Data protection and cybersecurity laws in Peru

Data protection

1. Local data protection laws and scope

  • Law No. 29733, Personal Data Protection Law (“Personal Data Protection Law”), which includes the provisions (such as principles, obligations, data bank registration and fines) applicable in Peru regarding personal data protection.
  • Supreme Decree No. 003-2013-JUS, Regulation of the Personal Data Protection Law (“Regulations”), which details with further precision the provisions established in the Law.
  • Directorial Resolution No. 019-2013-JUS/DGPDP, Guidelines on Security of Information (optional and guidance standard), which provides guidance on the conditions, requirements and technical measures to be considered in order to comply with security measures for the personal data protection.  
  • Directorial Resolution No. 02-2020-JUS/DGTAIPD, Guidelines on the processing of personal data using video-surveillance systems (optional and guidance standard), which aims to establish guidelines for the treatment of personal data that are captured through video surveillance systems for security and labour control purposes.
  • Resolution No. 0326-2020-JUS, Methodology for the Calculation of Personal Data Protection Fines, which aims to provide uniform, predictable and objective guidelines and criteria regarding the imposition of fines.

The main provisions established in the above-mentioned data protection laws are as follows:

  • The data protection laws apply to information relating to data subjects who are identified or identifiable (natural persons).
  • The data protection laws apply to automated and non-automated data processing operations.
  • They apply to the party determining the purposes and means of processing personal data established in Peru (“data controller”).
  • They apply to the party processing the data on behalf of the data controller (“data processor”).
  • They apply to the party processing the data on behalf of the data processor (“data sub-processor”).

The Personal Data Protection Law and its Regulations applies to any person, legal entity or public entity that processes personal data:

  • within national territory;
  • when carried out by a data processor, regardless of its location, in the name of a data controller established in Peru;
  • when the data controller is not established in Peru, but the Peruvian legislation is applicable by contractual or international law; and
  • when the data controller is not located in Peru but uses means located in the territory, unless such transit does not involve data processing.

Moreover, the existence of special rules, even where they include provisions on personal data, does not exclude compliance with the Personal Data Protection Law.

2. Data protection authority

3. Anticipated changes to local laws

There are no anticipated changes to local laws. 

4. Sanctions & non-compliance

Administrative sanctions:

The DPA has powers to impose the following sanctions: 

  • Fines of up to approximately USD 120,500. Fines will depend on the type of infraction committed according to the Methodology for the Calculation of Personal Data Protection Fines. 
  • Corrective measures, such as the obligation to register a database, communicate the cross-border flow, delete personal data, among others.

Criminal sanctions:

The Criminal Code details certain offences in the field of personal data:

  • Illegal traffic of personal data: a person who illegitimately commercialises non-public information related to the personal and sensitive sphere will be punished with imprisonment of not less than two nor more than five years.
  • Dissemination of images, videos or audio with sexual content: whoever reveals, disseminates or commercialises images (or audio without the person's consent) shall be punished with imprisonment of not less than two nor more than five years and with thirty to 120 days’ fine.
  • Disclosure of personal and family privacy: anyone who discloses aspects of another person's personal or family life that he/she came to know through (i) work performed for the affected party or (ii) a position of trust shall be punished with imprisonment of not more than one year.
  • Improper use of computer files: anyone who improperly uses any file containing data relating to political or religious beliefs and other aspects of the intimate life of one or more persons shall be liable to imprisonment for a term of not less than one year and not more than four years.

Others:

In addition to filing a complaint with the DPA, a data subject may also claim damages in court, which may cover material and moral damages.

5. Registration / notification / authorisation

The Personal Data Protection Law does not require prior notification or registration to the DPA for any data processing activities.

6. Main obligations and processing requirements

Consent requirements

Personal data can only be processed with the consent of its owner, which must be prior, informed, express and unequivocal.

Consent may be obtained through written or verbal means. In the case of sensitive data, consent must be given in written form.

