Privacy Policy - GeoPark

Privacy Policy

I.Objective

To comply with the laws and the respective regulatory decrees on the protection of personal data. Among the obligations contained within current regulations is the adoption of an internal manual of policies and procedures to ensure adequate compliance with the law and, in particular, to respond to questions and complaints from data owners. In this way, the organization protects the right of habeas data.

This policy applies to Argentina, Chile, Brazil, Ecuador and Colombia, and is based on Colombian standards for its development and fulfillment. Although the necessary and specific requirements of each country will be met, this policy was based on Colombian mechanisms since the website, through which personal data will be received, is managed from computers located in Colombia.

II. Scope

This Commitment is applicable to GeoPark Colombia and its subsidiaries, affiliates and/or controlled companies (GeoPark Colombia S.A.S, GeoPark Colombia E&P S.A. Sucursal Colombia, Amerisur Exploración Colombia Limitada, Petrodorado South America S.A. Sucursal Colombia, Fenix Oil & Gas Limited Sucursal Colombia); GeoPark Chile S.p.A. and its subsidiaries GeoPark TdF S.p.A., GeoPark Fell S.p.A., and GeoPark Magallanes Ltda.; GeoPark Argentina SAU; GeoPark Brasil Exploracao y Producao de Petóleo e Gas Ltda., GeoPark Perú S.A.C, Sucursal Ecuador, and El Consorcio GeoPark-Frontera Bloque Espejo, hereinafter “the organization,” and its employees and third parties hired by such companies.

III. General

The member companies of the organization, through the adoption of this document, comply with the requirements established in Law 1581 of 2012, Decree 1377 of 2013 Law 25,326/2000 of Protection of Personal Data (PDPA) of Argentina, law of protection of personal data (law 19,628) of Chile, the Organic Law of Protection of Personal Data of Ecuador, Law 13,709 of 2018 Federal Data Protection of Brazil and other applicable regulations that modify, add or complement the Protection of Personal Data in each of the countries in which the organization has a presence. The Commitment has certain special requirements, in line with the countries in which the organization has a presence. This Privacy Commitment regulates everything pertinent to the collection, storage, use, circulation and deletion of personal data.

Scope. This Privacy Commitment applies to the handling of personal data that the organization collects by any means depending on the development of its corporate purpose and to databases containing personal data, as defined by law. Likewise, this Privacy Commitment is extended, as appropriate, to the companies of the group and/or third parties linked or to be linked, located inside and outside the national territory, as applicable.

The organization is directly responsible for the handling of personal data, however, it reserves the right to designate a third party to carry out such duties, nonetheless requiring the person in charge to apply the Privacy Policy and act with absolute confidentiality.

IV. Definitions

Authority: Refers to the corresponding personal data authority, depending on the country where the information is collected.

Authorization: Prior, expressed and informed consent of the owner to handle personal data.

Privacy Notice: Verbal or written communication generated by the person in charge, addressed to the data owner regarding the handling of their personal data, through which they are informed of the existence of the Privacy Policy, how to access it and the purpose of the proposed handling of personal data.

Database: Organized set of personal data that is subject to handling.

Confidentiality: Handling of information in a way that ensures access only by authorized personnel or, in the case of personal data, by the data owner.

Personal data: Any data connected with or that can be associated with one or more specific or determinable individuals.

Public data: Data that is not semi-private, private, or sensitive. Public data is considered to include, among others, data related to the marital status of persons, their profession or trade and their status as a trader or public servant. By its nature, public data may be found, among other places, in public registers, public documents, gazettes and official bulletins, and duly enforceable court judgments that are not reserved.

Public Personal Data: Any personal data that is freely known and open to the general public.

Private personal data: Any personal data that is of restricted knowledge, and in principle private to the general public.

Semi-private data: Data that is not personal, reserved, or public and whose knowledge or disclosure may interest not only its owner but a certain sector or group of people or society in general.

Sensitive information: Information that affects the privacy of the Owner or whose improper use may generate discrimination, such as that revealing racial or ethnic origin, political orientation, religious or philosophical convictions, membership of trade unions, social or human rights organizations, or which promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties, as well as data related to health, sex life and biometric data, among others, the capture of still or moving images, fingerprints, photographs, iris, voice, facial or palm recognition, etc.

Person in charge of data handling: An individual or organization, public or private, who alone or in association with others handles personal data on behalf of the person responsible for the handling.

Data Protection Officer: Person or area that is designated to assume the function of personal data protection.

Person responsible for data handling: An individual or organization, public or private, who alone or in association with others, makes decisions on the database and/or the handling of data.

