DATA PROTECTION POLICY
Procedure for compliance with Personal Data Protection Law N° 29733
1. Context
In Peru, Law N° 29733 – Personal Data Protection Law has been in force since October 2013, and since May 2015 it has been mandatory for all companies operating in the country.
This law guarantees the fundamental right of individuals to the protection of their privacy. Every type of processing of personal data conducted by COLTUR PERU S.A.C. (COLTUR) must be undertaken in strict compliance with the guiding principles set forth in Law N° 29733.
2. Purpose
To compile guidelines, recommendations and procedures for the handling of personal data, in such a way as to ensure and demonstrate compliance with Law N° 29733 - Personal Data Protection Law.
3. Scope
The guidelines, recommendations and procedures set out in this document are mandatory and apply to all COLTUR Group personnel responsible for the processing of personal data, or who interact with personal data.
4. Definitions
- Personal databank
An organized set of personal data, automated or non-automated, regardless of the medium, whether physical, magnetic, digital, optical or other, that is created, whatever the form or modality of its creation, formation, storage, organization and access. For example, the COLTUR client database.
- Personal data
All information about an individual that identifies him or her or makes him or her identifiable through means that can be reasonably used. An example would be the identity document numbers of COLTUR clients.
- Person responsible for the processing of personal data
Any natural person or legal person under private law, or public entity, who acting alone or jointly with another conducts the processing of personal data on behalf of the owner of the personal databank, by virtue of a legal relationship that links him or her to the same and delimits the scope of his or her actions. This includes those who conduct such processing without the existence of a personal databank. For example, those COLTUR collaborators with access to the client database.
- Cross-border flow of personal data
International transfer of personal data to a recipient located in a country other than the country of origin of the personal data, regardless of the medium in which said data is stored, the means by which the transfer was made, or the treatment received. An example of this concept would be if COLTUR hosted its customer database in a service provided by Microsoft.
- Sufficient level of protection for personal data
A level of protection that includes, as a minimum, the employing of, and compliance with, the guiding principles of this Law, as well as technical security and confidentiality measures appropriate to the category of data in question.
- Owner of personal data
Natural person to whom the personal data corresponds.
- Owner of the personal databank
Natural person, legal person under private law, or public entity, responsible for determining the purpose and content of the personal databank, the treatment of said content, and the security measures employed.
- Processing of personal data
Any technical operation or procedure, whether automated or non-automated, that enables the gathering, recording, organization, storage, conservation, processing, modification, extraction, consultation, use, blocking, deletion, communication by transfer or dissemination, or any other form of processing that facilitates access to, correlation or interconnection of personal data.
5. Guiding principles
The provisions of Law N° 29733 - Personal Data Protection Law define the following guiding principles:
Table 1. Guiding principles of Law N° 29733
Below, we detail the guidelines, recommendations, and procedures for each of the aforementioned principles:
5.1 Principle of legality and value of principles
a. The principle of legality must always be guaranteed by contract, both for internal collaborators of the COLTUR Group and for service providers and external suppliers.
b. In the case of internal collaborators of the COLTUR Group, this is ensured by Article 8 of the Employment Contract.
c. In the case of service providers that participate in the operations of the COLTUR Group, this is ensured by Article 5 – Confidentiality of the Service Lease Contract.
d. In the case of natural or legal persons who, due to the nature of their collaboration, must engage in a personal data processing task for the COLTUR Group and who do not fall under the cases mentioned in points ‘b’ or ‘c’, they must sign a document ensuring their express commitment to compliance with Law N° 29733 – Personal Data Protection Law.
5.2 Principle of consent
- Consent for the processing of personal data must be requested from the holders of the personal data in a free, prior, informed, express and unequivocal manner, by accepting the conditions proposed by the COLTUR Group for the handling of said information.
- The holders of personal data must give their consent using the form “Authorization for the processing of personal and sensitive data”. This form may be digitalized, and with the acceptance of the holder of the personal data at the time of data collection, the principle of consent is duly fulfilled.
