Personal data protection policy

1. INTRODUCTION

DINET S.A. with RUC 20427919111 and DT DINETPERÚ S.A.C. with RUC 20518156706 are organizations committed to the protection of personal data to which they have access in the development of their activities.

  • Achieve efficient communication related to our products, services, offers, promotions, alliances, studies, content, as well as those of our associated companies.
  • Provide our products and/or services.
  • Inform about new products and/or services.
  • Fulfill obligations contracted with our suppliers and collaborators.
  • Inform about changes to our products and/or services.
  • Evaluate the quality of our products and/or services.
  • Conduct internal studies on consumer habits.

Likewise, this Policy describes the rights that have been legally and constitutionally recognized in favor of our collaborators, suppliers and others; which may be exercised against personal information that DINET S.A. and DT DINETPERÚ S.A.C. process.

2. LEGAL BASIS

  • Peruvian Political Constitution of 1993.
  • Law 297333, Personal Data Protection Law, and its amendments (the “Law”).
  • Regulations of the Law, approved by Supreme Decree 003-2013-JUS (the “Regulations”).
  • Information Security Directive Managed by Personal Data Banks, approved by Directorial Resolution 019-2013-JUS/DGPDP.
  • Ministerial Resolution 129-2012-PCM, approves the mandatory use of the Peruvian Technical Standard “NTP-ISO/IEC 27001:2008 EDI Information Technology”.
  • Directorial Resolution 080 2019-JUS/DGTAIPD, which approves the Guide for the observance of the “Duty to Inform”.
  • Directorial Resolution 02-2020-JUS/DGTAIPD, which approves Directive 01-2020-JUS/DGTAIPD, Processing of Personal Data through Video Surveillance Systems.

3. SCOPE OF APPLICATION

The provisions contained in this Policy shall apply to the processing of personal data carried out by DINET S.A. and DT DINETPERÚ S.A.C. in Peruvian territory.

The principles and provisions contained in this Policy shall apply to any personal data bank owned by DINET S.A. and DT DINETPERÚ S.A.C. In this sense, all processes of DINET S.A. and DT DINETPERÚ S.A.C. that involve the processing of personal data, must be subject to the provisions of this Policy.

4. OBLIGATED SUBJECTS

This Policy shall be mandatory for the following persons:

  • Legal representatives of DINET S.A. and DT DINETPERÚ S.A.C.
  • Personnel on the payroll of DINET S.A. and DT DINETPERÚ S.A.C., directors or not, who keep and/or process personal data banks.
  • Holders of personal data.
  • Suppliers (natural persons) who provide their services to DINET S.A. and DT DINETPERÚ S.A.C., under any type of contractual modality, which implies any processing of personal data.
  • Other persons established by law.

5. PERSONAL DATA BANK PURPOSES DEFINITIONS

5.1 DINET S.A.

5.2 DT DINETPERÚ S.A.C.

6. DEFINITIONS

For a better understanding of the concepts used in this document, the following terminology has been considered:

