Data Law Navigator | Peru
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 16 July 2018
Peru has adopted the following legal framework for the protection of personal data, which regulates the collection and processing of personal data:
- Law No. 29733, Personal Data Protection Law, issued on 21 June 2011 and published in the Official Gazette on 3 July 2011;
- Supreme Decree No. 003-2013-JUS, Regulations on Personal Data Protection Law, published in the Official Gazette on 22 March 2013 and fully enforceable from 8 May 2015; and
- Directorial Resolution No. 019-2013-JUS/DGPDP, Guidelines on Security of Information, published on 22 March 2013.
The Data Protection Authority (DPA) is a directorate within the General Directorate of Transparency, Access to Public Information and Protection of Personal Data, which is part of the Ministry of Justice. It has administrative, regulatory, supervisory and sanctioning functions exclusively for data protection and cybersecurity matters, as long as they involve the use of personal data.
Anticipated changes to law
There is a Draft Bill to modify article 58.1 of the Consumer Code, in order to prohibit the use of aggressive or deceptive commercial communication practices without the data subject's consent:
“58.1 The right of every consumer to protection against aggressive or deceptive commercial methods means that providers cannot carry out practices that significantly reduce the freedom of choice of the consumer through figures such as harassment, coercion, undue influence or fraud.
In this regard, all commercial practices that mean the following are prohibited:
The use of call centers, telephone call systems, the sending of text messages to cell phones or of mass electronic messages to promote products and services, as well as providing the telemarketing service, to all those telephone numbers and electronic addresses of consumers who have not provided the providers of said goods and services with their prior, informed, express and unequivocal consent for the use of this commercial practice. This consent may be revoked at any time and in accordance with the regulations governing the protection of personal data.”
Even though the Personal Data Protection Law provides a legal framework for diverse industries, the regulation establishes specific rules for some industries, such as healthcare and telecommunications.
In telecommunications, local law makes telco operators responsible for ensuring the confidentiality, security, proper use and integrity of the personal data obtained from their subscribers in the course of their commercial operations. Accordingly, they may not process such personal data for purposes other than those authorised by its owner, unless required by a warrant or an express legal mandate.
On the other hand, there is an exemption from the principle of consent for health information when the data is needed for the prevention, diagnosis and medical or surgical treatment of the data subject under risk circumstances, provided that the processing is carried out in health facilities or by health science professionals bound by professional secrecy; or in cases of public interest provided for by local law; or if personal data must be processed for reasons of public health or to conduct epidemiological or similar studies, provided that adequate dissociation procedures are applied.
The sanctions and remedies for non-compliance with the data protection law are administrative. The Data Protection Authority can impose fines of up to US$128,000. The amount of the fine depends on the magnitude of the violation.
There is no criminal liability for non-compliance with the data protection law.
Registration / notification
Registration of personal databases with the National Authority for Personal Data Protection is required before processing data. Data controllers must fill in a form providing the following information: (i) the identity of the data controller; (ii) the purpose and use of the database; (iii) the type of personal data included; (iv) the security measures in place; and (v) any international transfer. The registry entry must be updated whenever a relevant modification takes place.
Notification is not required before data processing, but rules for obtaining consent do apply.
Main obligations and processing requirements
The data controller, and data processor when applicable, must comply with the following obligations:
- Process personal data only with the data subject's prior, free, express, unequivocal and informed consent, unless otherwise provided by law.
- Not to collect personal data by fraudulent, unfair or illegal means.
- Collect updated, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose.
- Not to use personal data for purposes other than those for which it was collected in the first place, unless such data undergoes an anonymisation or dissociation process.
- Store personal data in a manner that allows data subjects to enforce their rights.
- Delete or replace personal data upon knowledge of its inaccuracy or incompleteness.
- Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process.
- Provide the information that the National Authority for Personal Data Protection requests.
Personal data processing must respect the fundamental rights of data subjects and the rights granted to them by Peruvian Law.
The data controller, the data processor and any other entity processing personal data must keep personal data confidential, unless an exception applies. This obligation remains in force even after the relationship between the data subject and the data controller has ended.
Data subject rights
The following are the rights granted to data subjects:
- Right to request information: The data subject has the right to request information about (i) the identity and contact details of the data controller or data processor; (ii) the purposes for which the data subject’s personal data is processed; (iii) who may or will receive the data; (iv) the existence of the relevant database, whether electronic or otherwise; (v) whether answers to any requested information are compulsory or not; (vi) the consequences of providing personal data or of refusing to provide it; (vii) the data subject’s rights to access, rectify, suppress or oppose the processing of his or her personal data, among other rights granted by the data protection law; and (viii) whether there is a cross-border transfer of personal data.
