
Peru

Last Verified on Thursday 14th February 2019

    • Peru

      Yes, according to Law No. 29733, Personal Data Protection Law, data protection right derives from article 2.6 of the Peruvian Constitution, which considers as fundamental right the right “to the assurance that information services, whether computerised or not, whether public or private, will not provide information affecting personal and family privacy”.


    • Peru

      Yes, Peru has adopted the following legal framework for the protection of personal data, which regulates the collection and processing of personal data:

      • Law No. 29733, Personal Data Protection Law, issued on 21 June 2011 and published in the Official Gazette on 3 July 2011;
      • Supreme Decree No. 003-2013-JUS, Regulations on Personal Data Protection Law, published in the Official Gazette on 22 March 2013 and fully enforceable from 8 May 2015; and
      • Directorial Resolution No. 019-2013-JUS/DGPDP, Guidelines on Security of Information, published on 22 March 2013.

      These documents in the Spanish version can be found at: www.minjus.gob.pe/legislacion/.

      The Personal Data Protection Law and its regulations apply to any person or legal entity, public or private, processing personal data in Peruvian territory.


    • Peru

      Personal data is defined in the law as any information that identifies or could identify a natural person using reasonable means. The regulation further defines personal data as any numerical, alphabetical, graphic, photographic or acoustic information on the personal or any other kind of habits concerning individuals.

      The definition does not apply to legal entities, partnerships or sole traders.


    • Peru

      Yes, local law distinguishes between sensitive and non-sensitive data.

      Sensitive data is defined in the law as personal data consisting of biometric data that can be used to identify the individual, data referring to racial or ethnic origins, income and political, religious, philosophic or moral convictions, trade union membership or information related to health or sexual life. The regulation further defines it as personal data referring to physical, moral or emotional characteristics or facts, circumstances of emotional or family life, personal habits in the most private sphere, information on physical or mental health, or other information of similar nature bearing on an individual’s intimacy. Non-sensitive data, however, is all personal data that is not contained in the above definition.

      The difference between sensitive and non-sensitive data under local law is that consent for the collection and use of sensitive data must be explicit and in writing, and such data may only be processed if the purpose is related to the data controller’s activities.


    • Peru

      Processing of personal data is defined as any operation or technical procedure, automated or not, that permits the compilation, registry, organisation, storage, conservation, elaboration, alteration, extraction, consultation, utilisation, suppression, communication by transfer or by diffusion or any other form of processing that facilitates the access, correlation or interconnection of the personal data.

      Such data processing must respect the following principles:

      • Legality: all data processing must be carried out in accordance with the provisions of the law.
      • Consent: all data processing must be carried out with the data subject’s consent.
      • Purpose: all personal data must be collected for a single, determined, explicit and lawful purpose.
      • Proportionality: all data processing must be carried out lawfully and be relevant to, and not excessive for, its purpose.
      • Quality: the personal data processed must be truthful, accurate, up to date, necessary, appropriate and suitable for its purpose.
      • Security: the data controller must take technical, organisational and legal measures to ensure the security of personal data.
      • Resource disposal (availability of remedies): every data subject must have administrative and judicial avenues to claim any violation of his or her rights regarding the data processing.
      • Appropriate protection level: cross-border data flows must guarantee a sufficient level of protection, at least equivalent to the requirements established in local law.


    • Peru

      Yes, even though the Personal Data Protection Law provides a legal framework for diverse industries, the regulation establishes specific rules for some industries, such as healthcare and telecommunications.

      Regarding telecommunications, local law makes telco operators responsible for ensuring the confidentiality, security, proper use and integrity of the personal data obtained from their subscribers in the course of their commercial operations. Accordingly, they may not process such personal data for purposes other than those authorised by its owner, unless there is a warrant or an express legal mandate.

      On the other hand, there is an exemption to the principle of consent regarding health information when the data is needed for prevention, diagnosis and medical or surgical treatment of the data subject under risk circumstances, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy; or in case of public interest provided by local law; or if personal data must be processed for reasons of public health or to conduct epidemiological or similar studies, provided that adequate dissociation procedures are applied.

      The processing of personal data on the internet is not specifically provided for. The only requirement is that a privacy policy must be published on any website that processes personal data.


    • Peru

      Yes, according to local law, to process the personal data of minors the data controller needs the consent of their tutors (legal guardians), except for data subjects between 14 and 18 years old, who can give consent by themselves.


    • Peru

      The sanctions and remedies for non-compliance with data protection law are administrative. The Data Protection Authority can impose fines up to US$127,300. The amount of the fines depends on the magnitude of the violation.

      There is no criminal liability for non-compliance with the data protection law.


    • Peru

      Yes, the Data Protection Authority (DPA) is an agency under the Ministry of Justice, and it has administrative, regulatory, supervisory and sanctioning functions exclusively for data protection and cybersecurity matters, as long as they involve the use of personal data.


