PURPOSE OF THIS POLICY
The objective of this policy is to publicize the way in which MACHU PICCHU RESERVATIONS SAC protects and treats the personal data of customers, passengers, suppliers, tour operators, travel agencies and collaborators, from the moment they are collected through the different channels, whether physical or digital, for the duly communicated purposes.
MACHU PICCHU RESERVATIONS is a company whose purpose is to provide services related to individual and group travel, by air, sea or land, the organization of trips or excursions, accommodation and any other activity directly related to tourism. To do this, it collects, uses, manages, transfers, stores and processes information, which may be associated with data belonging to natural persons in the development of its activities. Such as: name, ID, telephone number, email address, country of residence, among others, through various physical and digital formats.
MACHU PICCHU RESERVATIONS, in accordance with Peruvian Law No. 29733 -Personal Data Protection Law- and its Regulation No. 003-2013-JUS; as well as the General Data Protection Regulation GDPR (EU 2016/679), undertakes to guarantee and adopt information security measures through the best international practices, taking into account the confidentiality, integrity and availability of the personal data provided. .
DEFINITIONS
- Responsible for the treatment : is the natural or legal person who, alone or together with others, determines the purposes and means of the treatment of personal data; that is, MACHU PICCHU RESERVATIONS will be responsible for the personal data obtained through its different collection channels and provided by the users of MACHU PICCHU RESERVATIONS, as well as the companies that are part of it.
- Personal data : any information relating to an identified or identifiable natural person (the user), such as name, identity document number, passport, location data or one or more elements of physical, physiological, genetic, psychological, economic, cultural or social of a person.
- Processing : any operation or set of operations on personal data or sets of personal data (whether or not they are automated).
such as the collection, registration, organization, modification, consultation, use, dissemination or any other form of access, reconciliation or combination, limitation, erasure or destruction of personal data.
- Right of access : the user has the right to know what data is processed by MACHU PICCHU RESERVATIONS and to obtain a copy of the same.
- Right of rectification: it is the user’s right to update, rectify and/or correct their personal data.
- Right of opposition : it is the user’s right to oppose at any time the processing of their personal data by MACHU PICCHU RESERVATIONS.
- Right of deletion (“right to be forgotten”): it is the user’s right to request the deletion of their data from any document, file or place where they are accessible.
- Right to limitation of treatment : the user has the right to demand the limitation of the treatment of their data when any of the circumstances established in the legislation occurs, such as the illicit treatment of the data or the fact that MACHU PICCHU RESERVATIONS no longer needs them.
- Right to data portability : it is the user’s right to receive the personal data that concerns him and that he has provided to MACHU PICCHU RESERVATIONS. in a structured, commonly used and machine-readable format, and to transmit them to another data controller without being able to prevent it.
- Right not to be subjected to individualized decisions : the user’s right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects on him or significantly affects him in a similar way.
- CONSENT AND LEGITIMITY OF TREATMENT
MACHU PICCHU RESERVATIONS processes user data:
- When they expressly consent to the processing of their personal data for the purposes detailed in this document and/or;
- When the treatment is necessary for the execution of a contract for the provision of services and products in which the user is a party.
- PERSONAL DATA PROCESSED AND SCOPE OF APPLICATION
This policy applies to personal data relating to customers, passengers, suppliers, tour operators, travel agencies and employees, provided by them, in use of their freedom, voluntarily. aware. The information collected and stored includes the basic data entered in the registration forms, contact forms or the like; such as, for example, name, identity document, passport, gender, age, telephone number, email address, country of residence, among others, the data collected through the different channels managed by the company, necessary for the provision of tourist services of MACHU PICCHU RESERVATIONS. In any case, users will be able to see which data is essential for the correct provision of the service and which are of an accessory nature before sending their personal data.
The user is solely responsible for the veracity and accuracy of the data provided. Only those over 18 years of age and/or those with sufficient legal capacity can be users. Likewise, the user is solely responsible for the data provided by third parties, as well as for ensuring that they have been informed of this privacy policy and have obtained their express consent.
GUIDING PRINCIPLES
MACHU PICCHU RESERVATIONS will take into account the following principles in the process of processing personal data.
- Principle of legality: The processing of personal data within the framework of Law 29733 is a regulated activity that must be subject to the provisions of the aforementioned law, as well as other provisions that regulate it. The collection of personal data by fraudulent, unfair or illegal means is prohibited.
- Principle of consent: According to the principle of consent, the processing of personal data is lawful when the owner of the personal data has given their free, prior, express, informed and unequivocal consent. Formulas of consent in which it is not expressed directly, such as those in which it is requested to presume or assume the existence of an unexpressed will, are not admitted. Even the consent given with other declarations must be expressed expressly and clearly.
