POLICIES

PRIVACY POLICY

This Privacy Policy (hereinafter, the “Policy”) aims to provide clear and precise information regarding the processing of personal data carried out by PESQUERA HAYDUK SA (hereinafter, “HAYDUK”).

HAYDUK is a company engaged in fishing, industrial, and commercial activities. In the course of these activities, HAYDUK processes the personal data of various natural persons, including collaborators, applicants or candidates, suppliers, clients, and other third parties with whom it maintains a direct or indirect relationship (hereinafter, the “User” or the “Users”).

This Policy applies to the processing of personal data carried out by HAYDUK through its physical and digital channels, institutional website, mobile applications, physical or electronic forms, internal platforms, and any other means enabled for the collection, storage, or processing of personal data.

Furthermore, this Policy applies both to the services that HAYDUK makes available to its clients and to those it offers to Users through its website (hereinafter, the “Website”).

3.1. IDENTITY AND CONTACT INFORMATION

  • Corporate Name: PESQUERA HAYDUK SA
  • Tax ID (RUC): 20136165667.
  • Address: Av. Manuel Olguin Nº 501, Oficina 701, Santiago de Surco District, Province and Department of Lima, Peru.
  • Contact Email: datospersonales@hayduk.com.pe

3.2. DATA PROCESSOR, HOLDER OF THE PERSONAL DATA BANK AND/OR DATA CONTROLLER

Within the framework of its operations, HAYDUK may act, as applicable, as Holder of the Personal Data Bank, Data Controller, or Data Processor, in accordance with the provisions of Law No. 29733 – Personal Data Protection Law, its Regulations approved by Supreme Decree No. 016-2024-JUS, and other complementary provisions (hereinafter, the “Personal Data Regulations”).

HAYDUK shall act as Holder of the Personal Data Bank or Data Controller when it directly collects and processes personal data of employees, applicants, suppliers, clients, users of its website, or any other natural person linked to its operations, through physical or digital channels, for its own purposes related to business management, operations, contractual, legal, commercial, and labor matters. In such cases, the processing is carried out for its own purposes, and the corresponding personal data banks shall be registered before the National Register for the Protection of Personal Data in accordance with applicable regulations.

Furthermore, HAYDUK may act as Data Processor when, by virtue of a contractual relationship, it processes personal data on behalf of a third party, acting solely under the documented instructions from the Holder of the Personal Data Bank or Data Controller. In this case, the processing shall be carried out exclusively for the purposes established in the respective contract and in compliance with the security measures required by the Personal Data Regulations.

The User, as the data subject, gives free, prior, informed, express, and unequivocal consent to the processing of their personal data by HAYDUK in its capacity as Holder or Processor, as applicable, in accordance with the purposes described in this Privacy Policy and in strict compliance with the Personal Data Regulations. Such consent shall be evidenced by clicking the consent checkbox.

3.3. PERSONAL DATA OF USERS

HAYDUK processes only the personal data that is strictly necessary to fulfill the purposes authorized by the data subjects, as well as for the development of its business, contractual, labor, and institutional communication activities, in accordance with the provisions of the Personal Data Regulations.

The categories of personal data that HAYDUK may process, depending on the relationship or link with the data holder, are as follows:

  • Identification data: first and last names, type and number of identity document (ID card (DNI), passport, or other), signature, date of birth, nationality, sex, photograph.
  • Contact data: home address, work address, landline and/or mobile number, personal and/or corporate email address.
  • Employment and professional data: job title, work area, workplace, information regarding academic background and professional experience, records and certificates.
  • Economic and financial data: bank account number, financial institution, interbank account code (CCI), severance compensation account (CTS) number, salary, payroll deductions, affiliation to the Private Pension System (AFP) or the National Pension System (SNP).
  • Sensitive data: biometric data (fingerprint, facial recognition), health data related to occupational medical examinations, medical leave certificates, and temporary work incapacity certificates (CITT).
  • Browsing data: IP address, approximate geographic location, browser and device type, pages visited within the HAYDUK website, obtained through cookies and similar technologies, as indicated in section 3.9 of this Policy.
  • Dependents’ data: National ID number (DNI), full names, age.
  • Data obtained through the HAYDUK Website through the use of tools such as cookies that obtain information from the User’s browsing activity, in accordance with the provisions of Section 9 of this Policy.