Risk: Possibility of occurrence of potential harm or harm to persons, units or organizations, with respect to which preventive or control actions are taken, at their own initiative or on instructions or measures from authorities.

Information Security: Set of preventive and reactive measures that allow the organization to safeguard and protect information to maintain the confidentiality, availability, and integrity of data.

Owner: Individual whose personal data is handled.

Transfer: Data transfer takes place when the person responsible and/or in charge of the processing of personal data, sends the information or personal data to a recipient, who in turn is responsible for its handling and is located within or outside the country from which the information was sent.

Transmission: Handling of personal data that involves it being sent within or outside the country it originates from to be processed by the person in charge of the handling on behalf of the person responsible.

Handling: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

V. Principles

Access and Restricted Circulation. Handling is subject to limits deriving from the nature of personal data and from the provisions in the current regulations. In this sense, data can only be handled by persons authorized by the owner and/or by persons accounted for in law. Personal data, except for public information, may not be made available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the owners or third parties authorized by law.

Confidentiality. All persons involved in the handling of personal data that is not public are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the handling, able to make provision or communication of personal data only when this corresponds to the development of the activities authorized by law and its terms.

Purpose. Handling must obey a legitimate purpose in accordance with the Constitution and the Law, about which the owner must be informed.

Legality. Data handling is a regulated activity that must be executed in accordance with the provisions of the law and other applicable provisions.

Freedom. Handling requires the prior, expressed, and informed consent of the owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that replaces consent.

Security. Information must be handled with the technical, human, and administrative measures that are necessary to provide security to the records avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.

Transparency. In the handling, the right of the owner to obtain from the person responsible for handling or the person in charge, at any time and without restrictions, information about the existence of data that concerns him/her is preserved.

Veracity or Quality. Truthful, complete, accurate, up-to-date, verifiable, and understandable information.

VI. Commitment

  1. Treatment. The organization assumes the commitment to handle personal data responsibly, observing the guidelines of this Privacy Commitment and the legal provisions in force.In accordance with the principle of freedom, the information provided by the owners of personal data may be collected by any means, including electronic, either known or to be known, and it will be treated by authorized personnel and stored in the databases, according to its purpose. The acceptance of the Privacy Commitment implies that its owner accepts and authorizes the handling of their personal data, including their transmission and/or national or international transfer for the purposes described in this document, in accordance with the law.Information provided by owners will be made available to them through easily read formal channels without technical barriers that prevent access, and which have information held in the corresponding database.
  2. Purpose. The organization handles personal data for the following purposes:2.1. To establish and maintain business relationships with clients, investors, consultants, contractors and/or authorized subcontractors, partners and current or potential suppliers to provide goods and services effectively in the development of its corporate purpose.2.2. To establish and maintain general or personalized communications with its employees, authorities, third parties, clients, investors, suppliers and contractors, allowing the organization to comply with its commercial, contractual and social responsibility activities2.3. To comply with labor obligations and manage employees’ employment contracts. For these purposes, the information that is handled may include that collected prior to the employment relationship in the case of prospects, applicant interns, candidates, or people to be hired; as well as information on active employees and on people who have left the organization.2.4. To perform safety studies and background checks on personnel who have or aspire to have employment, contractual or commercial relationships with the Company. Also, in compliance with national regulations on self-control, risk management and operations reporting.2.5. To collect information in the development of competitive processes and their evaluation for the provision of services, construction of works and supply of goods.2.6. To register and/or authorize the entry of people and/or elements to any of the facilities of the organization, for security and risk control reasons. Said activity may include monitoring through video surveillance systems for the control of physical and environmental risks at the perimeter of the organization’s facilities.2.7. To comply with any kind of guidelines or security protocols (for example, biosecurity) determined by relevant authorities, upon which the organization will adjust the collection of data and its handling, attending to aspects related to the need, purposes, complexity and temporality of the data. This type of information will be stored for a reasonable and necessary time to comply with the mandates of the authorities. Once the purpose has been fulfilled, the data will be deleted ex officio.2.8. To compile statistics.2.9. To comply with Law 1581, Decree 1377 of 2013 in Colombia, Law 25.32/2000 on the Protection of Personal Data (PDPA) in Argentina, Law on the Protection of Personal Data (Law 19,628) in Chile, the Organic Law on the Protection of Personal Data of Ecuador, Law 13,709 of 2018 Federal Data Protection of Brazil, and other applicable regulations.

Prior to or at the same time as the information is requested by the organization from the owners, they will be informed of the specific purposes for which their data will be treated in accordance with what a reasonable person would consider appropriate within the given circumstances.

