CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

Brazil: General Data Protection Law ("LGPD"), Law No. 13,709/2018, a comprehensive data protection law comparable to the GDPR.

Peru: the following laws and regulations apply:

  • Law No. 29733, Personal Data Protection Law (“Personal Data Protection Law”), which contains the provisions applicable in Peru to personal data protection, such as principles, obligations, data bank registration and fines.
  • Supreme Decree No. 003-2013-JUS, Regulation of the Personal Data Protection Law (“Regulations”), which details with further precision the provisions established in the Law.
  • Directorial Resolution No. 019-2013-JUS/DGPDP, Guidelines on Security of Information (an optional, guidance standard), which describes the conditions, requirements and technical measures to be considered in order to comply with the security obligations for personal data protection.
  • Directorial Resolution No. 02-2020-JUS/DGTAIPD, Guidelines on the processing of personal data using video-surveillance systems (an optional, guidance standard), which establishes guidelines for the processing of personal data captured through video-surveillance systems for security and labour-control purposes.
  • Resolution No. 0326-2020-JUS, Methodology for the Calculation of Personal Data Protection Fines, which provides uniform, predictable and objective criteria for the imposition of fines.
The main provisions of the above-mentioned data protection laws are as follows:

  • They apply to information relating to identified or identifiable natural persons (data subjects).
  • They apply to automated and non-automated data processing operations.
  • They apply to the party that determines the purposes and means of the processing of personal data and is established in Peru (“data controller”).
  • They apply to the party that processes the data on behalf of the data controller (“data processor”).
  • They apply to the party that processes the data on behalf of the data processor (“data sub-processor”).

The Personal Data Protection Law and its Regulations apply to any natural person, legal entity or public entity that processes personal data:

  • within the national territory;
  • through a data processor, regardless of its location, on behalf of a data controller established in Peru;
  • where the data controller is not established in Peru but Peruvian law applies by virtue of contract or international law; and
  • where the data controller is not established in Peru but uses means located in Peruvian territory, unless those means are used only for transit and no processing of personal data takes place there.

The existence of sector-specific rules, even where they include provisions on personal data, does not exclude compliance with the Personal Data Protection Law.

2. Data protection authority

Brazil: National Data Protection Authority (“ANPD”).

Peru: National Authority for the Protection of Personal Data, a function exercised by the Ministry of Justice and Human Rights (referred to in this guide as the “DPA”).

3. Anticipated changes to local laws

Brazil: the LGPD came into force on 18 September 2020. A 2020 amendment postponed the applicability of its administrative sanctions to 1 August 2021.

Peru: there are no anticipated changes to the data protection laws.

4. Sanctions & non-compliance

Brazil

Administrative sanctions under the LGPD:
  • warning;
  • a fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, capped at BRL 50 million per infraction;
  • a daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until the situation is regularised;
  • erasure of the personal data to which the infraction relates.
Criminal sanctions: 

None.

Others: 

Individual claims for damages and losses caused by violations of the data subject's personal data.

Claims by consumer protection bodies and the Public Prosecutor for damages and losses caused by violations of the data subject's personal data.

Peru

Administrative sanctions:

The DPA may impose the following sanctions:

  • fines of up to approximately USD 120,500, the amount depending on the type of infraction under the Methodology for the Calculation of Personal Data Protection Fines;
  • corrective measures, such as the obligation to register a data bank, to communicate a cross-border flow or to delete personal data.
Criminal sanctions:

The Criminal Code provides for the following offences relating to personal data:

  • Illegal trafficking of personal data: whoever unlawfully commercialises non-public information relating to a person's personal or sensitive sphere is punished with imprisonment of not less than two and not more than five years.
  • Dissemination of images, videos or audio with sexual content: whoever reveals, disseminates or commercialises such images, videos or audio without the consent of the person concerned is punished with imprisonment of not less than two and not more than five years and thirty to 120 day-fines.
  • Disclosure of personal and family privacy: whoever discloses aspects of another person's personal or family life that he or she learned (i) through work performed for the affected party or (ii) as a person of confidence is punished with imprisonment of not more than one year.
  • Improper use of computer files: whoever improperly uses any file containing data on the political or religious beliefs or other aspects of the intimate life of one or more persons is punished with imprisonment of not less than one and not more than four years.
Others: 

In addition to lodging a complaint with the DPA, a data subject may claim damages in court, including material and moral damages.

5. Registration / notification / authorisation

Brazil: the LGPD provides for notification of the ANPD and of data subjects of security incidents that may cause risk or relevant damage to data subjects.

There is no requirement to register data processing activities, databases or cross-border flows with the ANPD, and no data protection fee is payable.

Peru: no prior authorisation from the DPA is required for data processing activities. However, personal data banks must be registered with the DPA and cross-border flows must be communicated to it; failure to do so is subject to the corrective measures described under Sanctions above.

