exercise the legal rights to which they are entitled as owners of personal information by sending their request to afiliacion.proveedores@avianca.com.

Suppliers may at any time and under legitimate reasons object in any written form the processing of their personal data. If their request is applicable, the Companies will no longer process such data.

The Companies have a policy to conduct periodic debugging of information belonging to providers whose business relation with the Companies have been terminated or interrupted.

6. Duration of Personal Data and Information Processing

The information provided by suppliers will remain stored for up to ten (10) years from the date of the last processing, to enable the AIRLINES compliance with legal and/or contractual obligations under their charge, particularly in tax, fiscal and accounting matters.

7. Protección, seguridad y confidencialidad de la información

The information of suppliers of products and/or services is highly important for the Companies, therefore, we have set forth policies, procedures and standards for information security, which aim to protect and preserve the integrity, confidentiality and availability of such information, regardless of the medium or format in which they are stored, their temporary or permanent location or the way in which they are transmitted under the terms set out in this privacy policy and/or the way in which they are transferred within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

Therefore, we rely on technological tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing access to the information only to authorized personnel, data backup, safe development of software, etc.

8. Amendments to the Privacy Policy

This privacy policy may be amended if deemed necessary by the Companies. We reserve the right to update and make significant amendments to this policy, as well as to the practices we implement to process information. Suppliers are entitled to request at any time a copy of the current privacy policy and are also entitled to exercise their rights as owners of personal data in accordance with the valid and applicable laws.

9. Compliance Hotline

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website http://aviancaholdings.ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

10. Term of Validity

This General Privacy Policy is effective as of the day of its publication. The latest published revision was made on June 22, 2016.

11. Appendices

11.1 Appendix Colombia

Regarding information and personal data whose processing is carried out in Colombia, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 1581 of 2012 and its normative provisions. Pursuant to Article 10 of Decree 1377 of 2013, the AIRLINES request your permission to continue processing your personal data and information under the terms set out by this Privacy Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 of 2012, we inform you that by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your personal data and information to other countries in which we operate, where different levels of protection of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia, Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

You can exercise your rights to know, update, modify and/or delete your personal data via contactenos@avianca.com, pursuant to the general procedures set out in paragraph 12 of this General Privacy Policy. For the purposes of enforcing their rights, travelers, customers or users can exercise their rights to know, update, rectify and delete their personal data and information by sending a request to e_Solutions@centrosolucionavianca.com or through the Suggestions and Claims Services available at www.avianca.com, or through our Call Centers: Bogota: 4013434; other cities in Colombia: 018000953434, in accordance with this Privacy Policy.

The AIRLINES contact details in Colombia are:

Address: Avenida Eldorado No. 59 – 15, Bogotá.
Bogota Telephone Number: 4013434.
Other cities in Colombia: 018000953434.
E-mail: e_Solutions@centrosolucionavianca.com.

11.2 Appendix Mexico

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Federal Law on Protection of Personal Data Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for the exercise of the right to access, rectify, delete and oppose (ARCO, by its Spanish acronym) in Mexico:

Pursuant to the provisions of Mexican law, owners of personal data and information have the right to access, rectify, delete or oppose the processing of their personal data, for which purpose the following procedure shall be carried out: The area responsible for the processing of personal data (Direction and Intelligence of Information) may be contacted through the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogotá.
E-mail: e_Solutions@centrosolucionavianca.com.

The request to access, rectify, delete or oppose shall include, at least:

  1. Complete name and address of the owner of the personal data and information, or provide any other means to response to the request.
  2. Documents proving the identity or legal representation of the owner of the personal data and information.
  3. Clear and accurate description of the personal data and information subject to the enforcement of the aforementioned rights.
  4. Any other item or document that facilitates the location of personal data and information.
  5. Indicate the modifications to be made and/or limitations on the use of personal data and information, as set forth by this privacy policy.
  6. f. Provide documentation to support your request. The AIRLINES shall communicate the adopted resolution to the owner of the personal data and information, within a term not exceeding 20 working days from the date of receipt of the request. If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, the AIRLINES shall inform the owner of the personal data and information the meaning and motivation of the resolution, through the same means through which the request was carried out, and that resolution shall be accompanied with relevant evidence, if any.

If the request is appropriate, it will be executed by the AIRLINES within 15 working days following the communication of the adopted resolution.

Based on the response or lack of response by the AIRLINES, the owner may file a request for data protection with the Federal Institute of Access to Information (IFAI, by its Spanish acronym). Such request shall be submitted by the owner within 15 working days from the date the ARILINES communicate the response to the owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall be required to prove their identity.

The obligation of access to information shall be fulfilled when the AIRLINES make available the personal data and information to the owner or when such information is provided in form of photocopies or electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under the assumption that the AIRLINES are the responsible entities thereof, and it is ultimately concluded that the AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free of charge. Our customers, travelers or users should only cover the reasonable costs of shipping or reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion or opposition of personal data and information in less than 12 months from the date of the last request, the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification, deletion or opposition to the processing thereof in the following cases:

  1. If the petitioner is not the owner or legal representative or is not authorized.
  2. If the petitioner’s personal data and information is not contained in the databases of the AIRLINES.
  3. If the rights of any third party are violated.
  4. If there exists any legal impediment or resolution by an authority.
  5. If the rectification, deletion or opposition was previously carried out and the request is no longer pertinent.

The deletion of personal data and information will result in a lockout period after which the deletion of the data will be performed. Once the personal data and information are deleted, the AIRLINES shall notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the purposes of the processing obligations arising from this policy. If the personal data and information are transmitted to third parties or entities in charge before the rectification or deletion and if they are subject to processing by such third parties, the AIRLINES shall inform such third parties about the request filed by the owner in order to make such rectifications and deletions.

The AIRLINES will not have any obligation to delete the personal data and information in cases where the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or when the owner has a legal or contractual duty to remain in the database, under the terms set forth by the law. In addition, once the collected personal data and information are no longer necessary for the compliance with the purposes set forth by this policy and with the applicable legal provisions, such personal data and information will be deleted from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Owners may at any time revoke their consent to the processing of their personal data and information. In order to do so, the owner shall send an e-mail written in Spanish to the following address: e_Solutions@centrosolucionavianca.com, which shall include the same requirements previously indicated for the exercise of ARCO rights, indicating the personal data and information subject to such revocation. The AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Owners may at any time limit their consent to the processing of their personal data and information for marketing and promotional purposes by sending an e-mail to the following address: e_Solutions@centrosolucionavianca.com, mentioning such limitations. The AIRLINES will stop sending information within ten (10) working days from the date of receipt of the e-mail.

The AIRLINES contact details in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Mexico Telephone Number: 01800 1233120.
E-mail: e_Solutions@centrosolucionavianca.com.