The personal data processed may have been provided directly by the data holder (for example, by completing physical or digital forms, sending emails, participating in recruitment processes, or registering on platforms) or may have been obtained from public or private sources, in accordance with applicable regulations. If the User provides us with personal data of third parties, the User declares that he/she has obtained the consent of such third parties for HAYDUK to process their personal data in accordance with the information set forth in this Privacy Policy. In this regard, the User shall hold HAYDUK harmless against any claim filed by a third party or any damage that such third party may suffer.

Under no circumstances does HAYDUK process personal data of minors, except where such data is strictly necessary and the express consent of their parents, guardians, or legal representatives has been obtained, in accordance with the provisions of the Personal Data Regulations.

3.4. PURPOSES AND LEGAL BASES FOR PROCESSING

The processing of personal data carried out by HAYDUK is based on specific, explicit, legitimate, and proportionate purposes, in compliance with the Personal Data Regulations. In each case, the processing is supported by one or more legal bases provided by such regulations, such as the free, prior, informed, express, and unequivocal consent of the data holder; the performance of a contractual relationship; compliance with legal obligations; HAYDUK’s duly balanced legitimate interest; or public interest, as applicable.

The main purposes for which HAYDUK processes personal data are detailed below, grouped according to the type of relationship with the User, as the data holder:

3.4.1. Management of Employment and Pre-Contractual Relationships

Purposes: Recruitment, evaluation, and hiring processes; formalization and administration of the employment or contractual relationship; payment of salaries and benefits; compliance with labor, social security, tax, and occupational health legal obligations; management of leave, absences, and medical examinations; maintenance of employment records.

Types of data processed: Identification data, employment data, academic data, contact data, identity documents, biometric data, and health data (occupational).

Legal basis: Performance of a pre-contractual or contractual relationship; compliance with legal obligations; consent for the processing of sensitive data, where applicable.

3.4.2. Management of Physical and Logical Security

Purposes: Access control to facilities; video surveillance (including in areas or spaces within HAYDUK’s premises); system authentication; access traceability; prevention of security incidents.

Types of data processed: Biometric data, images, access records, activity logs, and user identifiers.

Legal basis: HAYDUK’s legitimate interest in ensuring security and compliance with its legal obligations; consent, where required.

3.4.3. Handling of Legal Requests, Audits, and Supervision

Purposes: To respond to requests from competent authorities; to address audits; to support legal or contractual actions.

Types of data processed: All personal data held by HAYDUK that is required by the authority in accordance with the principle of legality.

Legal basis: Compliance with a legal obligation.

3.4.4. Management of Relationships with Suppliers, Contractors, and Third Parties

Purposes: Evaluation, contracting, and execution of services; monitoring contractual compliance; handling requests; access control; payment for services.

Types of data processed: Identification and contact data, as well as data contained in communications or forms.

Legal basis: Execution of a contractual relationship; consent for direct communications; legitimate interest.

3.4.5. Management of Relationships with Clients and Service Users

Purposes: Registration, management, and handling of inquiries, complaints, or requests from clients or users; compliance with warranties; delivery of requested information.

Types of data processed: Identification and contact data, as well as data contained in communications or forms.

Legal basis: Execution of a contractual relationship; consent for direct communications; legitimate interest.

3.4.6. Communication of Activities, Events, Benefits, and Corporate Content

Purposes: Sending institutional information or information related to corporate benefits, internal activities, health or integration campaigns, news, or related content.

Types of data processed: Email address, name, job title, workplace, telephone number, and photographs.

Legal basis: HAYDUK’s legitimate interest; consent, where required.

3.4.7. Historical Preservation and Documentary Recordkeeping

Purposes: To maintain documentation as part of the institutional archive for the period required by applicable regulations or in accordance with the principle of data minimization.

Types of data processed: All data collected throughout the lifecycle of the employment or contractual relationship.

Legal basis: Legal obligation or legitimate interest.

3.5. DATA DISCLOSURE AND INTERNATIONAL TRANSFERS

The personal data processed by HAYDUK shall not be disclosed or transferred to third parties for purposes other than those that have been informed and authorized by the User, as the data holder, unless there is a legal obligation or a mandate issued by a competent authority.

