Upload: phungthu

Post on 05-Oct-2018

PG_061 PRIVACY POLICY FOR CLIENTS, TRAVELERS AND USERS

Review Date: 2018-05-25

Rev.: 01

REVISION REGISTER

Revision Number | Date | Section | Changes

01 | 2018/05/25 | Entire Document | Creation of the Document

CONTENT

1. OBJECTIVE AND SCOPE

2. RESPONSIBILITY

3. AUTHORITY

4. CONTENT

4.1 WHO WE ARE

4.2 Acceptance of this Privacy Policy and Purpose of Treatment of Information

4.3 Personal Information and Data we treat

4.4 Purposes of personal information and data treatment

4.5 Validity of treatment of personal data and information

4.6 Truthfulness of the Information

4.7 Information of children and underage teenagers

4.8 Use of Cookies

4.9 Protection, security and confidentiality of personal information and data

4.10 Rights of the Information Holder

4.11 Area Responsible of Personal Data Protection

4.12 General procedure to exercise the rights of Clients, Travelers and Users as holders of personal

information.

4.13 Modifications to the Privacy Policy

4.14 Ethics Hotline

4.15 Validity

5. Annexes

5.1 Colombia Annex

5.2 Mexico Annex

5.3 Peru Annex

5.4 European Union Annex

5.5 Canada Annex

5.6 United States Annex

1. OBJECTIVE AND SCOPE

We recognize the importance of security, privacy and confidentiality of personal information that

travelers, Clients and users provide our Companies through various channels (including websites,

applications, physical documents and others), and we are committed to adequately protect and treat it,

pursuant to the personal data legal protection regime available in each territory where we operate.

Therefore, the objective of this Policy is to inform travelers, clients and users who are Holders of personal

information regarding the type of data, the purpose of the Treatment so that we may provide our service,

the protection and rights available to the Holder of the information and the procedures to exercise them.

This Privacy Policy also applies to personal data of Eligible Passengers, as they are defined in the Terms

and Conditions of the PREFERENCIA Program “Program for Corporate Travel”, on behalf of whom entities

related to said PREFERENCIA Program, such as Corporate Clients, make Institutional Purchases.

Therefore, personal data of Eligible Passengers, including travel itineraries, methods of payment and

any other personal information will be treated under the terms of this Privacy Policy, with the possibility

of being transferred to the Corporate Client related to said Eligible Passenger for the purpose of

presenting reports, audits, requests of the Corporate Client and any other matter related to the operation

of the PREFERENCIA Program.

2. RESPONSIBILITY

Responsible for treatment: Aerovias del Continente Americano S.A. Avianca

Tax ID. No.: 890.100.577-6 NIT

Postal address: Calle 26 # 59-15 (Colombia)

Phone: 5877700

E-mail: [email protected]

3. AUTHORITY

Directorate of Risk, Security and Compliance with Information

4. CONTENT

4.1 WHO WE ARE

4.1.1 The Companies:

Aerovías del Continente Americano S.A. Avianca a commercial company incorporated in the Republic of

Colombia acting in its capacity as employer, directly or through its legally incorporated branches in the

territories of Argentina, Aruba, Colombia, Brazil, Curacao, Spain, London, Panamá and Venezuela.

Tampa Cargo S.A.S., a commercial company incorporated in the Republic of Colombia acting in its

capacity as employer, directly or through its legally incorporated branches in the territories of Colombia

and The United States.

Taca International Airlines S.A., a commercial company incorporated in the Republic of El Salvador

acting in its capacity as employer, directly or through its legally incorporated branches in the territories

of El Salvador and Guatemala.

Trans American Airlines S.A., a commercial company incorporated in the Republic of Perú acting in its

capacity as employer, directly or through its legally incorporated branches in the territories of Argentina,

Bolivia, Brazil, Guatemala, Paraguay, Perú.

Avianca Ecuador S.A., a commercial company incorporated in the Republic of Ecuador acting in its

capacity as employer in the territory of Ecuador.

Líneas Aéreas Costarricenses S.A. Lacsa, a commercial company incorporated in the Republic of Costa

Rica, acting in its capacity as employer, directly or through its legally incorporated branches in the

territories of Costa Rica, Cuba, Dominican Republic and Venezuela.

Aviateca S.A., a commercial company incorporated in the Republic of Guatemala, acting

in its capacity as employer in the territory of Guatemala.

Aviaservicios S.A. a commercial company incorporated in the Republic of Guatemala,

acting in its capacity as employer in the territory of Guatemala.

Pitasa S.A. a commercial company incorporated in the Republic of Guatemala, acting in

its capacity as employer in the territory of Guatemala.

American Central Corporation a commercial company incorporated in the United States of America

acting in its capacity as employer, directly or through its legally incorporated branches in the territories

of The United States, Canada and Puerto Rico.

Grupo Taca de Chile S.A. a commercial company incorporated in the Republic of Chile, acting in its

capacity as employer in the territory of Chile.

Isleña de Inversiones, S.A. de C.V., a commercial company incorporated in the Republic of Honduras

acting in its capacity as employer in the territory of Honduras.

Servicio Terrestre, Aéreo and Rampa S.A. a commercial company incorporated in the Republic of Costa

Rica, acting in its capacity as employer in the territory of Costa Rica.

Servicios Aéreos Nacionales S.A. a commercial company incorporated in the Republic of Costa Rica,

acting in its capacity as employer in the territory of Costa Rica.

Servicios Aeronáuticos PilotCrew-CR S.A. a commercial company incorporated in the Republic of Costa

Rica, acting in its capacity as employer in the territory of Costa Rica.

Servicios Misceláneos Australes S.A. a commercial company incorporated in the Republic of Costa Rica,

acting in its capacity as employer in the territory of Costa Rica.

Tripulantes de Taca S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its

capacity as employer in the territory of Costa Rica.

Vu-Marsat S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its capacity

as employer in the territory of Costa Rica.

Taca de Costa Rica S.A. a commercial company incorporated in the Republic of Costa Rica, acting in its

capacity as employer in the territory of Costa Rica.

Pilotos de Taca S.A. de C.V. a commercial company incorporated in the Republic of El Salvador acting

in its capacity as employer in the territory of El Salvador.

Technical and Training Services, S.A. de C.V. a commercial company incorporated in the Republic of El

Salvador acting in its capacity as employer in the territory of El Salvador.

Avianca Inc. a commercial company incorporated in the United States of America acting in its capacity

as employer in the territory of The United States.

Taca de Honduras S.A. de C.V. a commercial company incorporated in the Republic of Honduras, acting

in its capacity as employer in the territory of Honduras.

Grupo Taca Panamá S.A. a commercial company incorporated in the Republic of Panamá, acting in its

capacity as employer in the territory of Panamá.

Nicaragüense de Aviación S.A., a commercial company incorporated in the Republic of Nicaragua, acting

in its capacity as employer in the territory of Nicaragua.

Taca de México S.A., a commercial company incorporated in the United States of Mexico, acting in its

capacity as employer in the territory of México.

C.R. Int'l Enterprises, Inc. a commercial company incorporated in the United States of America acting

in its capacity as employer in the territory of The United States.

