Policy of Protection and Processing of Personal Data

POLICY OF PROTECTION AND PROCESSING OF PERSONAL DATA

I. PURPOSE

The purpose of this policy is to inform the way how ALUDI TRAVEL E.I.R.L  (hereinafter referred to as “ALUDI TRAVEL”) protects and processes the personal data of customers, passengers, providers, tour operators, travel agencies and employees, collected through the different physical or digital channels, for all purposes expressly communicated.

II. GENERAL INFORMATION

The purpose of ALUDI TRAVEL, is to provide services related to individual and group trips, by air, land or sea, organization of tours or excursions, arrangement of accommodation, and any other tourism-related activity.

For this purpose, during the execution of its activities, the personal information of natural persons is collected, used, managed, transferred, stored and processed, such as the name, identity card, telephone number, email address, country of residence, among others, through different physical and digital formats.

In accordance with Peruvian Law No. 29733 – Law on Personal Data Protection – and Code No. 003-2013-JUS, and the General Data Protection Regulation GDPR (UE 2016/679), Aludi Travel agrees to ensure and adopt the measures for information security through the best international practices, regarding confidentiality,

completeness and availability of personal data provided.

III. DEFINITIONS

▪ Controller: the natural or legal person, which alone or jointly with others, determines the purposes and means of the processing of personal data, namely,

Aludi Travel shall be responsible for the personal data obtained by its different collection channels and provided by its customers and member companies.

▪ Personal Data: any information relating to an identified or identifiable natural person (the data subject), such as the name, identification number (DNI), passport, location data or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

▪ Processing: any operation or set of operations conducted on personal data or sets of personal data (whether or not by automated means), such as collection,

recording, organization, modification, consultation, use, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

▪ Right of access: the right of the data subjects to know which information is being processed by Aludi Travel and to obtain a copy of it.

▪ Right to rectification: the right of the data subjects to have their personal data updated, rectified and/or corrected.

▪ Right to object: the right of the data subjects to object at any time to the processing of their personal data by Aludi Travel.

▪ Right to erasure (“right to be forgotten”): the right of the data subjects to have their data erased from any document, file or place.

▪ Right to restriction of processing: the right of the data subjects to have their personal data restricted to several circumstances provided by law, such as the illicit processing of personal data or when it is no longer required by Aludi Travel.

▪ Right to data portability: the right of the data subjects to receive the personal data concerning them that have been provided to Aludi Travel, in a structured,

commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller.

▪ Right to not being the subject to individualized decisions: the right of the data subjects to not being the subject to a decision based solely on automated

processing, including profiling, which produces legal effects concerning them or similarly significantly affect them.

IV. CONSENT AND LAWFULNESS OF PROCESSING

Aludi Travel processes personal data of the data subjects:

(i) When they expressly have given consent to the processing of their personal data for the purposes set forth in this document and/or,

(ii) When processing is necessary for the performance of a contract for the provision of services and products, to which the data subject is party.

V. PERSONAL INFORMATION AND SCOPE

This policy covers the personal data concerning the clients, passengers, providers, tour operators, travel agencies and employees, provided by them freely, voluntarily and consciously. The data collected and stored are comprised of basic data entered through registration and contact forms and other similar means, such as the name, identification number, passport, gender, age, telephone number, email address, country of residence, among other details collected through the different company managed channels, which are necessary for Aludi Travel to provide the tourism related services. In any case, the data subjects may see which personal data are required for the provision of service and which are complementary before providing their personal data.

The data subjects shall be solely responsible for providing correct and accurate data.

They must be above 18 years old and fully competent to contract. In addition, the data subjects shall assume sole responsibility for the information provided of third parties,  and for ensuring that they have been informed of this Policy of Confidentiality, and for having obtained their express authorization.

VI. GUIDING PRINCIPLES

Aludi Travel shall consider the principles shown below for the processing of personal data.