However, HAYDUK’s employees, officers, advisors, suppliers, service providers, and any other third party rendering services on its behalf may have access to personal data, provided that such access is necessary for the management of contractual, pre-contractual, employment, or commercial relationships with the data holders. In such cases, access shall be granted in the capacity of data processor or sub-processor and shall be duly governed by a data processing agreement, in accordance with the provisions of the Personal Data Regulations.

Likewise, HAYDUK may transfer personal data for the purpose of a data processing engagement or the subcontracting of such engagement in connection with the provision of its services, in accordance with the provisions of Section 3.7 of this Privacy Policy.

In cases where HAYDUK transfers Users’ personal data, it shall inform the recipient that the personal data must be processed in compliance with the information previously provided by HAYDUK to the User and in accordance with the scope of the consent granted by the User, which shall be duly communicated to the recipient.

With respect to cross-border data transfers, such transfers shall be carried out only when the recipient or importer of the personal data is located in a country that provides an adequate level of data protection in accordance with the provisions of the Personal Data Regulations.

If the country does not provide an adequate level of data protection, HAYDUK shall implement appropriate guarantees to ensure the proper processing of personal data outside the national territory, as applicable. For this purpose, HAYDUK shall rely on contractual clauses or other legal instruments establishing, at a minimum, the same obligations to which it is subject, as well as the conditions under which the User consented to the processing of their personal data.

HAYDUK may also disclose the personal data collected in specific cases where such disclosure is established and required by applicable regulations, or when requested by competent authorities.

3.6. RETENTION PERIODS

HAYDUK stores Users’ personal data for as long as necessary to use the data in accordance with the purpose for which it was collected, based on the legal grounds that legitimize its processing and in compliance with the principles of necessity and proportionality established in the Personal Data Regulations.

Once the purpose for which the data was collected has been fulfilled, HAYDUK shall retain Users’ personal data for up to two (02) years in order to comply with its legal obligations, unless otherwise provided by law and/or unless a valid objection, revocation, erasure request, or any other applicable right has been duly exercised by the User.

In compliance with its legal obligations, when HAYDUK acts as a data processor, it shall retain the holder’s data for the maximum period permitted under the Personal Data Regulations, that is, two (2) years.

After the termination of the corresponding relationship, and as applicable, HAYDUK shall retain the data duly disassociated, without making any use of it, for as long as it may be necessary for the exercise or defense of claims, or where any judicial, legal, contractual, or administrative liability may arise from its processing and requires attention and potential retrieval.

Likewise, where minimum retention periods are established by law or required by a public authority in the exercise of its functions, the data shall be retained in accordance with such periods.

In all cases, appropriate technical and organizational security measures shall be applied to ensure the confidentiality and integrity of the data during its retention, as well as secure procedures for its definitive deletion when applicable.

3.7. DATA PROCESSORS AND SUB-PROCESSORS

The personal data collected by HAYDUK may be processed by authorized HAYDUK employees for the provision of services, or by third-party companies that provide services as data processors for HAYDUK. The companies that provide services as processors or sub-processors are listed in Annex 01 of this Policy. Annex 1 may be updated by HAYDUK.

Data processing engagements or sub-engagements shall be carried out in accordance with the Personal Data Regulations.

3.8. USERS’ RIGHTS

At any time, and/or whenever deemed appropriate, Users may exercise their ARCO rights (access, rectification, cancellation, and objection) by writing to the following contact email address: datospersonales@hayduk.com.pe

Users are entitled to the rights set forth in the Personal Data Regulations, including the right to be informed; to access and obtain knowledge of their personal data; to update, rectify, cancel, or object to its processing; the right to inclusion; the right to objective processing; the right to request the deletion of the personal data provided; to know the purposes and uses applied to their personal data; to revoke the consent granted; and to access their personal data free of charge, as well as any other rights currently or subsequently recognized under the Personal Data Regulations.