11.3 Appendix Peru

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS (hereinafter “the Law and its regulations”).

Travelers, clients and users are entitled to see and know the details of the processing of personal data and information we perform, to know the collected personal data and information, to oppose if necessary, to request their rectification if inaccurate or incomplete and to delete them if not used according to the law, the terms and conditions of the purchased product or service, the corresponding contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about the following rights to which you are entitled as the owner of your personal data and information under Peruvian law:

  1. Access.
  2. Information.
  3. Rectification and Updating.
  4. Deletion.
  5. Opposition.

In order to exercise such rights, a request shall be sent to the AIRLINES including the following information:

  1. Names and surnames and authentication of the petitioner’s identity (copy of their ID or passport).
  2. Specific reasons for the request.
  3. Address or electronic address for the purposes of response notifications.
  4. Documents supporting the request (in the case of the right to rectify, delete or oppose).
  5. Signature of the petitioner.

The procedures to exercise your rights are the following:

  1. Right to access and information:
    Owners may exercise the right to access the data contained in our database, in which case they will be provided with requested access information.
    The access request will be answered within a maximum term of twenty (20) working days from the day of receipt of the request.
    If processing the claim within this term is not possible, they will be informed of the reasons for the delay and the term for the response will be extended to twenty (20) additional working days. The owner of the data may exercise their right to information to know the manner in which such information has been collected.
    Such request will be answered within a maximum term of eight (8) working days from the day of receipt of the request. If the request to exercise the right of access or information is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after such 5-day term, the request shall be deemed not filed.
  2. Right to rectify, update, oppose or delete:
    If the owner considers that the information contained in a database must be subject to correction, updating or deletion, they may file a duly supported request, which will be processed under the following rules: If the request is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after 5 days from the date of the request, the request shall be deemed not filed.
    On the other hand, if the information or documents supporting the request are insufficient, the AIRLINES may require additional documentation to process the request within seven (7) days from the date of receipt of the request and such information shall be submitted by the owner within ten (10) working days.
    In addition, if you have not submitted the required information after such term, such information shall be deemed not submitted. During the rectification or deletion processes, the AIRLINES or the responsible entities will block third-party access to the data.
    The maximum term to process a request of rectification, updating, opposition or deletion will be ten (10) working days from the date of receipt of the request. If processing the claim within this term is not possible, you will be informed of the reasons for the delay and the date your claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of the request.

The AIRLINES contact details in Peru are:

Address: Avenida Jose Pardo 831 (Piso 4) Miraflores Lima Perú.
Peru Telephone Number (Lima): 2136060.
E-mail: e_Solutions@centrosolucionavianca.com.

11.4 Appendix European Union

The provisions of this General Privacy Policy shall apply to travelers, customers or users who reside in a country of the European Union and for passengers who purchase their airline tickets in a country of the European Union. In addition, the following applies in order to ensure optimal protection of your personal data and information, in accordance with the legislation in force:

In some cases, it is possible that recipients of personal data and information are located outside of the European Union and may have full or partial access thereto (full name, passport or ID number, travel destination, etc.) in order to perform the contracted transport service and/or the purchased products or services, or for reasons set out by the law and regulations. In the event that such data were transferred to any place outside of the European Union, such transference shall be performed in accordance with the effective regulations (i.e. in Spain, Organic Law 15/1999 on Protection of Personal Data of December 13 and in the United Kingdom, the Data Protection Act 1998 of March 1, 2000).

In order to execute the transportation service contract and the provision of the purchased services, some essential date must be collected, such collection and processing may be refused by the passenger, however, such refusal may lead to the impossibility of performing the contracted service or to trip deletion. In addition, the provision of inaccurate data by the passenger may lead to denied boarding or denied entry to a foreign country.

When purchasing the service, the passenger will be informed of mandatory and non-mandatory data. Therefore, if the passenger fails to provide mandatory data, the corresponding services will not be performed.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data may exercise the rights of opposition, access, rectification and deletion of data under the terms provided by the applicable law (in Spain, Law 15/1999, Protection of Personal Data).

In order to exercise such rights, passengers shall submit a request to the AIRLINES including the documents to support the authenticity of their identity.

The AIRLINES contact details in the EUROPEAN UNION are:

Address: Avianca C/Castelló 23, 4º Izq. 28001 Madrid España.
E-mail: e_Solutions@centrosolucionavianca.com.

11.5 Appendix Canada

Regarding information and personal data whose processing is carried out in Canada, the procedures for the exercise of the rights of the owners of such information will be the ones set out by the Personal Information Protection and Electronic Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the establishment of rules governing collection, use and distribution of personal information in Canada. This Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since such provinces are exempt from the application of this statute since they have their own local regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles with which every private organization must comply when collecting, using or distributing personal information of any traveler, client or user, which can be seen at PIPEDA.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or claim to e_Solutions@centrosolucionavianca.com, which will be processed in accordance with the terms set out by this Privacy Policy and any other applicable law.

11.6 Appendix United States

The Department of Transportation of the United States of America (hereinafter DOT) states that the AIRLINES shall adequately report the collection, use and disclosure of personal data and information of travelers, clients or users.

Although there is no federal statute that specifically regulates the processing of personal data and information in this country, the DOT may investigate and prevent any practice related to trading air transport services, which also covers the processing of the personal data and information of our travelers, customers or users.

The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of America (also known as COPPA).

COPPA regulates the protection of the privacy of children in the United States and authorizes the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or guardians’ consent, they may contact the AIRLINES through e_Solutions@centrosolucionavianca.com, in which case the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the provisions set out by applicable laws.

Additionally, as applicable, you may check our Privacy and Data Protection Policies.

  • If you are a traveler, customer or user of our services and wish to check the privacy policies applicable to your personal data and information please see our General Privacy Policy for the Protection of the Personal Data of Travelers, Customers and Users.
  • If you are an active employee, retiree, pensioner, related third party, beneficiary or candidate to a position in any of the AIRLINES and wish to check the privacy policies applicable to your personal data and information, please see our Privacy Policy for Employees.
  • If you are a shareholder of Avianca S.A. and wish to check the privacy policies applicable to your personal data and information please see the Aerovías the Americas S.A. Avianca’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.
  • If you are a shareholder of Avianca Holdings S.A. and wish to check the privacy policies applicable to your personal data and information please see Avianca Holdings S.A.’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.