All of them hereinafter individually and collectively referred to as the Companies, who, for the purpose

of the provision and commercialization of passenger and product air transport services and related

services such as tour packages, air and/or land cargo transport services, express courier and courier

services, airport services, training services, loyalty programs, can act under the trademarks AVIANCA,

AVIANCA ECUADOR S.A., AVIATECA, LACSA, TACA, AVIANCA CARGO, AVIANCA SERVICES, AVIANCA

TOURS, DEPRISA, PREFERENCIA "Corporate Travel Program", AVIANCA EXPERIENCE

AIRPASS, AVIANCA STORE, or solely under the trademark AVIANCA, each and all of them respectively

and as corresponds Responsible and/or In Charge of Treatment of information and personal data.1

4.2 Acceptance of this Privacy Policy and Purpose of Treatment of Information

For purposes of this Policy, the term "treatment" is understood as any operation or set of operations

over personal data and information such as, use, collection, storage, disclosure, distribution or deletion

thereof.

Acceptance of this Privacy Policy and of the Treatment of personal data and information pursuant to

the terms thereof takes effect when the Traveler, Client or Holder provides his or her personal data

through any channel or means set forth by The Companies, such as sales and service points, including

the Call Center, or when they purchase any of our products, or when they click the button “Continue”

or when they continue browsing our websites:

Avianca.com, Deprisa.com, Lifemiles.com, Programapreferencia.com, Aviancaservices.com,

Aviancacargo.com, Flybox.co, Aviancaexpress.com, Sociosyamigos.com, or when they use any of our mobile apps

or electronic services in any version such as electronic kiosks; proof of any of these facts, shall be

unequivocal proof of acceptance of this Privacy and Personal Data Treatment Policy.

By accepting this Privacy Policy, each of the Travelers, Clients or Users, acting as holders of the

information, expressly authorize THE AIRLINES to Treat said information, partially or fully, including

collection, storage, recording, use, distribution, Treatment, deletion, transmission under the terms of

this Privacy Policy and/or transfer within the country and/or to third countries under the terms set forth

in this Privacy Policy and for the purposes of Treatment described in this document, especially:

• Send the boarding pass and/or document confirming the transaction, pursuant to the contract

of carriage, to the Traveler’s, Client’s and User’s registered e-mail addresses, as well as any

other information related to the product or services purchased or the provision of services.

• Use the information received for the purpose of marketing our own products and/or services, or

those of third parties with whom THE AIRLINES maintain a business relationship, depending on

the region where the personal data is treated, and on regulations.

1 The LifeMiles loyalty program, managed and operated by LifeMiles Corp., has its own Privacy Policy available at www.lifemiles.com. The Privacy Policy available for the Flybox program is available at www.flybox.com.

• Share information and personal data, when it is included in the provision of the service with:

commercial representative, tourism operators (including hotels), car rental companies, insurers,

among others, as required to manage travel plan reservations and other tourism services.

• Provide information and personal data to control and surveillance, administrative, policy and

judicial, domestic and international authorities responding to a legal or regulatory requirement

and/or revealing this information and personal data to uphold the rights and/or property of THE

AIRLINES, its clients, our own websites or those of our users, to detect and prevent fraud, to

prevent, detect, capture or prosecute illegal acts or when THE AIRLINES in good faith consider

that disclosing the information and personal data is in the best interest of aviation security.

• Allow access to personal data and information to auditors or third parties contracted by the

Companies to perform internal or external audit processes of the commercial activities carried

out by the Organization.

• Check or update information and personal data of travelers, clients and users, during

performance of commercial activities developed by the Companies.

• Outsource storage and/or Treatment of personal data and information for the proper

performance of agreements entered into with us, under the security and confidentiality

standards which bind us.

• Transfer your personal data and information, in the event of a change of control in one or more

of THE AIRLINES or in any of the business units due to merger, acquisition, bankruptcy,

demerger, or creation, to the new entity controlling THE AIRLINES or their business units. If, as

a result of the change of control, there is a change of the Person in Charge of the Treatment of

personal data and information, such situation will be reported to the Holders of the personal

data and information, so that they may exercise their rights pursuant to applicable law. The

conditions under which the Holders may exercise their rights will be indicated upon report of the

change of control.

4.3 Personal Information and Data we treat

The AIRLINES may collect personal data and information about Travelers, Clients and Users, which

information may vary according to the requirements of local authorities, technological facilities, nature

of the products or services provided, among others. For such purposes, we may collect the following

personal information, which may be stored and/or treated in servers located in various countries.

Pursuant to the principle of transparency, we have compiled a list of personal data Treated by the

airlines2:

• General Identification Data: Traveler’s, Client’s and/or User’s first and last name, date of birth,

ID number or ID, international travel ID No., gender, marital status and/or kinship with

underage children or disabled people requesting our services, occupation or trade.

• Location Data: postal and/or electronic address (personal and/or work), nationality or country

of residency, Nationality and country of residence, contact landline or cell phone (personal

and/or work), company where he or she works and position.

2 The list of personal data set forth in section 4.3 herein is not limited and may be updated or changed according to the business unit and the services provided to Travelers, Clients and Users of our Companies.

• Socioeconomic Content Data: Cardholder personal data (name, last name, ID type and number),

address where the cardholder receives bank statements, credit card information.

• Sensitive Data: including images, photographs, videos, voices and/or sounds, biometric data,

that identifies, or makes our Travelers, Clients and Users, and/or any person who is or transits

through any location where the AIRLINES have installed equipment, identifiable. Health

information (medical conditions that are considered contraindications for flying by the treating

physician) and medical certificates required by the Customer, Traveler or User, to provide, as

possible and available in our operation, the facilities and elements to provide proper medical

care during provision of the air transportation service, as well as to determine the feasibility of

the trip.

• Other information: Client’s IP address, through cookies, LifeMiles’ Member ID and information

on transactions and activities related to the LifeMiles Program.

• For flights to and from the United States, the “Redress Number” may be collected as a

requirement of that country’s governmental authorities.

• Information required to facilitate travel and other services, including the name of the travelling

party, emergency contacts, seat preference, special meals or medical requirements.

• Purchase channel information (including travel agencies, direct points of sale or representatives

or agents, call center, websites, mobile apps).

• Use of products and services (such as self-check-in machines, flight status notification and online

check-in).

• Personal information and data collected through surveys, focus groups and other market

research methods.

• Information requested by THE AIRLINES’ officers or representatives, such as sales and/or

customer relations representatives, with the purpose of responding to requests or claims.

Holders of personal data and information will not be required in any case to authorize the Treatment of

sensitive data. Notwithstanding the foregoing, to allow for the proper provision of services, they shall expressly

consent to treatment of the sensitive personal data or information by THE AIRLINES pursuant to this

Privacy Policy.

In addition, for security purposes, THE AIRLINES may collect, store, share and compare personal data

and information with different national or international administrative, control and supervising, police

and judicial authorities, including biometric data, of our Travelers, Clients and Users, obtained through

any image, audio or video recording device, located in our facilities (such as administrative offices,

points of sale, VIP lounges, airport modules for customer service, call centers). THE AIRLINES will inform

the general public about this by publishing Privacy Warnings in the locations where this personal data

and information is collected.

Due to our activity as carriers, the AIRLINES are required to provide certain personal data and

information about passengers or cargo or courier and/or express shipments to airport, immigration and

customs authorities, as well as any other domestic or international government, regulatory or safety

authorities prior to the departure or before landing of flights in any destination after performing the

contract of carriage. By general rule, this information refers to identity information of the passengers

on board, their itineraries, as well as the data contained in their respective travel documents (passport,

visas) or related to transported goods.

