Protection of Personal Data

 Marfes Tours Peru E.I.R.L.

RUC: 20608521560

ADDRESS: Av. Velasco Astete – San Camilo A-3- Cusco

EMAIL: info@marfestoursperu.com

MOBILE: (+51) 958 317 252

PHONE: (+51) 974 762 955

Article One: Definitions
AUTHORIZATION: prior, express, and informed consent of the holder to carry out the processing of personal data.

DATABASE: an organized set of personal data that is subject to processing. “Databases” will have this condition regardless of the medium in which they are contained, which may be physical, electronic, manual, automated, computer tools, etc.

PERSONAL DATA: any information related to or that can be associated with one or more determined or determinable natural persons.

HOLDER: the natural person whose personal data is subject to processing.

PROCESSING: any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion.

PRIVACY NOTICE: verbal or written communication generated by the controller, addressed to the holder regarding the processing of their personal data, informing them about the existence of the applicable information processing policies, how to access them, and the purposes of the processing intended for the personal data.

PUBLIC DATA: data that is not semi-private, private, or sensitive. Public data includes, among others, information regarding the civil status of individuals, their profession or occupation, and their status as merchants or public servants. By its nature, public data may be found in public records, public documents, official gazettes and bulletins, and judicial rulings that are not under reservation.

SENSITIVE DATA: refers to data that affects the holder’s privacy or whose improper use may lead to discrimination, such as those revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or political parties, as well as health, sexual life, and biometric data.

TRANSFER: the transfer of data occurs when the controller and/or processor of personal data, located in Peru, sends the information or personal data to a recipient, who is also responsible for processing the data and is located either inside or outside the country.

TRANSMISSION: processing of personal data that involves communicating the data within or outside the territory of Peru, when the purpose is for processing by the processor on behalf of a single controller.

PRINCIPLES
In the development, interpretation, and application of Law 1581 of 2012, the following guiding principles will be applied harmoniously and comprehensively:

PRINCIPLE OF PURPOSE: Processing must comply with a legitimate purpose according to the Constitution and the Law, which must be informed to the holder.

PRINCIPLE OF FREEDOM: Processing can only occur with the prior, express, and informed consent of the holder. Personal data cannot be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves the consent.

PRINCIPLE OF TRUTHFULNESS OR QUALITY: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited.

PRINCIPLE OF TRANSPARENCY: The processing must guarantee the holder’s right to obtain information from the controller or processor at any time and without restrictions regarding the existence of data concerning them.

PRINCIPLE OF RESTRICTED ACCESS AND CIRCULATION: Processing is subject to the limits derived from the nature of personal data, legal provisions, and the Constitution. In this regard, processing can only be done by persons authorized by the holder and/or by persons foreseen by law. Except for public information, personal data cannot be available on the internet or other mass media unless access is technically controlled to provide restricted knowledge only to holders or authorized third parties.

PRINCIPLE OF SECURITY: The information subject to processing by Marfes Tours Peru must be handled with the necessary technical, human, and administrative measures to ensure the security of records, preventing their alteration, loss, unauthorized or fraudulent access, use, or consultation.

PRINCIPLE OF CONFIDENTIALITY: Marfes Tours Peru is obliged to guarantee the confidentiality of information, even after the conclusion of its relationship with any of the activities comprising the processing, and may only disclose or communicate personal data when it corresponds to the development of activities authorized by law.

RIGHTS OF THE DATA HOLDER
The holder of personal data has the following rights:

• Know, update, and rectify their personal data before Marfes Tours Peru in its capacity as the controller of the processing.
• Request proof of the authorization granted to Marfes Tours Peru, except in cases expressly exempted from the requirement of authorization.
• Be informed by Marfes Tours Peru, upon request, about the use made of their personal data.
• File complaints with the Superintendency of Industry and Commerce for violations of the provisions of Law 1581 of 2012 and the regulations that modify, add to, or complement it.
• Revoke the authorization and/or request the deletion of the data when the processing does not respect the constitutional and legal principles, rights, and guarantees.
• Access their personal data that has been subject to processing, free of charge.