Privacy policy regarding human resources processes of the companies

Contents

  1. Who we are

  2. Purpose of the Privacy Policy

  3. Acceptance of this Privacy Policy

  4. Scope of aplication

  5. Collected personal data and information

  6. Duration of personal data and information processing

  7. Accuracy of information

  8. Information of children and underage adolescents

  9. Use of cookies and web beacons

  10. Protection, safety and confidentiality of personal data and information

  11. Procedure for the exercise of the rights of owners of information

  12. General procedure for the exercise of the rights of owners of personal data and information applicable in all territories where the companies operate

  13. Amendments to the privacy policy

  14. Duration of personal data and information processing

  15. Storage of occupational health records

  16. Compliance hotline

  17. Term of validity

  18. Appendices

1. Who we are

The Companies:

Aerovías del Continente Americano S.A. Avianca a trading company incorporated in the Republic of Colombia, who acts as employer, directly or through its legally constituted branches in Argentina, Aruba, Colombia, Brazil, Curacao, Spain, London, Panama and Venezuela.

Tampa Cargo S.A.S., a trading company incorporated in the Republic of Colombia, who acts as employer, directly or through its legally constituted in Colombia and the United States.

Taca International Airlines S.A., a trading company incorporated in the Republic of El Salvador, who acts as employer, directly or through its legally constituted in El Salvador and Guatemala.

Trans American Airlines S.A., a trading company incorporated in the Republic of Peru, who acts as employer, directly or through its legally constituted in Argentina, Bolivia, Brazil, Guatemala, Paraguay, Peru.

Aerolíneas Galápagos S.A. Aerogal, a trading company incorporated in the Republic of Ecuador, who acts as employer in Ecuador.

Líneas Aéreas Costarricenses S.A. Lacsa, a trading company incorporated in the Republic of Costa Rica, who acts as employer, directly or through its legally constituted in Costa Rica, Cuba, Dominican Republic and Venezuela.

Aviateca S.A., a trading company incorporated in the Republic of Guatemala, who acts as employer in Guatemala.

Aviaservicios S.A., a trading company incorporated in the Republic of Guatemala, who acts as employer in Guatemala.

Pitasa S.A., a trading company incorporated in the Republic of Guatemala, who acts as direct employer in Guatemala.

American Central Corporation, a trading company incorporated in the United States of America, who acts as employer, directly or through its legally constituted in the United States, Canada and Puerto Rico.

Grupo Taca de Chile S.A., a trading company incorporated in the Republic of Chile, who acts as employer in Chile.

Isleña de Inversiones, S.A. de C.V., a trading company incorporated in the Republic of Honduras, who acts as employer in Honduras.

Servicio Terrestre, Aéreo y Rampa S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Servicios Aéreos Nacionales S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Servicios Aeronáuticos PilotCrew-CR S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Servicios Misceláneos Australes S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Tripulantes de Taca S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Vu-Marsat S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Taca de Costa Rica S.A., a trading company incorporated in the Republic of Costa Rica, who acts as employer in Costa Rica.

Pilotos de Taca S.A. de C.V., a trading company incorporated in the Republic of El Salvador, who acts as employer in El Salvador.

Technical and Training Services, S.A. de C.V., a trading company incorporated in the Republic of El Salvador, who acts as employer in El Salvador.

Avianca Inc., a trading company incorporated in the United States of America, who acts as employer in the United States.

Taca de Honduras S.A. de C.V., a trading company incorporated in the Republic of Honduras, who acts as employer in Honduras.

Grupo Taca Panamá S.A., a trading company incorporated in the Republic of Panama, who acts as employer in Panama.

Nicaragüense de Aviación S.A., a trading company incorporated in the Republic of Nicaragua, who acts as employer in Nicaragua.

Taca de México S.A., a trading company incorporated in the United States of Mexico, who acts as employer in Mexico.

C.R. Int'l Enterprises, Inc., a trading company incorporated in the United States of America, who acts as employer in the United States.

Each and all of them hereinafter individually and collectively referred to as the “Companies”, who, for the purpose of the provision and commercialization of passenger and product air transport services and related services such as tour packages, air and/or land cargo transport services, express courier and courier services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA, AEROGAL, AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA TOURS, DEPRISA, PREFERENCIA “Business Travel Program”, AVIANCA EXPERIENCE AIRPASS, AVIANCA STORE or solely under the trademark AVIANCA, each and all of them respectively responsible for and/or in charge of the treatment of personal data and information.

2. Purpose of the Privacy Policy

2.1 The purpose of this Privacy Policy is to communicate to each owner of personal data the type of data and information collected and its purpose, use and protection, as well as the rights to which they are entitled as owners of the information and the corresponding procedures to exercise them.

2.2 We acknowledge the importance of safety, privacy and confidentiality of the personal data and information provided by the owners of the information through the different channels (including websites, applications, physical documents), and we are committed to its protection and proper processing, in accordance with the legal provisions regarding data protection set out in each of the territories in which we operate.

3. Acceptance of this Privacy Policy

3.1 Express acceptance of this Privacy Policy and of the processing of personal data and information in accordance with the terms thereof takes effect when the owner of the information provides personal data through any channel or medium established by the Companies in order to properly execute the various processes and procedures related to Human Resources management.

3.2 For purposes of this Policy, the term "processing" involves any operation or set of operations over personal data and information such as, use, collection, storage, disclosure, distribution or deletion thereof.

3.3 By accepting this Privacy Policy, each of the owners of information, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected data within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred. By accepting this Privacy Policy each of the owners of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Using the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as the administration of vacancies available in the Companies, information related to recruitment and selection processes, collective benefits of employment contracts, payroll receipts, training courses and/or any other type of information directly or indirectly related to the fulfillment of the obligations of the employment, civil or commercial contract and with Human Resource management.
  2. Providing personal data and information to national and international oversight and supervision, administrative, police and judicial authorities, under a legal or regulatory requirement and/or using or disclosing this personal data and information in defense of of the rights and/or ownership of the Companies, their customers, our websites or its users, for fraud detection or prevention, criminal prosecution or when the Companies in good faith consider that the delivery of information and personal data is in their best interest to fraud safety.
  3. Allowing access to personal data and information to auditors or third parties hired to perform internal or external audit processes of the commercial activities carried out by us.
  4. Checking and updating personal data and information, at any time, in order to keep this information updated.
  5. Outsourcing the storage and/or processing of personal data and information for the proper execution of Human Resources processes and procedures, under the security and confidentiality standards which we bind us.
  6. Transmitting personal data to countries other than those where information is collected, in which case the Companies will seek to protect such data in accordance with the security and confidentiality standards set forth herein.
  7. Transferring your personal data and information, in the event of a change of control in one or more Companies or in any of the business units due to merger, acquisition, bankruptcy, split, or creation, to the new entity controlling the Companies or their business units. If, as a result of the change of control, there is a change of the Person in Charge of the processing of personal data and information, such situation will be reported to the owners of the personal data and information, in order for them to exercise their rights under the relevant applicable law. The conditions under which the owners of personal data and information may exercise their rights will be indicated when reporting the change of control.

