Data Protection Policy
1. General
South American Tours, a group of companies under the umbrella of South American Tours de Uruguay, Buenos Aires 618 Piso 2 Oficina 201, ZIP Code 11000 Montevideo, Uruguay, (hereinafter: „South American Tours“ or “we”) takes the protection of personal data very seriously. We only process your personal data in compliance with the applicable legislation on data privacy and adhere to the General Data Protection Regulation (“GDPR”, EU Regulation 2016/679).
As an Incoming Agency for South America with clients all over the world, we process personal data of our business partners and clients (hereinafter: “clients”) as well as of the guests travelling with us (hereinafter: “travelers”). Therefore, this Data Protection Policy holds relevant information on how we process the personal data of our clients and the travelers.
According to Art. 27 GDPR, we have designated as Representative in the Union our German subsidiary South American Tours GmbH, Kaiserstraße 23, 60311 Frankfurt am Main.
The person responsible for data protection within South American Tours is Mrs. Diana Spehn, General Manager of South American Tours Peru, dspehn@southamericantours.com.
2. Processing of Traveler Data
In order to fulfil our contractual obligations for the operation of our tours, we process personal data of the travelers, including but not limited to:
- name and surname
- passport number
- passport expiry date
- nationality
- date of birth
- passport copy
- address, including email address
- credit card detail
- personal information such as health information, relationship to other guests travelling etc.
We will process such data only as far as necessary for the fulfilment of the contract with our clients. As far as applicable, the legal basis for this data processing is Art. 6 (1) 1 lit. b) GDPR.
In order to fulfil our contract, we will share such personal data of the traveler with the providers involved in the operation of the arrangement for this traveler. The disclosure of personal travel data to our providers is limited to the extent necessary for the operation of the tour. Furthermore, all our providers are bound by the regulations of data protection law, are carefully selected and regularly monitored by us. Beyond that, we will only pass personal traveler data to third parties if we are required to do so by law or a court ruling.
If we transfer personal travel date to a third country in the sense of GDPR – as for example when operating a cross-border tour throughout South America – we will ensure that such data transfer is justified according to Art. 44 et seq. GDPR. For any data transfers within our group of companies, we have concluded a Framework Agreement based on the standard data protection clauses adopted by the Commission.
As we are not processing the traveler’s data as a processor (i.e. on your behalf) but as a controller, our clients and we act as joint controllers according to Art. 26 GDPR. Therefore, we have determined in our General Terms and Conditions our respective responsibilities for compliance with the obligations under GDPR. In particular, as our clients are the main contact of the travelers, we have delegated to our clients all duties to provide the information referred to in Art. 13, 14 and 26 (2) GDPR to the travelers. Furthermore, the clients are responsible for exercising of rights of the data subject (Art. 15 et seq.). In the case that South American Tours receives any requests directly from the traveler, South American Tours will pass them to the client for further processing. Beyond that, South American Tours and the client will assist each other by complying with the obligations under GDPR for which South American Tours and the client are each responsible for the data processing taking place in their sphere. For example, South American Tours and the client will inform each other in any personal data breach at the earliest convenience after becoming aware of the breach, and providing all information available.
According to our understanding, our General Terms and Conditions hold all information necessary for the arrangement according to Art. 26 GDPR. However, if one of our clients wishes us to sign a separate agreement, please do not hesitate to contact us.
3. Processing of Client Data
South American Tours is a DMC working exclusively Business to Business, hence our clients are defined as travel trade companies from all around the world.
For operational activities, we store data the clients provide to us and data we exchange with our clients, such as address, contact partners, email addresses, phone numbers, invoices, data of the guests travelling, operational information etc.
For our sales and marketing activities, we store addresses, contact information as well as information provided by the client during personal encounters. Legal basis is – as far as applicable – our legitimate interest in marketing activities according to. Art. 6 (1) 1 lit. f) GDPR.
In case one of our clients would not like to be part of our internal data base, he/she can request to be deleted by mail to sales@southamericantours.com. Our data base is electronically protected and can only be accessed by authorized staff at South American Tours.
We also reserve the right to use the data provided to send you South American Tours’ information about events, publications, and services rendered by us, with the option to unsubscribe at any given time.
We also insert the contacts collected during sales activities in a separate data base of our newsletter System. The newsletter, which is sent out monthly, includes the option to unsubscribe.
Legal basis for all marketing activities is our legitimate interest in marketing activities according to. Art. 6 (1) 1 lit. f) GDPR.
As regards the personal data processed on our website, please be kindly referred to our Privacy Policy on our website.
We will only disclose personal data of clients to other companies and individuals that we have commissioned to carry out individual assignments and services on our behalf. The disclosure of your personal data to these companies is limited to the extent necessary for the completion of the activity. These companies are similarly bound by the regulations of the data protection law, are carefully selected by us and regularly monitored by us. Moreover, we will only pass on your personal data to third parties if we are required to do so by law or a court ruling.
As some of our offices are based in a third country, we have concluded a Framework Agreement based on the standard data protection clauses adopted by the Commission within our group of companies.
4. Data Security / Period of storage
For the protection of personal data, we take measures to protect such data from unauthorized access, loss, misuse or destruction.
Personal data is only stored for the time that is necessary to achieve the purpose of its storage, or as provided for by legislation. Accordingly, personal data is routinely blocked or deleted when there is no longer a purpose to its storage or on expiry of a deadline stipulated by law.
For any further information, please do not hesitate to contact us – for contact details see under number 1.