The User may revoke their consent for the processing of their personal data at any time, without prior justification and without retroactive effect. The revocation of consent shall be subject to the same requirements observed at the time it was granted. The User may refuse or revoke consent for the processing of their personal data for purposes additional to those that give rise to the authorized processing, without affecting the relationship underlying the consent that has been granted and not revoked. In the event of revocation, any new processing activities shall be adjusted in accordance with such revocation, and any processing activities already underway shall be adapted within a period not exceeding ten (10) working days.

The exercise of ARCO rights (access, rectification, cancellation, and objection) by Users shall be carried out as follows:

  1. By the User, by proving their identity and submitting a copy of their National Identity Document or equivalent document. The use of a digital signature in accordance with applicable regulations shall replace the submission of the National Identity Document and its copy.
  2. Through a duly accredited legal representative.
  3. Through an expressly authorized representative for the exercise of the right, attaching a copy of their National Identity Document or equivalent document, as well as the document evidencing the granted representation.

Likewise, the exercise of ARCO rights shall be carried out by submitting a request addressed to HAYDUK when it acts as Holder of the Personal Data Bank or as Data Processor (where it is required to handle such requests). The request must contain the following information:

  1. The User’s full name and proof of identity, and, where applicable, that of their representative.
  2. A specific request giving rise to the application.
  3. A physical address or an electronic address for notification purposes.
  4. The date and signature of the applicant.
  5. Supporting documents substantiating the request, where applicable.

All requests shall be received with acknowledgment of receipt, where applicable. If the request does not meet the requirements described above, HAYDUK, when acting as Holder of the Personal Data Bank, shall, within five (5) working days counted from the day following receipt of the request, raise any observations that cannot be remedied ex officio and invite the User to correct them within a maximum period of five (5) working days. If the deficiencies are not remedied within the indicated period, the request shall be deemed not submitted. When a request to exercise rights is submitted to HAYDUK in its capacity as Data Processor, it must forward the request within a maximum period of three (3) working days to the Holder of the Personal Data Bank or Data Controller in order for the corresponding request to be addressed. Where the request to exercise rights is submitted to HAYDUK as Data Processor and HAYDUK is the entity carrying out the processing on behalf of the Holder of the Personal Data Bank or Data Controller, HAYDUK shall receive the request and immediately forward it to the respective Holder of the Personal Data Bank so that the User’s right may be duly addressed, and shall also inform the User of such forwarding.

If the information provided in the request is insufficient or erroneous in such a way that it prevents it from being processed, HAYDUK, when acting as Holder of the Personal Data Bank, may request additional information or documentation from the User within seven (7) working days following receipt of the request. Within ten (10) working days from the day following receipt of such request for additional information, the User must provide the documentation they deem pertinent to substantiate their application. Otherwise, the request shall be deemed not submitted. The applicable period for issuing a response shall be suspended until the User complies with the request for additional information or documentation.

A request for updating, rectification, or inclusion must specify the personal data to which it refers, as well as the modification to be made, and must be accompanied by documentation supporting the appropriateness of the requested action.

Likewise, in accordance with the Personal Data Regulations, HAYDUK, when acting as Holder of the Personal Data Bank or as Data Processor, as applicable, shall observe the following response periods for handling requests:

  1. The maximum period to respond to the exercise of the right to information shall be eight (08) working days, counted from the day following the submission of the corresponding request.
  2. The maximum period to respond to the exercise of the right of access shall be twenty (20) working days, counted from the day following the submission of the request by the data holder.
  3. In the case of the exercise of other rights, such as rectification, cancellation, or objection, the maximum response period shall be ten (10) working days, counted from the day following the submission of the corresponding request.

Except for the period established for the exercise of the right to information, the applicable time limits for responding to or addressing the other rights may be extended once, for an additional period of up to the same duration, provided that the circumstances justify such extension. The justification for the extension must be communicated to the User within the original period intended to be extended. Likewise, the response to the User must be provided in a clear, legible, understandable, and easily accessible manner.

The User has the right to be informed, in a clear, express, and unequivocal manner and in plain language, of the following:

  1. The personal data subject to processing;
  2. The manner in which their personal data was collected;
  3. The reasons that motivated the collection of the personal data;
  4. The indication of at whose request the collection was carried out; and
  5. The transfers made or planned to be made with respect to the personal data.

Under the right of access, the User may not obtain information or documentation that, although related to the User, does not strictly fall within the circumstances set forth in the preceding paragraph.