4. Scope of aplication

This Personal Data Privacy Policy applies to the owners of information, acting under any of the capacities described below:

4.1 Candidates: to fill a vacancy, position or charge in the Companies (hereinafter "candidate"). A candidate is any individual expressing, through any means provided by the Companies, their interest in participating in the processes of human talent attraction.

By accepting this Privacy Policy, each of the candidates, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Candidates acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Using the collected personal data and information to send emails, information related to the processes and procedures of Human Talent, such as the administration of vacancies available in the Companies, information related to recruitment and selection processes, and/or any other type of information directly or indirectly related to the fulfillment of the obligations of the employment, civil or commercial contract and with Human Resource management.
  2. Checking the accuracy of the information provided, checking personal and/or job references and checking for disciplinary or criminal records in the official websites.
  3. Checking and updating personal data and information, at any time, in order to keep this information updated.

4.2 Employee bound by employment contract: The Employee bound by employment contract is the person who is bound to any of the Companies through an employment contract (hereinafter "Employee bound by employment contract").

By accepting this Privacy Policy, each of the Employees bound by employment contract, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Employee bound by employment contract acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Using the collected personal data and information to send emails, information related to the processes and procedures of Human Talent, such as payroll receipts, collective benefits of the employment contract, request of information that is relevant to the Company, withholding tax certificates, request of data updating, information of interest, request of documents, programming of work shifts, newsletters, policies, manuals, training courses, reservation and pre-reservation of benefit air tickets, corporate agreements, voucher confirmation for using transportation and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.
  2. Checking the accuracy of the information provided, checking personal and/or job references and checking for disciplinary or criminal records in the official websites.
  3. Checking and updating personal data and information, at any time, in order to keep this information updated.

4.3 Related third parties: a related third party any is any individual, other than employees bound by employment contracts, who provides services or supports the execution of some processes in the Companies or who works for a contractor or supplier of goods and services –whether such contractor or supplier is an individual or legal entity that has entered into a civil or commercial contract with the Companies– and who under the provisions of any of such contract, carries out operational-support, technical, administrative or commercial functions (hereinafter “Related third party”).

By accepting this Privacy Policy, each of the Employees bound by employment contract, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Employee bound by employment contract acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for:

  1. Using the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as system-generated reservations and pre-reservations, corporate agreements and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.
  2. Checking and updating personal data and information, at any time, in order to keep this information updated.

4.4 Family group and/or beneficiary: A Family Group is any individual who has consanguinity and/or civil links with any Employee bound by employment contract or related third party who have access to the benefits directly granted by the Airlines. A beneficiary is an individual who have been registered in the Human Resources administration systems by an employee bound by employment contract or related third party in order to grant them the benefits directly granted by the Airlines (hereinafter “Family Group and/or beneficiary”).

By accepting this Privacy Policy, each of the Family Groups and/or Beneficiaries, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Family Groups and/or Beneficiaries, acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for using the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as system-generated reservations and pre-reservations, corporate agreements and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.

4.5 Removed employee:A removed employee is an individual who had an employment relationship generated by an employment contract with any of the Companies and whose employment contract was terminated by any legal cause (hereinafter “Retired Employee”).

By accepting this Privacy Policy, each of the Removed Employees, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Removed Employees, acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for using the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as system-generated reservations and pre-reservations, corporate agreements and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.

4.6 Retiree / pensioner: A retiree / pensioner is an individual who had an employment relationship generated by an employment contract with any of the Companies and whose employment contract was terminated through direct acknowledgement by the Companies of their retirement rights or through the Social Security System (hereinafter “Retiree / Pensioner”).

By accepting this Privacy Policy, each of the Retirees / Pensioners, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes set out in the privacy policies of any third parties to whom such personal data is transferred.

By accepting this Privacy Policy each of the Retirees / Pensioners, acting as owner of the collected personal data and information authorizes the processing of such data for the purposes set out herein and, particularly, for using the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as system-generated reservations and pre-reservations, corporate agreements and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.

4.7 Any other interested owner: of information kept in the personnel administration files (hereinafter “Other Interested Owner of Information”).

By accepting this Privacy Policy, any Other Interested Owner of Information, acting as owner of the collected personal data and information, expressly authorizes the Companies to partially or totally process such personal data and information, which includes the collection, storage, recording, use, distribution, processing, deletion, transmission under the terms of this Privacy Policy and/or transfer of the collected date within the country or to other countries for the purposes broadly set out in this Privacy Policy and, particularly, to use the collected personal data and information to send emails with information related to the processes and procedures of Human Talent, such as system-generated reservations and pre-reservations, corporate agreements and/or any other type of information directly or indirectly related to the fulfillment of the obligations under the employment contract.

5. Collected personal data and information

5.1 Companies may collect personal data and information about: candidates, employees bound by employment contract, related third parties, family groups and/or beneficiaries, removed employee, retiree / pensioner and/or any other interested owner of information, which information may vary due to the requirements of local authorities, technological systems, nature of contracts, nature of legal and fringe benefits, etc. For such purposes, the Companies may collect the following personal data and information, which may be stored and/or processed in server located in computing centers, whether owned by the Companies or by any third party, across different countries:

In the case of candidates who will hold a position within the Companies:

  1. Names and surnames.
  2. Type and number of Identification Document.
  3. Nationality.
  4. Birthdate.
  5. Gender.
  6. Marital status.
  7. Telephone and cellphone numbers.
  8. Personal and/or work mailing and electronic addresses.
  9. Personal and/or work fax number.
  10. Profession or occupation.
  11. Academic Profile.
  12. Professional Profile.

In the case of active employees, retirees, pensioners and individuals who had an employment contract with the Companies:

  1. Names and surnames.
  2. Tipo y número de identificación.
  3. Birthdate.
  4. Gender.
  5. Marital status.
  6. Home telephone number.
  7. Cellphone number.
  8. Personal and/or work mailing and electronic addresses.
  9. Personal and/or work fax number.
  10. Profession or occupation.
  11. Academic Profile.
  12. Professional Profile.
  13. Date of entry.
  14. Birthdate.
  15. Nationality.
  16. Department.
  17. Blood type.
  18. Name of mother.
  19. Name of father.
  20. Former job.
  21. Physical disabilities.
  22. Relationships with officers – degree of kinship.
  23. Type of contract.
  24. Duration of contract.
  25. Transportation allowance.
  26. Passenger admittance.
  27. Labor Union.
  28. Position.
  29. Salary.
  30. Functions.
  31. Functions Chart.
  32. Working days per week.
  33. Monthly working time.
  34. Weekly working time.
  35. Type of payment.
  36. Bank of payment.
  37. Agency of payment.
  38. Severance Pay Fund.
  39. Health Fund.
  40. Pension Fund.
  41. Family Subsidy Entity.
  42. Public and/or Private Health Service Provider.
  43. Clinical Records.

