DATA PROTECTION POLICY
Procedure for compliance with Personal Data Protection Law N° 29733
In Peru, the Personal Data Protection Law No. 29733 has been in force since October 2013, and compliance with its provisions has been mandatory since May 2015 for all public and private entities that process personal data within Peru.
The provisions of the law recognize and protect the fundamental right to privacy and establish a legal framework that regulates the gathering, storage, use, dissemination and deletion of personal data.
In accordance with these provisions, COLTUR PERU S.A.C. (hereinafter, “COLTUR”) hereby expresses its commitment to protect the personal data of its clients, collaborators, suppliers, and partners, and to conduct all data processing activities in strict compliance with the guiding principles established under said provisions.
Furthermore, COLTUR is committed to the promotion of an organizational culture based upon best practices in the tourism sector and on standards of ethics, transparency and sustainability aligned with the principles of the B Corp certification system, thereby reinforcing its commitment to respect people’s rights and to the responsible management of information.
The objective of this document is to establish the guidelines, recommendations and procedures applicable to the processing of personal data at COLTUR PERU S.A.C., with the aim of ensuring and demonstrating compliance with the Personal Data Protection Law No. 29733 and its implementing regulations.
The provisions of this document are mandatory and apply to all members of COLTUR PERU S.A.C. involved in the processing of personal data, or who interact with such data in the performance of their duties.
- Personal databank
An organized set of personal data, whether automated or not, regardless of the medium (physical, magnetic, digital, optical or other), and regardless of the form or method of its creation, formation, storage, organization and methods of retrieval.
For example: COLTUR’s customer database.
- Personal data
Any information about a natural person that identifies them or makes them identifiable through means that could reasonably be used.
For example: The identity document numbers of COLTUR customers.
- Person responsible for the processing of personal data
A natural person, legal entity under the provisions of private law, or public entity that, individually or jointly, processes personal data on behalf of the database owner, by virtue of a legal relationship that defines the scope of their involvement.
For example: COLTUR staff members with authorized access to the customer database.
- Cross-border flow of personal data
The international transfer of personal data to a recipient located in a country other than the country of origin, regardless of the medium, support or subsequent processing involved.
For example: When COLTUR hosts its customer database on a cloud service such as Microsoft OneDrive.
- Sufficient level of protection for personal data
Degree of protection that ensures compliance with the guiding principles of Law No. 29733, as well as the implementation of appropriate technical security and confidentiality measures, in accordance with the category of data involved.
- Owner of personal data
Natural person to whom the personal data pertains.
- Owner of the personal databank
Natural person, private legal entity or public entity that defines the purpose, content and processing of the personal databank, as well as applicable security measures.
- Processing of personal data
Any technical operation or procedure, whether automated or not, that involves the collection, recording, organization, storage, conservation, processing, modification, extraction, consultation, use, blocking, deletion or communication of personal data, or any form of processing that allows the access to, correlation or interconnection of personal data.
The provisions of Law N° 29733 – Personal Data Protection Law define the following guiding principles:
Table 1. Guiding principles of Law N° 29733
Principle | Description |
--- | --- |
Principle of legality and value of the principles | Ensures the good faith of those responsible for processing personal data and their compliance with the applicable regulations. The actions of databank owners and processors, and in general of everyone involved with personal data, must adhere to the guiding principles set out in this table. |
Principle of consent | The consent of the personal data owner must be requested and obtained at the time the data is collected. |
Principle of purpose | The purpose for which personal data is collected and stored must be specified. |
Principle of proportionality | Only the minimum data necessary for the stated purpose should be collected. |
Principle of quality | The personal data collected must be kept in a way that guarantees its security, and only for the time necessary to fulfil the purpose of the processing or as required by regulations. |
Principle of security | The security mechanisms used to store the information must be specified. |
Principle of availability of recourse | An administrative mechanism must be specified through which personal data owners can submit requests to assert their rights (for example, correction or deletion of their personal data). |
Principle of adequate level of protection | Applicable only where there is a cross-border flow of personal data. An adequate level of protection must be ensured for the personal data being processed, or at least a level comparable to that provided for by the relevant legal frameworks or international standards. |
Below, the guidelines, recommendations and procedures applicable to each of the principles defined above are detailed:
- Compliance with the principle of legality must be supported contractually, for COLTUR staff members, suppliers and external third parties alike.
- For COLTUR staff members, this principle is guaranteed through Article 8 of the company’s employment contract.
