Personal Data Protection Policy
- INTRODUCTION
- IncaTrail.com.pe is a company in the tourism sector dedicated to selling tourism services at the national level through service intermediation, which includes: ticket sales, private transfers, lodging and dining services, tour packages, and full-day activities. Our office is located at (Av. El Sol 948 Of. 220 C.C. Cusco Sol Plaza). We are committed to complying with the current Peruvian legislation regarding the protection of personal data, Law No. 29733 on the Protection of Personal Data and its complementary provisions.
- For this reason, IncaTrail.com.pe commits to: • Collecting and using personal information. • Ensuring the quality and security of information. • Respecting people’s rights regarding information about themselves.
- IncaTrail.com.pe is committed to the protection, management, and proper handling of personal data to which it has access in the normal course of its business. This commitment includes reviewing and continuously improving the organization’s processes to ensure the proper protection of such personal data and the guidelines established by IncaTrail.com.pe for the collection and processing of personal data to ensure the respect of the rights of its owners and compliance with the current regulatory framework. The Policy may be supplemented with procedures, rules, and/or additional guidelines that develop what is established in this document, as long as they are aligned with its guiding principles.
- OBJECTIVE
- This document aims to establish uniform principles, practices, and responsibilities regarding the processing of personal data involving IncaTrail.com.pe.
- SCOPE
- This document applies to all processes of IncaTrail.com.pe that will use customer personal data intended to be contained in the different databases of IncaTrail.com.pe and its processing.
- The Policy will be fully known and complied with by all employees of IncaTrail.com.pe and suppliers. For the interpretation of this Policy, the definitions contained in the Law are applicable, especially those included below.
- DEFINITIONS
- Personal data: Any information that identifies a natural person or that can be identified by reasonably used means. For example, ID, physical address, full name. Sensitive data: Personal data consisting of biometric data that can identify the owner by itself; data related to racial and ethnic origin; income, political, religious, philosophical, or moral opinions or beliefs; Union membership; and health-related information.
- Processing of personal data: Any operation or technical, automated or non-automated procedure that allows the collection, recording, organization, storage, conservation, processing, modification, extraction, consultation, use, blocking, deletion, communication by transfer or diffusion or any other form of processing that facilitates access, correlation, or interconnection of personal data. In summary, the processing of personal data regulates all possible forms of use and processing of data within the organization from its entry to its eventual deletion or retention.
- Consent: Prior, free, unequivocal, and express authorization that must be granted by the interested party to authorize the processing of their personal data. • Prior: Must be obtained before collection. • Free: Must not be forced or conditioned. • Unequivocal and express: There must be no doubt about its manifestation and must be recorded in some tangible medium. • Personal data bank: An organized set of personal data, automated or not, regardless of the medium, whether physical, magnetic, digital, optical, or others in which they are created, regardless of the form or modality of their creation, formation, storage, organization, and access.
- Owner of the personal data bank: Natural person, private legal entity, or public entity that determines the purpose and content of the personal data bank, the processing of this data, and the security measures. Responsible for the personal data bank: Any natural person, private legal entity, or public entity that, either alone or acting jointly with another, carries out the processing of personal data on behalf of the owner of the personal data bank. Procedure of anonymization: Processing of personal data that prevents the identification or does not identify the data subject. The procedure is irreversible. Procedure of disassociation: Processing of personal data that prevents the identification or does not identify the data subject.
- COMPLIANCE RESPONSIBLE
- IncaTrail.com.pe will assign and communicate the corresponding responsibilities to all staff and providers for the compliance with this Policy.
- The area responsible for annually reviewing this Policy and making the respective adjustments within IncaTrail.com.pe will be the General Management. Likewise, this Management will be in charge of resolving any doubts related to the application and scope of this Policy.
- Notwithstanding the above, all employees of IncaTrail.com.pe, as well as all providers and third parties with whom IncaTrail.com.pe engages in its regular business activities and who have access to or process personal data, are subject to compliance with this Policy. Finally, no employee of IncaTrail.com.pe shall act on behalf of the Company in actions or omissions that imply a breach of the Law.
- CONFIDENTIALITY
- This Policy is for internal and exclusive use by IncaTrail.com.pe and, therefore, is of a confidential nature. Any use other than that indicated is prohibited and must be expressly authorized in writing by the General Management.
- Personal data to which both IncaTrail.com.pe employees and related third parties have access to or participate in their processing cannot be processed or used in any way without the prior consent of the data subject, even after the termination of their relationship with IncaTrail.com.pe, except as regulated by law.
- In the case of employees who, due to the nature of their functions, have access to confidential and sensitive personal information, IncaTrail.com.pe will seek to develop specific training and awareness actions. Individuals involved in the processing of personal data are obligated to maintain professional secrecy and confidentiality regarding such data. This obligation will continue even after the termination of their relationship with IncaTrail.com.pe.
- PRINCIPLES
All employees of IncaTrail.com.pe must continuously comply with the principles established by law, which are detailed as follows:
- The processing of personal data carried out by IncaTrail.com.pe will be done in accordance with the provisions of the law. The collection of personal data by fraudulent, unfair, or illegal means is prohibited.