As a manifestation of the right of access, the User may request the personal data concerning them that they have provided to HAYDUK as Holder of the Personal Data Bank, in a structured, commonly used, and machine-readable format, and may request its transmission to another controller or Holder of the Personal Data Bank. When exercising the right to data portability, the User has the right to have their data transmitted directly from one controller or Holder of the Personal Data Bank to another, where technically feasible, provided that such exercise does not impose an excessive financial burden or an excessive or unreasonable technical burden on HAYDUK, as applicable. Derived, inferred, or constructed data based on personal data may be subject to portability, provided that HAYDUK, as the Holder of the Personal Data Bank, so determines.

The information corresponding to the right of access may, at the User’s option, be provided in writing, by electronic means, by telephone, by image, or through any other suitable means for such purpose. The User may choose one of the following methods: (i) on-site viewing; (ii) written format, copy, photocopy, or similar; (iii) electronic transmission of the response, provided that the identity of the data subject, as well as the security and receipt of the information, are guaranteed; and (iv) any other form or means appropriate to the configuration or material implementation of the personal data bank or to the nature of the established processing. Regardless of the method used, access must be provided in a clear, legible, and intelligible format, without the use of codes or keys requiring mechanical devices for proper understanding and, where applicable, accompanied by an explanation. Access must be provided in language understandable to the average knowledge level of the population with respect to the terms used.

The information made available to the User in connection with the exercise of the right of access must be comprehensive and include what is stated in the Personal Data Regulations, even if the request covers only one specific aspect of such information.

The User may request the deletion or cancellation of their personal data when such data is no longer necessary or relevant for the purpose for which it was collected, when the period established for its processing has expired, or when the User has revoked their consent for its processing. The request for deletion or cancellation may refer to all the User’s personal data contained in a personal data bank or only to a portion thereof. The submission of a request for deletion to HAYDUK, as Data Controller, shall entail the cessation of the processing of the personal data through its blocking while its subsequent deletion is evaluated. When HAYDUK acts as the Holder of the Personal Data Bank, it shall document for the User that the request has been fulfilled and shall indicate any transfers of the deleted data, identifying to whom such data was transferred, as well as the communication of the corresponding deletion. Deletion shall not proceed when personal data must be retained for historical, statistical, or scientific reasons in accordance with applicable legislation, or, as the case may be, within the framework of contractual relationships between HAYDUK, as Data Controller, and the User, which justify the continued processing of such data. Likewise, whenever possible, depending on the nature of the reasons supporting the denial, dissociation or anonymization measures shall be applied to allow continued processing.

In the same way, the User has the right to object at any time to the processing of their personal data, provided that they demonstrate the existence of well-founded and legitimate grounds relating to a specific personal situation that justify the exercise of this right. If the objection is justified, HAYDUK, when acting as the Holder of the Personal Data Bank, must cease the processing that gave rise to the objection, including de-indexing where applicable. Unless there is a prior contractual relationship supporting such processing, when personal data is processed for advertising and commercial prospecting purposes, including profiling, the User may exercise their right to object at any time.

3.9. USE OF COOKIES

HAYDUK uses cookies and similar technologies to enhance users’ browsing experience, as well as to collect statistical and operational information. The use of these technologies is carried out in compliance with the provisions of Law No. 29733, the Personal Data Protection Law, and its Regulations approved by Supreme Decree No. 016-2024-JUS.

What Are Cookies?

Cookies are small text files that are stored in the browser of the user’s device when visiting websites. They allow information about the visit and use of the site to be remembered, facilitating future interactions and optimizing the browsing experience. Some cookies are essential for the proper functioning of the website, while others allow data to be collected for statistical, functional, or advertising purposes.

Types of Cookies That the Website May Use

There are different types of cookies. Below, we describe the types of cookies available in the market and then explain which ones are used by our website.

According to who manages them:

  1. First-Party Cookies: These are cookies sent to the user’s device from the website itself. In other words, first-party cookies are those set directly by the website being visited.
  2. Third-Party Cookies: These are cookies sent to the user’s device not by the website itself but by a third party. This website may use third-party services that collect information for statistical purposes, to analyze users’ interaction with the website, and to provide other services related to the website’s activity and other Internet services.