1. Principle of Legality: In accordance with Law 29733, the processing of personal data is a regulated activity that must be subject to said law and all other pertinent regulating provisions. Collecting personal information through fraudulent, disloyal or illegal means is forbidden.
2. Principle of Consent: In accordance with the principle of consent, the processing of personal data is legitimate when the data subject has given his/her prior, voluntary, express, informed and clear consent. Consent statements that are not directly expressed, like those requiring the assumption or assuming the existence of an intention that has not been expressed, are not accepted. Even the consent given with other statements shall be expressly and clearly expressed.
3. Principle of Purpose: The principle of purpose considers that a purpose is determined when it has been clearly expressed, without confusion and when the purpose of processing personal data is objectively specified. As a personal data bank that contains sensitive data, its creation may only be justified if its purpose, in addition of being legitimate, is specific and consistent with the activities or purposes of the manager of the personal data bank. The professionals processing personal data, in addition of being restricted for the purpose of their services, have the obligation to keep confidentiality.
4. Principle of Quality: The personal data must be true, exact and, if possible, updated, necessary, pertinent and proper for its purpose. It must be preserved in such a way that it remains secure and only for the time required for the purpose of processing. Principle of Proportionality: Any processing of personal data must be suitable, relevant and must not go beyond the purpose for which it was collected.
5. Principle of Security: The manager of the personal data bank and the processor must adopt the technical, organizational and legal measures required to ensure the security of the personal data. The security measures must be suitable andconsistent with the processing to be conducted and the category of personal data.
6. Principle of Availability of Means: Any data subject must have the administrative or jurisdictional means required to file claims and enforce their rights, when they are affected for the processing of their personal data.
7. Principle of Proper Protection Level: For the border flow of personal data, a sufficient level to protect the personal data to be processed must be ensured, or at least, similar to what is set forth by law or the concerning international standards.

VII. PURPOSES OF PERSONAL DATA

Aludi Travel will use the personal data provided by the data subjects for the purposes shown below:

Passengers

• To provide the tourism-related contracted services and products.
• To contact the client (travel agencies, companies and natural persons) during the provision of the contracted services and products.

• To coordinate with providers, travel agencies, cruises and hotels.
• To send information to the clients about the service and/or provisions to be met by the clients during the service, for example, the contracting terms and conditions, tax requirements and/or other conditions that may include the company’s internal policies.

• To answer doubts, questions and requests.
• To provide proof of the payments of the non-domiciled IVA before Tax Authorities, through the Information of Passport and Andean Immigration Card (TAM), among others.

• To analyze and identify the expectations and preferences of travel agencies to buy tickets and services.

Workers and employees:

• The Company will require personal data from its employees to comply with the labor statutory provisions in force and/or development of projects related to Human Resources and Talent Management, such as payroll registration, employee attendance, recruitment, payment of commissions, among others.

• Video-surveillance security within the facilities.
• To comply with the policy and procedures of the Policy of Money Laundering and Terrorist Financing.

Tour Operators and Providers:

• To manage the payment of the services and products requested. 
• To contact about the provision of services and products requested.
• Video-surveillance security within the facilities.

The personal data that you provide us will be stored in the data bases described in the Annex 2 of this document.

VIII. RIGHTS OF THE DATA SUBJECTS

The data subjects will have the rights shown below:

1. Only the data subjects may have the rights of information and access, rights to rectification, erasure, object and objective processing of personal data, without detriment to the rules governing representation.
2. Exercising any of the rights does not exclude from the possibility of exercising any other rights, nor can it be understood as a prior requirement for exercising any of those.
3. To know, update and rectify their personal data before Aludi Travel or the appointed processor. This right may be applied in case of incomplete, inaccurate, incomplete, partial, confusing data or data which processing has been forbidden or not authorized.
4. To be informed by Aludi Travel or the appointed processor, upon request, of how their personal data have been used.
5. To revoke the authorization and/or request erasure of data when the constitutional and legal principles, rights and guarantees are not fulfilled in the processing. Revoking or erasing the information will proceed when the National Authority of Personal Data Protection has determined that Aludi Travel or the processor had contravened Law 29733 and the Constitution when processing the data.
6. To have free access to your personal data subject to processing, in the terms and conditions set forth herein.

IX. CONDITIONS FOR THE PROCESSING OF PERSONAL DATA
Authorization from the data subject In order for Aludi Travel to process any personal data, prior authorization from the data subject is required, which shall be obtained through any means that may be subject to further consultation. These mechanisms may be predetermined through technical means that enable the automated manifestation of the data subject, or they can be written or oral. Aludi Travel will adopt the procedures required to request, no later than the moment of collecting the data, the authorization from the data subject for processing the data, and tell which personal details will be collected, as well as all specific purposes of the processing. The personal data available in public sources may be processed by Aludi Travel, provided that it is public information. In case substantial changes are made to the data processing policies of Aludi Travel, with regard to the identification of the responsible person and the purpose of processing personal data, which affect the authorization, Aludi Travel will communicate these changes to the data subjects, before or at the latest when implementing the new policies. In addition, a new authorization shall be obtained from the data subject when the change is referred to the purpose of the processing. For communicating the changes and authorization, any technical means may be used.