The data the organization processes through its platforms may be provided directly by the owners of information through our website, email, applications, or any other available means. It is reiterated that the person providing the information confirms that (s)he has read, understood, and accepted the content of the Privacy Policy and expressly consents to its collection, storage, use, circulation, and deletion in accordance with this Policy. Otherwise, users should not access our organization’s services or provide information.

If in the normal course of business carried out by the organization, sensitive data, data for security studies and data concerning minors is collected and processed, the organization will explicitly reiterate to the owners of such sensitive data or their representatives that the information they provide is absolutely optional and that in no way are they obliged to provide it.

Therefore, the holders or their representatives understand that by granting authorization they are explicitly and unequivocally allowing data to be processed. Notwithstanding, when data concerning minors is processed, it will always be done within the parameters and requirements required by law, which are listed below:

a) That it responds to and respects the best interests of children and adolescents.

b) That it ensures respect for their fundamental rights.

c) In line with the maturity of the child or adolescent, that their opinion is considered.

Once these requirements are met, the legal representative of the child or adolescent shall grant the minor’s prior authorization to exercise his or her right to be heard, an opinion that will be assessed considering their maturity, autonomy, and capacity to understand the matter.

VII. RIGHTS OF THE OWNERS

  1. Rights of the Owners. Owners of personal data will have the following rights: 

3.1. To know, update and rectify their personal data. This right may be exercised for reasons including partial, inaccurate, incomplete, fractional, or misleading data, or data whose handling is expressly prohibited or has not been authorized.

3.2. To request proof of the authorization of handling, except when it is expressly excepted as a requirement for handling.

3.3. To be informed of the handling, upon request, regarding the use given to their personal data.

3.4. To submit complaints to the Industry and Commerce Regulator for violations of the provisions of current regulations and other regulations that modify, add to or complement them.

3.5. To revoke the authorization and/or request the deletion of data when the handling does not respect principles, rights and constitutional and legal guarantees. The revocation and/or deletion will proceed when the Industry and Commerce Regulator has determined that in the handling the person responsible or in charge has acted contrary to the law and the Constitution.

3.6. To access, at no financial cost, their personal data.

  1. People to whom the information can be provided. Information that meets the conditions established by law may be provided to the following persons: (i) the holders, their successors in title or their legal representatives; (ii) public or administrative entities in the exercise of their legal functions or by court order and (iii) third parties authorized by the owner or by law.

VIII. DUTIES OF THE PERSONS RESPONSIBLE FOR AND IN CHARGE OF THE PROCESSING OF PERSONAL DATA

  1. Duties. The duties of the organization are as follows:

5.1. To guarantee the owner, at all times, the full and effective exercise of the right of habeas data.

5.2. To request and keep, under the conditions provided for by law, a copy of the respective authorization granted by the owner.

5.3. To duly inform the owner about the purpose of the data collection and the rights that by virtue of the authorization granted correspond to the owner.

5.4. To keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

5.5. To ensure that the information provided to the person in charge, if any, is truthful, complete, accurate, up-to-date, verifiable and understandable.

5.6. To update the information, communicating in a timely manner to the person in charge of data handling, if any, all information regarding previously provided data and adopting other necessary measures so that the information provided to the person in charge is updated.

5.7. To rectify information when incorrect and appropriately inform the person in charge of data handing, if any.

5.8. To provide to the person in charge of data handling, if any and as appropriate, only data whose handling is previously authorized in accordance with the provisions of the law.

5.9. To require the person in charge of data handling, if any, to respect the security and privacy of owners’ information at all times.

5.10. To process the questions and complaints formulated in the terms indicated by law.

5.11. To adopt an internal policy and procedure manual to ensure compliance with the law, and in particular to respond to questions and complaints.

5.12. To inform the person in charge of data handling, if any, when certain information is under discussion by the owner, from the complaint being submitted to the respective procedure being completed.

5.13. To inform the owner on request about the use given to their data.

5.14. To inform the data protection authority when there are violations of the security codes and there are risks in the administration of owners’ information.

5.15. To comply with instructions and requirements issued by Authorities.

  1. Duties of the Person in charge of data handling. If there are one or more persons in charge of data handling, they must comply with current regulations and the following duties:

6.1. To guarantee the owner the full and effective exercise of the right of habeas data at all times.

6.2. To keep information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.

6.3. To update, rectify or delete data in a timely manner and according to the terms of the law.

6.4. To update the information reported by the person responsible for data handling within five (5) working days of its receipt.

6.5. Process questions and complaints made by information owners in the terms indicated in this Privacy Policy, in accordance with the Law.

