Data protection

1. Local data protection laws and scope

  • Law No. 29733, Personal Data Protection Law ("Personal Data Protection Law"), which includes the provisions (such as principles, obligations, data bank registration and fines) applicable in Peru regarding personal data protection.
  • Supreme Decree No. 016-2024-JUS, Regulation of the Personal Data Protection Law ("Regulations"), which details with further precision the provisions established in the Law.
  • Directorial Resolution No. 02-2020-JUS/DGTAIPD, Guidelines on the processing of personal data using video-surveillance systems (optional and guidance standard), which aims to establish guidelines for the treatment of personal data that are captured through video surveillance systems for security and labour control purposes.
  • Resolution No. 0326-2020-JUS, Methodology for the Calculation of Personal Data Protection Fines, which aims to provide uniform, predictable and objective guidelines and criteria regarding the imposition of fines.

The main provisions established in the above-mentioned data protection laws are as follows:

  • The data protection laws apply to numeric, alphabetic, graphic, photographic, acoustic information, information about personal habits, location, online identifiers, or any other type of information concerning the physical, economic, cultural, or social aspects of natural persons that identifies them or makes them identifiable. An individual is considered identifiable when their identity can be verified directly or indirectly from a combination of data through means that can reasonably be used.
  • The data protection laws apply to automated and non-automated data processing operations.
  • The data protection laws apply to any person, corporation or public entity established in Peru that determines the purposes and means of processing personal data ("Responsible of treatment"). This definition includes all persons or entities that process personal data, even when such data is not part of a data bank.

The Personal Data Protection Law and its Regulations apply to any personal data processing when:

  • It is carried out at an establishment located in Peruvian territory belonging to the owner of the personal data bank or the party responsible for processing.
  • It is carried out by a data processor, regardless of their location, on behalf of a personal data bank owner established in Peruvian territory or the responsible party for processing.
  • The owner of the personal data bank or the party responsible for processing is not established in Peruvian territory but uses means located within said territory, unless such means are used solely for transit purposes that do not involve the processing of personal data. This provision includes the following cases:
    • The owner of the personal data bank or the responsible party is not located in Peruvian territory but carries out activities related to the offering of goods or services directed at data subjects located in Peruvian territory.
    • The owner of the personal data bank or the responsible party is not located in Peruvian territory but carries out activities aimed at analyzing the behavior of data subjects located in Peruvian territory, as well as profiling intended to predetermine behaviors, preferences, habits, or similar characteristics.
  • The owner of the personal data bank or the party responsible for processing is not established in Peruvian territory, but Peruvian law applies by contractual provision or international law.

Thus, the existence of special rules, even when they include regulations on personal data, does not exclude compliance with the Personal Data Protection Law.

2. Data protection authority

3. Anticipated changes to local laws

There are no anticipated changes to local laws. 

4. Sanctions & non-compliance

Administrative sanctions:

The DPA has powers to impose the following sanctions: 

  • Fines between approximately USD 750 and approximately USD 150,500. The amount depends on the type of infraction committed, according to the Methodology for the Calculation of Personal Data Protection Fines. Failure to comply with any measure imposed by the DPA may lead to additional fines of up to approximately USD 150,500.
  • Corrective measures, such as the obligation to register a database, communicate the cross-border flow, delete personal data, appoint a Personal Data Officer, among others.

Criminal sanctions:

The Criminal Code details certain offences in the field of personal data:

  • Illegal traffic of personal data: the person who illegitimately commercialises non-public information related to the personal and sensitive sphere, will be punished with imprisonment of not less than two nor more than five years.
  • Dissemination of images, videos or audio with sexual content: whoever reveals, disseminates or commercialises images (or audio without the person's consent) shall be punished with imprisonment of not less than two nor more than five years and with thirty to 120 days' fine.
  • Disclosure of personal and family privacy: anyone who discloses aspects of someone's personal or family life that he/she came to know through (i) the work done for the affected party or (ii) a relationship of trust shall be punished with imprisonment of not more than one year.
  • Improper use of computer files: anyone who improperly uses any file containing data relating to political or religious beliefs and other aspects of the intimate life of one or more persons shall be liable to imprisonment for a term of not less than one year and not more than four years.

Others:

  • In addition to making a complaint to the DPA, a data subject may also make a claim for damages in court, which may involve material and moral damages.

5. Registration / notification / authorisation

The Personal Data Protection Law does not require prior notification or registration to the DPA for any data processing activities. However, it does require the registration of any personal data bank before the National Registry for the Protection of Personal Data.

6. Main obligations and processing requirements

Personal data can only be processed with the consent of its owner, which must be free, prior, informed, express and unequivocal.

Consent may be obtained through written, verbal, digital or other means established under Peruvian Civil Law. In the case of sensitive data, consent must be given in written form signed through handwritten, digital, electronic, or any other signature method that guarantees the will of the owner of the personal data. 

Information requirements

The data controller ("Responsible of treatment") must inform the data subject of at least the following:

  • The identity and address of the owner of the personal data bank or the data controller to whom he/she can apply to revoke consent or exercise his/her rights, and, when applicable, the representative.
  • The purpose or purposes of the processing to which the data will be subjected.
  • The identity of those who are or may be the recipients of the data, if applicable.
  • The existence and identification of the personal data bank where the information will be stored, when applicable.
  • Whether the responses to the proposed questionnaire are mandatory or optional, when applicable.
  • The consequences of providing personal data or refusing to do so.
  • National and international transfers of data, if applicable.
  • The existence of automated decisions, including profiling, and information about the consequences for the data subject.
  • The retention period for personal data.
  • The mechanisms for exercising rights of access, rectification, opposition and cancellation.

General obligations

The data controller and the data processor, when applicable, must comply with the following obligations:

  • Not to collect personal data by fraudulent, unfair or illegal means;
  • Collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
  • Not to use personal data for any means other than those for which it was collected in the first place unless such data undergoes an anonymisation or dissociation process;
  • Store personal data in such a manner that allows data subjects to enforce their rights;
  • Delete or replace personal data upon knowledge of its inaccuracy or incompleteness;
  • Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process;
  • Provide the information that the DPA requests.

7. Data subject rights

The following are the rights granted to data subjects:

  • Right to request information;
  • Right of access to personal data;
  • Right to update, include or rectify personal data;
  • Right to delete personal data;
  • Right to prevent the supply of personal data;
  • Right to oppose the processing of personal data;
  • Right to objective processing;
  • Right to claim protection; and
  • Right to be indemnified.

8. Processing by third parties

In general, the data processor must comply with the following obligations:

  • It is prohibited to transfer personal data for the provision of processing services to third parties, unless authorised by the data controller and the personal data subject has given his or her consent;
  • To carry out the processing of personal data according to the instructions of the data controller and exclusively for the purpose established in the agreement between the two;
  • In order to contract a data sub-processor, the data processor must have the data controller's authorisation;
  • The data processor may keep the data for a maximum of two years from the end of the last assignment;
  • The data sub-processor assumes the same obligations as the data controller and data processor in accordance with the Personal Data Protection Law and its Regulation;
  • Deploy the technical, organisational and legal measures that guarantee the security of personal data processing;
  • To maintain confidentiality regarding the personal data processing ordered by the data controller.

9. Transfers out of country

General rules

Two rules may apply to the data transfer outside the country: 

  • Personal data can be transferred to other countries whose protection level is adequate, according to the Peruvian Data Protection Law and its Regulation; and
  • If the destination country does not have an adequate protection level, the sender shall guarantee that the data processing will be carried out in accordance with the Peruvian Data Protection Law and its Regulation.

10. Data Protection Officer

Every owner of a Peruvian personal data bank and every processing entity of Peruvian personal data must appoint a Data Protection Officer if:

  • The processing is carried out by a public entity, in accordance with Peruvian Law.
  • The holder of the data bank or the person responsible for processing or the data processor carries out processing of large volumes of personal data, either in quantity or type of data, or when it may affect a large number of individuals, or when sensitive data is involved, or when there is a clear harm to other rights or freedoms of the personal data subject.
  • The holder of the data bank, the person responsible for processing, or the data processor carries out main activities or business operations that involve the processing of sensitive data.

Persons or entities that do not fall within these three scenarios are not required to appoint a Data Protection Officer.

11. Security

Platforms, websites, mobile applications, digital services, and IT systems used to process personal data must have the following documented and implemented:

  • Access control to personal data, which includes:
    • Management of access from the registration of a user to their removal or deactivation, including periodic events such as vacation periods or occasional leave.
    • Identification and authentication procedures.
    • Management of privileges assigned to that user, including periodic verification of those privileges, which must be performed at least every six months.
    • User authentication mechanisms for the system, which may include user-password assignment, the use of digital certificates, tokens, among others.
  • Periodic monitoring and review of security measures, as well as staff training plans, depending on their roles and responsibilities regarding the processing of personal data they perform.
  • The generation and maintenance of logical interaction records that provide evidence, including for traceability purposes, of the user accounts with access to the system, login and logout times, and actions related to the processing, viewing, modification, deletion, import and export of personal data.
  • These records must be readable, timely, and have a procedure for disposition, storage, transfer, and destruction once they are no longer useful, and must be generated and/or executed periodically. Such records must be kept for a minimum period of two (2) years.
  • Logical interaction records corresponding to traceability of actions performed by system operators used to process personal data must be generated continuously and must be immediately available.
  • Security measures that prevent unauthorized personnel from generating copies or reproducing digital documents containing personal data. In the case of the use of systems, instant messaging applications, use of non-institutional email accounts and/or social networks, these must be properly approved and formally established, in order to avoid generating risks and unauthorized transfers of personal data.
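The record-keeping and review points above (a user account, login/logout times and the action performed in every logical interaction record; privilege verification at least every six months; record retention of at least two years) and the 48-hour notification deadline in section 12 can be checked mechanically. The following Python script is an added example written for this page, not code from the Regulations or from any Peruvian authority; the record layout, field names and sample records are constructed assumptions chosen to illustrate the checks.

```python
"""Compliance checks over audit records of a system that processes personal data.

The field names and sample records below are constructed for illustration; they
do not come from the Regulations, which only state what the records must show.
"""
from datetime import datetime, timedelta, timezone

# Each logical-interaction record must identify the user account, the login and
# logout times of the session, and the action performed on personal data.
REQUIRED_FIELDS = {"user", "login_at", "logout_at", "action", "at"}
ALLOWED_ACTIONS = {"process", "view", "modify", "delete", "import", "export"}
PRIVILEGE_REVIEW_MAX = timedelta(days=183)   # privileges re-verified at least every six months
RETENTION_MIN = timedelta(days=730)          # records kept for a minimum of two years
NOTIFY_WINDOW = timedelta(hours=48)          # section 12: notify the DPA within 48 hours


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries an explicit UTC offset."""
    return datetime.fromisoformat(value)


def record_problems(rec: dict) -> list[str]:
    """Return the defects of one audit record (empty list when it is acceptable)."""
    problems = []
    missing = REQUIRED_FIELDS - set(rec)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if rec.get("action") not in ALLOWED_ACTIONS:
        problems.append(f"unknown action: {rec.get('action')!r}")
    if not missing:
        login, logout, at = (parse_ts(rec[k]) for k in ("login_at", "logout_at", "at"))
        # An action recorded outside its own session window is not a credible trace.
        if not (login <= at <= logout):
            problems.append("action timestamp outside the session window")
    return problems


def overdue_privilege_reviews(reviews: dict, now: datetime) -> list[str]:
    """Users whose last privilege verification is older than six months."""
    return sorted(u for u, ts in reviews.items() if now - parse_ts(ts) > PRIVILEGE_REVIEW_MAX)


def disposable(records: list, now: datetime) -> list:
    """Records old enough (two years or more) for the disposition procedure to destroy."""
    return [r for r in records if "at" in r and now - parse_ts(r["at"]) >= RETENTION_MIN]


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest moment at which the DPA must have been notified of a qualifying incident."""
    return aware_at + NOTIFY_WINDOW


def audit(records: list, reviews: dict, now: datetime) -> dict:
    """Summary a reviewer would look at: defective records, overdue reviews, disposable records."""
    return {
        "defective_records": [r["user"] for r in records if record_problems(r)],
        "overdue_reviews": overdue_privilege_reviews(reviews, now),
        "disposable_count": len(disposable(records, now)),
    }


# Constructed sample data (not real logs).
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"user": "alice", "login_at": "2025-02-28T08:00:00+00:00",
     "logout_at": "2025-02-28T17:00:00+00:00", "action": "export", "at": "2025-02-28T10:15:00+00:00"},
    {"user": "bob", "login_at": "2022-12-01T08:00:00+00:00",
     "logout_at": "2022-12-01T16:00:00+00:00", "action": "view", "at": "2022-12-01T09:00:00+00:00"},
    {"user": "carol", "action": "delete", "at": "2025-02-27T09:00:00+00:00"},  # session times missing
    {"user": "dave", "login_at": "2025-02-27T08:00:00+00:00",
     "logout_at": "2025-02-27T12:00:00+00:00", "action": "print", "at": "2025-02-27T13:00:00+00:00"},
]
SAMPLE_REVIEWS = {"alice": "2025-01-10T00:00:00+00:00", "bob": "2024-06-01T00:00:00+00:00"}

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS, SAMPLE_REVIEWS, NOW))
    print("notify DPA by:", notification_deadline(NOW).isoformat())
```

Run against the constructed sample, the audit flags carol (no session times) and dave (unrecognised action, timestamp outside the session), lists bob's privileges as overdue for review, and identifies bob's 2022 record as the only one old enough to enter the disposition procedure.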

12. Breach notification

A personal data security incident that results in the exposure of large volumes of data, whether by quantity or type, or that may affect a large number of individuals, or when sensitive data is involved, or when there is evident harm to other rights or freedoms of the personal data subject, must be notified to the DPA no later than 48 hours after becoming aware of or having evidence of the incident. This obligation remains even if the data controller considers that the incident has been remedied or resolved internally.

13. Direct marketing

The Data Protection Law and its Regulations apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person. Article 58.1 of the Consumer Code (Law No. 29571) prohibits the use of aggressive or deceptive commercial communication practices without the data subject's consent.

In this regard, it is prohibited to use call centres, telephone call systems, sending text messages to cell phones or mass emails to promote products and services, as well as to provide telemarketing services to all those telephone numbers and email addresses of consumers who have not provided their prior, informed, express and unequivocal consent. In case of non-compliance, a fine of up to USD 600,000 can be imposed.

14. Cookies and adtech

Cookies, adtech and online marketing are not regulated directly by the Personal Data Protection Law. However, the Personal Data Protection Law and its Regulations will apply if personal identifiable information is collected and processed through cookies, adtech and online marketing.

15. Risk scale

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

The Emergency Decree No. 007-2020, Digital Confidence Law ("DCL") aims to establish the necessary measures to ensure trust with digital services, including digital security. The Supreme Decree No. 029-2021-PCM, Digital Government Law Regulations ("DGL") regulates the management of new technologies in public entities during the provision of digital services to citizens, which includes the Digital Security Incident Response management.

2. Anticipated changes to local laws

No anticipated changes to local laws.

3. Application

In accordance with the DCL, the obligations regarding Digital Security apply to the following:

  • Public entities;
  • Providers of digital services from: 
    • Financial sector;
    • Basic services (electricity, water and gas);
    • Health; and 
    • Passenger transport,
  • Internet service providers;
  • Critical service providers; and
  • Educational providers.

The obligations detailed in the DGL only apply to public entities.

5. Key obligations 

DCL

The obligations related to Digital Security are the following: 

  • Report every data breach to the National Centre for Digital Security;
  • Deploy physical, technical, organisational and legal security measures to guarantee the confidentiality of messages, content and information transmitted through its communications services;
  • Manage digital security risks in the organisation in order to establish controls to protect the confidentiality, integrity and availability of information;
  • Set up mechanisms to verify the identity of persons accessing a digital service in accordance with the risk level involved and current regulations on personal data protection;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA);
  • Keep a secure, scalable and interoperable infrastructure.

DGL

The public entities must comply with the following obligations: 

  • Report every data breach to the National Centre for Digital Security;
  • Implement an Information Security Management System, which requires that the public entity develop a set of cybersecurity policies, guidelines, procedures and resources to protect its information assets against information security and digital security risks and incidents;
  • Adopt measures for the management of digital security risks and incidents affecting the entity's assets;
  • Spread early warnings, alerts and information about digital security risks and incidents in their entity;
  • Ensure effective, efficient and secure research and cooperation with the National Centre for Digital Security;
  • Provide the necessary resources and measures to ensure the effective management of digital security incidents;
  • Require its software development suppliers to comply with standards, technical rules and security best practices;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA) within 48 hours of becoming aware of the security breach.

6. Sanctions & non-compliance 

In accordance with the obligations detailed in the DGL, in the event of non-compliance the person in charge of executing the obligation may receive (i) a verbal or written warning, (ii) suspension without pay for up to 12 months, or (iii) dismissal.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The DCL provides that the National Centre for Digital Security is responsible for identifying, protecting, detecting, responding to, retrieving and collecting information on digital security incidents.

Likewise, the DCL and the DGL incorporate the National Digital Security Incident Response Team responsible for: (i) managing the response and/or recovery to digital security incidents in the country and (ii) coordinating and articulating actions with other teams of a similar nature at the national and international level to deal with digital security incidents.

8. National cybersecurity incident management structure

There is no national cybersecurity incident management structure yet.

9. Other cybersecurity initiatives 

  • On 1 February 2019, Peru joined the Budapest Agreement, known as the Budapest Convention, which is the first international treaty to address computer and internet crime.
  • Supreme Decree No. 050-2018-PCM defines the term 'digital security' as the state of confidence in the digital environment resulting from the management and implementation of proactive and reactive measures against risks that affect the security of people.