6. Main obligations and processing requirements

Brazil: the controller and the processor must comply with the principle of good faith and with the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability (liability and demonstration of compliance with the law).

The controller and the processor must keep records of their personal data processing operations.

The controller must appoint an officer in charge of personal data processing (the “in charge person”, equivalent to a DPO), who acts as the communication channel between the controller, data subjects and the ANPD.

Processing agents must adopt security, technical and administrative measures to protect personal data from unauthorised access and from accidental or unlawful situations of destruction, loss, alteration, communication or any other form of improper or unlawful processing.

The controller must notify the ANPD and the data subjects of any security incident that may cause risk or relevant damage to data subjects.

Peru

Consent requirements

Personal data may only be processed with the consent of the data subject, which must be prior, informed, express and unequivocal.

Consent may be given in writing or verbally. For sensitive data, consent must be given in writing.

Information requirements

The data controller must provide data subjects with the following information: (i) the identity and address of the data controller and, where applicable, of the data processor; (ii) the purpose of the processing; (iii) the possible recipients of the data (including national or international transfers); (iv) the existence of the data bank in which the information will be stored; (v) whether answering the questions put to the data subject is mandatory or optional; (vi) the consequences of providing the personal data and of refusing to do so; (vii) any transfer of the personal data; (viii) the period for which the personal data will be retained; and (ix) the means of exercising the rights of access, rectification, opposition and cancellation.

General obligations

The data controller and the data processor, when applicable, must comply with the following obligations:

  • Not to collect personal data by fraudulent, unfair or unlawful means;
  • To collect only up-to-date, necessary, relevant and adequate personal data in connection with a specified, explicit and lawful purpose;
  • Not to use personal data for purposes other than those for which it was collected, unless the data undergoes an anonymisation or dissociation process;
  • To store personal data in a manner that allows data subjects to exercise their rights;
  • To delete or replace personal data upon becoming aware that it is inaccurate or incomplete;
  • To delete personal data once it is no longer necessary for the purpose for which it was collected, unless the data undergoes an anonymisation or dissociation process;
  • To provide the information requested by the DPA.

7. Data subject rights

Brazil: the data subject has the following rights under the LGPD:

  • confirmation of the existence of processing of personal data;
  • access to the data;
  • correction of incomplete, inaccurate or out-of-date data;
  • anonymisation, blocking or erasure of unnecessary, excessive or unlawfully processed data;
  • portability of the data;
  • erasure of personal data processed on the basis of consent;
  • information on the public and private entities with which the data has been shared;
  • information on the possibility of refusing consent and on the consequences of refusal;
  • revocation of consent;
  • complaint to the ANPD about the processing;
  • opposition to processing carried out without consent where it does not comply with the law;
  • review of automated decisions based on personal data that affect the data subject's interests.

Peru: the rights granted to data subjects are the following:

  • Right to request information;
  • Right of access to personal data;
  • Right to update, include or rectify personal data;
  • Right to delete personal data;
  • Right to prevent the supply of personal data;
  • Right to oppose the processing of personal data;
  • Right to objective processing (not to be subject to decisions based solely on automated processing);
  • Right to claim protection; and
  • Right to be compensated.

8. Processing by third parties

Peru: processing by third parties is subject to the data subject's consent.

In general, the data processor must comply with the following obligations:

  • Not to transfer personal data to third parties for the provision of processing services unless authorised by the data controller and consented to by the data subject;
  • To process the personal data according to the instructions of the data controller and exclusively for the purpose established in the agreement between the two;
  • To obtain the data controller's authorisation before engaging a data sub-processor;
  • To keep the data for no longer than two years from the end of the last assignment;
  • The data sub-processor assumes the same obligations as the data controller and the data processor under the Personal Data Protection Law and its Regulations;
  • To deploy the technical, organisational and legal measures that guarantee the security of the processing;
  • To maintain confidentiality regarding the processing ordered by the data controller.

9. Transfers out of country

Brazil: under the LGPD, the international transfer of personal data is permitted in the following cases:

  • to countries or international organisations that provide a level of personal data protection adequate to that required by the LGPD;
  • where the controller demonstrates compliance with the principles, data subject rights and data protection regime established in the LGPD through: a) specific contractual clauses for a given transfer; b) standard contractual clauses; c) global corporate rules; d) seals, certificates or codes of conduct;
  • where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies;
  • where the transfer is required to protect the life or physical integrity of the data subject or a third party;
  • where the ANPD authorises the transfer;
  • where the transfer results from a commitment undertaken under an international cooperation agreement;
  • where the transfer is required for the enforcement of a public policy or legal attribution of the public service;
  • where the data subject has given specific and highlighted consent to the transfer, having been informed in advance of its international nature, clearly distinguished from any other purpose; or
  • where required for compliance with a statutory or regulatory obligation of the controller, for the performance of a contract or preliminary procedures relating to a contract to which the data subject is a party, at the request of the data subject, or for the regular exercise of rights in judicial, administrative or arbitration proceedings.
Peru

General rules

Two rules apply to transfers of personal data outside Peru:

  • Personal data may be transferred to countries whose level of protection is adequate under the Peruvian Data Protection Law and its Regulations; and
  • If the destination country does not provide an adequate level of protection, the recipient must guarantee that the processing will be carried out in accordance with the Peruvian Data Protection Law and its Regulations.