6.6. To adopt an internal policy and procedure manual to ensure compliance with the law, and in particular to respond to questions and complaints from the owners.

6.7. To register “complaint in process” in the database in the way it is regulated by law.

6.8. To insert in the database “information under judicial discussion” once notified by the relevant authority about judicial processes related to the quality of personal data.

6.9. To refrain from circulating information that is being disputed by the owner and has been ordered by Authorities to be blocked.

6.10. To allow only authorized people to access information.

6.11. To inform Authorities when there are violations of the security codes and there are risks in the administration of owners’ information.

6.12. To comply with instructions and requirements issued by Authorities.

When the responsibilities of the person responsible of handling data and person in charge of handling coincide, the duties foreseen for each one will be fulfilled, without generating duplication of actions.

IX. PROCEDURES

  1. Procedures for questions and complaints. For the purposes of complying with the provisions of this Privacy Policy and the applicable regulations, the function of Data Protection Officer will be exercised by the person who holds the position of Legal Coordinator of GeoPark Colombia S.A.S., who may act as such for one or more of the companies linked or related to the organization. In this sense, the owners of personal data, or their successors in title and/or duly accredited representatives, may submit information inquiries and complaints through the following channels:

Questions about information and complaints must contain the following:

  • Identification of the owner of the information.
  • Name and surnames of the person presenting the question or complaint and the capacity in which it acts.
  • The information required in the case of a question or description of the facts in the case of complaints.
  • Documents that serve as evidence, when applicable.
  • Contact details for sending a reply.

Questions about information and complaints must observe the following procedures:

7.1. Questions. Queries about Personal Data will be dealt with within a maximum period of ten (10) business days from their filing. When it is not possible to respond to the query within said term the interested party will be informed, expressing the reasons for the delay and indicating the date on which their query will be answered, which in no case may exceed five (5) business days following the expiration of the first term.

7.2. Complaints. Complaints shall be made by means of a request that includes a description of the facts, the address and annexes with evidence. If the complaint is incomplete, the interested party will be required within five (5) days of receipt of the complaint to provide what is missing. If after two (2) months from the date of the request for further information the party has not submitted the information, it will be understood that the complaint has been withdrawn.

If the person that receives a complaint is not competent to resolve it, (s)he will transfer it to the corresponding person within a maximum period of two (2) working days and will inform the interested party of the situation.

Once the complete complaint has been received, a note will be included in the database stating “complaint in process” and the reason for it, within no more than two (2) working days. This note must be maintained until the complaint is resolved within no more than fifteen (15) working days, which may be extended for up to eight (8) working days from the expiration of the first term.

X. AUTHORIZATION AND PRIVACY NOTICE

  1. Authorization. Notwithstanding the exceptions provided for by law, the processing of personal data by the organization requires the free, prior, informed and expressed consent of the owner of said data.
  2. Means of Granting Authorization. The organization may request personal data from its owners by any physical or electronic means, known or to be known.
  3. Content of the Authorization. The authorization of the owner to handle personal data is a declaration that includes the following elements: (i) object of the authorization; (ii) purpose; (iii) users of the information; (iv) national and international transmission and transfer of information to third countries; (v) personal data of minors and; (vi) persons responsible for and in charge of the information.
    It will be understood that authorization complies with these requirements when it is manifested (i) in writing, (ii) orally or (iii) through unequivocal conduct of the owner that allows a reasonable conclusion to be drawn that the owner has granted authorization.
  4. Evidence of authorization. The organization shall take the necessary measures to secure and maintain suitable physical, electronic and/or technological records relating to the collection of the information.
  5. Cases in which authorization is not required. Authorization by the owner will not be necessary in the case of (i) information required by a public or administrative entity in the exercise of its legal functions or by court order; (ii) data of a public nature; (iii) cases of medical or health emergency; (iv) processing of information authorized by law for historical, statistical or scientific purposes and (v) data related to the Civil Registry of Persons.
  6. Privacy Notice. The privacy notice is the alternative mechanism through which the organization informs the owner of the existence of the Privacy Policy and how to access it. The notice may be contained in a physical, electronic, or other format and be made available to the owner, through which the policies for the processing of personal data are disclosed.
    The privacy notice, at a minimum, will contain the following information:

13.1. Name or business name and contact details of the controller.

13.2. The treatment to which the data will be subjected and the purpose of this.

13.3. The rights of the information owner.

13.4. The mechanisms provided by the person in charge so that the owner knows the Privacy Policy and the substantial changes that occur in it or in the corresponding Privacy Notice. In all cases, the owner must be informed how to access or consult the Privacy Policy.

When sensitive personal data is collected, the privacy notice must expressly indicate the optional nature of the answer to the questions that deal with this type of data.