According to Their Duration:

  1. Session Cookies: These are designed to collect and store information only for the duration of the user’s visit to the website and disappear once the session ends. They are typically used to store information that only needs to be retained during the session to ensure the website’s basic functionalities while the user is browsing it.
  2. Persistent Cookies: These are cookies that store information for a longer period, which may be accessed and processed by the cookie controller during that time. The duration varies depending on each cookie and may range from a few minutes to several years.

According to the purpose:

  1. Technical or Necessary Cookies: These allow the user to browse through a website, platform, or application and to use the different options or services available therein, such as controlling traffic and data communication, identifying the session, accessing restricted areas, remembering the items in an order, completing the purchase process, submitting a registration request or participation in an event, using security features during browsing, storing content for video or audio streaming, or sharing content through social networks.
  2. Personalization Cookies: These allow information to be remembered so that the user can access the website with certain features that may differentiate their experience from that of other users, such as the appearance or content of the website.
  3. Analytics or Performance Cookies: These are processed by the website and allow the monitoring and analysis of user behavior on the website. The information collected enables the statistical measurement and analysis of website usage, as well as the creation of user browsing profiles, with the purpose of introducing necessary improvements to the products or services offered by the website. The information collected through these cookies is used to measure website activity and to develop browsing profiles of users, in order to implement improvements based on the analysis of users’ service usage data.
  4. Advertising or Marketing Cookies: These are handled by the website or by third parties and allow the management, in the most efficient way possible, of any advertising spaces that have been included on the website.
  5. Behavioral Advertising Cookies: These allow the most effective management possible of advertising spaces that may have been included on the website by storing information about user behavior obtained through continuous observation of browsing habits, which enables the development of a specific profile to display advertising based on such behavior.

Cookies used by HAYDUK

HAYDUK uses both first-party and third-party cookies for the following purposes:

  1. Essential Cookies: These are necessary for the operation of the Website. They enable basic functions such as secure browsing, access to protected areas, optimization of loading speed, and cache management. Without these cookies, the Website cannot function properly.
  2. Non-Essential Cookies: These cookies require the User’s consent and allow for improved functionality and browsing experience. They include:
    1. Preference Cookies: These allow settings such as the selected language or region to be remembered.
    2. Statistics Cookies: These collect anonymous information about how Users interact with the Website for analytical purposes.
    3. Marketing Cookies: These are used to track User behavior on the Website and improve the relevance of displayed content.
    4. Unclassified Cookies: These correspond to technologies used for specific functions that do not clearly fall within the above categories.

Information collected through Cookies

Through the use of cookies, HAYDUK may collect information such as:

  • Type of browser and device used.
  • Date, time, and duration of the visit to the Website.
  • Pages viewed and interactions performed.
  • Session data, authentication details, and preferences remembered for future visits.

Main Purposes of the Use of Cookies

HAYDUK uses first-party and third-party cookies for the following main purposes:

  • To improve the User’s browsing experience on the Website.
  • To optimize the functionality, performance, and security of the Website.
  • To obtain data regarding the User’s navigation and interaction within the Website.
  • To track and identify the User’s active session.
  • To facilitate access to and use of the Website’s contact and registration features.

Additional Purposes of the Use of Cookies

In addition to the purposes indicated above, the information collected through cookies may be used to:

  1. Prepare statistical analyses regarding User behavior in order to implement continuous improvements to the structure and functionality of the Website.
  2. Remember data previously entered by the User in order to facilitate future visits.
  3. Optimize the content, layout, and response speed of the Website.

The User may configure their browser to reject some or all cookies, as well as use the “I do not accept” button to refuse the use of non-essential cookies. Likewise, the User may revoke their consent at any time by writing to datospersonales@hayduk.com.pe.

Consent

Upon first accessing the HAYDUK Website, the User shall be informed of the use of cookies through a banner or notice. The User may accept, reject, or configure the use of non-essential cookies. Consent may be revoked at any time through the browser settings or by writing to datospersonales@hayduk.com.pe.

If the User does not authorize the use of non-essential cookies, only the technical cookies that are strictly necessary to ensure the basic functionality of the Website shall be used.