4.4 Purposes of personal information and data treatment

Collected personal data and information is used to process, confirm, fulfill and provide the purchased

products and/or services, directly and/or with the participation of other airlines or third-party suppliers

of products or services, as well as to make reservations, modifications, deletions, changes of itinerary,

refunds, respond to requests, claims and complaints, payment of compensation and indemnities,

accounting records, correspondence, processing and verification of credit cards, debit cards and other

payment instruments, to promote and advertise our products, services and activities, to perform

financial payment transactions, charges or refunds, to respond to legal proceedings, to report or process

the requirements of domestic or international control and surveillance administrative authorities, police

and legal authorities, banking institutions and/or insurance companies, for internal and/or commercial

administrative processes, including market research, auditing, accounting reports, statistical analysis,

billing, and offering and/or recognition of benefits through loyalty programs in order to perform the

contract of carriage and other services and supplementary activities, detect and prevent fraud, money

laundering and other criminal activities and/or for the proper operation of loyalty programs and other

activities indicated herein.

Personal data and information Treatment by the people/entities responsible for or in charge of the

Treatment is framed within the guarantee of and respect to the Treatment principles set forth by

applicable law. These principles are legality, freedom, transparency, consent, information, quality,

access and restricted distribution, purpose, loyalty, proportionality, safety and confidentiality.

We inform Clients, Travelers and Users, that third parties may be involved in performance of THE

AIRLINES’ activities, including providers of flight booking systems, security tools for processing of

banking transactions, call centers, tour operators, banking entities, insurance companies, our

representatives or agents, loyalty program managers and/or operators, and that these activities can be

carried out in countries other than those where the service is contracted or the product is purchased,

without prejudice to other purposes that have been set out in this document and under terms and

conditions of each of our business units’ products and services and/or Privacy Policies of said third

parties.

Through our LifeMiles loyalty Program, by LifeMiles B.V., THE AIRLINES acknowledge and provide

incentives for traveler loyalty. Each member of the Program is subject to the terms and conditions of

the LifeMiles Program and their Privacy Policy, available at www.lifemiles.com. Any Treatment of personal data of

members of the LifeMiles Program by THE AIRLINES shall be carried out in their capacity as

Responsible Party for the purposes set forth in the personal data protection regulations. THE AIRLINES

do not sell, assign or transfer personal information of their Travelers, Clients and Users to third parties.

4.5 Validity of treatment of personal data and information

The validity of the information is subject to fulfilling its purposes, therefore, information provided by

Travelers, Clients and Users may remain stored for up to ten (10) years from the date of the last

Treatment, to enable us to comply with legal and/or contractual obligations under our charge,

particularly in accounting, fiscal and tax matters or for the time deemed necessary to comply with the

provisions applicable to the corresponding matter or to the administrative, accounting, tax-related, legal

and historical aspects of the information, or in any event provided by law and the provision of the

service.

4.6 Truthfulness of the Information

Travelers, Clients and Users have the duty of providing THE AIRLINES with truthful personal information

in order to formalize the reservation and enable the provision of the contracted services, as well as to

carry out any other services required.

The AIRLINES presume the accuracy of the information provided by Clients, Travelers and Users and

are not under the obligation to verify identity of Travelers, Clients and Users, or the truthfulness, validity,

adequacy and authenticity of the data provided by each one of them. Therefore, the Companies shall

assume no liability for any damages of any nature that may originate due to the lack of truthfulness,

adequacy, sufficiency or authenticity of the personal data and information, including damages derived

from homonyms or identity theft.

4.7 Information of children and underage teenagers

THE AIRLINES acknowledge the special level of protection required in relation to personal data of minors

and teenagers, and therefore, in cases when the latter are users of the products and services offered

by THE AIRLINES, it is understood that they act through their legal representatives, duly authorized

persons, parents or guardians, or legal representation of the minor pursuant to the specifications of the

region or country where the minor’s data is treated. In the event that the parents or guardians of these

children become aware of an unauthorized data Treatment, they may submit their inquiries or

complaints to [email protected].

The AIRLINES shall ensure the proper use of personal data of children and underage teenagers,

guaranteeing that treatment of their data complies with applicable laws, as well as the protection of

their best interests and fundamental rights where possible, taking into account their opinions as holders

of their personal data.

4.8 Use of Cookies

The AIRLINES may use cookies and other similar technologies on their websites, mobile applications,

electronic kiosks and electronic devices used to access them, in order to learn the origin, increase

functionality and accessibility of the websites, verify that users meet the required criteria to process their

requests and adapt their products and services to Users’ needs, being able to obtain the following

general information:

• The type of browser and operating system used

• Websites visited

• IP address

• Duration of browsing

• Device language

• Accessed links

• The last website visited before accessing www.avianca.com

These cookies and other similar technologies can be disabled and deleted by the User whenever they

want. For this purpose, the candidate, collaborator bound by labor agreement, family group and/or

beneficiary, retired collaborator and/or any other interested Holder, may verify and/or request help on

the Internet browser they are using.

Check our Cookies Policy and learn how we use your personal data for a better user experience.

4.9 Protection, security and confidentiality of personal information and data

Protection, security and confidentiality of the personal data and information of Travelers, Clients and

Users is highly important for THE AIRLINES.

THE AIRLINES have policies, procedures and information security standards, which may change at any

time at their discretion and which aim to protect and preserve the integrity, confidentiality and

availability of personal data and information, regardless of its nature or format, its temporary or

permanent location or how it is transmitted. Therefore, we rely on technological security tools and

comply with renowned industry security practices, including: transmission and storage of sensitive

information through secure mechanisms, such as encryption, use of secure protocols, safeguarding

technological components, restriction of access to the information only to authorized personnel, data

backup, safe development of software, etc.

Third parties contracted by the AIRLINES are equally bound to comply with this Privacy Policy, as well

as THE AIRLINES’ policies and manuals of information security and the safety protocols applied to all of

our processes.

Any contract entered into by the AIRLINES with any third party (contractors, external consultants,

temporary collaborators, etc.) which involves the Treatment of personal data and information of

Travelers, Clients and Users includes a confidentiality agreement that specifies their commitments to

the protection, care, safety and preservation of confidentiality, integrity and privacy thereof.

4.10 Rights of the Information Holder

The Information Holder is hereby informed of the rights granted by applicable laws as a Holder of

personal data and which are listed below:

• To know, update and rectify their personal data and information before the entity that is

responsible or in charge of the Treatment of their personal data and information.

• To request proof of the authorization granted to the entity that is responsible for the Treatment

of their personal data and information, unless such request constitutes an express exception for

such Treatment.

• To be informed, upon request, by the entity that is responsible for the Treatment of their

personal data and information about how such personal data and information have been used.

• To file complaints before competent authorities for violations to the applicable personal data

protection regime.

• To revoke the authorization and/or request the removal of the personal data and information

under the terms of this Privacy Policy.

• To access their personal data and information that was subject to Treatment, upon previous

request to the AIRLINES and under the provisions of the corresponding valid and applicable

regulations. If the requests exceed one per calendar month, the Companies will charge the

Holder requesting such information for its shipment, reproduction and, if applicable, certification

costs.

4.11 Area Responsible of Personal Data Protection

Responsible for treatment: Aerovias del Continente Americano S.A. Avianca

Tax ID. No.: 890.100.577-6 NIT

Postal address: Calle 26 # 59-15 (Colombia)

Phone: 5877700

E-mail: [email protected]

4.12 General procedure to exercise the rights of Clients, Travelers and Users as holders of

personal information.