The organization will keep the model of the privacy notice addressed to information owners.

  1. Accreditation of the Privacy Notice. The organization will keep the model of the privacy notice that it uses to inform the owners of the existence of the Privacy Policy and the way to access it, while personal data is processed in accordance with it and the obligations derived from it last. For the storage of the model, the organization may use computer, electronic or any other available technology.
  2. Dissemination of the Privacy Notice and the Privacy Policy. For the dissemination of the privacy notice and the Privacy Policy, the person responsible may use documents, electronic formats, verbal means or any other technology, on the condition that it guarantees and complies with the duty to inform the owner.
  3. Security measures. The organization will adopt the appropriate security measures for the protection and confidentiality of the personal data to the people who are provided with such data.

XI. Special Dispensations

Applicable only to Argentina

Sending Personal Data to Third Parties: Third parties with whom we may share information may be located inside or outside Argentine territory, including countries with lower levels of data protection than those required in the Argentine Republic. Notwithstanding, the organization guarantees that it has adopted the necessary measures to ensure the security and confidentiality of its personal data. Consequently, the organization guarantees that it has adopted the necessary technical and organizational measures to ensure the security and confidentiality of its personal data, in compliance that stipulated by Provision 60/2016.

The Personal Data subject to processing may only be transferred (i) for the fulfillment of the purposes directly related to the legitimate interest of the assignor and the assignee and (ii) with the prior consent of the Owner. Such consent may be revoked. The Owner must be informed about the purpose of the assignment and identify the assignee or the elements that allow it to be done.

Access to data by the Owner: The owner of the personal data can exercise the right of access to data free of charge at intervals of not less than six months, unless a legitimate interest is demonstrated for this purpose in accordance with the provisions of article 14, paragraph 3 of Law No. 25,326 (Provision 14/2018, Article 2, B.O. 06/03/2018). To this end, the owner of the personal data may send a letter by email to co.privacidad@geo-park.com, requesting access to their data and, where appropriate, require the update, modification or deletion of the data that they consider to be erroneous. The Agency for Access to Public Information, the Control Body of Law No. 25,326, has the power to deal with complaints and cases that are filed in relation to non-compliance with the rules on the protection of personal data.

Use of Personal Data for Advertising Purposes: (Law 25,326, Article 27 Paragraph 3.) In any communication for advertising purposes that is made by mail, telephone, email, internet or other remote means, the possibility of the data owner to request the total or partial withdrawal or blocking of his/her name from the database must be expressly and prominently indicated.

Filing of Petitions, Queries, Complaints or Cases: If they are personal data of an Argentine national, they should be addressed to co.privacidad@geo-park.com.

 

 Applicable only to Brazil

Scope of Application: i) Data processing in the territories of Brazil; ii) Processing of data of individuals who are located within the territories of Brazil; (iii) regardless of where in the world the data processor is located; iv) Processing of data collected in Brazil.

Filing of Petitions, Queries, Complaints or Cases: If they are personal data of a Brazilian national, they should be addressed to co.privacidad@geo-park.com.

 

Applicable only to Chile

Changes to the policy: When there are changes to the privacy policy, the aforementioned notification will express (i) the time from when the changes to the Policy are effective and (ii) the effect associated with the expressed rejection or its timely non-acceptance.

Withdrawal of authorization for marketing purposes: Once the aforementioned request has been made, sending new communications is prohibited. Additionally, the organization undertakes that communication sent by electronic means for marketing purposes indicate (i) the subject or subject matter to which it relates; (ii) the identity of the sender; and (iii) a valid address or means for the recipient to request the suspension of the sending of such communications.

Filing of Petitions, Queries, Complaints or Cases: If they are personal data of a Chilean national, they should be addressed to co.privacidad@geo-park.com.

 

Applicable only to Ecuador

Filing of Petitions, Queries, Complaints or Cases: If they are personal data of an Ecuadorian national, they should be addressed to co.privacidad@geo-park.com.

XII. Responsibilities

The present commitment is the responsibility of the People and Legal areas of the organization.

XIII. Term

This update of the Privacy Policy applies as of March 23, 2021 for Colombia and replaces the previous one in its entirety, from the same day of its implementation. This update of the Privacy Policy applies as of May 24, 2022 for Ecuador, Argentina, Chile and Brazil and replaces the previous one in its entirety, from the same day of its implementation. The databases of the organization will have a term equivalent to the end of the purposes of the data handled. The organization may revise the Privacy Policy and modify it within the scope of the law. Any substantial changes to the Privacy Policy will be previously communicated to the owner in a timely manner.