In the case of related third parties (any natural person, other than employees bound by employment contracts, who provides services or supports the execution of some processes in the Companies or who works for a contractor or supplier of goods and services –whether such contractor or supplier is an individual or legal entity that has entered into a civil or commercial contract with the Companies– and who under the provisions of any of such contract, carries out operational-support, technical, administrative or commercial functions):

  1. Names and surnames.
  2. Type and number of Identification Document.
  3. Nationality.
  4. Birthdate.
  5. Gender.
  6. Marital status.
  7. Telephone and cellphone numbers.
  8. Personal and/or work mailing and electronic addresses.
  9. Personal and/or work fax number.
  10. Profession or occupation.
  11. Academic Profile.
  12. Professional Profile.

In the case of active employees, retirees, pensioners and individuals who had an employment contract with the Companies:

  1. Names and surnames.
  2. Tipo y número de identificación.
  3. Birthdate.
  4. Gender.
  5. Marital status.
  6. Home telephone number.
  7. Cellphone number.
  8. Personal and/or work mailing and electronic addresses.
  9. Personal and/or work fax number.
  10. Profession or occupation.
  11. Academic Profile.
  12. Professional Profile.
  13. Date of entry.
  14. Birthdate.
  15. Nationality.
  16. Department.
  17. Blood type.
  18. Name of mother.
  19. Name of father.
  20. Former job.
  21. Physical disabilities.
  22. Relationships with officers – degree of kinship.
  23. Type of contract.
  24. Duration of contract.
  25. Transportation allowance.
  26. Passenger admittance.
  27. Labor Union.
  28. Position.
  29. Salary.
  30. Functions.
  31. Functions Chart.
  32. Working days per week.
  33. Monthly working time.
  34. Weekly working time.
  35. Type of payment.
  36. Bank of payment.
  37. Agency of payment.
  38. Severance Pay Fund.
  39. Health Fund.
  40. Pension Fund.
  41. Family Subsidy Entity.
  42. Public and/or Private Health Service Provider.
  43. Clinical Records.

In the case of family groups and/or beneficiaries (refers to family members who will be able to enjoy air-ticket benefits or fringe benefits according to the resume and registration format “Documents of Beneficiaries”):

  1. Name (beneficiary).
  2. Period of Validity (Date of entry to the Company).
  3. Birthdate (of the beneficiary).
  4. Nationality.
  5. Department.
  6. Country.
  7. Gender.
  8. Kinship.

5.2 Owners of personal data and information will not be required in any case to authorize the processing of sensitive data. Notwithstanding the foregoing, in the cases where owners of information provide any sensitive data to the Companies for the proper administration by Human Resources, they shall expressly authorize the Companies to process sensitive personal data and information in accordance to this Privacy Policy.

5.3 In addition, for safety purposes, the Companies may collect, store, share and compare personal data and information with different national or international administrative, control and supervising, police and judicial authorities. Such personal data and information includes biometric data, obtained through any biometric, image recording, audio or video device, located in our facilities (such as administrative offices, retail outlets, VIP lounges, airport stands for customer service, administrative offices located at different airports, restricted areas at airports). To inform the general public about this, the Companies issue Privacy Notifications in the places where this personal data and information are collected.

6. Duration of personal data and information processing

6.1 The information provided by the candidates who will fill a vacant position in the Companies may remain stored for up to two (2) years from the date of the last processing, to enable the Companies’ compliance with legal and/or contractual obligations under their charge, particularly in the development of corporate policies or contractual and/or legal obligations, or for the time deemed necessary to comply with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal and historical aspects of the information, or in any event provided by law.

6.2 The information provided by active employees, retirees, pensioners and other individuals who had a direct employment relationship with the Companies, will remain stored in physic, electronic or in any other form established by the Companies to that end, for the time deemed necessary to comply with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal and historical aspects of the information, or in any event provided by law.

7. Accuracy of information

7.1 It is the obligation of the interested owner of information to provide truthful information about their personal data in order to carry out the following processes: talent attraction, formalization of employment relationship, enabling service provision by the contracted personnel, administration of benefits and legal and fringe obligations, whose conditions they accept to provide the required information.

7.2 The Companies assume the accuracy of the information provided and do not verify or assume the obligation to verify the identity or the authenticity of the documents submitted by the owners of the data, nor the validity, adequacy and authenticity of the data provided by each one of them. Therefore, the Companies are not responsible for any damages of any kind that may originate due to the lack of accuracy, adequacy or authenticity of the information, including damages derived from homonyms or identity theft.

8. Information of children and underage adolescents

8.1 The Companies might hold information of children and underage adolescents who are related by consanguinity or affinity to an employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information.

In the event that the parents or legal guardians of these children become aware of an unauthorized data processing, they may submit their inquiries or complaints to talentohuman@avianca.com.

The Companies shall ensure the proper use of personal data of children and underage adolescents, complying with the applicable laws when processing such data, as well as the protection of their best interests and fundamental rights where possible, taking into account their opinions as owners of their personal data.

9. Use of cookies and web beacons

9.1 The Companies may use cookies, web beacons and other similar technologies on their websites, mobile applications, electronic kiosks and on the electronic devices used to access thereto, in order to gather information about the origin of the connection, increase website functionality and accessibility, verify that users meet the criteria required to process their requests and adapt products and services to users’ needs, being able to obtain the following general information:

  1. The type of browser and operating system used.
  2. Websites visited.
  3. IP address.
  4. Duration of navigation.
  5. Device language.
  6. Accessed links.
  7. The last website visited before accessing Avianca.com.

9.2 These cookies, web beacons and other similar technologies can be disabled and deleted by the user whenever their wish. For this purpose, the candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information may use the help settings of their internet browser.

10. Protection, safety and confidentiality of personal data and information

10.1 The protection, security and confidentiality of the personal data and information of the owner of the information are highly important for the Companies. We have set forth policies, procedures and standards for information security, which may change at any time at the discretion of the Companies and which aim to protect and preserve the integrity, confidentiality and availability of personal data and information, regardless of their nature or format, their temporary or permanent location or the way in which they are transmitted. Therefore, we rely on technological security tools and carry out safety industry practices, including: transmission and storage of sensitive information through secure mechanisms, such as encryption, use of secure protocols, safeguarding technological components, allowing access to the information only to authorized personnel, data backup, safe development of software, etc.

10.2 Any contract entered into by the Companies with any third party (contractors, external consultants, temporary employees, etc.) which involves the processing of personal data and information of a candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information includes a confidentiality agreement detailing their commitments to the protection, care, safety and preservation of confidentiality, integrity and privacy thereof.