Travelers, Clients and Users of THE AIRLINES are entitled to know the details of their personal data

treatment and to exercise their rights as Holders thereof, under the terms of applicable data protection

regulations and pursuant to the provisions of this Privacy Policy.

For the purpose of the above, this policy defines the general procedure for Holders of information to

exercise their rights, notwithstanding the enforcement of specific stipulations and procedures of

domestic laws in each territory. In the event of a discrepancy between the general procedure and the

specific stipulations or procedures contained in applicable local regulations in each territory, the specific

regulations shall prevail.

The Personal Data Privacy area is the responsible department within the Organization to promote and

enforce the Personal Data Protection Program. For this purpose, the Organization has enabled specific

service channels for interested parties to exercise their Personal Data protection rights, such as the

[email protected] email address.

4.12.1 Queries

a) The Holder of the Information and/or the person exercising the right on his or her behalf, must

prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person

other than the Interested Party and/or whoever has the power to act on its behalf.

• Proof by the Holder shall be confirmed by submission of: a physical or digital copy

of the pertinent identification document and passport (identification number on

international flights), depending on the method of submission of the query.

• When the request is made by a person other than the Holder, the third party must duly

prove power of attorney to act on behalf of the Holder by sending any supporting

documents.

b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on

a physical and/or digital means through the channels enabled by the Organization for that

purpose and identified in this Privacy Policy.

c) The request to exercise any of the aforementioned rights must contain at least the following

information:

• Name of the interested party, his or her representative and/or the person exercising the

right on his or her behalf.

• Concrete, accurate and justified request of the invoked right.

• Physical and/or electronic address for notifications.

• Documents that support the request (if applicable)

• Signature of the requesting party depending on the method of request.

d) The request will be handled by the area and/or delegate within the organization in charge of

protection of personal data only when Ownership of the information is proven and it meets the

abovementioned requirements.

4.12.2 Claims

a) The Holder of the Information and/or the person exercising the right on his or her behalf, must

prove Ownership to avoid loss, query, unauthorized or fraudulent use or access by a person

other than the Interested Party and/or whoever has the power to act on its behalf.

• Proof by the Holder shall be confirmed by submission of: a physical or digital copy

of the pertinent identification document and passport (identification number on

international flights), depending on the method of submission of the query.

• When the request is made by a person other than the Holder, the third party must duly

prove power of attorney to act on behalf of the Holder by sending any supporting

documents.

b) The request to exercise any of the rights listed in numeral 10 must be submitted: in writing, on

a physical and/or digital means through the channels enabled by the Organization for that

purpose and identified in this Privacy Policy.

c) The request to exercise any of the aforementioned rights must contain at least the following

information:

• Name of the interested party, his or her representative and/or the person exercising the

right on his or her behalf.

• Concrete, accurate and justified request of the invoked right.

• Physical and/or electronic address for notifications.

• Documents that support the request (if applicable)

• Signature of the requesting party depending on the method of request.

d) The request will be handled by the area and/or delegate within the organization in charge of

protection of personal data only when Ownership of the information is proven and it meets the

abovementioned requirements.

4.12.3 Security Violation

a) When the Holder’s request identifies a violation that may lead to a regulatory breach or the

violation of a right associated to personal data, the process in the previous numerals shall be

followed along with the following specifications and exceptions:

Classification of the type of incident:

• Critical Level: Involves sensitive data, or disclosure of private or semi-private data

without authorization of the Holder that leads to a possible loss of confidentiality of the

information.

• Intolerable Level: Involves private or semi-private data associated to improper handling

pursuant to contractual obligations or the authorization granted by the Holder.

b) Mitigation actions pursuant to the Internal Information Privacy and Handling Manual.

4.12.4 Terms

The following general terms of reference shall be used. However, the region of origin of the Holder of

the information must be considered, as response times and requirements may vary; therefore, depending

on the region, this numeral must be construed jointly with the annexes, and reference must

be made to those that are pertinent.

Query: They will be handled within a maximum of ten (10) working days as of reception of the query.

When it is not possible to respond within said term, we will inform of the reasons for the delay and the

date on which the query will be answered, which in no case may exceed five (5) working days after

expiration of the first term.

Claims: They will be handled within a maximum of fifteen (15) working days as of reception of the duly

supported claim. When it is not possible to respond to the claim within said term, we will inform of the

reasons for the delay and the date on which the query will be answered, which in no case may exceed

eight (8) working days after expiration of the first term.

If the claim is incomplete, the Holder will be asked to cure any faults within the following five (5) days.

After two (2) months of the date of the request, without receiving the required information from the

interested party, we will understand that the claim has been desisted.

4.12.5 Channels enabled to handle queries and claims

To exercise their rights, Travelers, Clients and Users may enforce their rights to know, update, rectify

and eliminate personal data or information by sending a request to [email protected]

In the event that any Traveler, Client and User considers that the use of content in any of our

communication channels, such as websites, mobile applications and kiosks constitutes a breach to their

intellectual property rights, they shall notify us by sending a communication with the following

information to the abovementioned email address:

• Personal data: name, address, telephone number and e-mail address of the claimant.

• Authentic signature, with the personal data of the Holder of the intellectual property rights

subject to infringement or of the person authorized to act on behalf of the Holder of the

intellectual property rights subject to infringement.

• Accurate and complete indication of the content that is protected by the intellectual property

rights infringed and its location.

• Express and clear statement of the fact that such content has been used without the

authorization of the Holder of its intellectual property rights.

• Express and clear statement, and under the responsibility of the claimant, that the information

provided is accurate and that the use of such content is an infringement to the intellectual

property rights thereof.

The claims arising from these facts shall be subject to proper Treatment and resolution under the

applicable legal proceedings, pursuant to the nature and applicability thereof.

The request for deletion of information and the revocation of the authorization or the request to restrict

the use and disclosure of personal data will not proceed when the Holder is legally or contractually bound

to remain in the database, under the terms set forth by the applicable laws.

Notwithstanding the enforcement of the general procedure set forth in this Privacy Policy, we have

identified some territories where specific provisions are set out by local laws. In case you wish to know

such specific provisions, please see the Annexes listed below:

• Colombia Annex

• Mexico Annex

• Peru Annex

• European Union Annex

• Canada Annex

• United States Annex

These annexes apply in accordance to and are an integral part of the General Privacy Policy for the

protection of Personal Data of Travelers, Clients and Users.

4.13 Modifications to the Privacy Policy

THE AIRLINES reserve the right to make changes or updates to this Privacy Policy at any time in

compliance with new legislations, internal policies or new requirements in order to provide or offer their

services or products.

These modifications will be made available to the public through the following channels: visible notices

on their premises or customer service centers, on our websites, smartphone applications (Smartphones)

or electronic kiosks (Privacy Notice) or through the last e-mail provided.

Subject to applicable laws, the Spanish version of this Privacy Policy shall prevail over any other version

disclosed in any language. In the event that there is any inconsistency between the Spanish version and

any translation of this Privacy Policy in another language, the Spanish version shall prevail.

4.14 Ethics Hotline

The Organization has an Ethics Hotline, managed by Navex Global Inc., a company incorporated under

the laws of Delaware, USA, and independent from The Organization, so that collaborators, related third

parties, suppliers, shareholders, Travelers, Clients, Users and the general public can submit complaints

or inquiries, or reveal conflicts of interest, which shall be treated confidentially. The Ethics Hotline

guarantees anonymity in the event that the reporting party wishes to hide his or her identity.