Information requirements

The data controller must provide the data subject with the following information: (i) the identity and address of the data controller and, if applicable, of the data processor; (ii) the purpose of the personal data processing; (iii) who the recipients may be (national or international transfers); (iv) the existence of the data bank where the information will be stored; (v) the mandatory or optional nature of the proposed questionnaire; (vi) the consequences of providing personal data and of refusing to do so; (vii) any transfer of personal data; (viii) the period for which personal data will be held; and (ix) the means and possibility of exercising the rights of access, rectification, opposition and cancellation.

General obligations

The data controller and the data processor, when applicable, must comply with the following obligations:

  • Not to collect personal data by fraudulent, unfair or illegal means;
  • Collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
  • Not to use personal data for any purpose other than those for which it was originally collected, unless such data undergoes an anonymisation or dissociation process;
  • Store personal data in such a manner that allows data subjects to enforce their rights;
  • Delete or replace personal data upon knowledge of its inaccuracy or incompleteness;
  • Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process;
  • Provide the information that the DPA requests.

7. Data subject rights

The following are the rights granted to data subjects:

  • Right to request information;
  • Right of access to personal data;
  • Right to update, include or rectify personal data;
  • Right to delete personal data;
  • Right to prevent the supply of personal data;
  • Right to object to the processing of personal data;
  • Right to objective processing;
  • Right to claim protection; and
  • Right to be indemnified.

8. Processing by third parties

In general, the data processor must comply with the following obligations:

  • It is prohibited to transfer personal data for the provision of processing services to third parties, unless authorised by the data controller and the personal data subject has given his or her consent;
  • To carry out the processing of personal data according to the instructions of the data controller and exclusively for the purpose established in the agreement between the two;
  • In order to contract a data sub-processor, the data processor must have the data controller’s authorisation; 
  • The data processor may keep the data for a maximum of two years from the end of the last assignment;
  • The data sub-processor assumes the same obligations as the data controller and data processor in accordance with the Personal Data Protection Law and its Regulation;
  • Deploy the technical, organisational and legal measures that guarantee the security of personal data processing;
  • To maintain confidentiality regarding the personal data processing ordered by the data controller.

9. Transfers out of country

General rules

Two rules may apply to the data transfer outside the country: 

  • Personal data can be transferred to other countries whose protection level is adequate, according to the Peruvian Data Protection Law and its Regulation; and 
  • If the destination country does not have an adequate protection level, the recipient shall guarantee that the data processing will be carried out in accordance with the Peruvian Data Protection Law and its Regulation.

10. Data Protection Officer

There is no legal requirement to have a Data Protection Officer.

11. Security

The data controller and the data processor must deploy organisational, technical, and legal measures to protect personal data against damage, loss, alteration or unauthorised access or processing. Personal data should be stored in databases that meet the following conditions:

  • Access control and management;
  • Management of privileges and their periodic verification;
  • Identification and authentication procedures;
  • Preservation, back-up and recovery of personal data;
  • Implementation of security measures for the storage of non-authentic documents;
  • Authorisation of reproduction or copying;
  • Access to records limited to authorised personnel; 
  • Generate a record of logical data interactions, including access information, time of login and logout; and
  • Apply security measures when personal data are transferred.

12. Breach notification

In the field of personal data, there is currently no obligation applicable to private persons to report a data breach to the Data Protection Authority. This might change upon the passing of the Digital Confidence Law Regulations.

Public entities, however, must report any data breach involving personal data to the Data Protection Authority within 48 hours of becoming aware of the breach.

The Guidelines on Security of Information recommend keeping a documented record of incidents and of the actions taken, including notification of the affected data subject.

13. Direct marketing

  • The Data Protection Law and its Regulations apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person.
  • Article 58.1 of the Consumer Code (Law No. 29571) prohibits the use of aggressive or deceptive commercial communication practices without the data subject’s consent. In this regard, it is prohibited to use call centres, telephone call systems, text messages to cell phones or mass emails to promote products and services, or to provide telemarketing services, to any telephone numbers and email addresses of consumers who have not given their prior, informed, express and unequivocal consent. In case of non-compliance, a fine of up to USD 600,000 can be imposed.