Retention of Data Obtained through Cookies

Personal data collected through cookies will be retained for a maximum period of twelve (12) months, without prejudice to different retention periods that may apply due to legal obligations or the nature of the cookie.

Browser Settings

The User may configure their browser to restrict or block the use of cookies. Each browser has different procedures for managing these settings. However, disabling certain cookies may affect the proper functioning of the Website.

3.10. SECURITY MEASURES

HAYDUK processes personal data under strict confidentiality and has implemented technical, organizational, and legal measures aimed at ensuring its integrity, availability, and confidentiality, in accordance with the provisions of Law No. 29733, Personal Data Protection Law, and its Regulation. The measures adopted are aligned with the type of data processed, the context and purposes of the processing, the state of the art, and the identified risks.

Below are the main measures and controls implemented by HAYDUK:

  • Information Storage: Personal data collected from clients, employees, and suppliers (including contractors) is securely stored in the corporate ERP system, protected through personalized access credentials and according to assigned privileges (including printers and photocopiers). User accounts are unique, protected with strong passwords and two-factor authentication, non-transferable, and associated with access profiles according to the user’s functions.
  • Server Use and Access: Access to systematized databases is restricted exclusively to authorized personnel through authentication mechanisms and privilege control. Access rights are managed under the principle of least privilege and are periodically reviewed in accordance with established protocols.
  • Information Confidentiality: HAYDUK maintains strict confidentiality regarding the personal data processed, regardless of the medium or channel through which it was obtained. Contractual confidentiality and data protection clauses have been incorporated into agreements entered into with third parties, including the prohibition of unauthorized access and the obligation to maintain professional secrecy. Access to personal data is restricted according to the role profile or the contractual relationship with HAYDUK.
  • Security Measures: Controls are implemented to prevent unauthorized access, loss, alteration, or destruction of data, including firewalls, intrusion detection systems, network segmentation, password policies, backup procedures, and continuous monitoring of the IT infrastructure.
  • Data Protection Impact Assessment (DPIA): In accordance with the provisions of the Regulation approved by Supreme Decree No. 016-2024-JUS, HAYDUK will carry out, where applicable, Data Protection Impact Assessments when the processing of personal data may represent a significant risk to the rights of data subjects, especially in high-risk processing activities. These assessments will enable the identification and mitigation of potential vulnerabilities prior to implementing new data processing operations.
  • Security Policy: HAYDUK has an internal document that details the policy, procedures, and protocols for the secure management of personal data. The Security Policy includes, at a minimum, procedures for access management, privilege management, and the periodic verification of assigned privileges related to information systems, including technological platforms, mobile applications, database engines, among others, used to process personal data.
  • Code of Ethics and Conduct: HAYDUK promotes an organizational culture based on respect for privacy and the protection of personal data. To this end, it has adopted a Code of Ethics and Conduct applicable to its personnel and to third parties who have access to personal data. This Code establishes standards of conduct and best practices regarding privacy.
  • Personal Data Officer: HAYDUK will appoint a Personal Data Officer (PDO), in accordance with the provisions of the Regulation approved by Supreme Decree No. 016-2024-JUS, who will be responsible for supervising regulatory compliance within the organization. This person will coordinate the implementation of security measures, handle requests for the exercise of data holder rights, act as a point of contact with the National Personal Data Protection Authority, and promote an organizational culture aligned with the principles of legality, proportionality, security, and traceability in the processing of personal data.
  • Security Incident Management: In the event of security incidents that compromise personal data, HAYDUK will immediately adopt corrective and mitigating measures.

Additionally, if a security incident is identified that results in the exposure of large volumes of personal data, whether due to the quantity or type of data involved, or that may affect a large number of individuals, involve sensitive data, or cause evident harm to other rights or freedoms of the User, and where HAYDUK acts as the Holder of the Personal Data Bank, HAYDUK will notify the National Authority for Personal Data Protection within a maximum period of forty-eight (48) hours after becoming aware of the incident. It will also notify the National Digital Security Center, as applicable. Furthermore, the affected User will be informed within forty-eight (48) hours, using clear and simple language, including the measures adopted to mitigate the effects of the incident.

On the other hand, when HAYDUK acts as a Data Processor, it will immediately inform the Holder of the Personal Data Bank or Data Controller of the corresponding security incident. 

