Personal Data Protection Policy

• Connection To Perú is a company in the tourism sector dedicated to the sale of tourist services nationwide through service brokerage, which includes: sale of transport tickets, private transfers, lodging and food services, tourist packages and full days located on Apv. San Antonio E-5 San Sebastián CUSCO. Connection To Perú is obliged to comply with current Peruvian legislation on the protection of personal data, Law No. 29733 Protection of Personal Data and its complementary provisions.
• Therefore, Connection To Perú is committed to:
• The collection and use of personal information.
• Ensure the quality and security of the information.
• Respect the rights of people with respect to information about themselves.
• Connection To Perú is committed to the protection, management and proper treatment of personal data to which it has access in the regular operation of its business. This commitment includes the review and continuous improvement of the organization's processes in order to guarantee adequate protection of said personal data and the guidelines established by Connection To Perú for the collection and processing of personal data in order to ensure respect of the rights of their owners and compliance with the current regulatory framework. The Policy may be supplemented with procedures, regulations and/or additional guidelines that develop what is established in this document, provided that they are aligned with its guiding principles.

• The purpose of this document is to establish principles, uniform practices and responsibilities regarding the processing of personal data in which Connection To Perú is involved.

• This document is applicable to all the processes of Connection To Perú that will use personal data of the clients destined to be contained in the different databases of Connection To Perú and to the treatment of these.
• The Policy will be known and fully complied with by all the workers of Connection To Perú and suppliers. For the purposes of interpreting this Policy, the definitions contained in the Law apply, especially those included below.

• Personal data: Any information that identifies a natural person or that which can be identified through reasonably used means. For example, the ID, physical address, full name. Sensitive data: Personal data made up of biometric data that by themselves can identify the owner; data referring to racial and ethnic origin; economic income, political, religious, philosophical or moral opinions or convictions; union membership; and health-related information.
• Treatment of personal data: Any operation or technical procedure, automated or not, that allows the collection, registration, organization, storage, conservation, elaboration, modification, extraction, consultation, use, blocking, deletion, communication by transfer or diffusion or any another form of processing that facilitates the access, correlation or interconnection of personal data. In short, the processing of personal data regulates all possible forms of use and processing of personal data within the organization from its entry to its possible elimination or conservation.
• Consent: Prior, free, unequivocal and express authorization that the individual must grant to authorize the processing of their personal data.
• Prior: Must be obtained before collection.
• Free: It should not be forced or conditioned.
• Unequivocal and express: There should be no doubt about its manifestation and it must be recorded in some tangible medium. Personal data bank: Organized set of personal data, automated or not, regardless of the support, be it physical, magnetic, digital, optical or others that are created, whatever the form or modality of its creation, formation, storage, organization and access.
• Owner of the personal data bank: Natural person, private legal entity or public entity that determines the purpose and content of the personal data bank, its treatment and security measures. Person in charge of the personal data bank: Any natural person, private legal entity or public entity that alone or acting jointly with another carries out the processing of personal data on behalf of the owner of the personal data bank. Anonymization procedure: Processing of personal data that prevents identification or that does not make the owner of the personal data identifiable. The procedure is irreversible. Dissociation procedure: Processing of personal data that prevents identification or that does not make the owner of the personal data identifiable.

• Connection To Perú will assign and communicate the corresponding responsibilities to all personnel and suppliers, for the fulfillment of this Policy.
• The area responsible for annually reviewing this Policy and making the respective adjustments within Connection To Perú will be the General Management. Likewise, said Management will be in charge of answering any query related to the application and scope of this Policy.
• Without prejudice to this, all employees of Connection To Perú as well as all suppliers and third parties with whom Connection To Perú is linked in the regular exercise of its business and have access to or process personal data are subject to compliance with the Policy. Finally, no employee of Connection To Perú should perform on behalf of the Company. actions or incur in omissions that entail a breach of the Law.

This Policy will be for the internal and exclusive use of Connection To Perú and, therefore, is confidential. Any use other than that indicated is prohibited and must be expressly authorized in writing by the General Management.
• The personal data to which both the workers of Connection To Perú and related third parties have access or participate in their treatment may not be treated or used in any way without the prior consent of the owner of the personal data even after termination. of its relationship with Connection To Perú, except for the exceptions regulated by Law.
• In the case of workers who, due to the nature of their functions, have access to confidential and sensitive personal information, Connection To Perú will try to develop specific training and awareness actions. The people who intervene in the processing of personal data are obliged to keep professional secrecy and maintain confidentiality with respect to them. Said obligation will remain even after the end of its relationship with Connection to Perú.