11. Procedure for the exercise of the rights of owners of information

11.1 The candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information are entitled to access their personal information under our control and to exercise their rights as owners thereof, in accordance with the applicable terms of data protection regulations and with the provisions set forth in this Privacy Policy.

11.2 Consequently, the Companies establish a general procedure for the exercise of rights by owners of personal data and information, which is set forth in paragraph 12 herein, without prejudice to the application of specific provisions set out by local laws in each territory. In case of a disagreement between the general procedure and the specific provisions set out by local laws, specific provisions shall prevail.

12. General procedure for the exercise of the rights of owners of personal data and information applicable in all territories where the companies operate:

12.1 The candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information are entitled to see and know the details of the processing of personal data required by the Companies, as well as to rectify them if inaccurate or incomplete and to request their deletion if not used for legal or contractual purposes or when not complying with the purposes and terms set out in this Privacy Policy.

12.2 By accepting this Privacy Policy, the candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information, freely and expressly state that they were previously informed about the following rights to which they are entitled by applicable laws as owners of personal data:

  1. To know, update and rectify their personal data and information before the entity that is responsible or in charge of the processing of their personal data and information.
  2. To request proof of the authorization granted to the entity that is responsible for the processing of their personal data and information, unless such request constitutes an express exception for such processing.
  3. To be informed, upon request, by the entity that is responsible for the processing of their personal data and information about how such personal data and information have been used.
  4. To file complaints before the corresponding authorities for violations to the applicable data protection provisions.
  5. To revoke the authorization and/or request the removal of the personal data and information under the terms of this Privacy Policy.
  6. To access personal data and information that was subject to processing, upon previous request to the Companies and under the provisions of the corresponding valid and applicable regulations. If the requests exceed one per month, the Companies will charge the owner requesting such information for its shipment, reproduction and, if applicable, certification costs.

12.3 The procedures for the exercise of their rights will be the following:

Requests: Owners, authorized persons or assignees may access their personal data and information in our databases, in which case we will supply the requested information, after verification of their entitlement to make the request. The request will be processed within a maximum term of ten (10) working days from the date of receipt thereof. In the event such request cannot be processed within said term, we will inform the reasons for the delay, indicating the date on which the request will be processed, which in no case shall exceed five (5) working days from the expiry of the first term.

Claims: If the owners, authorized persons or assignees consider that the personal data and information in our databases must be corrected, updated or deleted, or if they become aware of a potential breach to any of the duties set forth in the regulations, they may file a claim before the Companies, which will be processed under the following rules:

  1. The claim shall be made through a request to the Companies with their identification, the description of the facts related to the claim, their address, and the accompanying documents they want to enforce. If the claim is incomplete, we will require the missing information within five (5) days from the date of receipt thereof in order to rectify the information. If after two (2) months from the date of request the interested party has not filed the required information, we will consider the claim as abandoned.
  2. If we are not able to resolve the claim, it will be forwarded to the appropriate entity within a maximum term of two (2) business days and will be promptly informed thereof.
  3. The maximum term to process the claim will be fifteen (15) working days from the day following the date of the appropriate receipt thereof. If it is not possible to satisfy the claim within this term, we will inform you of the reasons for the delay and the date your claim will be processed, which in no case may exceed eight (8) working days following the expiry of the first term.

12.4 In order to enforce their rights, the candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information may exercise their rights to know, update, rectify and delete their personal data and information by sending their request to: talentohumano@avianca.com.

12.5 The areas in charge of taking requests, inquiries or claims filed by the candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information, according to the corresponding business unit or service, are: talentohumano@avianca.com.

12.6 The owner of the information shall include the following data in their request:

  1. Names and surnames.
  2. ID number.
  3. E-mail.
  4. Subject.
  5. Type of document.
  6. Telephone.
  7. Country.

12.7 In the event that any candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information considers that the use of content in any of our communication channels, such as websites, mobile applications and kiosks constitutes a breach to their intellectual property rights, they shall notify it to the aforementioned e-mail addresses and include the following information:

  1. Personal data: name, address, telephone number and e-mail address of the claimant.
  2. Authentic signature, with the personal data of the holder of the intellectual property rights subject to infringement or of the person authorized to act on behalf of the holder of the intellectual property rights subject to infringement.
  3. Accurate and complete indication of the content that is protected by the intellectual property rights infringed and its location.
  4. Express and clear statement of the fact that such content has been used without the authorization of the holder of its intellectual property rights.
  5. Express and clear statement of the accuracy of the information provided in the notification and of the fact that the use of such content is an infringement to the intellectual property rights thereof. This statement shall be made under responsibility of the claimant.

12.7.1 The claims arising from these facts shall be subject to proper processing and resolution under the applicable legal proceedings, pursuant to the nature and applicability thereof.

12.8 The request for deletion of information and the revocation of the authorization or the request to restrict the use and disclosure of personal data will not proceed when the owner is legally or contractually bound to remain in the database, under the terms set forth by the applicable laws.

12.9 We have identified some territories where specific provisions are set out by local laws. In case you wish to know such specific provisions, please see the Appendices listed below:

  1. Appendix Colombia
  2. Appendix México
  3. Appendix Peru
  4. Appendix European Union
  5. Appendix Canada
  6. Appendix United States

13. Amendments to the privacy policy

13.1 The Companies reserve the right to make changes or updates to this Privacy Policy at any time in compliance with new legislations, internal policies or new requirements in order to provide or offer their services or products.

13.2 These amendments will be made available to the public through the following channels: visible notices on their premises or customer service centers, on our websites, smartphone applications (Smartphones) or electronic kiosks (Privacy Notice) or through the last e-mail provided.

13.3 Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail as the authoritative and official text over any other versions in other languages. In the event that there is any inconsistency between the Spanish version and any translation of this Privacy Policy in another language, the Spanish version shall prevail.

14.Duration of personal data and information processing

The information provided by candidate, employee bound by an employment contract, related third party, family group and/or beneficiary, removed employee, retiree / pensioner and/or any other interested owner of information and other individuals who may have had a direct employment relationship with the Companies, will remain stored in physic, electronic or in any other form established by the Companies to that end, for the time deemed necessary to comply with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal and historical aspects of the information or, in any case, complying with the provisions of Article 264 of the Code of Labor.

Contact details of the Companies in Colombia are:

  • Address: Avenida Eldorado No. 59 – 15, Bogotá.
  • E-mail: talentohumano@avianca.com.

15. Storage of occupational health records

Article 14 of Resolution 2346 of 2007 issued by the Ministry of Labor of Colombia defines occupational health records as the single set of private and mandatory documents subject to storage, where an individual’s health conditions, medical procedures and other procedures carried out by the medical team involved in their care are chronologically recorded. It may originate from one or more occupational health assessments. It contains and describes background labor information and risks factors to which an individual has been exposed in the course of their working life, as well as the results of environmental assessments and occupational incidents.

