Privacy and Personal Data Protection Policy - Peru

1. Applicable Regulations

This means: (i) the Political Constitution of Peru, which stipulates that computerized or non-computerized, public or private information services must not supply information that affects the personal and family privacy of individuals, (ii) the Personal Data Protection Law – Law 29733 of 2011, and its regulations approved by Supreme Decree 003-2013-JUS, (iii) the Information Security Directive administered by Personal Data Banks approved by Directorial Resolution No. 019-2013-JUS-DGPDP, (iv) the Peruvian Technical Standard NTP-ISO/IEC 27001 2014 on Information Security Management System Techniques, (v) Directive No. 01-2020-JUS/DFTAIPD regulating the processing of Personal Data through Video Surveillance Systems, and any other provision that modifies, complements, repeals, or substitutes the aforementioned.

2. Definitions

Personal Data Bank: Refers to the organized set of Personal Data, whether automated or not, regardless of the medium on which it is found, whether physical, magnetic, digital, optical, or others that may be created, in any form or manner of its creation, formation, storage, organization, and access.

Authorization for the Processing of Personal Data: Refers to any operation or technical procedure, automated or not, that allows the collection, recording, organization, storage, preservation, processing, modification, extraction, consultation, use, deletion, communication by transfer or dissemination, or any other form of processing of Personal Data.

Processing of Personal Data of children and/or adolescents: For the processing of Personal Data of a minor, consent of the parents or guardians, as applicable, will be required.

3. Controller (holder) of the Personal Data Bank

GHL Peru S.A.C.

• RUC: 20513187573
• Address: Calle Pancho Fierro No. 194, San Isidro District

Holding Hotelera GHL S.A.S.

• NIT: 901580112 2
• Headquarters: Calle 72 # 6-30, Bogotá – Colombia
• Phone: +57 3139333

4. Responsibilities of the holder of the Personal Data Bank:

5.1. Provide and maintain sufficient protection level for the Personal Data contained in the Personal Data Bank under its ownership.

5.2. Determine and comply with the purpose and content of the Personal Data Bank under its ownership.

5.3. Process the Personal Data contained in the Personal Data Bank under its ownership.

5.4. Ensure compliance with the rights of the Data Subject conferred by Law No. 29733, Personal Data Protection Law.

The Controller (holder) of the Personal Data Bank is responsible for the Processing of Personal Data stored in its Personal Data Bank.

5. Responsibilities of the Processor of the Personal Data Bank:

The Processor performs the Processing following the guidelines and using the means designated by the Controller (holder) of the Personal Data Bank. Likewise, the Processor must assist the Controller upon request, to ensure compliance with all obligations regarding the protection of Personal Data.

6. Types of Personal Data Banks and Purposes of Processing

The Personal Data Banks mentioned above will be registered in the National Registry of Personal Data Protection administered by the National Authority of Personal Data Protection. The Controller (holder) of the Personal Data Bank may determine the registration of other Personal Data Banks.

7. Transmission of Personal Data and Cross-border Flow of Personal Data

The transmission of Personal Data is carried out to the Processor of Personal Data, GHL PERU S.A.C., as the administrator and hotel operator. GHL PERU S.A.C. is part of the GHL HOTELES group, which operates various hotels in Peru and several countries worldwide.

Being part of a global business group that operates hotels worldwide, Personal Data may be transferred outside the national territory, including to countries that may not offer an equivalent level of data protection. However, we will ensure that any transfer of Personal Data complies with the Applicable Regulations to guarantee the security and protection of information, as stipulated by Law No. 29733 and applicable provisions.

To facilitate travel, it may be necessary to disclose and process Personal Data for immigration, border control, security and anti-terrorism purposes, or other appropriate purposes determined by government authorities at points of departure and/or destination. Some countries require passenger data to be provided in advance to allow travel. In compliance with the Applicable Regulations, if legally authorized, we may share the minimum necessary Personal Data with competent authorities.

9. Detailed Obligations regarding the Processing of Personal Data

GHL acknowledges that Personal Data belongs to the individuals to whom it refers and that only they can decide on it. In this sense, it will use them only for those purposes for which it is duly authorized, respecting in all cases the Applicable Regulations.

In accordance with Article 28 of Law 29733, we undertake to permanently comply with the following obligations:

(i) Carry out the Processing of Personal Data, only with the prior informed, express, and unequivocal consent of the data subjects, except as authorized by law, with the exceptions set forth in Article 14 of Law 29733.

(ii) Not collect Personal Data by fraudulent, unfair, or unlawful means.

(iii) Collect Personal Data that are up-to-date, necessary, relevant, and appropriate, in relation to specific, explicit, and lawful purposes for which they were obtained.

(iv) Not use the Personal Data subject to processing for purposes other than those that motivated their collection, unless anonymization or dissociation procedures are followed.

(v) Store Personal Data in a way that allows the data subjects to exercise their rights.

(vi) Delete and replace or, where appropriate, complete the Personal Data subject to processing when aware of its inaccurate or incomplete nature, without prejudice to the rights of the data subject in this regard.

(vii) Delete Personal Data subject to processing when it is no longer necessary or relevant for the purpose for which it was collected or when the period for its processing has expired, unless anonymization or dissociation procedures are followed.

(viii) Provide the National Authority of Personal Data Protection with information regarding the Processing of Personal Data that it requests and allow access to the Personal Data Banks it manages, for the exercise of its functions, within the framework of an ongoing administrative procedure requested by the affected party.

(ix) Those established by the Applicable Regulations.

10. Duration and Changes

This Annex to the personal data processing policy is approved on May 22, 2024, from which date it becomes applicable.

This Policy may be amended by GHL when necessary without prior notice, provided that they are non-substantial modifications. Otherwise, changes will be communicated in advance to the Data Subjects.