  • Authority: National Authority for Personal Data Protection, an agency attached to the Ministry of Justice and Human Rights. It has administrative, guiding, regulatory, resolution, oversight and sanctioning functions in the area of personal data protection.
  • Personal data bank: an organized set of personal data, automated or not, regardless of the medium, whether physical, magnetic, digital, optical or other that is created, whatever the form or modality of its creation, formation, storage, organization and access.
  • Private administration personal data bank: a personal data bank whose ownership corresponds to a natural person or a private legal entity, as long as the bank is not strictly linked to the exercise of public law powers.
  • Public administration personal data bank: a personal data bank whose ownership corresponds to a public entity.
  • Non-automated personal data bank: A non-computerized set of data on natural persons structured according to specific criteria, which allows access to personal data without disproportionate effort, whether centralized, decentralized or distributed functionally or geographically.
  • Automated personal data bank: A computerized set of data on natural persons structured according to specific criteria, which allows access to personal data without disproportionate effort, whether centralized, decentralized or distributed functionally or geographically.
  • Blocking: This is the measure by which the person in charge of the personal data bank prevents third parties from accessing the personal data that form part of the bank. Personal data may not be processed during the period in which a request for update, inclusion, rectification or deletion is being processed. It is also provided as a prior step to cancellation for the time necessary to determine possible responsibilities in relation to the treatments, during the legal or contractually provided limitation period.
  • Cancellation: This is the action or measure that the Law describes as deletion, when it refers to personal data from a database.
  • Personal data: This is numerical, alphabetical, graphic, photographic, acoustic information, about personal habits, or any other type concerning natural persons that identifies them or makes them identifiable through means that can be reasonably used.
  • Personal data related to health: This is information concerning the past, present or predicted health, physical or mental, of a person, including the degree of disability and their genetic information.
  • Sensitive data: This is information related to personal data consisting of biometric data that can identify the owner, data related to racial and ethnic origin; economic income, political, religious, philosophical or moral opinions or convictions; union membership; and information related to health or sexual life.
  • Days: Business days.
  • ARCO rights: These are the rights of access, rectification, cancellation and opposition, provided for in the Law and its Regulations.
  • Processing order: Delivery by the owner of the personal data bank to a person in charge of processing personal data by virtue of a legal relationship that binds them. This legal relationship delimits the scope of action of the person in charge of processing personal data.
  • Processing manager: This is the person who processes personal data, and may be the owner of the personal data bank or another person on behalf of the owner of the personal data bank by virtue of a legal relationship that binds them to it and delimits the scope of their action.
  • Cross-border flow of personal data: International transfer of personal data to a recipient located in a country other than the country of origin of the personal data, regardless of the medium in which they are found, the means by which the transfer was made or the treatment they receive.
  • Sufficient level of protection for personal data: Level of protection that covers, as a minimum, the recording and compliance with the guiding principles of the Law, as well as the technical security and confidentiality measures, appropriate according to the category of data in question.
  • Rectification: This is a generic action intended to affect or modify a personal data bank, either to update it, include information in it or specifically rectify its content with exact data.
  • Jurisprudence repository: This is the bank of judicial or administrative resolutions that are organized as a source of consultation and intended for public knowledge.
  • Data controller: This is the person who decides on the processing of personal data.
  • Personal Data Owner: Natural person whose personal data is subject to processing.
  • Owner of the personal data bank: Natural person, legal entity under private law or public entity that determines the purpose and content of the personal data bank, its treatment and security measures. Under the scope of this Policy, the owners of the personal data banks are DINET S.A. and DT DINETPERÚ S.A.C.
  • Transfer of personal data: any transmission, supply or manifestation of personal data, of a national or international nature, to a legal entity under private law, to a public entity or to a natural person other than the owner of personal data.
  • Processing of personal data: any technical operation or procedure, automated or not, that allows the collection, registration, organization, storage, conservation, elaboration, modification, extraction, consultation, use, blocking, deletion, communication by transfer or by diffusion or any other form of processing that facilitates the access, correlation or interconnection of personal data.

7. OBJECTIVES

7.1 General Objective

Define the principles and provisions to ensure the proper treatment of personal data collected by DINET S.A. and DT DINETPERÚ S.A.C.

7.2 Specific Objectives

Define the security and privacy conditions of the data subject's information in compliance with the Law and the Regulations.

Ensure the attention to queries and complaints made by the data subjects in the terms established in the Law.

Comply with the instructions and requirements issued by the Authority.

8. GUIDING PRINCIPLES

DINET S.A. and DT DINETPERÚ S.A.C., as holders of personal data banks and/or those responsible for the processing of such information, must comply with the guiding principles regarding the protection of personal data established by the Law and the Regulation, and which are detailed below:

  • Principle of legality

The processing of personal data must be carried out in accordance with the provisions of the Law, which prohibits the collection of such data by fraudulent, unfair or illicit means.

  • Principle of consent or authorization.

Except for the exceptions legally established in the Law, its Regulation and complementary rules, the processing of personal data carried out by DINET S.A. and DT DINETPERÚ S.A.C. must have the consent or authorization of the holder of the personal data. The processing of personal data is considered lawful when the owner of the personal data has given his or her free, prior, informed, express and unequivocal consent:

a. Free: It must have been given voluntarily, without any error, bad faith, violence or fraud that could affect the manifestation of the will of the owner of the personal data. Consent for secondary or accessory purposes (for example, related to advertising and commercial prospecting) must be obtained independently and cannot be made a condition of the provision of the main service offered.

b. Prior: It must have been given prior to the collection of personal data.

c. Express and unequivocal: It must have been expressed under conditions that do not allow doubts about its granting.

d. Informed: The owner of the personal data must be informed clearly, expressly and indubitably, in simple language, of at least: (i) the identity and address of the owner of the personal data bank or the person responsible for the processing; (ii) the purpose or purposes of the processing to which their data will be subjected; (iii) the identity of those who are or may be its recipients, if applicable; (iv) the existence of the personal data bank in which they will be stored; (v) the mandatory or optional nature of the responses to the questionnaire that is carried out, when applicable; (vi) the consequences of providing their personal data and of refusing to do so; and, (vii) where applicable, the national and international transfer of personal data.