Article Two: Duties of Marfes Tours Peru
Under this personal data protection policy, Marfes Tours Peru has the following duties:

• Guarantee the holder’s full and effective exercise of the right to habeas data at all times.
• Request and retain a copy of the respective authorization granted by the holder.
• Inform the holder about the purpose of the collection and the rights they have under the granted authorization.
• Retain the information under necessary security conditions to prevent alteration, loss, consultation, unauthorized access, or fraudulent use.
• Rectify incorrect information and communicate it.
• Process the consultations and complaints submitted by the holders.
• Inform the data protection authority about security breaches that pose risks to the management of the holders’ information.
• Comply with the instructions provided by the Superintendency of Industry and Commerce.
• Inform the holder, upon request, about the use of their data.
• Ensure the information is truthful, complete, accurate, up-to-date, verifiable, and understandable.
• Update the information, ensuring it remains accurate.
• Respect the conditions of security and privacy of the holder’s information.
• Ensure only data for which processing has been previously authorized is used.

Article Three: Events in which Authorization is Not Necessary
Authorization from the data holder is not required when:

• Information is requested by a public or administrative entity in the exercise of its legal functions or by court order.
• Public data is involved.
• There is a medical or sanitary emergency.
• Data processing is authorized by law for historical, statistical, or scientific purposes.
• Data is related to the Civil Registry.

Article Four: Legitimacy for Exercising the Holder’s Rights
The rights of the holders can be exercised by:

• The holder, who must prove their identity in a sufficient manner using the means provided by Marfes Tours Peru.
• The holder’s heirs (in the case of their death or incapacity), who must prove such status.
• The representative or attorney of the holder, provided they prove their representation or power.
• As stipulated for others or for third parties.

Article Five: Processing of Data and Its Purpose
The collected information is used to process, confirm, comply, and provide the services and/or products purchased, directly or through third-party suppliers, as well as to promote and advertise our activities, products, and services, make transactions, report to various control and supervisory authorities, police or judicial authorities, banking entities, and/or insurance companies, for internal and/or commercial purposes such as market research, audits, accounting reports, statistics, billing, and loyalty programs.

By accepting this PERSONAL DATA TREATMENT AND PROTECTION POLICY, our guests, visitors, clients, users, and suppliers, as holders of the collected data, authorize Marfes Tours Peru to process the data, either partially or fully, including collection, storage, recording, use, circulation, processing, and deletion, for the execution of activities related to the acquired services and products.

Article Six: Personal Data of Children and Adolescents
The processing of personal data of children and adolescents is prohibited unless it concerns public data and meets the following requirements:

• It responds to and respects the best interests of the child or adolescent.
• It ensures the respect of their fundamental rights.
• It includes authorization from the child’s or adolescent’s parent or guardian.

Article Seven: Persons Who Can Be Provided the Information
The information that meets the conditions established by law may be provided to:

• The holders, their heirs (when they are deceased), or their legal representatives.
• Public or administrative entities in the exercise of their legal functions or by court order.
• Third parties authorized by the holder or by law.

Article Ten: Authorization
The collection, storage, use, circulation, or deletion of personal data by Marfes Tours Peru requires the free, prior, express, and informed consent of the data holder. Marfes Tours Peru, as the controller of the personal data processing, has implemented the necessary mechanisms to obtain the holder’s consent and ensure that such consent can be verified.

With this authorization, the client accepts the policies and conditions outlined in this document.

Article Eight: Form and Mechanisms for Granting Authorization
The authorization from the data holder will be documented through each of the collection channels of Marfes Tours Peru. This may be in a physical document, electronic form, or any other format that guarantees its subsequent consultation. The authorization will be issued by the holder before the processing of their personal data, in accordance with Law 1581 of 2012.

Article Nine: Procedure for Storing Personal Data Information
Marfes Tours Peru will adopt adequate technical and administrative measures to ensure the care and preservation of personal data, preventing alteration, loss, consultation, unauthorized access, or fraudulent use.

Article Ten: Procedure for Using and Circulating Information
When third parties need to validate, correct, or confirm the information of the holders’ personal data contained in Marfes Tours Peru’s databases, the prior, express authorization of the holder will be required.

Article Fourteen: Procedure for Addressing Queries
The holders can request information about their personal data by writing to: gerencia@marfestoursperu.com. The request should include the data type, name, surname, ID, phone number, and email address to which the information will be sent. Marfes Tours Peru will respond within fifteen (15) business days.

Article Eleven: Procedure for Deletion, Correction, or Updating Information
The holders may request the deletion, correction, or updating of their personal data at any time. The request should be sent to gerencia@marfestoursperu.com.

Article Twelve: Data Processing Timeframe
The personal data provided by clients and users will be stored for up to fifteen (15) years, counted from the date of the last processing, to allow compliance with legal and contractual obligations.

Article Thirteen: Modifications to the Privacy Policy
Marfes Tours Peru reserves the right to modify or update this Privacy Policy at any time.