Policy on the Use of Personal Data
1. INTRODUCTION
COSTA DEL SOL S.A. is a company that provides lodging services nationwide, along with other activities aligned with its corporate objectives.
COSTA DEL SOL S.A. is obliged to comply with the current Peruvian legislation regarding personal data protection, Law No. 29733 – Personal Data Protection Law, its Regulations under Supreme Decree No. 003-2013-JUS, and its complementary provisions (the “Law”). These legal provisions require COSTA DEL SOL S.A., essentially, to:
- Collect and use personal information appropriately.
- Ensure the quality and security of the information.
- Respect individuals’ rights concerning their personal data.
COSTA DEL SOL S.A. is committed to the protection, management, and appropriate handling of personal data accessed in the regular course of its business operations.
This commitment includes the continuous review and improvement of the organization’s processes to ensure proper protection of such personal data.
This Personal Data Protection Policy (the “Policy”) sets out the guidelines established by COSTA DEL SOL S.A. for the collection and processing of personal data to ensure respect for data subjects’ rights and compliance with the current legal framework.
The Policy may be supplemented by additional procedures, regulations, and/or guidelines that expand on the provisions herein, provided they are aligned with its guiding principles.
2. OBJECTIVE
This document aims to establish principles, uniform practices, and responsibilities regarding the processing of personal data in which COSTA DEL SOL S.A. is involved.
3. SCOPE
This document applies to all personal data banks or personal data intended to be stored in databases of COSTA DEL SOL S.A., and to the processing thereof carried out directly or through third parties. The Policy must be fully understood and followed by all COSTA DEL SOL S.A. employees. For the interpretation of this Policy, the definitions established in the Law apply, particularly the ones listed below.
4. DEFINITIONS
- Personal Data: Any information that identifies or could identify a natural person through reasonably available means. For example: National ID number, physical address, full name.
- Processing of Personal Data: Any technical operation or procedure, automated or not, that enables the collection, recording, organization, storage, preservation, processing, modification, retrieval, consultation, use, blocking, deletion, transfer, dissemination, or any other form of processing that facilitates access, correlation, or interconnection of personal data. In essence, it encompasses all possible uses and processing from data collection to deletion or conservation.
- Consent: Prior, free, unequivocal, and express authorization granted by an individual for the processing of their personal data:
  - Prior: It must be obtained before collection.
  - Free: It must not be forced or conditional.
  - Unequivocal and express: It must be clear and documented on a tangible medium.
- Personal Data Bank: An organized set of personal data, automated or not, regardless of the medium—physical, magnetic, digital, optical, or others—that is created and maintained, regardless of its format or method of storage and access.
- Data Bank Controller: A natural person, private legal entity, or public institution that determines the purpose, content, processing, and security measures of a personal data bank.
- Data Processor: Any natural person, private legal entity, or public institution that, alone or jointly with others, processes personal data on behalf of the data controller.
- Anonymization Procedure: Personal data processing that prevents or makes it impossible to identify the data subject. This procedure is irreversible.
- Dissociation Procedure: Personal data processing that prevents or makes it impossible to identify the data subject. This procedure is reversible.
5. COMPLIANCE RESPONSIBILITIES
COSTA DEL SOL S.A. shall assign and communicate the responsibilities corresponding to its various Management Areas for compliance with this Policy.
The Administrative Management Department shall be responsible for the annual review of this Policy and for implementing any necessary updates within COSTA DEL SOL S.A. This department shall also handle any inquiries related to the application and scope of this Policy.
Notwithstanding the above, all employees of COSTA DEL SOL S.A., as well as third parties engaged with COSTA DEL SOL S.A. in the regular course of business and who have access to or process personal data, are subject to compliance with this Policy.
No employee of COSTA DEL SOL S.A. shall carry out actions or omit responsibilities on behalf of the company that would constitute a violation of the Law.
6. CONFIDENTIALITY
This Policy is for the internal and exclusive use of COSTA DEL SOL S.A. and is therefore considered confidential.
Any use beyond the stated purpose is prohibited unless expressly and formally authorized in writing by the Administrative Management Department.
Personal data accessed or processed by COSTA DEL SOL S.A. employees or related third parties may not be used or processed in any manner without the prior consent of the data subject, even after their relationship with COSTA DEL SOL S.A. has ended, except as provided by the Law.
For employees who, due to the nature of their duties, have access to confidential and sensitive personal data, COSTA DEL SOL S.A. will implement specific training and awareness programs.
All individuals involved in the processing of personal data are required to maintain professional secrecy and confidentiality regarding the data.
This obligation shall remain in effect even after their relationship with COSTA DEL SOL S.A. has ended.
7. PRINCIPLES
All employees of COSTA DEL SOL S.A. must adhere at all times to the following principles established by the Law:
- Lawfulness: The processing of personal data must be conducted in accordance with the provisions of the Law. The collection of personal data through fraudulent, unfair, or unlawful means is strictly prohibited.
- Consent: COSTA DEL SOL S.A. may only process personal data with the prior, express, unequivocal, and free consent of the data subject, unless otherwise provided by the Law.
- Purpose: COSTA DEL SOL S.A. must clearly state the purpose for collecting personal data. This purpose must be specific, explicit, and lawful. Data collected shall not be used for purposes other than those for which it was collected, unless consent is obtained from the data subject.
Accordingly, COSTA DEL SOL S.A. shall implement measures to ensure that the collection, storage, and retention of personal data comply with the principles of proportionality and purpose, and that appropriate technical and legal safeguards are in place.