1. Cases in which authorization is not required

• Information required by a public or administrative entity exercising its legal functions or by judicial order.

• Public information.
• Cases of medical or health emergency.
• Processing of data authorized by law for historical, statistical or scientific purposes.
• Data related to Vital Records.

1. Provision of information

The information requested by the data subject shall be provided by Aludi Travel in the same way as it was requested.

1. Obligation to inform the data subject

At the moment of requesting the authorization from the data subject, Aludi Travel shall clearly and expressly inform the data subject of the following:

• The processing to which his/her personal data will be subject and its purpose.

• The optional responses to the questions posed when they are about sensitive data or about data of children and adolescents.

• The rights of the data subject.
• The identification, physical or electronic address and telephone of the controller.

1. Revocation of the authorization and/or erasure of data:

The data subjects may at any time request Aludi Travel to erase their personal data and/or revoke the authorization given for processing the data. It must be done by submitting a request, in accordance with Law 29733 of 2011 and its regulations – Executive Decree No. 003-2013-JUS of 2013.

The request for erasure of data and the revocation of authorization will not be accepted if the data subject has the contractual obligation to remain in the data

bank of Aludi Travel.

1. People to whom the information may be provided:

The personal data that have been processed by Aludi Travel may be provided to the following people:

• Data subjects, their successors or legal representatives.
• Public or administrative entities exercising their legal functions or by judicial order.

• Third parties authorized by the data subject or by law.

1. SECURITY OF THE PERSONAL DATA

Aludi Travel complies with the measures of personal data protection required by law and has adopted the reasonable measures according to the current technical knowledge and good practices for the custody and management of information in order to prevent the loss, misuse, alteration, illegal intrusion and theft of personal data provided by the data subjects.

1. PROCEDURES

The data subjects or their successors have the right to make consultations and/or file claims before Aludi Travel through a written communication – in which they must enter their identification details – sent to the address shown below at any time. Also, they have the right to remove their consent for processing personal data and/or use their rights of access and information, and rights to rectification, object, erasure, restriction, to be forgotten, portability and to not being subject of individualized decisions, through a written communication addressed to Aludi Travel, with the reference “PERSONAL DATA”, to the following addresses:

– Physical / Legal Address: Av. La Paz 112 San Miguel, Lima, Perú.

– Email: sales@aluditravel.com

Aludi Travel will give response to the consultation and/or claim through the same method of communication.

1. a) Consultation (Access / Information)

The data subjects or their successors may consult the personal data of the data subject that is found in the database of Aludi Travel, which will provide to the

requesting party all the information concerning the data subject that is found in its database.

The data subjects may make consultations at no cost with regard to their personal data whenever there is any substantial modification to Aludi Travel´s Policies of Data Processing.

Any consultation will be replied in the same way as they were made within 05 business days following its submission. To comply with this right, the data subject

or his/her successors shall submit the form of the Right of Access, which is attached herein.

1. b) Claims (Requests / Petitions)

The data subjects or their successors who consider that the information contained in a database must be rectified, erased or objected, or when they observe any

breach of the obligations set forth in Law 29733 of 2011, they may file a request to the Manager of the Personal Data Bank or the controller of Audi Travel. To

comply with these rights, the data subject or his/her successors shall submit the corresponding form, which is attached herein.

In case that the request does not meet the requirements given, the interested party will be required to rectify the faults within five (05) days following the reception of the claim. In case there is no rectification made after the term is completed, the request will be deemed not to have been submitted.

In case that the information provided in the request is insufficient or inaccurate, Aludi Travel may require additional documentation from the data subject within

seven (7) days following the reception of the request.

Within ten (10) days after receiving the requirement, starting from the day following its reception, the data subject shall include the pertinent additional documentation to provide grounds for the request. Otherwise, the request will be deemed not to have been submitted.

The maximum response times for the claims according to law regulations are asfollow:

• Right of information: Five (05) days starting from the day following the submission of the request.

• Right of access: Twenty (20) days starting from the day following the submission of the request by the data subject.

• Rights to rectification, erasure and objection: the maximum response time of the personal data bank manager or controller is ten (10) days starting from the day following the submission of the request.

Excepting for the response time provided for the right of information, the response times for the other rights may be extended for one time, and for the same time at the latest, provided that circumstances so require. The reason for extending the response time shall be communicated to the data subject within the term to be extended.