14. Cookies and adtech

Cookies, adtech and online marketing are not regulated directly by the Personal Data Protection Law. However, the Personal Data Protection Law and its Regulations will apply if personal identifiable information is collected and processed through cookies, adtech and online marketing. 

15. Risk scale

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

The Emergency Decree No. 007-2020, Digital Confidence Law (“DCL”), aims to establish the measures necessary to ensure trust in digital services, including digital security.

The Supreme Decree No. 029-2021-PCM, Digital Government Law Regulations (“DGL”), regulates the management of new technologies in public entities in the provision of digital services to citizens, which includes the management of Digital Security Incident Response.

2. Anticipated changes to local laws

The passage of the DCL Regulations is pending. It is expected that this regulation will detail the process that obligated subjects must follow to report data breaches. The regulation is expected to be issued in 2021.

3. Application

In accordance with the DCL, the obligations regarding Digital Security apply to the following:

  • Public entities;
  • Providers of digital services from: 
    • Financial sector;
    • Basic services (electricity, water and gas);
    • Health; and 
    • Passenger transport,
  • Internet service providers;
  • Critical service providers; and
  • Educational providers.

The obligations detailed in the DGL only apply to public entities.

5. Key obligations

DCL

The obligations related to Digital Security are the following: 

  • Report every data breach to the National Centre for Digital Security;
  • Deploy physical, technical, organisational and legal security measures to guarantee the confidentiality of messages, content and information transmitted through its communications services;
  • Manage digital security risks in the organisation in order to establish controls to protect the confidentiality, integrity and availability of information;
  • Set up mechanisms to verify the identity of persons accessing a digital service in accordance with the risk level involved and current regulations on personal data protection;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA);
  • Keep a secure, scalable and interoperable infrastructure.

DGL

The public entities must comply with the following obligations: 

  • Report every data breach to the National Centre for Digital Security;
  • Implement an Information Security Management System, which requires that the public entity develop a set of cybersecurity policies, guidelines, procedures and resources to protect its information assets against information security and digital security risks and incidents;
  • Adopt measures for the management of digital security risks and incidents affecting the entity's assets;
  • Spread early warnings, alerts and information about digital security risks and incidents in their entity;
  • Ensure effective, efficient and secure research and cooperation with the National Centre for Digital Security;
  • Provide the necessary resources and measures to ensure the effective management of digital security incidents;
  • Require its software development suppliers to comply with standards, technical rules and security best practices;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA) within 48 hours of becoming aware of the security breach. 

6. Sanctions & non-compliance 

The DCL regulation is expected to detail infringements and penalties for non-compliance with Digital Security provisions.

In accordance with the obligations detailed in the DGL, in the event of non-compliance, the person in charge of executing the obligation may receive (i) a verbal or written warning, (ii) suspension without pay for up to 12 months, or (iii) dismissal.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The DCL provides that the National Centre for Digital Security is responsible for identifying, protecting, detecting, responding to, retrieving and collecting information on digital security incidents. 

Likewise, the DCL and the DGL establish the National Digital Security Incident Response Team, which is responsible for: (i) managing the response to and/or recovery from digital security incidents in the country and (ii) coordinating and articulating actions with other teams of a similar nature at the national and international level to deal with digital security incidents.

8. National cybersecurity incident management structure

There is no national cybersecurity incident management structure yet.

9. Other cybersecurity initiatives 

  • On 1 February 2019, Peru joined the Budapest Convention, the first international treaty to address computer and internet crime.
  • Supreme Decree No. 050-2018-PCM defines the term ‘digital security’ as the state of confidence in the digital environment resulting from the management and implementation of proactive and reactive measures against risks that affect the security of people.

Cecilia Kahn
Ana Lucia Taboada
Maria Alejandra Ortiz