- For service providers participating in COLTUR operations, this obligation is formalized in Article 5, “Confidentiality”, of the Service Provision Agreement.
- Where natural or legal persons not covered by the contractual arrangements mentioned above perform tasks that involve the processing of personal data, they must sign an express commitment to comply with the provisions of the Personal Data Protection Law No. 29733.
- Prior, informed, express and unequivocal consent for the processing of personal data must be obtained from the owner, through acceptance of the conditions established by COLTUR.
- This consent is formalized through the “Authorization for the Processing of Personal and Sensitive Data” form, in either physical or digital form. The data owner’s acceptance at the time of collection complies with the provisions of the principle of consent.
- Although COLTUR will not always be directly responsible for collecting the data, whenever it carries out subsequent processing it must verify that the data owner consented to the information being shared with COLTUR.
- Furthermore, all our clients have the ability to exercise control over the use of their personal data, including the right to decide to what extent they wish it to be used and for what specific purposes, in accordance with current legal provisions.
- The purpose of the processing must be expressly stated when requesting the data owner’s consent. This declaration enables the data owner to be duly informed regarding the use that will be made of their personal data.
For example: “For the management of accommodation or transportation reservations, the data received will be transferred primarily to accommodation providers (hotels) and transportation providers, whether land or air.”
- In order to comply with this principle, a personal data mapping sheet must be produced, clearly identifying:
– What data is collected or received.
– Why this is necessary for operations.
– Whether the provision of data is mandatory or optional.
- In order to ensure the security of the personal data collected, all information is stored digitally and protected by username and password authentication, as well as by the security controls of COLTUR’s internal network. This is addressed in greater detail in section 5.6.
- In compliance with tax obligations, and considering the possibility of future audits by SUNAT (the National Tax Administration Service), clients’ personal data will be retained for a period of five (5) years, counted from the date it is registered in COLTUR’s personal databank and archive.
- As of August 2022, a database overhaul process is underway to bring existing records into full compliance with the retention period stated above.
- In addition, COLTUR has implemented procedure TI-PR-008 “Information Backup v2”, which establishes the guidelines for ensuring the security and integrity of stored personal data.
5.6 Principle of security
- COLTUR uses two (2) storage media for the personal data collected: a local database (personal databank) and a file folder hosted in the cloud via the Microsoft OneDrive service.
- The local database is managed through the COLTUR Management System, which authenticates users by username and password. This database is physically hosted on the company’s internal servers, and access is restricted exclusively to the COLTUR internal network.
- The Management System defines access profiles with specific restrictions on the personal data stored. The creation and deletion of users is governed by internal procedure TI-PR-005: “Managing of the creation and deletion of users.”
- The cloud file folder, hosted on Microsoft OneDrive, also uses username and password authentication. Users with access are organized into defined profiles, which allow them to view only the personal data strictly necessary for the performance of their duties.
- The Microsoft Privacy Statement is available at: https://privacy.microsoft.com/es-mx/privacystatement
- In addition, Microsoft provides its customers with a Trust Center, with information on the practices and measures adopted for the secure management of personal data, at: https://www.microsoft.com/es-ww/trust-center/privacy?rtc=1
- COLTUR has established the following email address as an administrative channel for assisting personal data owners: info@colturperu.com.
- Requests received will be handled by the personnel responsible for processing personal data and answered within no more than thirty (30) business days, in accordance with current regulations.
- When receiving personal data through cross-border flows, COLTUR must ensure that the information is transmitted under minimum security measures, such as password protection (for example, password-protected compressed files in ZIP format or Microsoft Office’s built-in encryption), with the password communicated through a channel separate from the one used to send the file.
- When COLTUR sends personal data across borders, it must require the recipient to provide reasonable guarantees of regulatory compliance, demonstrating a level of protection comparable to that required by Peruvian law or by international standards.
Failure to comply with any of the principles established in this document will lead, as a preventive measure, to the immediate suspension of access to IT resources, in order to safeguard the integrity, stability and proper functioning of the systems.
The Information Technology (IT) Department is responsible for conducting periodic audits, in order to verify compliance with the established guidelines, and it must notify any offending user in writing, with an additional copy sent to their department manager.
In cases of serious or repeated violations, the IT department will coordinate with Human Resources and the corresponding departmental management team, in order to define the appropriate corrective or disciplinary actions, in accordance with COLTUR’s internal policies.