1. c) Requirement of Admissibility

The data subjects or their successors may file a claim before the National Authority of Personal Data Protection only if they have exhausted the procedure of

consultation or claim before Aludi Travel.

XII. OBLIGATIONS OF ALUDI TRAVEL IN THE PROCESSING OF DATA

• Guarantee the data subject, at any time, the full and effective exercise of the right of habeas data.

• Request and keep, according to the conditions provided by law, a copy of the authorization given by the data subject.

• Inform the data subject about the purpose of collecting information and the rights to which he/she is entitled by virtue of the authorization given.

• Take measures towards preserving the information under the security conditions to prevent it from being corrupted or from loss, non-authorized or fraudulent access, consultation or use.

• Take measures so that the information provided to the processor is true, complete, exact, updated, verifiable and understandable.

• Update the information, communicating the processor in a time basis, all news regarding the data that has been previously provided to him, and adopt the necessary measures so that the information provided remains updated.

• Rectify the information that is incorrect and inform the processor.
• Provide the processor, when appropriate, only the data for which processing is previously authorized in accordance with law.

• Require the processor to respect the security and confidentiality conditions of the data subject’s information, at all times.

• Process the consultations and claims filed according to law.
• Adopt an internal guidebook of policies and procedures towards guaranteeing that the law is fulfilled and, especially, for dealing with consultations and claims.

• Inform the processor when specific information is contested by the data subject, once the claim has been submitted and the corresponding proceeding has not been completed.

• Inform the data subject, upon request, of the use of his/her personal data.
• Inform the National Authority of Personal Data Protection when the security policies are violated and in case there are risks in managing the information of the data subjects.

• Comply with the instructions and requirements provided by the National Authority of Personal Data Protection.

XIII. OBLIGATIONS OF THE PROCESSOR

The processors shall comply with the following obligations, without detriment to the other provisions set forth by law and others governing their activity:

• Guarantee the data subject, at any time, the full and effective exercise of the right of habeas data.

• Take measures towards preserving the information under the security conditions to prevent it from being corrupted or from loss, non-authorized or fraudulent access, consultation or use.

• Update, rectify or erase the data in a timely basis, in accordance with law.
• Update the information reported by the controllers within five (05) business days following the reception of the information.

• Process the consultations and claims filed by the data subjects in accordance with law.

• Adopt an internal guidebook of policies and procedures towards guaranteeing that the law is fulfilled and, especially, for dealing with consultations and claims filed by the data subjects.

• Avoid disseminating information contested by the data subjects and that was blocked by the National Authority of Personal Data Protection.

• Allow the access to information solely to the people who may have access to it.
• Inform the National Authority of Personal Data Protection when the security policies are violated and in case there are risks in managing the information of the data subjects.

• Comply with the instructions and requirements provided by the National

Authority of Personal Data Protection.

• Safeguard the security of the databases containing personal data.
• Keep the personal data processing confidential.

XIV. SECURITY MEASURES

Aludi Travel takes all reasonable precautions and measures of technical, administrative and organizational nature towards ensuring the security of the personal

data of data subjects, especially those aimed at preventing them from being corrupted or from loss and non-authorized access or processing.

The application of security measures is intended to ensure that the data remain confidential, complete, available and well-stored.

The security guidelines of Aludi Travel are supported by the information security policies of Aludi Travel , developed under the best existing security practices and standards and complying with the regulations in force.

The direct and indirect officers who carry out duties at Aludi Travel must strictly

comply with the policies.

XV. PRESERVATION OF THE DATA

The periods for Aludi Travel to keep the personal data of the data subjects shall be different depending on the purpose of the processing. For instance, the data shall be preserved for the time a contractual relationship is effective for the provision of products and services between Aludi Travel and the data subjects and/or while the data subjects do not request Aludi Travel to erase their personal data. In addition, the data subjects understand and accept that some personal information shall be kept by Aludi Travel, in accordance with legal regulations and for the time provided by law.

XVI. MODIFICATIONS TO THE POLICY

Aludi Travel may make changes and update this policy depending on the news or legislative or jurisprudence requirements and/or needs of the institution, among others. In fact, data subjects are recommended to check this policy in a regular basis and/or each time when they access the company’s website. 

Attachments

REQUEST FOR THE RIGHT OF ACCESS

For the purpose of processing the request of access to your personal data processed by Aludi Travel, please, enter your personal details, so that we can prove your identity, in accordance with the regulations in force regarding personal data protection.