The Ethics Hotline is available 24/7 at http://aviancaholdings.ethicspoint.com and on several phone

lines available on this link.

Treatment of personal data and protection of privacy will be performed by companies integrated into

Avianca Holdings, S.A., with the purpose of investigating claims, answering queries and taking

administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available

on the “Policies” section of the Ethics Line portal.

4.15 Validity

This General Privacy Policy shall enter into force on the day it is published.

5. Annexes

5.1 Colombia Annex

Regarding information and personal data treated in Colombia, the procedures for the exercise of the rights

of the holders of such information will be the ones set out by Law 1581 from 2012 and its regulatory

decrees. Pursuant to Article 10 of Decree 1377 from 2013, the AIRLINES request your authorization to

continue Treatment of your personal data and information under the terms set forth by this Privacy

Policy. In addition, pursuant to paragraph a) of article 26 of Law 1581 from 2012, we inform you that

by expressly accepting this Privacy Policy, you grant us permission to transmit and/or transfer your

personal data and information to other countries in which we operate, where different levels of protection

of personal data to those required in Colombia may exist, including El Salvador, Peru, Ecuador, Bolivia,

Guatemala, Brazil, Costa Rica, USA, Uruguay, Paraguay and Argentina.

You can exercise your rights to know, update, modify and/or delete your personal data and information

by sending an email to [email protected] or through the Suggestions and Claims service at

www.avianca.com, or through our Call Centers in Bogota 4013434 or in other cities in Colombia on

018000953434, in accordance with this Privacy Policy.

The contact information for THE AIRLINES in Colombia is:

Address: Avenida Eldorado No. 59 – 15, Bogota

Phone Number in Bogota: 4013434

Other cities in Colombia: 018000953434

E-mail: [email protected]

5.2 Mexico Annex

Regarding information and personal data treated in Mexico, the procedures for the exercise of the rights

of the holders of such information will be the ones set out by Federal Law on Protection of Personal Data

Held by Individuals (DOF 05-07-2010), and its respective Regulations (DOF 21-12-2011).

Procedures for exercising ARCO rights in Mexico: Pursuant to the provisions of Mexican law, holders of

personal data and information have the right to access, rectify, cancel or oppose the Treatment of their

personal data, for which purpose the following procedure shall be carried out: The area responsible for

the Treatment of personal data (Direction and Intelligence of Information) may be contacted through

the following channels in order to send the required information and documentation:

Address: Avenida Eldorado No. 59 – 15, Bogota, Colombia

E-mail: [email protected]

The request to access, rectify, cancel or oppose shall include, at least:

• Full name and address of the holder of the personal data and information, or provide any other

means to respond to the request.

• Documents proving the identity or legal representation of the holder of the personal data and

information.

• Clear and accurate description of the personal data and information subject to the enforcement

of the aforementioned rights.

• Any other item or document that facilitates the location of personal data and information.

• Indicate the modifications to be made and/or limitations on the use of personal data and

information.

• Provide documentation to support your request.

THE AIRLINES shall communicate the adopted resolution to the owner of the personal data and

information, within a term not exceeding 20 working days from the date of receipt of the request.

If necessary, this term may be extended on a single occasion for an equal term.

Based on the above, and in accordance with the provisions of the Law, THE AIRLINES shall inform the

owner of the personal data and information the meaning and motivation of the resolution, through the

same means through which the request was carried out, and that resolution shall be accompanied with

relevant evidence, if any.

If the request is appropriate, it will be executed by THE AIRLINES within 15 working days following the

communication of the adopted resolution.

Based on the response or lack of response by the AIRLINES, the holder may file a request for data

protection with the Federal Institute of Access to Information (IFAI). Such request shall be submitted

by the owner within 15 working days from the date the AIRLINES communicate the response to the

owner, and shall be subject to the provisions of the Law.

For requests of access to personal data and information, the petitioner or their legal representative shall

be required to prove their identity.

The obligation of access to information shall be fulfilled when THE AIRLINES make available the personal

data and information to the owner or when such information is provided in form of photocopies or

electronic documents.

In the event that a traveler, client or user requests access to their personal data and information under

the assumption that THE AIRLINES are the responsible entities thereof, and it is ultimately concluded

that THE AIRLINES are not responsible thereof, the AIRLINES shall communicate this to the owner

through any means for the request to be considered fulfilled.

The response to the request for access, rectification, deletion or opposition of personal data will be free

of charge. Our customers, Travelers or Users should only cover the reasonable costs of shipping or

reproduction of copies or other formats, which will be informed in due time.

In the event that the same client, traveler or user restates the request for access, rectification, deletion

or opposition of personal data and information in less than 12 months from the date of the last request,

the response may have an additional cost indicated by the AIRLINES, in accordance with the provisions

of Article 35 of the Federal Law on Protection of Personal Data.

The AIRLINES may refuse total or partial access to personal data and information or the rectification,

deletion or opposition to the Treatment thereof in the following cases:

• If the petitioner is not the owner or legal representative or is not authorized.

• If the petitioner’s personal data and information is not contained in the databases of the

AIRLINES.

• If the rights of any third party are violated.

• If there exists any legal impediment or resolution by an authority.

• If the rectification, deletion or opposition was previously carried out and the request is no longer

pertinent.

The cancellation of personal data and information will result in a lockout period after which the deletion

of the data will be performed. Once the personal data and information are cancelled, the AIRLINES shall

notify the owner thereof.

Once the aforementioned process is completed, the AIRLINES may keep the personal data solely for the

purposes of the Treatment obligations arising from this policy. If the personal data and information are

transmitted to third parties or entities in charge before the rectification or deletion and if they are subject

to Treatment by such third parties, the AIRLINES shall inform such third parties about the request filed

by the owner in order to make such rectifications and deletions.

The AIRLINES are not under any obligation to cancel the personal data and information in cases where

the provisions set out by Article 26 of the Federal Law on Protection of Personal Data are applicable, or

when the owner has a legal or contractual duty to remain in the database, under the terms set forth by

the law. In addition, once the collected personal data and information are no longer necessary for the

compliance with the purposes set forth by this policy and with the applicable legal provisions, such

personal data and information will be cancelled from the databases of the AIRLINES.

Mechanisms and procedures to revoke your consent:

Holders may at any time revoke their consent to the Treatment of their personal data and information.

In order to do so, the owner shall send an e-mail written in Spanish to the following address:

[email protected], which shall include the same requirements previously indicated for the

exercise of ARCO rights, indicating the personal data and information subject to such revocation. The

AIRLINES will perform such revocation within fifteen (15) working days from the date of receipt of the

e-mail.

Options provided to the owner to limit the use or disclosure of personal data and information:

Holders may at any time limit their consent to the Treatment of their personal data and information for

marketing and promotional purposes by sending an e-mail to the following address:

[email protected], mentioning such limitations. The AIRLINES will stop sending information

within ten (10) working days from the date of receipt of the e-mail.

Contact details for THE AIRLINES in Mexico are:

Address: Avenida Paseo de la Reforma 195-301, Colonia Cuauhtémoc, CP 06500, México, D.

Phone Number in Mexico: 01800 1233120

E-mail: [email protected]

5.3 Peru Annex

Regarding information and personal data treated in Peru, the procedures for the exercise of the rights of the

owners of such information will be the ones set out by Law 29733 and Supreme Decree 003-2013-JUS

(hereinafter “the Law and its regulations”).