• All employees of Connection To Perú must permanently comply in the exercise of their functions with the principles established in the Law that we detail below: a. Legality. The treatment of personal data carried out by Connection To Perú will be done in accordance with the provisions of the Law. The collection of personal data by fraudulent, unfair or illegal means is prohibited.
• b. Consent. Connection To Perú may not process personal data that does not have the prior, express, unequivocal and free consent of its owner as necessary, except for the exceptions provided by law.
• c. Purpose. Connection To Perú will collect personal data clearly indicating the purpose for which it performs said collection, which must be determined, explicit and lawful. The personal data subject to processing may not be used for purposes other than or incompatible with those for which they were obtained, except with the consent of the owner. In this sense, Connection To Perú will comply with implementing measures that guarantee: • The collection, storage and conservation of personal data comply with the principles of proportionality and purpose. • The proper protection of personal data in compliance with appropriate technical and legal security measures. It should be noted that Connection To Perú
• d. Proportionality. All processing of personal data carried out by Connection To Perú must be adequate, relevant and not excessive to the purpose for which they were collected.
• and. Quality. The personal data that will be processed by Connection To Perú must be true, exact and, as far as possible, updated, necessary, pertinent and adequate with respect to the purpose for which they were collected. They must be kept in such a way that their security is guaranteed and only for the time necessary to fulfill the purpose of the treatment, respecting the legal terms of conservation of applicable documents and information.
• F. Security. Connection To Perú and the third parties to whom it entrusts the processing of personal data must adopt the necessary and appropriate technical, organizational and legal measures to guarantee the security of personal data against different risks, such as accidental loss or destruction by accident, unauthorized access, covert use or infection of malware or computer viruses. These measures will be established, communicated and, if applicable, updated by Connection To Perú
• g. Adequate level of protection. In the event that Connection To Perú carries out international transfers of personal data, it must guarantee a sufficient level of protection for the personal data that is going to be processed or, at least, comparable to that provided by law.
• h. Rights of personal data holders. Connection To Perú will have a simple and free procedure for dealing with the rights of holders of personal data contemplated in the Law: (i) information, (ii) access, (iii) updating, (iv) inclusion, (v ) rectification, (vi) deletion, (vii) prevent supply, (viii) opposition and (ix) objective treatment.
• Therefore, Connection To Perú: • Will take the necessary measures to inform the owner of the personal data about the rights conferred by the Law. • Will adopt the measures that allow the owner of the personal data to keep them updated. • Will comply with responding in a timely manner and within the legal deadlines to the requirements and requests related to the rights of the holders of personal data mentioned above; In the processes of attention to the rights of holders of personal data, the following guidelines will apply. • The deletion or rectification of personal data will not proceed when it affects the legitimate rights or interests of Inversiones Connection To Perú, its shareholders, employees or managers or third parties or when there is a legal obligation to retain personal data. • Connection To Perú may reject certain requirements when the disclosure of personal data may compromise or hinder ongoing judicial or administrative proceedings.

• The personal data subject to treatment by Connection To Perú may only be assigned or transferred to third parties for the fulfillment of the purposes related to the legitimate interest of the assignor and the assignee and with the prior, express, free, unequivocal and informed consent. of the owner of the personal data. Such consent will not be required in the cases permitted by law.

• Connection To Perú will only collect personal data and/or sensitive data when strictly necessary and in compliance with the principles of purpose and proportionality. When the collection and processing of said data derives from the fulfillment of a legal obligation, Connection To Perú will inform the owner of the data of such a situation prior to its collection.

• Connection To Perú will not disclose personal data to third parties except when: a) It is necessary for the purpose for which the personal data was collected; as in the provision of services through third parties and suppliers.
b) The owner of the personal data is informed before the disclosure or at the time of the collection of the personal data.
c) The owner of the personal data gives his prior and express consent.
d) Consent is not required by law.
e) Personal data is required by public entities within the scope of their legal powers and powers.
f) The personal data is necessary to satisfy the legitimate requirements of any company interested in acquiring any of the operations Connection To Perú, prior consent of its owner; or,
g) Access to personal data is by auditors and lawyers and other professionals obliged to keep professional secrecy.

• Once the processing of personal data has been completed and the principle of purpose has been fulfilled, and provided that there is no legal mandate or reason that justifies the conservation of personal data, Connection To Perú will proceed to eliminate them from its records. Alternatively, Connection To Perú may apply dissociation processes, or equivalent when, for any commercial, statistical or market analysis reason, they justify the convenience of keeping such data. Connection To Perú will opportunely define the respective procedures that are necessary for the elimination of personal data.

• An employee who commits any infraction of the provisions established in this Policy will be considered a serious offense and liable to sanction. Connection To Perú will take the disciplinary measures it deems pertinent in cases of non-compliance with the obligations stipulated herein by the employees.

• Connection To Perú will endeavor to: i) comply with the provisions of this Policy;
ii) make known, observe and respect this Policy by each employee;
iii) post this Policy in easily accessible places; and
iv) sign confidentiality obligations with employees, users, contractors and third parties who access the personal data included in the databases.