This Policy establishes the obligations of Meta Travel Peru with respect to data protection and the rights of our clients, staff, business contacts, etc. (“data subjects”) with respect to their personal data under the General Data Protection Regulation.

This Policy establishes the procedures to be followed in the processing of personal data. The procedures and principles in this document must be followed at all times by the Company, our employees, agents, contractors or other parties working on behalf of the Company.

Meta Travel Peru is committed not only to what the law mandates, but also to the spirit of the law and attaches great importance to the correct, legal and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom we deal.

1. Principles of data protection

The purpose of this Policy is to guarantee compliance with the Regulations. All personal data must be:

a) Processed lawfully, fairly and transparently in relation to the data subject.

b) Collected for specific, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes.

c) Updated when necessary; all reasonable steps must be taken to ensure that personal data found to be inaccurate is erased or rectified without delay.

d) Kept in a format that allows the identification of the interested parties for no longer than is necessary.

2. Adequate, relevant and limited data processing

The Company will only collect and process personal data for specific purposes of which the persons concerned have been informed.

3. Accuracy of data and maintenance of updated data

The Company will ensure that all personal data collected and processed is kept accurate and up to date. Where inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or delete that data, as appropriate.

4. Data Subject Access

A data subject may make an access request at any time to obtain more information about the personal data that the Company holds about them.

5. Rectification of personal data

If an interested party informs the Company that the personal data it holds is inaccurate or incomplete and requests its rectification, the personal data in question will be rectified, and the interested party will be informed of the rectification.

In the event that the affected personal data has been communicated to third parties, those parties will be informed of any rectification of said personal data.

6. Deletion of personal data

Data subjects may request that personal data be erased when it is no longer necessary for the Company to retain that personal data for the purpose for which it was originally collected or processed.

Unless the Company has reasonable grounds to refuse to erase personal data, all erasure requests will be honored, and the data subject will be informed of the erasure.

7. Data portability

The Company processes personal data by automated means. This may include tourist manifests and other details required by tour operators to carry out their services.

Where data subjects have given their consent to the Company to process their personal data or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have a legal right under the Regulations to receive a copy of their personal data and use it for other purposes (i.e., transmitting it to other data controllers, for example to other organizations).

To facilitate the right to data portability, the Company will make the following formats available to interested parties:

a) Data collected and sent electronically and securely.

b) Paper formats when required.

8. Personal data

The Company may collect, retain and process the following personal data:

a) Full name, address and contact information, to communicate with clients about tourist services.

b) Passport data, as necessary to provide tourist services.

c) Credit or debit card data, as required to process payments.

d) Social and digital media data as necessary to inform customers about new products and improve the customer experience.

9. Data protection measures

The Company will ensure that all of its employees, agents, contractors or other parties working on its behalf comply with the following when working with personal data:

a) All emails containing personal data must be encrypted using industry standard encryption techniques;

b) Where any personal data needs to be erased or removed for any reason (including where copies have been made and are no longer needed), it must be removed and disposed of securely. Hard copies should be shredded and electronic copies should be securely disposed of.

c) Personal data may only be transmitted over secure networks; transmission over unsecured networks is not permitted under any circumstances;

d) No personal data may be transferred to any employee, agent, contractor or other parties, whether these parties are working on behalf of the Company or not, without authorization.

e) Personal data must be handled with care at all times and must not be left unattended or in view of unauthorized employees, agents, subcontractors or others at any time.

f) No personal data should be stored on any mobile device (including but not limited to laptops, tablets and smartphones), whether such device belongs to the Company or otherwise, without the formal written approval of the responsible senior managers and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time approval is given, and for no longer than is absolutely necessary;

g) All electronic copies of personal data must be stored securely using passwords and secure data encryption;

h) All passwords used to protect personal data must be changed regularly and must not use words or phrases that can be easily guessed or compromised.