Occupational health records are part of the general clinical record, thus, the laws regulating this matter are applicable thereto.

16. Compliance hotline

Avianca Holdings S.A. has contracted Navex Global Inc., a company incorporated under the laws of Delaware, USA, to manage the Compliance Hotline established by the Company and its affiliated companies, in order for employees, related third parties, suppliers, shareholders, travelers, customers, users and the general public to submit complaints or inquiries related to the application or breaches to the Code of Ethic and Business Conduct Guidelines, Anticorruption Policy and other corporate policies adopted by the Organization*. Navex Global Inc. has set out the website http://aviancaholdings.ethicspoint.com and different telephone lines for the operation of the Compliance Hotline.

For the purposes of the legal obligations set out by the rules related to the privacy and protection of personal data collected through the Compliance Hotline, Navex Global Inc. acts as Manager and shall carry out the processing thereof on behalf of Avianca Holdings S.A. and its affiliated companies, who will jointly act as the Responsible Entities. Avianca Holdings S.A. will not carry out any direct processing of personal data collected. The processing will be carried out by its affiliated companies in order to investigate complaints, answer inquiries and take the corresponding administrative or legal actions. Such processing will be carried out in accordance with this Privacy Policy, which is available for consultation in the “Policies” section of such website.

17. Term of validity

17.1 This General Privacy Policy is effective as of the day of its publication. The latest published revision was made on June 22, 2016.

18. Appendices

18.1 Appendix Colombia

Regarding information and personal data whose processing is carried out in Colombia, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 1581 of 2012 and its normative provisions. Pursuant to Article 10 of Decree 1377 of 2013, the AIRLINES request your permission to continue processing your personal data and information under the terms set out by this Privacy Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 of 2012, we inform you that by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your personal data and information to other countries in which we operate, where different levels of protection of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia, Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

You can exercise your rights to know, update, modify and/or delete your personal data via contactenos@avianca.com, pursuant to the general procedures set out in paragraph 12 of this General Privacy Policy. For the purposes of enforcing their rights, travelers, customers or users can exercise their rights to know, update, rectify and delete their personal data and information by sending a request to e_Solutions@centrosolucionavianca.com or through the Suggestions and Claims Services available at www.avianca.com, or through our Call Centers: Bogota: 4013434; other cities in Colombia: 018000953434, in accordance with this Privacy Policy.

The AIRLINES contact details in Colombia are:

Address: Avenida Eldorado No. 59 – 15, Bogotá.
Bogota Telephone Number: 4013434.
Other cities in Colombia: 018000953434.
E-mail: e_Solutions@centrosolucionavianca.com.

18.2 Appendix México

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Federal Law on Protection of Personal Data Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for the exercise of the right to access, rectify, delete and oppose (ARCO, by its Spanish acronym) in Mexico:

Pursuant to the provisions of Mexican law, owners of personal data and information have the right to access, rectify, delete or oppose the processing of their personal data, for which purpose the following procedure shall be carried out: The area responsible for the processing of personal data (Direction and Intelligence of Information) may be contacted through the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogotá.
E-mail: e_Solutions@centrosolucionavianca.com.

The request to access, rectify, delete or oppose shall include, at least:

  1. Complete name and address of the owner of the personal data and information, or provide any other means to response to the request.
  2. Documents proving the identity or legal representation of the owner of the personal data and information.
  3. Clear and accurate description of the personal data and information subject to the enforcement of the aforementioned rights.
  4. Any other item or document that facilitates the location of personal data and information.
  5. Indicate the modifications to be made and/or limitations on the use of personal data and information, as set forth by this Privacy Policy.
  6. Provide documentation to support your request. The AIRLINES shall communicate the adopted resolution to the owner of the personal data and information, within a term not exceeding 20 working days from the date of receipt of the request. If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, the AIRLINES shall inform the owner of the personal data and information the meaning and motivation of the resolution, through the same means through which the request was carried out, and that resolution shall be accompanied with relevant evidence, if any.

If the request is appropriate, it will be executed by the AIRLINES within 15 working days following the communication of the adopted resolution.

Based on the response or lack of response by the AIRLINES, the owner may file a request for data protection with the Federal Institute of Access to Information (IFAI, by its Spanish acronym). Such request shall be submitted by the owner within 15 working days from the date the ARILINES communicate the response to the owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall be required to prove their identity.

The obligation of access to information shall be fulfilled when the AIRLINES make available the personal data and information to the owner or when such information is provided in form of photocopies or electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under the assumption that the AIRLINES are the responsible entities thereof, and it is ultimately concluded that the AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free of charge. Our customers, travelers or users should only cover the reasonable costs of shipping or reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion or opposition of personal data and information in less than 12 months from the date of the last request, the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification, deletion or opposition to the processing thereof in the following cases:

  1. If the petitioner is not the owner or legal representative or is not authorized.
  2. If the petitioner’s personal data and information is not contained in the databases of the AIRLINES.
  3. If the rights of any third party are violated.
  4. If there exists any legal impediment or resolution by an authority.
  5. If the rectification, deletion or opposition was previously carried out and the request is no longer pertinent.

The deletion of personal data and information will result in a lockout period after which the deletion of the data will be performed. Once the personal data and information are deleted, the AIRLINES shall notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the purposes of the processing obligations arising from this policy. If the personal data and information are transmitted to third parties or entities in charge before the rectification or deletion and if they are subject to processing by such third parties, the AIRLINES shall inform such third parties about the request filed by the owner in order to make such rectifications and deletions.

The AIRLINES will not have any obligation to delete the personal data and information in cases where the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or when the owner has a legal or contractual duty to remain in the database, under the terms set forth by the law. In addition, once the collected personal data and information are no longer necessary for the compliance with the purposes set forth by this policy and with the applicable legal provisions, such personal data and information will be deleted from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Owners may at any time revoke their consent to the processing of their personal data and information. In order to do so, the owner shall send an e-mail written in Spanish to the following address: e_Solutions@centrosolucionavianca.com, which shall include the same requirements previously indicated for the exercise of ARCO rights, indicating the personal data and information subject to such revocation. The AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Owners may at any time limit their consent to the processing of their personal data and information for marketing and promotional purposes by sending an e-mail to the following address: e_Solutions@centrosolucionavianca.com, mentioning such limitations. The AIRLINES will stop sending information within ten (10) working days from the date of receipt of the e-mail.

The AIRLINES contact details in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.
Mexico Telephone Number: 01800 1233120.
E-mail: e_Solutions@centrosolucionavianca.com.