- Principle of purpose: According to the principle of purpose, a purpose is considered to be determined when it has been clearly expressed, without the possibility of confusion, and when the purpose for which the personal data will be processed is objectively specified. In the case of personal data banks that contain sensitive data, their creation can only be justified if their purpose, in addition to being legitimate, is specific and in line with the activities or explicit objectives of the owner of the personal data bank. Professionals who process personal data, in addition to being limited by the purpose of their services, are bound by professional secrecy.
- Principle of quality: The personal data that is processed must be true, exact and, as far as possible, updated, necessary, pertinent and adequate to the purpose for which they were collected. They must be kept in a way that guarantees their security and only for the time necessary for the purposes of the treatment.
- Principle of proportionality: all processing of personal data must be adequate, relevant and not excessive in relation to the purposes for which they were collected.
- Security principle: The owner of the personal data bank and the data controller must adopt the necessary technical, organizational and legal measures to guarantee the security of personal data. The security measures must be adequate and proportionate to the processing to be carried out and to the category of personal data in question.
- Principle of availability of resources: Every holder of personal data must have the necessary administrative or judicial means to assert and demand their rights when they are violated by the processing of their personal data.
- Principle of adequate protection: For the cross-border flow of personal data, an adequate level of protection must be guaranteed for the personal data to be processed, or at least comparable to that provided for by law or international standards in this field.
- PURPOSES OF PERSONAL DATA
MACHU PICCHU RESERVATIONS will use the personal data provided by users for the following purposes
passengers
- Comply with the objective of providing the contracted tourist services and products.
- Contact with the client (travel agencies, companies and individuals) during the provision of contracted services and products.
- Facilitate coordination with suppliers, travel agencies, cruise lines and hotels.
- Provide customers with information about the nature of the service and/or the knowledge and compliance requirements during the service, for example, contractual terms, compliance with tax obligations and/or other terms that could include internal policies of the company.
- Respond to doubts, questions and requests.
- Justify the liquidation of the Value Added Tax of Non-residents before the Tax Administration, through the information of the Passport and the Andean Migration Card (TAM), among others.
- Analyze and identify the expectations and preferences of travel agencies regarding tickets and services.
Workers and collaborators:
- The company will request personal information from its employees to comply with the requirements of the applicable labor regulations and/or for the development of human resources and talent management projects such as payroll registration, staff attendance, personnel selection, payment of commissions , among others.
- Security in the facilities through video surveillance.
- Comply with the policy and procedures of the Money Laundering and Terrorist Financing Prevention Policy.
Tour operators and suppliers:
- To be able to manage the payment of the requested services and products.
- To contact you in relation to the provision of contracted services and products.
- Security in the facilities through video surveillance.
The personal data you provide will be stored in the databases described in Annex 2 of this document.
The owner of personal data has the following rights:
- The rights of information, access, rectification, cancellation, opposition and objective treatment of personal data can only be exercised by the owner of the personal data, without prejudice to the rules of representation.
- The exercise of one or some of the rights does not exclude the possibility of exercising one or some of the others, nor can it be understood as a prior condition for the exercise of any of them.
- Know, update and rectify your personal data with MACHU PICCHU RESERVATIONS or with the designated data controller. This right may be exercised, among others, against partial, inaccurate, incomplete, fragmented, misleading data or whose treatment is expressly prohibited or has not been authorized.
- Be informed by MACHU PICCHU RESERVATIONS or by the designated data processor , upon request, about the use of your personal data.
- Revoke the authorization and/or request the cancellation of the data when the treatment does not comply with the principles, rights and constitutional and legal guarantees. The revocation and/or cancellation will be carried out when the National Authority for the Protection of Personal Data has determined that MACHU PICCHU RESERVATIONS or the person in charge of the designated treatment have behaved in a manner contrary to Law 29733 and the Constitution.
- Free access, under the conditions defined in this document, to your processed personal data.
DATA PROCESSING CONDITIONS
- Authorization of the owner:
In order for MACHU PICCHU RESERVATIONS to carry out any personal data processing action, the prior and informed authorization of the owner is required, which must be obtained by any means that can be consulted later. These mechanisms may be predetermined by technical means that facilitate the automated manifestation of the holder or may be written or oral.
MACHU PICCHU RESERVATIONS will adopt the necessary procedures to request, at the latest at the time of data collection, the consent of the Holder for the treatment of the same and will inform about the personal data that will be collected, as well as about all the specific purposes of the data. treatment for which consent is obtained.