10. Data Protection Officer

Brazil: the controller must appoint an “in charge” person (the LGPD's equivalent of a DPO) to:

  • receive complaints and communications from data subjects, provide clarifications and take measures;
  • receive communications from the ANPD and take appropriate measures;
  • instruct staff and contractors on data processing practices; and
  • perform any other duties set by the controller or by complementary rules.

Peru: there is no legal requirement to appoint a Data Protection Officer.

11. Security

Brazil: the LGPD provides that the ANPD may set minimum technical security standards. Processing agents must adopt security, technical and administrative measures to protect personal data from unauthorised access and from accidental or unlawful situations of destruction, loss, alteration, communication or any other form of improper or unlawful processing.

Peru: the data controller and the data processor must deploy organisational, technical and legal measures to protect personal data against damage, loss, alteration, and unauthorised access or processing. Personal data must be stored in data banks that meet the following conditions:

  • access control and management;
  • management of privileges and their periodic review;
  • identification and authentication procedures;
  • preservation, back-up and recovery of personal data;
  • security measures for the storage of non-automated (physical) documents;
  • authorisation of reproduction or copying;
  • access to records limited to authorised personnel;
  • generation of a log of logical interactions with the data, including the access information and login and logout times; and
  • security measures for transfers of personal data.

12. Breach notification

Brazil: the controller must report to the ANPD and to the data subjects any security incident that may cause risk or relevant damage to data subjects. Reporting the incident to the company's sector regulator or to consumer protection bodies (where consumer relations are involved) is also recommended.

Peru: there is currently no obligation on private entities to report a personal data breach to the DPA. This may change once the Digital Confidence Law Regulations are passed.

Public entities, however, must report any data breach involving personal data to the DPA within 48 hours of becoming aware of it.

The Guidelines on Security of Information recommend keeping a documented record of incidents and of the actions taken, including notification of the affected data subjects.

13. Direct marketing

Brazil: the LGPD does not specifically regulate direct marketing, but it is understood that processing personal data for direct marketing requires the data subject's consent.

Peru:

  • The Personal Data Protection Law and its Regulations apply to all marketing and advertising activities involving personal data, that is, any information relating to an identified or identifiable natural person.
  • Article 58.1 of the Consumer Code (Law No. 29571) prohibits aggressive or deceptive commercial practices carried out without the consumer's consent. Accordingly, it is prohibited to use call centres, automated telephone call systems, text messages to mobile phones or mass e-mails to promote products and services, or to provide telemarketing services, to telephone numbers and e-mail addresses of consumers who have not given their prior, informed, express and unequivocal consent. Non-compliance may be punished with a fine of up to USD 600,000.

14. Cookies and adtech

Brazil: the LGPD does not specifically deal with cookies and adtech, but it is understood that processing personal data through cookies and adtech requires the data subject's consent.

Peru: cookies, adtech and online marketing are not directly regulated by the Personal Data Protection Law. However, the Law and its Regulations apply where personal data is collected and processed through cookies, adtech or online marketing.

15. Risk scale

Brazil: Moderate

Peru: Moderate

Cybersecurity

1. Local cybersecurity laws and scope

Brazil: there are no laws dedicated specifically to cybersecurity. However:

  • the Consumer Code and the Internet Act provide for certain principles and rules;
  • the Criminal Code (Decree Law 2,848/1940) establishes the crime of “invasion” of a computing device;
  • the LGPD applies to any category of personal data (both offline and online).

Peru: Emergency Decree No. 007-2020, the Digital Confidence Law (“DCL”), establishes the measures necessary to ensure trust in digital services, including digital security.

Supreme Decree No. 029-2021-PCM, the Digital Government Law Regulations (“DGL”), governs the management of new technologies by public entities in the provision of digital services to citizens, including the management of digital security incident response.

2. Anticipated changes to local laws

Brazil: despite the lack of a cybersecurity-specific law or regulator, an “E-Ciber” strategy was introduced in 2020:

  • It aims to make Brazil into a “country of excellence” in the sector;
  • It has set out ten strategic ways to strengthen the cybersecurity arena, including: centralisation of the national cybersecurity system; an increase in international cooperation; an improvement in cyber governance in both the public and private sectors; and enhanced protection of critical infrastructure;
  • It also envisages the creation of a new cybersecurity law (yet to materialise).