    • Peru

      Registration of personal databases with the National Authority for Personal Data Protection is required before processing data. Data controllers must fill in a form providing the following information: (i) the identity of the data controller; (ii) the purpose and use of the database; (iii) the type of personal data included; (iv) the security measures; and (v) any international transfer. The registration must be updated whenever a relevant modification takes place.

      Notification is not required before data processing, but rules for obtaining consent do apply.


    • Peru

      The data controller, and data processor when applicable, must comply with the following obligations:

      • process personal data only with the data subject’s prior, free, express, unequivocal and informed consent, unless otherwise provided by law;
      • not collect personal data by fraudulent, unfair or illegal means;
      • collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
      • not use personal data for purposes other than those for which it was originally collected, unless such data undergoes an anonymisation or dissociation process;
      • store personal data in a manner that allows data subjects to enforce their rights;
      • delete or replace personal data upon learning of its inaccuracy or incompleteness;
      • delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process; and
      • provide the information that the National Authority for Personal Data Protection requests.

      Personal data processing must respect the fundamental rights of data subjects and the rights granted to them by Peruvian Law.

      The data controller, the data processor and any other entity processing personal data must maintain personal data in confidentiality, unless exceptions apply. This obligation will be in force even after the termination of the relationship between the data subject and the data controller.


    • Peru

      Yes, the following rules apply to a third party processing personal data on behalf of a data controller. The data processor must:

      • process personal data according to the data controller’s instructions and exclusively for the purpose set out in the agreement between the data controller and the data processor;
      • obtain the data controller’s authorisation before subcontracting the processing of personal data;
      • destroy the data once all contractual obligations have been fulfilled, unless the data controller instructs it to keep the data for longer because future services related to such data are possible; in any case, the data may be securely stored for no longer than two years; and
      • implement appropriate security measures.


    • Peru

      The data subject must provide prior, free, express, unequivocal and informed consent before his or her personal data can be processed.

      For sensitive data, the data subject must give explicit and written consent (a handwritten or digital signature is required). Concerning minors, the data controller needs the consent of their tutors (legal guardians). There is an exception for data subjects between 14 and 18 years old, who can give consent by themselves.

      Also, a data subject’s consent is not required in the following cases:

      • Public entities collect and transfer data to perform their activities within the scope of their functions and authority.
      • Personal data is included or to be included in a publicly available source.
      • Personal data is related to financial solvency and credit standing, according to the applicable law (Law No. 27489).
      • Within the scope of the law enacted to promote competition in regulated markets, issued by the regulatory entities referred to in Law No. 27332, Framework Law of the Regulatory Entities of Private Investment in Public Services, provided such information is not used to violate the user’s privacy.
      • Personal data is needed to fulfil a contractual obligation or a scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship.
      • Personal data is related to health issues and, under risk circumstances, the data is needed for prevention, diagnosis, and medical or surgical treatment of the data subject, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy; or in case of public interest provided by law; or if personal data must be processed for reasons of public health or to conduct epidemiological or similar studies, provided that adequate dissociation procedures are applied.
      • Personal data is used by a non-profit organisation with political, religious or union purposes, and refers to the data of its members within the scope of such organisation’s activities and may not be transferred without the consent of its members.
      • Personal data has undergone an anonymisation or dissociation process.
      • Economic groups made up of companies obliged to report under Financial Intelligence Unit regulations may share information on their clients with each other in order to prevent money laundering and terrorism financing, or for other regulatory compliance purposes, provided that appropriate safeguards on the confidentiality and use of the shared information are established.
      • Personal data is necessary to safeguard the legitimate interest of the data subject.
      • Personal data is used for the prevention of money laundering and terrorism financing, or under other legal mandates.
      • Personal data is used within a valid exercise of the freedom of information constitutional right.
      • Other exemptions provided by law or its regulation.


    • Peru

      The following are the rights granted to data subjects:

      • Right to request information: The data subject has the right to request information about (i) the data controller or data processor identity and contact details, (ii) the purposes for which the data subject’s personal data is processed, (iii) who may or will receive the data, (iv) the existence of the relevant database, whether electronic or otherwise, (v) whether answers to any requested information are compulsory or not, (vi) the consequences of providing personal data or of refusing to provide it, (vii) the data subject’s rights to access, rectify, suppress, oppose to the processing of his or her personal data, among other rights granted by the data protection law, and (viii) whether there is cross-border transfer of personal data.
      • Right of access to personal data: The data subject is entitled to request information on how his or her personal data is processed, how his or her personal data was collected, the reason or purposes of such collection, who ordered it and whether cross-border transfers have been made or are planned to be made.
      • Right to update, include, rectify or delete personal data: The data subject has the right to have his or her personal data updated, included, rectified or deleted when such data is inaccurate, incomplete or false, when there is an omission or error, when it is no longer necessary or relevant for the purpose for which it was collected, or upon expiry of the period established for its processing.
      • Right to prevent the supply of personal data: The data subject has the right to prevent the supply of his or her data to third parties when it affects his or her fundamental rights.
      • Right to oppose the processing of personal data: The data subject may oppose the processing of his or her personal data when there is a legitimate reason linked to his or her particular situation, insofar as the data subject did not consent to such data processing, or whenever a law prohibits such processing.
      • Right to objective processing: Processing of personal data intended to evaluate certain aspects of a data subject’s personality traits or behaviour should not be used to take a decision with legal effects on the data subject based solely on such processing, unless this occurs in the course of negotiating a contract, or in the course of a process of hiring or appointing someone to a public office, and the data subject is allowed to defend his or her point of view.
      • Right to claim protection: Whenever the data subject is denied any of the aforementioned rights, he or she may file a claim before the National Data Protection Authority or file a petition for the writ of habeas data before the judiciary.
      • Right to be indemnified: The data subject has the right to be indemnified or to claim compensation for any damages caused by an infringement of the data protection law.