For any inquiries related to this Policy or the security of personal data, you may contact us via email at: datospersonales@hayduk.com.pe.

3.11. SENDING COMMERCIAL COMMUNICATION

When HAYDUK acts as the Holder of the Personal Data Bank or Data Controller, and the Website User or other data subject has provided their free, prior, informed, express, and unequivocal consent, HAYDUK may process their personal data in order to contact them for the purpose of managing the contracting of its services, as well as to send information, updates, promotions, and commercial offers related to its products or services, tailored to their profile and interests. These communications will primarily be made through electronic means, such as email, instant messaging (WhatsApp or other similar platforms), SMS, social media, and notifications on the Website.

Additionally, the User also gives their free, prior, informed, express, and unequivocal consent to the conducting of satisfaction surveys and to the processing of their data for statistical purposes, with the objective of improving service quality and customer experience.

HAYDUK informs data holders that they may revoke their consent at any time or exercise their right to object to the processing for promotional purposes by sending a communication to the email address datospersonales@hayduk.com.pe, without prejudice to the processing carried out prior to the revocation.

3.12. AMENDMENTS TO THE POLICY

HAYDUK reserves the right to modify this Privacy Policy whenever necessary to adapt it to regulatory or technological changes, or to improvements in its internal practices. Any modification will be published on the Website and, if the changes are substantial, users will be notified by email or by another appropriate means.

Likewise, HAYDUK guarantees access to previous versions of this Policy upon request by the personal data holder.

  • Law No. 29733, Personal Data Protection Law
  • Regulation of the Personal Data Protection Law, approved by Supreme Decree No. 016-2024-JUS.

ANNEX 01

COMPANIES ACTING AS PROCESSORS OR SUB-PROCESSORS

  • Microsoft Corporation, with registered address at One Microsoft Way, Redmond, Washington 98052-6399, United States, whose website is: microsoft.com. The company provides software products such as Microsoft 365, Microsoft Teams, SharePoint, among others. The purpose is to use operating systems and productivity applications related to the company’s activities, such as connectivity, supporting documents, repositories, among others.
  • EXA, from EXA Peru S.A.C., with Taxpayer Identification Number (R.U.C.) 20524587492, with registered address at Calle Las Orquideas No. 585, Int. 12 (12th Floor), San Isidro, Lima, Peru, whose website is: exa.com. The purpose is to provide a talent management platform and a complementary repository for the management of personnel information.
  • SAP, through SAP Business Technology Platform, with registered address at SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany, represented in Peru by SAP Peru S.A.C., with registered address at Av. Circunvalacion del Club Golf Los Incas No. 154, Int. 1601 (Ovalo Monitor), Santiago de Surco, Lima, Peru, whose website is: sap.com. The company provides enterprise management software (financial and accounting), whose purpose is to centralize commercial information (logistics, suppliers, clients, employees, among others), as well as information related to payments, business relationships, and accounting records of suppliers, among others of a similar nature.
  • Paperless or Sovos, from Paperless S.A.C., with Taxpayer Identification Number (R.U.C.) 20524119553, with registered address at Av. Pershing No. 790, Apt. 305 (Av. Pershing 790 – 798), Magdalena del Mar, Lima, Peru, whose website is: sovos.com. The company provides a digital platform that centralizes information from individual suppliers, including identification and banking data, as well as a digital repository for invoices, credit notes, and other supporting documents in PDF and XML formats.
  • Iron Mountain Peru S.A.C., with Taxpayer Identification Number (R.U.C.) 20390724919, with registered address at Av. Elmer Faucett No. 3462 (in front of the FAP Theme Park), Callao, Lima, Peru, whose website is: ironmountain.com. The company provides physical document archiving services, including personnel files, payroll records, quotations, files of active and former employees, and, in general, document custody and records management services.
  • SMART, from Solmar Security S.A.C., with Taxpayer Identification Number (R.U.C.) 20445414833, with registered address at Jr. Los Laureles No. 206, Urb. La Caleta (in front of Santa Rosa de Lima School), Chimbote, Ancash, Peru, whose website is: gruposolmar.pe. The purpose of this service is to store images and recordings captured by security cameras located at various HAYDUK facilities.