- IncaTrail.com.pe cannot process personal data without the prior, express, unequivocal, and freely given consent of the data subject, as required, except as provided for by law.
- IncaTrail.com.pe will collect personal data, clearly indicating the purpose for which it is collected, which must be specific, explicit, and lawful. Personal data subject to processing may not be used for purposes other than those for which they were obtained, unless with the consent of the data subject. In this regard, IncaTrail.com.pe will comply with the implementation of measures to ensure that: • The collection, storage, and preservation of personal data comply with the principles of proportionality and purpose. • The adequate protection of personal data is ensured through appropriate technical and legal security measures.
- All processing of personal data carried out by IncaTrail.com.pe must be adequate, relevant, and not excessive for the purpose for which it was collected.
- The personal data to be processed by IncaTrail.com.pe must be truthful, accurate, and, to the extent possible, up-to-date, necessary, relevant, and appropriate for the purpose for which it was collected. They must be stored in a manner that guarantees their security and only for the time necessary to fulfill the purpose of the processing, respecting the legal deadlines for the retention of applicable documents and information.
- IncaTrail.com.pe and third parties to whom it entrusts the processing of personal data must adopt the necessary and appropriate technical, organizational, and legal measures to ensure the security of personal data against various risks, such as accidental loss or destruction, unauthorized access, covert use, or infection by malware or computer viruses. These measures will be established, communicated, and, where appropriate, updated by IncaTrail.com.pe.
- Adequate level of protection. In the event that IncaTrail.com.pe carries out international transfers of personal data, it must guarantee a sufficient level of protection for the personal data to be processed, or at least equivalent to that provided for by the law.
- Rights of data subjects. IncaTrail.com.pe will have a simple and free procedure to address the rights of data subjects as contemplated by the law: (i) information, (ii) access, (iii) updating, (iv) inclusion, (v) rectification, (vi) deletion, (vii) preventing supply, (viii) objection, and (ix) objective treatment.
Therefore, IncaTrail.com.pe will:
- Take the necessary measures to inform the data subject about the rights granted to them by the law.
- Implement measures that allow the data subject to keep their personal data up to date.
- Comply with responding in a timely and proper manner, and in accordance with the law, to requests and requirements related to the rights of the aforementioned data subjects.
- In the processes of addressing the rights of data subjects, the following guidelines will be applied:
- The deletion or rectification of personal data will not proceed when the rights or legitimate interests of IncaTrail.com.pe, its shareholders, employees, or managers, or of third parties are affected, or when there is a legal obligation to retain the personal data.
- IncaTrail.com.pe may reject certain requests when the disclosure of personal data could compromise or hinder ongoing judicial or administrative actions.
- TRANSFER OF PERSONAL DATA
- Personal data processed by IncaTrail.com.pe may only be transferred to third parties for the fulfillment of purposes related to the legitimate interests of both the data controller and the recipient, and with the prior, express, free, unequivocal, and informed consent of the data subject. Such consent will not be necessary in cases permitted by law.
- COLLECTION OF SENSITIVE DATA
- IncaTrail.com.pe will inform the data subject of this situation prior to the collection of sensitive data. Sensitive data will only be collected when strictly necessary and in compliance with the principles of purpose and proportionality. When the collection and processing of such data result from the fulfillment of a legal obligation, IncaTrail.com.pe will inform the data subject of this situation prior to its collection.
- DISCLOSURE OF PERSONAL DATA
IncaTrail.com.pe will not disclose personal data to third parties except when:
- a) It is necessary for the purpose for which they were collected, such as in the provision of services through third parties and suppliers.
- b) The data subject is informed before the disclosure or at the time of the collection of personal data.
- c) The data subject gives prior and explicit consent.
- d) Consent is not required by law.
- e) Personal data is required by public entities within the scope of their legal powers and duties.
- f) Personal data is necessary to satisfy legitimate requirements of a company interested in acquiring some of IncaTrail.com.pe’s operations, subject to the data subject’s consent.
- g) Access to personal data is by auditors, lawyers, and other professionals bound by professional secrecy.
- DATA DELETION
- Once the processing of personal data is completed and the principle of purpose has been fulfilled, and provided there is no legal requirement or reason to justify the retention of personal data, IncaTrail.com.pe will proceed to delete it from its records. Alternatively, IncaTrail.com.pe may apply disassociation processes or equivalent methods when, for some commercial, statistical, or market analysis reason, it justifies the convenience of retaining such data. IncaTrail.com.pe will define the necessary procedures for the deletion of personal data in due course.
- SANCTIONS LIST
- An employee who violates the provisions of this Policy will be considered as committing a serious and punishable offense. IncaTrail.com.pe will take disciplinary measures it deems appropriate in cases of non-compliance with the obligations stipulated here by employees.
- DISSEMINATION AND COMPLIANCE WITH THE POLICY
IncaTrail.com.pe will make every effort to:
- i) Comply with the provisions of this Policy;
- ii) Ensure that each employee is aware of, observes, and respects this Policy;
- iii) Post this Policy in easily accessible locations; and
- iv) Enter into confidentiality obligations with employees, users, contractors, and third parties who access the personal data included in the databases.