- Right of access to personal data: The data subject is entitled to request information on how his or her personal data is processed, how his or her personal data was collected, the reason or purposes of such collection, who ordered it and whether cross-border transfers have been made or are planned to be made.
- Right to update, include, rectify or delete personal data: The data subject has the right to update, include, rectify or delete his or her personal data when such data is inaccurate, incomplete or false, when there is an omission or error, when it is no longer necessary or relevant for the purpose for which it was collected, or upon the expiration date established for its processing.
- Right to prevent the supply of personal data: The data subject has the right to prevent the supply of his or her data to third parties when it affects his or her fundamental rights.
- Right to oppose the processing of personal data: The data subject may oppose the processing of his or her personal data when there is a legitimate reason linked to his or her particular situation, provided that the data subject did not consent to such processing, or whenever there is a law against such processing.
- Right to objective processing: Processing of personal data intended to evaluate certain aspects of a data subject’s personality traits or behaviour should not be used to take a decision with legal effects on the data subject based solely on such processing, unless this occurs in the course of negotiating a contract, or in the course of a process of hiring or incorporating someone into a public office, in which case the data subject must be allowed to defend his or her point of view.
- Right to claim protection: Whenever the data subject is denied any of the aforementioned rights, he or she may file a claim before the National Data Protection Authority or file a petition for the writ of habeas data before the judiciary.
- Right to be indemnified: The data subject has the right to be indemnified or to claim compensation for any damages caused by an infringement of the data protection law.
Processing by third parties
The following rules apply to a third party processing personal data on behalf of a data controller:
- Process personal data according to the data controller’s instructions and exclusively for the purpose set out in the agreement between the data controller and data processor.
- In order to subcontract the processing of personal data, the data processor must have the data controller’s authorisation.
- Destroy the data once all contractual obligations have been fulfilled, unless the data controller instructs the processor to keep the data for a longer time because future services related to such data are possible; in any case, the data may be securely stored for no longer than two years.
- Implement appropriate security measures.
Transfers out of country
Two rules may apply to the transfer of data outside the country: (i) personal data can be transferred to other countries whose level of protection is adequate according to the Peruvian data protection regulation; and (ii) otherwise, an entity transferring personal data outside the country must guarantee that the data processing will be carried out in accordance with the Peruvian data protection regulation.
Provision (ii) is not applicable in the following circumstances:
- when the transfer results from the application of an international treaty to which Peru is party;
- international legal cooperation;
- international cooperation in the fight against terrorism, illicit drug trafficking, money laundering, corruption, human trafficking and other organised crime;
- when the transfer is necessary to fulfil contractual obligations where the data subject is a party, including authentication, improvement and technical support, maintenance, billing, among others;
- money transfers made according to applicable law;
- when the transfer is necessary for medical prevention or diagnosis, or providing healthcare or medical treatment or for managing healthcare services, provided that adequate dissociation procedures are applied;
- when the data subject has given prior, free, express, unequivocal and informed consent to the data transfer; or in other exceptional cases provided for by the Personal Data Protection Regulation.
Neither provision (i) nor (ii) applies when personal data is transferred to fulfil a scientific or professional relationship with the data subject, provided that such data is necessary for the development of and compliance with that relationship.
An international data transfer requires that the recipient or importer of the personal data assume the same obligations as the exporter of the personal data. The transfer must be notified to the competent authority. The data controller may also ask the authority for its opinion on the compliance of the transfer, but no approval is needed.
Data Protection Officer
No, there is no legal requirement to have a DPO.
The data controller and data processor must adopt organisational, technical and legal measures to protect personal data against damage, loss, alteration, and unauthorised access or processing. Personal data should be stored in databases that meet the following conditions:
- access control;
- identification and authentication procedures;
- conservation, backup and recovery of personal data;
- authorisation for personal data transfers;
- document storage security measures;
- authorisation for reproduction or copies;
- access to records limited to authorised personnel; and
- security measures applied while personal data is being transferred.
The Directive on Security of Information establishes security measures for the management of personal data; however, these are not legally binding on data controllers or data processors.
There is no obligation to notify the National Data Protection Authority of a data breach.
The following local law provisions govern unsolicited electronic commercial communications:
- The Anti-Spam Law (Law No. 28493) regulates unsolicited electronic commercial communications: every unsolicited email originating in Peruvian territory must (i) include the word ADVERTISING in the email subject line, (ii) provide the complete information of the email sender, and (iii) provide an opt-out mechanism to stop further unsolicited emails.
- Directive No. 0005-2009/COD-INDECOPI created the registry “Thanks… do not insist”: it regulates telemarketing calls and commercial emails to numbers or email addresses listed on that registry.
Cookies and location technologies are not regulated directly by the Personal Data Protection Law. However, the data protection regulation will apply if personally identifiable information is collected and processed through these mechanisms.