Travelers, Clients and Users are entitled to see and know the details of the Treatment of personal data

and information we perform, to know the collected personal data and information, to oppose if

necessary, to request their rectification if inaccurate or incomplete and to cancel them if not used

according to the law, the terms and conditions of the purchased product or service, the corresponding

contract or the terms set forth by this Privacy Policy.

By accepting this Privacy Policy, you freely and expressly state that you were previously informed about

the following rights to which you are entitled as the owner of your personal data and information under

Peruvian law:

• Access.

• Information.

• Rectification and Updating.

• Deletion.

• Opposition.

In order to exercise such rights, a request shall be sent to THE AIRLINES including the following

information:

• Names and last names and certification of the petitioner’s identity (copy of their ID or passport).

• Specific reasons for the request.

• Address or electronic address for the purposes of response notifications.

• Documents supporting the request (in the case of the right to rectify, cancel or oppose).

• Signature of the petitioner.

The procedures to exercise your rights are the following:

1. Right to access and information: Owners may exercise the right to access the data contained in

our database, in which case they will be provided with requested access information. The access

request will be answered within a maximum term of twenty (20) working days from the day of receipt

of the request. If processing of the claim within this term is not possible, they will be informed of the

reasons for the delay and the term for the response will be extended to twenty (20) additional

working days. The holder of the data may exercise their right to information to know the manner in

which such information has been collected. Such request will be answered within a maximum term

of eight (8) working days from the day of receipt of the request. If the request to exercise the right

of access or information is incomplete, the owner will be required to correct the information within a

term of five (5) days from the date of receipt of the claim. If the required information is not presented

after such 5-day term, the request shall be deemed not filed.

2. Right to rectify, update, oppose or cancel: If the holder considers that the information contained

in a database must be subject to correction, updating or deletion, they may file a duly supported

request, which will be processed under the following rules: If the request is incomplete, the owner

will be required to correct the information within a term of five (5) days from the date of receipt of

the claim. If the required information is not presented after 5 days from the date of the request, the

request shall be deemed not filed. On the other hand, if the information or documents supporting

the request are insufficient, the AIRLINES may require additional documentation to process the

request within seven (7) days from the date of receipt of the request and such information shall be

submitted by the owner within ten (10) working days. In addition, if you have not submitted the

required information after such term, such information shall be deemed not submitted. During the

rectification or deletion processes, the AIRLINES or the responsible entities will block third-party

access to the data. The maximum term to process a request of rectification, updating, opposition or

deletion will be ten (10) working days from the date of receipt of the request. If Treatment of the claim

within this term is not possible, you will be informed of the reasons for the delay and the date your

claim will be processed, which shall not exceed the ten (10) working days from the date of receipt of

the request.

Contact details for THE AIRLINES in Peru are:

Address: Avenida Jose Pardo 831 (4th Floor) Miraflores Lima Peru

Phone Number in Peru (Lima): 2136060

E-mail: [email protected]

5.4 European Union Annex

The provisions of this annex, which applies in relation to the General Privacy Policy for the Protection of

Personal Data of Travelers, Clients and Users and is an integral part thereof, shall apply for Travelers,

Clients and Users residing in a member country of the European Union, as well as for passengers who

buy their tickets in a member country of the European Union.

5.4.1 Who is responsible for treatment of your personal data?

Identity: Aerolineas del Continente Americano, S.A. Avianca

Register: NIF A4801001A

Mailing Address: C/ Castello No. 23 – 4 izq. Madrid (Spain)

Email: [email protected]

THE AIRLINES, as Responsible Party and/or In Charge, located outside the European Union, in

compliance with applicable regulations, has designated Aerovias del Continente Americano S.A. Avianca

Spain Branch as its Representative in the EU, with MAIN OFFICES AT (C/ Castelló, nº 23 – 4º Izquierda,

Phone.: +34 91 758 91 22 and e-mail [email protected]).

5.4.2 How do we obtain your personal data?

THE AIRLINES collect personal data of travelers, clients and users each time they use our services

(either provided by others or by companies or agents acting on our behalf), including when they make

a reservation and/or travel with us, when they use our website or when they interact with us through

electronic means or at our customer service centers.

THE AIRLINES can also receive personal data on travelers, clients or users from third parties such as:

companies contracted by THE AIRLINES to provide a service (handling company, etc.); companies that

intervene in your travel itinerary, including aviation companies that operate your trip before or after,

airport operators and customs and immigration authorities; companies that participate in THE AIRLINES’

loyalty programs and other customer programs (i.e. car rental companies and hotels).

5.4.3 What personal data do we collect and treat?

THE AIRLINES may collect information and personal data from Travelers, Clients and Users, which may

vary depending on the requirements of local authorities, technological facilities, the nature of the product

and/or the service being provided, among others, and for that purpose we may collect the following

personal information:

• General Identification Data: Traveler’s, Client’s and/or User’s first and last name, date of birth,

ID number or ID, international travel ID No., gender, marital status and/or kinship with

underage children or disabled people requesting our services, occupation or trade. Postal and/or

electronic address (personal and/or work), nationality or country of residency, Nationality and

country of residence, contact landline or cell phone (personal and/or work), company where he

or she works and position.

• Socioeconomic Content Data: Cardholder personal data (name, last name, ID type and number),

address where the cardholder receives bank statements, credit card information.

• Sensitive Data: including images, photographs, videos, voices and/or sounds, biometric data,

that identifies, or makes our Travelers, Clients and Users, and/or any person who is or transits

through any location where the AIRLINES have installed equipment, identifiable. Health

information (medical conditions that are considered contraindications for flying by the treating

physician) and medical certificates required by the Customer, Traveler or User, to provide, as

possible and available in our operation, the facilities and elements to provide proper medical

care during provision of the air transportation service, as well as to determine the feasibility of

the trip.

• Other information: Client’s IP address, through cookies, information about the location of your

device if you are browsing our website or using our mobile app, LifeMiles’ Member ID and

information on transactions and activities related to the LifeMiles Program.

• For flights to and from the United States, the “Redress Number” may be collected as a

requirement of that country’s governmental authorities.

• Information required to facilitate travel and other services, including the name of the travelling

party, emergency contacts, seat preference, special meals or medical requirements.

• Purchase channel information (including travel agencies, direct points of sale or representatives

or agents, call center, websites, mobile apps).

• Use of products and services such as self-check-in machines, flight status notification and online

check-in.

• Personal information and data collected through surveys, focus groups and other market

research methods.

• Information requested by THE AIRLINES’ officers or representatives, such as sales and/or

customer relations representatives, with the purpose of responding to requests or claims.

• Certain categories of personal data, such as those related to racial origin, ethnicity, religion,

health, sexual orientation or biometric data, constitute special categories of personal data that

require additional protection pursuant to the European Union data protection regulations.

Although THE AIRLINES attempt to limit the circumstances in which we collect and treat data of

this nature, it is possible that we may collect and treat this information from travelers, clients

and users in the following cases:

- When THE AIRLINES and/or an airport operator request specific medical assistance,

such as a wheelchair or oxygen.

- When they request to travel with THE AIRLINES with a specific medical condition or after

the 32nd week of pregnancy.

- Likewise, when a special service is requested (such as a menu) that does not constitute

in itself a special category of personal data, but could imply or suggest information about

your religion, health or other information.