In the case of sensitive data, consent must also be granted in writing, through a handwritten signature, digital signature or any other authentication mechanism that guarantees the unequivocal will of the owner of the personal data.

In the case of personal data that is provided to DINET S.A. and DT DINETPERÚ S.A.C., by a third party and not directly by its owner, the third party must have the consent of the owner of the personal data by which the latter (that is, the owner of the data) authorizes said third party to transfer his personal data in favor of DINET S.A. and DT DINETPERÚ S.A.C., which may ensure this by means of a sworn statement, under the responsibility of the aforementioned third party.

  • Principle of purpose

All collection of personal data must have a specific, explicit and lawful purpose. The processing of personal data must not extend to any purpose other than that which has been unequivocally established as such at the time of its collection, excluding cases of activities of historical, statistical or scientific value when a dissociation or anonymization procedure is used.

A purpose will be considered to be determined when it has been expressed clearly, without room for confusion and when the object that the processing of personal data will have is objectively specified. In the case of personal data banks containing sensitive data, their creation can only be justified if their purpose, in addition to being legitimate, is specific and in accordance with the activities or explicit purposes of the owner of the personal data bank.

If DINET S.A. and DT DINETPERÚ S.A.C. require using personal data for a purpose other than that originally reported and authorized by its owner, a new authorization must be obtained from the owner of the personal data.

On the other hand, professionals who process personal data, in addition to being limited by the purpose of their services, are obliged to maintain professional secrecy.

  • Principle of proportionality

All processing of personal data must be adequate, relevant and not excessive for the purpose for which it was collected.

  • Principle of quality

The personal data to be processed must be true, accurate and, as far as possible, updated, necessary, pertinent and appropriate for the purpose for which it was collected. It must be kept in such a way as to guarantee its security and only for the time necessary to fulfill the purpose of the processing.

  • Principle of security

The owner of personal data banks must adopt the technical, organizational and legal measures necessary to guarantee the security of personal data. The security measures must be appropriate and in accordance with the processing to be carried out and the category of personal data in question.

  • Principle of availability of recourse

The owner of personal data must have the necessary administrative or jurisdictional means to claim and enforce their rights when these are violated by the processing of their personal data.

  • Principle of adequate level of protection

In cases of cross-border flow of personal data, a sufficient level of protection must be guaranteed for the personal data to be processed or, at least, comparable to that provided for by law or by international standards on the matter.

9. PERSONAL DATA PROTECTION POLICY

9.1 Information

DINET S.A. and DT DINETPERÚ S.A.C. will inform, through privacy notices, privacy policies, information posters, website, personal data protection clauses, among other means of dissemination, the holders of personal data, as well as those responsible for and in charge of processing, of the personal data protection mechanisms adopted, as well as the purpose and other principles that regulate the processing of said data. They will also inform about the existence of the personal data banks that they keep, and the rights that the Law and its Regulations grant to the holders of personal data.

9.2 Collection of personal data

  • Name, address, email and telephone number.
  • Image and signature.
  • Sex, date and place of birth, marital status, nationality, country of residence, occupation and other similar demographic data.
  • Identity document number, bank account number, credit card number, passport number and driver's license number.
  • Information about financial status, for example, data on income, assets, investments, debts, credit rating and pension/insurance plans.
  • Information about physical and mental status, including a medical history, description of any illness or injury suffered and any specific treatment.
  • Biometric data, data relating to racial and ethnic origin.
  • Economic income.
  • Political, religious, philosophical or moral opinions or convictions.
  • Trade union membership.
  • Information related to health or sexual life.
  • Information that DINET S.A. and DT DINETPERÚ S.A.C. are required to verify for tax or regulatory reasons, such as information related to identity, any business management held and criminal records.
  • Other information that DINET manages in relation to the services that DINET provides, such as personal circumstances that must be described when taking out insurance, data on incidents that have given rise to a claim and facts and circumstances that are related to the data subject.
  • Other information that DINET S.A. and DT DINETPERÚ S.A.C. manage in relation to the services that both provide, such as personal circumstances that must be described when taking out insurance, data on incidents that have given rise to a claim and facts and circumstances that are related to the data subject.
  • Other information that DINET S.A. and DT DINETPERÚ S.A.C. collect as part of their daily activity, such as data on visits to their offices, attendance at meetings and events sponsored by DINET S.A. and DT DINETPERÚ S.A.C., and the correspondence they exchange with the data subjects.