Personal data found in publicly accessible sources may be processed by MACHU PICCHU RESERVATIONS to the extent that they are public data by nature. In the event that there are substantial changes in the content of the data processing policies of MACHU PICCHU RESERVATIONS in relation to the identification of the person in charge and the purpose of the processing of personal data, which affect the content of the authorization, MACHU PICCHU RESERVATIONS will communicate these changes to the holders, before or at the latest at the time of the implementation of the new policies, and will also obtain a new authorization from the holder when the change refers to the purpose of the treatment. For the communication of changes and authorization, technical means may be used to facilitate this activity.
- Cases in which authorization is not required
- Information required by a public or administrative body in the exercise of its legal functions or by judicial decision.
- Public data.
- Medical or health emergencies.
- Treatment of information permitted by law for historical, statistical or scientific purposes.
- Data from the civil registry of persons.
- Provision of information
The information requested by the owner will be provided by MACHU PICCHU RESERVATIONS in the same way in which the request was made.
- Obligation to inform the registrant
MACHU PICCHU RESERVATIONS. At the time of requesting authorization from the owner, it clearly and expressly informs you of the following:
- The treatment to which your personal data will be submitted and the purpose of said treatment.
- The optional nature of the answer to the questions asked, in the case of sensitive data or data of children and adolescents.
- The rights you have as the owner.
- The identification, physical or electronic address and telephone number of the data controller.
- Revocation of authorization and/or deletion of data:
Holders may apply at any time to MACHU PICCHU RESERVATIONS. the deletion of your personal data and / or revoke the authorization granted for the treatment of the same, by submitting a request, in accordance with the provisions of Law 29733 of 2011 and the Regulation of DS Nº 003-2013-JUS of 2013.
The request for deletion of data or the revocation of the authorization will not be processed when the owner has a contractual obligation to remain in the MACHU PICCHU RESERVATIONS database.
- People to whom the information can be provided:
The information about the personal data processed by MACHU PICCHU RESERVATIONS can be provided to the following people:
- To the owners, their heirs or their legal representatives.
- To public or administrative bodies in the exercise of their legal functions or by court order.
- to third parties authorized by the owner or by law.
SECURITY OF PERSONAL DATA
MACHU PICCHU RESERVATIONS complies with the personal data protection measures required by law and has adopted the reasonably required measures according to current technical knowledge and good information custody and management practices to prevent loss, misuse, alteration, illegitimate intrusion and theft of personal data provided by users.
PROCEDURES
The owner or his assignees have the right to present to MACHU PICCHU RESERVATIONS. queries and/or claims, after verifying your identity, by writing to the following address at any time, withdraw your consent to the processing of personal data and/or you may exercise your rights of access, information, rectification, opposition, cancellation, limitation, forgetting, portability and not being subject to individualized decisions, by writing to MACHU PICCHU RESERVATIONS with the reference “PERSONAL DATA” to the following addresses
- Physical/legal address: Portal nuevo 270 plaza regocijo Cusco – Peru
- Email: info@kuskandestrek.com
MACHU PICCHU RESERVATIONS will respond to the request and/or claim in the same way in which it was made:
Inquiries (Access / Information)
Those responsible for the treatment or their successors in title may consult the personal information of the person responsible for the treatment contained in the MACHU PICCHU RESERVATIONS database, which will provide the applicant with all the information contained in its databases, related to the identification of the person responsible for the treatment.
The owner may consult their personal data free of charge when there are substantial changes in the data processing policies of MACHU PICCHU RESERVATIONS.
All requests will be processed by the same means that were submitted within a period of 5 working days from their submission. To exercise this right, the interested party or their assignees must submit the access form, which is included in the annex to this policy.
Claims (requests / petitions)
The Holder or his successors in title who consider that the information contained in a database must be rectified, canceled or opposed, or when they notice the alleged violation of any of the duties contained in Law 29733 of 2011, may submit a request to the Holder of the Personal Data Bank or the person in charge of processing MACHU PICCHU RESERVATIONS. In order to comply with these rights, the Owner of the data or their assignees must submit the respective form, which is found in the annex to this policy.
If the application does not meet the established requirements, the applicant is obliged, within five (5) days from receipt of the application, to correct the defects. If this period elapses without the correction being made, the request will be deemed not submitted.
In the event that the information provided in the application is insufficient or erroneous in a way that does not allow its attention, MACHU PICCHU RESERVATIONS may require, within a period of seven (7) days from receipt of the application, additional documentation from the holder of personal data to respond to it.
Within ten (10) days after receipt of the request, from the day following its receipt, the owner of the personal data must attach the additional documents that they consider pertinent to substantiate their request. Otherwise, the application will be considered not submitted.
The maximum terms to respond to claims, in accordance with the provisions of the law, are as follows:
- The right to information is five (05) days from the day following the submission of the corresponding request.
- The right of access is twenty (20) days from the day following the submission of the request by the owner of the personal data.