5.4.4 Why do we treat your personal data?

Complementing the purposes listed in numeral 5 herein, THE AIRLINES treat personal data for the

following reasons:

1. To enter into and manage a contractual relationship: The personal data and information are

used to perform and process the reservation, to process the services related to your trip, to

perform the contract of carriage, to provide air transportation passenger services, and related

products and services such as tourism packages, air and/or ground transportation services,

express and courier messenger services, airport services, itinerary modification, cancellation or

changes, internal administrative purposes, update status and service or operating notifications

about the contracted service, check-in or if the flight is delayed, notifications about services that

have been booked (such as travel itinerary), notifications about advance passenger information,

notifications that allow adding options and complements to the services being used (such as

advance seat selection, excess baggage, etc.), assisting you with flight connections and upon

boarding the aircraft, locating your baggage, access to VIP lounges, changes to reservations,

claims, queries and complaint reception, payment of compensation and indemnities, billing,

processing of charges and payment, accounting records, audits, accounting reports,

correspondence, processing and verification of credit cards, debit cards and other payment

instruments, to promote and advertise our products, services and activities, to perform financial

payment transactions, charges or refunds, among other purposes necessary to fulfill the

contracts of carriage and other agreements entered into with THE AIRLINES.

2. Management of Marketing Activities: Promote and advertise activities, products and services of

THE AIRLINES, associated airlines and/or our commercial partners, for commercial purposes,

including market research and statistical analysis; Mailing or texting information about THE

AIRLINES’ products and services; Adapting the content of our website, apps, e-mails and other

communications, to guarantee that they are as interesting as possible for you – including offers

and/or services related to destinations where you have travelled and similar ones; Offering you

information about offers, such as access to upgrades; Surveys; We will only send commercial

communications when you have consented to receive them.

3. Compliance with legal and security obligations: Passenger registration, responding to legal

processes, making reports or responding to requirements from various authorities and domestic

or international entities, control and surveillance administrative authorities, or policy or judicial

authorities, and especially in compliance with the information regulations and requirements from

trans-border control and customs authorities at countries of destination, in transit or overflown

during your itinerary, fraud identification and prevention of money laundering and other illegal

activities, facilitating immigration procedures and entry into the territory of a State, ethics

hotline.

4. Loyalty Programs: Offering and/or recognizing benefits through loyalty programs, and/or the

operation of loyalty programs. We recognize and provide incentives for our travelers’ loyalty

through the LifeMiles loyalty program, from LifeMiles B.V. If you are a member of this program,

you are subject to the terms and conditions thereof and its Privacy Policy, available at

www.lifemiles.com. Likewise, we recognize and provide incentives for our Corporate Clients’

loyalty through the Preferencia Program of THE AIRLINES. If your company is a Corporate Client,

it is subject to the Program’s terms and conditions, available at www.programapreferencia.com

5.4.5 How long will we keep your personal data?

Information provided by Travelers, Clients and Users may remain stored for up to ten (10) years from

the date of the last Treatment, to enable us to comply with legal and/or contractual obligations under

our charge, particularly in accounting, fiscal and tax matters or for the time deemed necessary to comply

with the provisions applicable to the corresponding matter or to the administrative, accounting, tax-

related, legal and historical aspects of the information, or in any event provided by law and the provision

of the service.

5.4.6 What is the legitimacy for treatment of your data?

The fundamental legal grounds that allow us to treat our clients’, travelers’ and users’ personal data is

the performance of any agreement with THE AIRLINES, as well as the contract of carriage (pursuant to

the terms and conditions that you can find in the Contract of Carriage section of our website), from

where the rights and obligations for both parties are derived.

There are also legal obligations in matters of immigration, fiscal, tax, aeronautical (such as APIS

(Advanced Passenger Information System), PNR (Passenger Name Record), among others), which

obligate us to perform certain treatments of data in compliance with procedures and requirements with

which THE AIRLINES must comply before the control and surveillance authorities and control entities at

any jurisdiction where they operate.

For example, for certain travel routes, the law requires that we provide border control entities with

information related to travel documents and your travel itinerary. We may have to disclose your

information to Authorities in other countries, whether from Civil Aviation, Immigration or others, to

comply with the legal obligations of the countries where your flight operates or overflies.

To contract transportation and provide the purchased services, as well as in compliance with certain legal

requirements, indispensable data must be collected. The client, traveler or user is under the obligation

to provide certain personal data (true and updated) legally required and necessary to execute the

contract. If they are not provided, we may not manage or perfect the contractual relationship and even,

if imprecise data is provided, boarding or entry into a foreign country could be denied.

In some cases, treatment is performed with a legitimate corporate interest, such as fraud prevention;

or by physically sending commercial communications of our products and similar services contracted by

you; as long as they do not prevail over the interests or rights and liberties of our clients.

Treatment of personal data to send commercial communications and, in its case, treatment of special

data categories is performed by THE AIRLINES based on consent granted by the traveler, client or user.

When we request your consent for some treatment, we will always inform you about it. In any case, we

inform that you have the right to withdraw your consent at any time, without conditioning performance

of the contract to withdrawal of said consent. If you are a registered user in our website, you can change

your privacy preferences at any time, modifying your online profile, accessing your private area. Also,

all commercial communications we send via email will have the option to “unsubscribe”, which allows

you to stop receiving commercial electronic communications. Even though we do everything within our

power to process unsubscribe requests within 15 working days after receiving the request, it is possible

that you may receive a commercial communication during this period.

5.4.7 Who are the recipients of your data?

The data of clients, travelers and users can be legitimately disclosed to the following third parties:

• To manage a contractual relationship: The companies integrated under Avianca Holdings S.A.

(of which Aerovias del Continente Americano S.A. is a part) or its related companies; and the

airlines that participate in your reservation and operate any of the purchased flights when, for

example, part of your itinerary includes a flight operated by a different airline (said airline will

be identified upon making your reservation); car rental companies, hotels, bus or train

companies when, for example, part of your itinerary includes a car rental, a hotel reservation, a

bus or train ticket (said companies will be identified upon making your reservation); airports,

suppliers of flight reservation systems, of security tools to process bank transactions, airports,

call centers, tour operators, companies that provide ground services at airports where we are

present, banking entities, credit and debit card companies that issued the card you used to

make your reservation, insurers, our representatives or agents, among others.

• If you made a reservation with THE AIRLINES where one of your flights is operated by another

airline, this other airline will be, likewise, independently, responsible for treatment under the

data protection laws of the European Union, as well as under the local data protection laws that

apply to said company. Likewise, other entities, such as a hotel or car rental company, inter-

urban or train services operators, shall also be responsible for treatment. You can access the

privacy policies of those entities directly with them.

• For Marketing Activities: although we can share your data with those in charge of treatment or

commercial partners, we hereby inform that THE AIRLINES will not sell your personal data to

any third party.

• For Compliance with legal obligations: Authorities, such as customs, immigration and/or airport

authorities at countries included in your itinerary or that you overfly, governmental,

environmental and judicial authorities, security forces and bodies, police forces and regulatory

and control entities, when applicable laws so require or in response to a procedure, requirement,

request or other by any authority. THE AIRLINES, in their condition as aviation companies, are

obligated by the laws of the EU, the US and other countries, to provide border control and

customs authorities access to information of reservations and travel, when the flight is destined

or originates at said countries, including stopovers, and when it overflies it to arrive to its

destination. Navex Global Inc., a company incorporated under the laws of Delaware, US, for

administration of the ethics hotline.

• For Loyalty Programs: If the traveler is a member of these programs, to the companies that

manage THE AIRLINES’ loyalty programs, and operators and/or administrators of loyalty

programs. The LifeMiles loyalty program is managed and operated by LifeMiles, who will also be

responsible for treatment of your personal data. You can access its Privacy Policy at

www.lifemiles.com.