COSTA DEL SOL S.A. may not disclose personal data unless required by a duly justified court order or authorized by the data subject under the conditions set forth by the Law.
Additionally, COSTA DEL SOL S.A. shall not deny public entities access to personal data when such access is requested for the strict fulfillment of the competencies legally assigned to such entities.
- Proportionality: Any processing of personal data carried out by COSTA DEL SOL S.A. must be appropriate, relevant, and not excessive in relation to the purposes for which the data were collected.
- Quality: Personal data processed by COSTA DEL SOL S.A. must be accurate, truthful, and, where possible, kept up to date. Data must be necessary, relevant, and adequate for the purposes for which they were collected. Data should be stored securely and only for as long as necessary to fulfill the processing purpose, in accordance with applicable legal retention periods.
- Security: COSTA DEL SOL S.A. and any third parties engaged for data processing shall implement the technical, organizational, and legal measures necessary to ensure the security of personal data against various risks, such as accidental loss, destruction, unauthorized access, covert use, or malware/virus infection. These measures shall be defined, communicated, and, if necessary, updated by COSTA DEL SOL S.A.
- Appropriate Level of Protection: In the event of international data transfers, COSTA DEL SOL S.A. must ensure a sufficient level of protection for the personal data being processed, at least equivalent to that required by the Law.
8. RIGHTS OF PERSONAL DATA SUBJECTS
COSTA DEL SOL S.A. shall provide a simple and free procedure to attend to the rights of personal data subjects, as established by the Law:
- Right to information
- Right of access
- Right to update
- Right to inclusion
- Right to rectification
- Right to erasure
- Right to object to data supply
- Right to object
- Right to objective processing
Accordingly, COSTA DEL SOL S.A. shall:
- Take necessary measures to inform data subjects of the rights granted to them by the Law.
- Implement mechanisms to allow data subjects to keep their personal data up to date.
- Respond promptly and within the legal timeframe to requests and requirements related to the aforementioned rights.
The following directives shall apply to requests submitted by personal data subjects:
- The erasure or rectification of personal data shall not proceed when it may affect the legitimate rights or interests of COSTA DEL SOL S.A., its shareholders, employees, executives, or third parties, or when there is a legal obligation to retain such data.
- COSTA DEL SOL S.A. may deny certain requests if the disclosure of personal data could compromise or obstruct ongoing judicial or administrative proceedings.
9. TRANSFER OF PERSONAL DATA
Personal data processed by COSTA DEL SOL S.A. may only be transferred or disclosed to third parties to fulfill purposes related to the legitimate interests of both the data controller and the recipient, and only with the prior, express, free, unequivocal, and informed consent of the data subject. Such consent shall not be required in the cases permitted by the Law.
10. DISCLOSURE OF PERSONAL DATA
COSTA DEL SOL S.A. shall not disclose personal data to third parties unless:
a) It is necessary for the purpose for which the data was collected.
b) The data subject was informed prior to disclosure or at the time of collection.
c) The data subject has given prior and express consent.
d) Consent is not required under the Law.
e) The data is requested by public entities within the scope of their legal powers.
f) The data is required to fulfill legitimate business interests of an entity interested in acquiring operations of COSTA DEL SOL S.A., with prior consent of the data subject.
g) The data is accessed by auditors, attorneys, or other professionals subject to professional confidentiality obligations.
11. CONTRACTUAL RELATIONSHIPS WITH THIRD PARTIES
In its relationships with third parties, COSTA DEL SOL S.A. shall include clauses not only related to confidentiality but also to personal data protection, covering the full data lifecycle within the organization. When entrusting personal data processing to third parties, COSTA DEL SOL S.A. shall seek to ensure that contracts include, where possible:
- Provisions stating that data processing shall be carried out in accordance with the instructions and guidelines provided by COSTA DEL SOL S.A.
- Security measures.
- Confidentiality obligations that are indefinite or as extensive as permitted by applicable legislation.
- Purpose of the data processing.
- Prohibition of additional transfers to third parties without the data subject’s consent and unless strictly necessary.
- Obligation to delete the personal data once processing is complete, unless the data subject authorizes its retention.
- Acknowledgment of this Policy.
12. DELETION OF PERSONAL DATA
Once the processing of personal data has concluded and the purpose for which the data was collected has been fulfilled, and provided there is no legal mandate or justification for its retention, COSTA DEL SOL S.A. shall proceed to delete the data from its records.
Alternatively, COSTA DEL SOL S.A. may apply dissociation, anonymization, or similar procedures if there is a business, statistical, or market analysis justification for retaining the data.
COSTA DEL SOL S.A. shall define and implement the appropriate procedures for the deletion of personal data as required.
13. INTERNAL AUDIT
COSTA DEL SOL S.A. shall comply with the internal audit requirements established by the Law and its Regulations.
14. DISCIPLINARY REGIME
Any employee who violates the provisions of this Policy shall be considered to have committed a serious offense and may be subject to disciplinary action.
COSTA DEL SOL S.A. shall apply appropriate disciplinary measures to employees who fail to comply with the obligations set forth in this Policy.
15. POLICY DISSEMINATION AND ENFORCEMENT
COSTA DEL SOL S.A. shall seek to:
a) Ensure compliance with this Policy.
b) Inform, observe, and enforce this Policy among all employees.
c) Publish this Policy in easily accessible locations.
d) Require confidentiality agreements from employees, users, contractors, and third parties who access the personal data included in its databases.