9.3 Purpose of personal data collection

The personal data provided by the data holders are collected by DINET S.A. and DT DINETPERÚ S.A.C., for the following purposes:

In the case of personal data collected from employees:

  • Manage information for human resources processes at the corporate level.
  • Make payment of wages.
  • Comply with the labor obligations to which DINET, as an employer, is subject, such as affiliation to the social security system, payment of contributions, contracting of insurance, compliance with safety and health measures at work, etc.
  • Prevent occupational risks.
  • Transfer this information to its different areas when necessary for the development of its operations.
  • In general, comply with the internal policies that DINET has implemented.

In the case of personal data collected from suppliers:

  • Enter, execute, terminate and carry out other acts related to the contractual relationship that the supplier maintains with DINET S.A. and/or DT DINETPERÚ S.A.C.
  • Register the supplier in the computer systems of DINET S.A. and DT DINETPERÚ S.A.C.
  • Process payments in favor of the supplier.
  • Issue or request payment vouchers, or information related to these.
  • Contact the supplier by any means for the purposes of providing the services or supplying the goods required.
  • Evaluate compliance with the provision of services or the supply of contracted goods.
  • Transfer this information to its different areas when necessary for the development of its operations.
  • Demand compliance with the contracted goods or services.
  • Comply with security measures for the entry of its personnel to the facilities.
  • Capture, through video surveillance cameras, images and sounds that will be stored by DINET S.A. and DT DINETPERÚ S.A.C. for the safety of its visitors and collaborators.
  • Any other activity of a similar nature to those described above that is necessary to develop the purpose of the contractual relationship that the provider maintains with DINET S.A. and DT DINETPERÚ S.A.C.

DINET S.A. and DT DINETPERÚ S.A.C. will never use personal data and/or sensitive data for purposes other than those described above, unless they have the prior, voluntary, express and informed consent of the owner of the personal data or, exceptionally, whenever the Law and/or Regulation expressly establish it.

9.4 Quality of personal data

Personal data must be adequate, pertinent and not excessive in relation to the purpose for which it is collected. The personal data to which DINET S.A. and DT DINETPERÚ S.A.C. will have access will be those that the owner of the personal data voluntarily provides based on the nature of the services provided and the relationship that exists between the owners of the data with DINET S.A. and DT DINETPERÚ S.A.C.

The personal data provided by the holders must be accurate and correct so that they reflect their current situation. Otherwise, these data will be deleted.

9.5 Data duration

Once the purpose has been fulfilled or the maximum period established for which the personal data was collected has elapsed, the data will be deleted from the personal data banks of DINET S.A. and DT DINETPERÚ S.A.C.; however, and exceptionally, they may be kept in case the latter may demand some type of liability against the owner of the personal data or in case the applicable regulations so determine.

9.6 Processing of personal data and consent

The personal data provided by the data owners will be stored in the data banks owned by DINET S.A. and DT DINETPERÚ S.A.C. and will be processed in order to carry out the purposes set out in section 9.3.

The personal data banks must be registered in the National Registry of Personal Data Protection of the Authority.

The personal data provided by the data owners may only be known and handled by the staff of DINET S.A. and DT DINETPERÚ S.A.C. or by authorized third parties who need to know such information in order to provide the services or meet the purposes for which they were granted. These personal data will be treated in a fair and lawful manner and will not be used for other purposes incompatible with those specified.

9.7 Communication by transfer of personal data

DINET S.A. and DT DINETPERÚ S.A.C. will not share the personal data provided by the data owners with third parties without their prior, voluntary, express and informed consent.