    • Peru

      Two rules may apply to the transfer of data outside the country: (i) Personal data can be transferred to other countries whose level of protection is adequate, according to the Peruvian data protection regulation, and (ii) otherwise, if an entity transfers personal data outside the country, it shall guarantee that the data processing will be carried out in accordance with the Peruvian data protection regulation.

      Provision (ii) is not applicable in the following circumstances:

      • when the transfer results from the application of an international treaty to which Peru is party;
      • international legal cooperation;
      • international cooperation in the fight against terrorism, illicit drug trafficking, money laundering, corruption, human trafficking and other organised crime;
      • when the transfer is necessary to fulfil contractual obligations where the data subject is a party, including authentication, improvement and technical support, maintenance, billing, among others;
      • money transfers made according to applicable law;
      • when the transfer is necessary for medical prevention or diagnosis, or providing healthcare or medical treatment or for managing healthcare services, provided that adequate dissociation procedures are applied;
      • when the data subject has given prior, free, express, unequivocal and informed consent to the data transfer; or
      • other exceptions that the Personal Data Protection Regulation provides.

      Neither provision (i) nor provision (ii) applies when personal data is transferred to fulfil a scientific or professional relationship with the data subject, provided that such data is necessary for the development of and compliance with such relationship.

      International data transfer requires that the recipient or importer of personal data assume the same obligations as the exporter of personal data. It is necessary to notify the transfer to the competent authority. Also, the data controller may request the authority to share its opinion on the compliance of the transfer but no approval is needed.


    • Peru

      The data controller and data processor must adopt organisational, technical, and legal measures to protect personal data against damage, loss, alteration or unauthorised access or processing. Personal data should be stored in databases that meet the following conditions:

      • access control;
      • identification and authentication procedures;
      • conservation, backup and recovery of personal data;
      • authorisation for personal data transfers;
      • document storage security measures;
      • authorisation for reproduction or copies;
      • access to records limited to authorised personnel; and
      • security measures for personal data while it is being transferred.

      The Directive on Security of Information establishes security measures for the management of personal data; however, these are not legally binding to data controllers or data processors.


    • Peru

      Cookies and location technologies are not directly regulated by the Personal Data Protection Law. However, data protection regulation will apply if personally identifiable information is collected and processed through those mechanisms.


    • Peru

      There is no specific regulation regarding fintech data protection and cybersecurity in force as yet in Peru. However, there is growing concern among local authorities to regulate such digital activities, manifested by the proposal to modify the Operational Risk Management Regulation, prepublished on 30 November 2018, which aims to add standards of cybersecurity management and provide guidelines for subcontracting data processing in the cloud.


    • Peru

      The following are the local law provisions on unsolicited electronic commercial communications:

      • The Anti-Spam Law (Law No. 28493) regulates unsolicited electronic commercial communications. It establishes that every unsolicited email originating in Peruvian territory must: (i) include the word ADVERTISING in the email subject line; (ii) provide the complete information of the email sender; and (iii) provide an opt-out mechanism to stop further unsolicited emails.
      • The Consumer Protection Law (Law No. 29571) protects consumers from receiving instant messages, emails or telemarketing calls from suppliers promoting products and/or services without their prior authorisation for the use of these commercial practices.


    • Peru

      The Secretariat of Digital Government drew up the Guidelines for the Use of Services in the Cloud for public entities, approved on 4 January 2018, which are a set of measures, guidelines and recommendations that public entities must take into account in their cloud procurement procedures.


    • Peru

      Yes, the Personal Data Protection Law regulates the adequate treatment of personal data by public and private entities alike. However, the regulation establishes that its provisions shall not apply to the contents included or to be included in public administration data banks, as long as the treatment is necessary for the strict fulfilment of the competences assigned by law to the respective public entity and provided that its object is:

      • national defence;
      • public safety; and
      • the development of activities in criminal matters for the investigation and repression of a felony.


    • Peru

      Yes, according to Law No. 27806, Transparency and Access to Public Information Law, every person has the right to request and receive information from any public entity, subject to certain restrictions regarding confidential information.


    • Peru

      Yes, the Personal Data Protection Law provides that one of the functions of the Data Protection Authority is to promote the use of self-regulation mechanisms as a complementary instrument for the protection of personal data.