REQUESTING PARTY’S DETAILS

Mr./Ms………………………………………………………………………………of legal age, domiciled at…………………………………………………………………………………….., District

of……………………………………… Province of…………………… Country ….…………, identified by ID document……………………. – photocopy attached, does hereby express

his/her intention to make use of the right of access, in accordance with Law 29733 of 2011 and its regulations – Executive Decree No. 003-2013-JUS of 2013, and the General Data Protection Regulation GDPR (UE 2016/679).

THEREFORE, I REQUEST

That, free access be granted to my personal data kept in the data banks of Aludi Travel.

A copy of the Identity Document is hereby attached in a separate sheet to prove my identity as the data subject.

That, if this request is accepted, send by mail the information requested to the address mentioned above.

That the information must clearly and understandable include my personal details that are kept in your data banks, and the data resulting from any processing, as well as the origin of the data, the assignees and specifying the uses and purposes of storing the data.

In………………………..on…………………………………………of 20……

REQUEST FOR THE RIGHT TO RECTIFICATION

For the purpose of processing the request of rectification of your personal data processed by Aludi Travel, please, enter your personal details, so that we can prove your identity, in accordance with the regulations in force regarding personal data protection, as well as the data you want to rectify.

REQUESTING PARTY’S DETAILS

Mr./Ms………………………………………………………………………………of legal age, domiciled at…………………………………………………………………………………….., District of……………………………………… Province of…………………… Country ….…………, identified by ID document……………………. – photocopy attached, does hereby express

his/her intention to make use of the right to rectification, in accordance with Law 29733 of 2011 and its regulations – Executive Decree No. 003-2013-JUS of 2013, and the General Data Protection Regulation GDPR (UE 2016/679).

THEREFORE, I REQUEST

That, my incorrect personal data kept in the data banks of Aludi Travel be rectified at no cost. The information to be rectified is shown in the attached sheet in addition to the copy of the documents that, if necessary, serve as evidence of the new data. A copy of the identity document is also attached in order to prove my identity as the data subject. That, the rectification of data be sent in writing by mail to the abovementioned address once it is completed, or in case it is considered that this right is not applicable, a communication be sent to the same address with supporting arguments in order to file a claim according to the regulations.

In………………………..on…………………………………………of 20……

REQUEST FOR THE RIGHT TO ERASURE

For the purpose of processing the request to erase your personal data processed by Aludi Travel, please, enter your personal details, so that we can prove your identity, in accordance with the regulations in force regarding personal data protection, as well as the data you want to erase.

REQUESTING PARTY’S DETAILS

Mr./Ms………………………………………………………………………………of legal age, domiciled at…………………………………………………………………………………….., District of……………………………………… Province of…………………… Country ….…………, identified by ID document……………………. – photocopy attached, does hereby express

his/her intention to make use of the right to erasure, in accordance with Law 29733 of 2011 and its regulations – Executive Decree No. 003-2013-JUS of 2013, and the General Data Protection Regulation GDPR (UE 2016/679).

THEREFORE, I REQUEST

That, any of my personal data kept in the data banks of Aludi Travel be erased, in accordance with the conditions set forth by the national and international regulations, at no cost.

That, the acceptance of said erasure be sent in writing to the abovementioned address. In case it is not accepted, have it communicated likewise within the deadline and with supporting arguments, in order to file a claim according to the regulations.

In………………………..on…………………………………………of 20……

REQUEST FOR THE RIGHT TO OBJECT

For the purpose of processing the request to object your personal data processed by Aludi Travel, please, enter your personal details, so that we can prove your identity, in accordance with the regulations in force regarding personal data protection, as well as the data you want to object.

REQUESTING PARTY’S DETAILS

Mr./Ms………………………………………………………………………………of legal age, domiciled at…………………………………………………………………………………….., District of……………………………………… Province of…………………… Country ….…………, identified by ID document……………………. – photocopy attached, does hereby express

his/her intention to make use of the right to object, in accordance with Law 29733 of 2011 and its regulations – Executive Decree No. 003-2013-JUS of 2013, and the General Data Protection Regulation GDPR (UE 2016/679).

THEREFORE, I REQUEST

That, Aludi Travel proceed to exclude my personal data kept in the data banks of Aludi Travel.

For this purpose, the reasons to make this request are attached herein in a separate sheet (in a sheet attached to the request).

That, the acceptance of said objection be sent in writing to the abovementioned address. In case it is not accepted, have it communicated likewise within the deadline and with supporting arguments, in order to file a claim according to the regulations.

In………………………..on…………………………………………of 20……