Without prejudice to the above, DINET S.A. and DT DINETPERÚ S.A.C. inform the owners of personal data that their information may be communicated to administrative entities, judicial and/or police authorities, provided that they require it and are authorized by a particular regulation.

9.8 Confidentiality of personal data

The personal data provided by the data owners will be treated with total confidentiality. With respect to personal data relating to health, DINET S.A. and DT DINETPERÚ S.A.C. are committed to maintaining professional secrecy indefinitely with respect to such data and guarantee the duty to keep them by adopting all necessary security measures.

9.9 Security of personal data

DINET S.A. and DT DINETPERÚ S.A.C. have adopted technical security and confidentiality measures appropriate to the category of personal data processed and necessary to maintain the required level of security in order to prevent alteration, loss or unauthorized processing or access to such information that may affect the integrity, confidentiality and availability of the information.

Likewise, DINET S.A. and DT DINETPERÚ S.A.C. have the necessary legal, technical and organizational measures to guarantee the security of personal data and prevent its alteration, loss and unauthorized processing and/or access, taking into account the state of technology, the nature of the personal data stored and the risks to which they are exposed, whether they come from human action, the physical or natural environment, as established by current Peruvian legislation on personal data protection.

DINET S.A. and DT DINETPERÚ S.A.C. have also implemented additional security measures to reinforce the confidentiality and integrity of the information and continually maintain the supervision, control and evaluation of the processes to ensure the privacy of personal data.

Without prejudice to the above, DINET S.A. and DT DINETPERÚ S.A.C. state that the transmission of information through communication networks and the Internet is not completely secure. Therefore, and despite the fact that the companies make their best efforts to protect personal data, they cannot guarantee the security of these during their virtual transit. In this regard, all information provided by data holders using communication networks and the Internet will be sent at their own risk.

The technical, legal and organizational security measures adopted by DINET S.A. and DT DINETPERÚ S.A.C. are detailed in Annex 1 of this Policy.

9.10 Exercise of ARCO Rights

The exercise of ARCO rights must be carried out in accordance with the provisions of the Law, the Regulations and the procedure for the exercise of ARCO rights implemented by DINET S.A. and DT DINETPERÚ S.A.C.

In this regard, DINET S.A. and DT DINETPERÚ S.A.C. undertake to assist those holders of personal data who wish to exercise their ARCO rights in accordance with the provisions of the Law, the Regulations and the procedure for the exercise of ARCO rights implemented by DINET S.A. and DT DINETPERÚ S.A.C.

To respond to your request to exercise ARCO rights, the corresponding area will have the following deadlines: (i) 8 days if it is the exercise of the right to information; (ii) 20 days if the right exercised corresponds to the right of access; and, (iii) 10 days if the right of rectification, cancellation or opposition is exercised. These terms, with the exception of the right to information, may be extended for a similar period, and the owner of the personal data must be promptly notified.

9.11 Minors

In order to protect the privacy of minors, DINET S.A. and DT DINETPERÚ S.A.C. will not process any personal data of minors without the prior consent of the holders of parental authority or guardians of the minor.

9.12 Obligations in the processing of personal data

In accordance with the provisions of article 28 of the Law, the obligations detailed below will apply to DINET S.A. and DT DINETPERÚ S.A.C. and, if applicable, to the data processor:

a) Process personal data, with prior informed, free, express and unequivocal consent of the owner of the personal data.

b) Not to collect personal data by fraudulent, unfair or illicit means.

c) To collect personal data that is updated, necessary, pertinent and adequate, in relation to specific, explicit and lawful purposes for which it was obtained.

d) Not to use the personal data subject to processing for purposes other than those that motivated its collection, unless an anonymization or dissociation procedure is used.

e) To store the personal data in a way that enables the exercise of the rights of its owner.

f) To delete and replace or, where appropriate, complete the personal data subject to processing when it becomes aware of its inaccurate or incomplete nature, without prejudice to the rights of the owner in this regard.

g) To delete the personal data subject to processing when it is no longer necessary or pertinent to the purpose for which it was collected or the deadline for its processing has expired, unless an anonymization or dissociation procedure is used.

h) Provide the Authority with the information relating to the processing of personal data that it requires and allow it access to the personal data banks that it manages, for the exercise of its functions, within the framework of an ongoing administrative procedure requested by the affected party.

10. ANNEXES

Annex 1: Security measures implemented.