Peru: the DCL Regulations are pending. They are expected to detail the procedure that obligated entities must follow to report data breaches, and were expected to be issued in 2021.

3. Application 

Brazil: Not applicable.

Peru: under the DCL, the Digital Security obligations apply to:

  • public entities;
  • providers of digital services in the following sectors:
    • financial services;
    • basic services (electricity, water and gas);
    • health; and
    • passenger transport;
  • internet service providers;
  • critical service providers; and
  • educational providers.

The obligations detailed in the DGL only apply to public entities.

4. Authority

Brazil: there is no cybersecurity-specific regulator. The authority responsible for cybercrime is the Ministry of Justice and Public Security.

Peru: the DCL entrusts digital security functions to the National Centre for Digital Security (see section 7 below).

5. Key obligations 

Brazil: Not applicable.

Peru

DCL

The Digital Security obligations are the following:

  • report every data breach to the National Centre for Digital Security;
  • deploy physical, technical, organisational and legal security measures to guarantee the confidentiality of messages, content and information transmitted through the entity's communications services;
  • manage digital security risks within the organisation so as to establish controls protecting the confidentiality, integrity and availability of information;
  • set up mechanisms to verify the identity of persons accessing a digital service, in accordance with the risk level involved and current personal data protection regulations;
  • in the event of a digital security incident affecting personal data, the public entity must notify the Data Protection Authority (DPA);
  • maintain a secure, scalable and interoperable infrastructure.
DGL

The public entities must comply with the following obligations: 

  • report every data breach to the National Centre for Digital Security;
  • implement an Information Security Management System, which requires the public entity to develop a set of cybersecurity policies, guidelines, procedures and resources to protect its information assets against information security and digital security risks and incidents;
  • adopt measures for the management of digital security risks and incidents affecting the entity's assets;
  • disseminate early warnings, alerts and information on digital security risks and incidents within the entity;
  • ensure effective, efficient and secure investigation of incidents and cooperation with the National Centre for Digital Security;
  • provide the resources and measures necessary for the effective management of digital security incidents;
  • require its software development suppliers to comply with standards, technical rules and security best practices;
  • in the event of a digital security incident affecting personal data, notify the Data Protection Authority (DPA) within 48 hours of becoming aware of the breach.

6. Sanctions & non-compliance 

Brazil

Administrative sanctions under the LGPD:

  • warning;
  • a fine of up to 2% of the revenue in Brazil of the entity, group or conglomerate in its last fiscal year, capped at BRL 50 million per infraction;
  • a daily fine;
  • publication of the infraction;
  • blocking of the personal data to which the infraction relates until the situation is regularised;
  • erasure of the personal data to which the infraction relates.
Criminal sanctions:

Invasion of an IT device is punishable by a fine and imprisonment of three months to two years.

Others: 

Under the LGPD:

Individual claims for damages and losses caused by violations of personal data. Claims by consumer protection bodies and the Public Prosecutor for damages and losses caused by violations of the data subject's personal data.

Peru

The DCL Regulations are expected to detail infringements and penalties for non-compliance with the Digital Security provisions.

Under the DGL, an official responsible for performing an obligation who fails to comply may receive (i) a verbal or written warning, (ii) suspension without pay for up to 12 months, or (iii) dismissal.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Brazil: CERT.br is the Brazilian National Computer Emergency Response Team.

A list of CSIRTs can be found here: www.cert.br

Peru: under the DCL, the National Centre for Digital Security is responsible for identifying, protecting against, detecting, responding to, recovering from and collecting information on digital security incidents.

The DCL and the DGL also establish the National Digital Security Incident Response Team, responsible for (i) managing the response to and recovery from digital security incidents in the country and (ii) coordinating with similar teams at national and international level in dealing with digital security incidents.

8. National cybersecurity incident management structure

Brazil: N/A

Peru: there is no national cybersecurity incident management structure yet.

9. Other cybersecurity initiatives 

Brazil: a cybersecurity law as envisaged by E-Ciber, which has yet to materialise.

Peru:

  • On 1 February 2019, Peru joined the Convention on Cybercrime (the Budapest Convention), the first international treaty to address computer and internet crime.
  • Supreme Decree No. 050-2018-PCM defines “digital security” as the state of confidence in the digital environment resulting from the management and implementation of proactive and reactive measures against risks that affect the security of people.
Carolina Vaissman Uribe
Senior Associate
Rio de Janeiro
Cecilia Kahn
Associate
Lima
Ana Lucia Taboada
Maria Alejandra Ortiz