Since Avianca is located outside the European Union, many of our dependents are too. It is possible that

in some cases, recipients of the personal data and information are located outside the European Union,

since the nature of THE AIRLINES’ activity, that operates in many countries around the world, makes it

sometimes necessary to send personal data of travelers, clients and users outside the European

Economic Area to manage services related to the flight (i.e. if you fly outside the European Economic

Area). This, with the sole purpose of performing the contract of carriage and/or purchased services or

products, or for reasons legally stipulated and covered by the regulation.

If data is transferred outside the European Economic Area, it shall be done pursuant to current

regulations (Regulation (EU) 2016/679 issued by the European Parliament and the Council, April 27,

2016, in relation to Protection of Physical Persons regarding personal data treatment and free circulation

of this data and whereby Directive 95/46/CE is repealed – General Data Protection Regulations – as well

as national legislations of Member States in relation to this matter). For transfer outside the EEA, THE

AIRLINES will use standard Contractual Clauses for data protection adopted by the European

Commission and the EU – US Privacy Shield, as a guarantee for transfers made to countries that do

not have an adequacy decision from the European Commission.

5.4.8 What are your rights when you provide us with your data?

You have the right to obtain information of whether or not we are treating your personal data.

You have the right to access your personal data, as well as to request rectification of inaccurate data or, in

your case, to request its suppression when, among other reasons, data is no longer necessary for the

purpose for which it was collected. You will also have the right to data portability in cases stipulated by

regulations.

In certain cases, you may request to limit treatment of your data, in which case, except for its

preservation, we will only treat it to formulate, exercise or defend claims and other motives set forth in

applicable legislation.

In certain circumstances and for reasons related to your specific situation, you can oppose data

treatment. We will stop treating your data, except for imperious legitimate purposes, or to formulate,

exercise or defend possible claims.

Finally, regarding treatment to which you have consented voluntarily, you may withdraw your consent

at any time; but said withdrawal may not affect compliance with THE AIRLINES’ legal obligations.

To exercise your rights, you must send a request through the means enabled by the organization,

attaching a document that certifies your identity, the passport for validation associated with international

flights, the description of your request and how to contact you. Enabled means:

• Address: Avianca C/ Castello 23, 4o Izq., 28001, Madrid, Spain.

• Email: [email protected]

If you wish to obtain more information regarding your rights, if you are not satisfied with the exercise

of your rights and/or if you wish to present a claim, you must do so by addressing the data protection

control authority (Agencia Española de Protección de Datos). Contact information available at:

http://www.agpd.es/portalwebAGPD/CanalDelCiudadano/contacteciudadano/index-ides-idphp.php.

5.4.9 Information on children and minor teenagers

THE AIRLINES do not directly market to minors and their services are not directly offered to them, even

though minors can be users of the products and services we offer, as long as they act through, or are

duly authorized by, their parents or whoever has guardianship or legal representation.

In the event of treatment of data of minors under the age of 16 (or the minimum age for consent

pursuant to regulations that apply to your Member State of residence) and for persons with disability to

provide their consent, treatment of personal information of these holders shall be authorized by whoever

has guardianship or representation of the minor or the legal representative of the holder.

5.4.10 Use of cookies and web beacons

Please visit our Cookies Policy and learn how we use your personal data to provide you with a better

experience.

5.4.11 Ethics Hotline

The Organization has an Ethics Hotline, managed by Navex Global Inc., a company incorporated under

the laws of Delaware, USA, and independent from The Organization, so that collaborators, related third

parties, suppliers, shareholders, Travelers, Clients, Users and the general public can submit complaints

or inquiries or reveal conflicts of interest, which shall be treated confidentially. The Ethics Hotline

guarantees anonymity in the event that the reporting party wishes to hide his or her identity.

The Ethics Hotline is available 24/7 at http://aviancaholdings.ethicspoint.com and on several phone

lines available on this link.

Treatment of personal data and protection of privacy will be performed by companies integrated into

Avianca Holdings, S.A., with the purpose of investigating claims, absolving queries and taking

administrative or legal action. This treatment will be performed pursuant to the Privacy Policies, available

on the “Policies” section of the Ethics Line portal.

5.4.12 Validity

This General Privacy Policy shall enter into force on the day it is published.

5.5 Canada Annex

Regarding information and personal data treated in Canada, the procedures to exercise the rights of

holders of such information will be the ones set out by the Personal Information Protection and Electronic

Documents Act, also known as PIPEDA or the Act, which constitutes a federal statute for the

establishment of rules governing collection, use and distribution of personal information in Canada. This

Act applies to Canadian territory, except for the provinces of British Columbia, Alberta and Quebec, since

such provinces are exempt from the application of this statute since they have their own local

regulations, which are substantially similar to the provisions of PIPEDA.

PIPEDA orders all organizations to collect, use and distribute personal information for purposes that are

reasonable and appropriate to the circumstances. In addition, PIPEDA sets out a list of 10 principles

with which every private organization must comply when collecting, using or distributing personal

information of any traveler, client or user, which can be seen at PIPEDA.

If any electronic contact address is requested, Users may reject the option to receive any kind of

information related to the services of the AIRLINES and may, at any time, unsubscribe from the

information services in which they have signed up.

Owners of personal data and information may exercise their rights by sending a request, complaint or

claim to [email protected], which will be processed in accordance with the terms set out by this

Privacy Policy and any other applicable law.

5.6 United States Annex

The Department of Transportation of the United States of America (hereinafter DOT) states that THE

AIRLINES shall adequately report the collection, use and disclosure of personal data and information of

Travelers, Clients or Users.

Although there is no federal statute that specifically regulates the Treatment of personal data and

information in this country, the DOT may investigate and prevent any practice related to trading air

transport services, which also covers the Treatment of the personal data and information of our

Travelers, customers or Users.

The AIRLINES commit to comply with the Children's Online Privacy Protection Act in the United States of

America (also known as COPPA).

The COPPA Act regulates the protection of the privacy of children in the United States and authorizes

the DOT to investigate any online use of the personal data and information of those under 13.

In the event that a person under 13 provides personal data and information without their parents or

guardians’ consent, they may contact the AIRLINES through [email protected], in which case

the AIRLINES will process the request, complaint or claim under the terms set out by this Policy and the

provisions set out by applicable laws.

Additionally, and as applicable, you can check our Privacy and Data Protection Policies:

• If you are a supplier of one of THE AIRLINES and wish to check the privacy conditions that apply

to your personal data and information, please check the Privacy Policy for Suppliers.

• If you are an active employee, retired employee, related third party, beneficiary or candidate to

a position with THE AIRLINES and you wish to check the privacy conditions that apply to your

personal data and information, please check our Privacy Policy for Collaborators.

• If you are a shareholder of Avianca S.A. and you wish to check the privacy conditions that apply

to your personal data and information, please check our Privacy Policy of Aerovias del Continente

Americano S.A. for Personal Data Protection of Shareholders and Investors.

• If you are a shareholder of Avianca Holdings S.A. and you wish to check the privacy conditions

that apply to your personal data and information, please check the Privacy Policy of Avianca Holdings S.A.

for Personal Data Protection of Shareholders and Investors.

If you have a hearing and/or speech disability and you require personalized service, please call our toll-

free line (1 866) 998-3357 or write to us at [email protected]. Remember that you can request

special services for persons with disabilities during our online purchase process.