18.3 Appendix Peru

Regarding information and personal data whose processing is carried out in Mexico, the procedures for the exercise of the rights of the owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS (hereinafter “the Law and its regulations”).

Travelers, clients and users are entitled to see and know the details of the processing of personal data and information we perform, to know the collected personal data and information, to oppose if necessary, to request their rectification if inaccurate or incomplete and to delete them if not used according to the law, the terms and conditions of the purchased product or service, the corresponding contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about the following rights to which you are entitled as the owner of your personal data and information under Peruvian law:

  1. Access.
  2. Information.
  3. Rectification and Updating.
  4. Deletion.
  5. Opposition.

In order to exercise such rights, a request shall be sent to the AIRLINES including the following information:

  1. Names and surnames and authentication of the petitioner’s identity (copy of their ID or passport).
  2. Specific reasons for the request.
  3. Address or electronic address for the purposes of response notifications.
  4. Documents supporting the request (in the case of the right to rectify, delete or oppose).
  5. Signature of the petitioner.

The procedures to exercise your rights are the following:

  1. DRight to access and information:
    Owners may exercise the right to access the data contained in our database, in which case they will be provided with requested access information.
    The access request will be answered within a maximum term of twenty (20) working days from the day of receipt of the request.
    If processing the claim within this term is not possible, they will be informed of the reasons for the delay and the term for the response will be extended to twenty (20) additional working days. The owner of the data may exercise their right to information to know the manner in which such information has been collected.
    Such request will be answered within a maximum term of eight (8) working days from the day of receipt of the request. If the request to exercise the right of access or information is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after such 5-day term, the request shall be deemed not filed.
  2. Right to rectify, update, oppose or delete:
    If the owner considers that the information contained in a database must be subject to correction, updating or deletion, they may file a duly supported request, which will be processed under the following rules: If the request is incomplete, the owner will be required to correct the information within a term of five (5) days from the date of receipt of the claim.
    If the required information is not presented after 5 days from the date of the request, the request shall be deemed not filed.
    On the other hand, if the information or documents supporting the request are insufficient, the AIRLINES may require additional documentation to process the request within seven (7) days from the date of receipt of the request and such information shall be submitted by the owner within ten (10) working days.
    In addition, if you have not submitted the required information after such term, such information shall be deemed not submitted. During the rectification or deletion processes, the AIRLINES or the responsible entities will block third-party access to the data.
    The maximum term to process a request of rectification, updating, opposition or deletion will be ten (10) working days from the date of receipt of the request. If processing the claim within this term is not possible, you will be informed of the reasons for the delay and the date your claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of the request.

The AIRLINES contact details in Peru are:

Address: Avenida Jose Pardo 831 (Piso 4) Miraflores Lima Perú.
Peru Telephone Number (Lima): 2136060.
E-mail: e_Solutions@centrosolucionavianca.com.

18.4 Appendix European Union

The provisions of this General Privacy Policy shall apply to travelers, customers or users who reside in a country of the European Union and for passengers who purchase their airline tickets in a country of the European Union. In addition, the following applies in order to ensure optimal protection of your personal data and information, in accordance with the legislation in force:

In some cases, it is possible that recipients of personal data and information are located outside of the European Union and may have full or partial access thereto (full name, passport or ID number, travel destination, etc.) in order to perform the contracted transport service and/or the purchased products or services, or for reasons set out by the law and regulations. In the event that such data were transferred to any place outside of the European Union, such transference shall be performed in accordance with the effective regulations (i.e. in Spain, Organic Law 15/1999 on Protection of Personal Data of December 13 and in the United Kingdom, the Data Protection Act 1998 of March 1, 2000).

In order to execute the transportation service contract and the provision of the purchased services, some essential date must be collected, such collection and processing may be refused by the passenger, however, such refusal may lead to the impossibility of performing the contracted service or to trip deletion. In addition, the provision of inaccurate data by the passenger may lead to denied boarding or denied entry to a foreign country.

When purchasing the service, the passenger will be informed of mandatory and non-mandatory data. Therefore, if the passenger fails to provide mandatory data, the corresponding services will not be performed.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data may exercise the rights of opposition, access, rectification and deletion of data under the terms provided by the applicable law (in Spain, Law 15/1999, Protection of Personal Data).

In order to exercise such rights, passengers shall submit a request to the AIRLINES including the documents to support the authenticity of their identity.

The AIRLINES contact details in the EUROPEAN UNION are:

Address: Avianca C/Castelló 23, 4º Izq. 28001 Madrid España.
E-mail: e_Solutions@centrosolucionavianca.com.

18.5 Appendix Canada

Regarding information and personal data whose processing is carried out in Canada, the procedures for the exercise of the rights of the owners of such information will be the ones set out by the Personal Information Protection and Electronic Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the establishment of rules governing collection, use and distribution of personal information in Canada. This Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since such provinces are exempt from the application of this statute since they have their own local regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles with which every private organization must comply when collecting, using or distributing personal information of any traveler, client or user, which can be seen at PIPEDA.

If requested any contact electronic address, users may reject the option to receive any kind of information related to the services of the AIRLINES and may, at any time, unsubscribe from the information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or claim to e_Solutions@centrosolucionavianca.com, which will be processed in accordance with the terms set out by this Privacy Policy and any other applicable law.

18.6 Appendix United States

The Department of Transportation of the United States of America (hereinafter DOT) states that the AIRLINES shall adequately report the collection, use and disclosure of personal data and information of travelers, clients or users.

Although there is no federal statute that specifically regulates the processing of personal data and information in this country, the DOT may investigate and prevent any practice related to trading air transport services, which also covers the processing of the personal data and information of our travelers, customers or users.

The AIRLINES commit to comply the Children's Online Privacy Protection Act in the United States of America (also known as COPPA).

COPPA regulates the protection of the privacy of children in the United States and authorizes the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or guardians’ consent, they may contact the AIRLINES through e_Solutions@centrosolucionavianca.com, in which case the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the provisions set out by applicable laws.

Additionally, as applicable, you may check our Privacy and Data Protection Policies.

  • If you are a supplier of any AIRLINE and wish to check the privacy policies applicable to your personal data and information please see our Privacy Policy for Suppliers.
  • If you are a traveler, customer or user of our services and wish to check the privacy policies applicable to your personal data and information please see our General Privacy Policy for the Protection of the Personal Data of Travelers, Customers and Users.
  • If you are a shareholder of Avianca S.A. and wish to check the privacy policies applicable to your personal data and information please see the Aerovías the Americas S.A. Avianca’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.
  • If you are a shareholder of Avianca Holdings S.A. and wish to check the privacy policies applicable to your personal data and information please see Avianca Holdings S.A.’s Privacy Policy for the Protection of the Personal Data of Shareholders and Investors.