- Rights of rectification, cancellation or opposition, the maximum response period by the owner of the personal data bank or the person responsible for the treatment will be ten (10) days from the day following the presentation of the corresponding request.
With the exception of the term established for the exercise of the right to information, the terms corresponding to the response or attention of the other rights may be extended only once, and for a maximum of an equal period, provided that the circumstances justify it. The justification for the extension of the term must be communicated to the owner of the personal data within the term to be extended.
procedure requirement
The interested party or the assignee may only file a claim with the National Authority for the Protection of Personal Data after having exhausted the consultation or claim procedure with MACHU PICCHU RESERVATIONS.
MACHU PICCHU RESERVATIONS FUNCTIONS IN DATA PROCESSING
- Guarantee the interested party, at all times, the full and effective exercise of the right of habeas data.
- Request and keep, in accordance with the law, a copy of the respective authorization granted by the Concessionaire.
- Duly inform the interested party of the purpose of the collection and the rights that assist him by virtue of the authorization granted.
- Take steps to keep the information in a secure condition to prevent tampering, loss, unauthorized or fraudulent access, use or access.
- Take steps to ensure that the information provided to the data controller is true, complete, accurate, up-to-date, verifiable and understandable.
- Update the information, promptly communicating to the person responsible for the treatment any news regarding the data previously provided and adopt other necessary measures to guarantee the updating of the information that has been provided.
- Rectify the information when it is incorrect and communicate the relevant information to the data controller.
- Provide the Data Controller, where appropriate, only the data whose Treatment is previously authorized in accordance with the provisions of the Law.
- Require the data controller to respect the security and confidentiality of the data subject’s information at all times.
- Address queries and claims made in accordance with the law.
- Adopt a manual of internal policies and procedures to guarantee proper compliance with this law and, in particular, for the management of queries and complaints.
- Inform the data controller when certain information is being discussed by the interested party, once the claim has been submitted and the corresponding process has not been completed.
- Inform, at the request of the interested party, of the use made of their data.
- Inform the National Authority for the Protection of Personal Data when there are breaches of security policies and risks in the administration of the information of those responsible for treatment.
- Comply with the instructions and requirements issued by the National Authority for the Protection of Personal Data.
OBLIGATIONS OF THE RESPONSIBLE FOR DATA PROCESSING
Those responsible for data processing are required to comply with the following obligations, without prejudice to the other provisions of the law and other provisions that regulate their activity:
- Guarantee the interested party, at all times, the full and effective exercise of the right of habeas data.
- Take measures to keep the information in the necessary security conditions to prevent its falsification, loss, consultation, use or unauthorized or fraudulent access.
- Update, rectify or delete the data in a timely manner, in accordance with the provisions of this law.
- Update the information provided by the data controllers within five (5) business days of receipt.
- Address the requests and claims of the owners in accordance with the law.
- Adopt an internal policy and procedures manual to ensure compliance with the law and, in particular, to respond to questions and claims from data subjects.
- Refrain from disseminating information contested by the interested party and whose blocking has been ordered by the National Authority for the Protection of Personal Data.
- Allow access to information only to those who can access it.
- Inform the National Authority for the Protection of Personal Data when there are breaches of security policies and risks in the administration of the information of those responsible for treatment.
- Comply with the instructions and requirements issued by the National Authority for the Protection of Personal Data.
- Guarantee the security of databases containing personal data.
- Respect confidentiality in the processing of personal data.
SECURITY MEASURES
MACHU PICCHU RESERVATIONS adopts all reasonable precautions and measures of a technical, administrative and organizational nature to guarantee the security of the personal data of the Holders, mainly those aimed at preventing its alteration, loss and unauthorized treatment or access.
The application of security measures aims to guarantee the conservation, confidentiality, integrity and availability of the data.
MACHU PICCHU RESERVATIONS’s security guidelines are based on MACHU PICCHU RESERVATIONS’s information security policies, which have been prepared in accordance with the best practices and existing security standards and in compliance with current regulations.
These policies are strictly respected by direct and indirect employees who work at MACHU PICCHU RESERVATIONS.
DATA RETENTION
MACHU PICCHU RESERVATIONS will keep the personal data of the users for different periods depending on the purpose of the treatment, thus the data will be kept while a contractual relationship for the supply of products and services between MACHU PICCHU RESERVATIONS and the users is in force and/or while the users do not request the cancellation of personal data to MACHU PICCHU RESERVATIONS. Likewise, users understand and accept that some personal data must be kept by MACHU PICCHU RESERVATIONS by virtue of the legal provisions and according to the terms established by law.
CHANGES IN POLICY
MACHU PICCHU RESERVATIONS may modify and update this policy based on new developments or legislative and jurisprudential requirements and/or the needs of the company.
Therefore, it is recommended that users consult this policy regularly and/or each time they access the company’s website.