- Consent is requested at the time of data collection, a task that will not necessarily be performed by the COLTUR Group. Where the COLTUR Group processes personal data collected by another party, it must verify that, at the time of collection, the owner of the personal data authorized the sharing of that information with the COLTUR Group.
5.3 Principle of purpose
- The purpose(s) of collecting personal data must be disclosed as part of the consent agreed upon by the personal data holders. In this way, the personal data holders are duly informed of the use that will be given to the data being collected. An example of purpose might be: “Management of accommodation and/or transportation reservations: The data received will be transferred principally to accommodation providers (hotels) and transportation providers, whether land or air”.
5.4 Principle of proportionality
- In order to comply with this principle, a Personal Data Mapping Sheet must be prepared, describing the personal data collected (or received through third parties), why they are necessary, and whether they are mandatory or optional.
5.5 Principle of quality
a. In order to guarantee the security of the personal data collected, everything is stored digitally, protected by a username/password and by the security provided by the COLTUR Group's internal network. More details on this aspect will be given in point 5.6 ‘Security principle’.
b. In order to accommodate the possibility of audits and tax issues (regulated in Peru by SUNAT), the personal data of clients will be stored for 5 years from the date of registration in the personal databank and file folders of the COLTUR Group.
c. Currently, an adaptation is being made to the database so that, as of August 2022, the provision defined in point b will be fulfilled.
d. In addition, the COLTUR Group has defined a mechanism, TI-PR-008 Information Backup v2, in order to guarantee the security and permanence of the personal data stored.
5.6 Principle of security
a. The COLTUR Group uses two means to store the personal data collected: a local personal databank and a file folder hosted in the cloud using Microsoft's OneDrive service.
b. The local database is utilized through the COLTUR Group Management System, which uses authentication based upon user/password credentials as a security mechanism. In addition, the database is physically hosted on the internal servers of the COLTUR Group, and access to it is restricted to the group's internal network.
c. The COLTUR Group Management System defines profiles with restricted access to stored personal data. The creation and deletion of new users is performed in accordance with the procedure defined in TI-PR-005, ‘Attention to the creation and deletion of users’.
d. The file folder hosted in the cloud through Microsoft's OneDrive service uses authentication based upon username/password credentials as a security mechanism. In addition, users with access to OneDrive are also distributed through profiles that only give them access to the personal data necessary in order to comply with what is defined in their profile.
Microsoft's Privacy Statement (for personal data) can be consulted at: https://privacy.microsoft.com/es-mx/privacystatement. Additionally, Microsoft provides a "Trust Center", with recommendations and practices implemented in the treatment of the personal data provided by its customers: https://www.microsoft.com/es-ww/trust-center/privacy?rtc=1.
5.7 Principle of use of resources
a. The COLTUR Group has established as an administrative mechanism that the email address info@colturperu.com must be used to receive any requests that the owners of personal data consider appropriate.
b. Requests will be received operationally by the personnel responsible for the processing of personal data and addressed within a period of no more than 30 business days.
5.8 Principle of adequate level of protection
a. For the reception of personal data through cross-border flows, the COLTUR Group must ensure that the information sent is protected by at least a password (Example: compressed in a ZIP file, or the password protection provided by Microsoft Office).
b. In the event that the COLTUR Group sends personal data across borders, it must request that the recipient provide evidence of compliance comparable to that provided for by law or by the relevant international standards.
6. Measures to be applied
Failure to comply with the provisions of any of these principles will result in the immediate suspension of access to computer resources in order to ensure their stability and proper functioning. The IT Department is responsible for conducting audits in order to verify compliance with the guidelines specified in this document for each principle and will notify the offending user in writing of any breach, with a copy to the departmental manager. In the event of serious and/or repeat offenses, the actions to be taken will be decided upon in coordination with Human Resources and the departmental management.