Barrios & Fuentes Abogados


What law(s) specifically govern personal data / information?

The Peruvian Constitution, Law #29733 (the Data Protection Act) and Supreme Decree #016-2024-JUS, which entered into effect on March 30th, 2025.
Furthermore, the voluntary code of conduct on data privacy deals with data protection.


What are the key data protection principles in this jurisdiction?

The guiding principle of the Peruvian data protection regulatory framework is the express acceptance and consent by the data subject for the processing of the personal data.

Besides that, data subjects have the rights to be informed, to access, to rectify, and to cancel (withdraw) consent previously given to the processing of their personal data, among others. These rights are encompassed by the acronym 'ARCO'.
From November 30th, 2025 the position of Data Protection Officer will be mandatory for companies and entities that handle sensitive data and for companies whose annual sales reach the threshold of USD$3 500 000.


What is the supervisory authority / regulator in charge of data protection?

The General Directorate of Transparency, Access to Information and Data Protection, which belongs to the Ministry of Justice, acts as the National Data Protection Authority, in charge of enforcing the pertinent data protection laws.


Is there a requirement to register with a supervisory authority / regulator?

Any organisation that creates a database of personal data must register it with the Ministry of Justice. This provision applies to the database itself, not to the organisation.

The information subject to registration concerns the purpose and kind of processing of the data, and should detail the scope of the data and whether the data will be transferred abroad.

Registration is free of charge from March 30th, 2025.


Is there a requirement to notify the supervisory authority / regulator?

If data is transferred to another jurisdiction, it is mandatory to report / notify this activity to the Data Protection Authority.


Is it possible to register with / notify the supervisory authority / regulator online?

Yes, the entire registration process is fully online.


What are the key data subject rights under the data protection laws of this jurisdiction?

Data subjects have the following main rights:

  • To be informed of the purpose for which personal data is being processed and the identity of the entity that holds the information;
  • To access, update, object to, modify, add to, accept and delete the private information and the personal data held by an entity about them, as well as to give their express acceptance for processing;
  • To request protection from the Data Protection Authority in case these rights are not respected, and to be indemnified by an entity that processes personal data in case of damages; and
  • To provide express and written consent on behalf of minors.


Is there a requirement to appoint a data protection officer (or equivalent)?

Yes; the requirement was recently approved and will be effective from November 2025. The main functions of the officer will be to (i) supervise the implementation and application of internal personal data policies, (ii) train employees on personal data protection, (iii) ensure the security and protection of documents containing personal data, (iv) act as liaison officer with the Data Protection Authority and (v) handle requests submitted by data subjects in the exercise of their rights, among others as indicated by the company involved.


Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

In principle, no; ISO 27001 certification is voluntary. Nevertheless, the applicable regulation obliges the controller and processor of personal data to store it in a way that enables the data subjects to exercise their rights. This implies the requirement to adopt technical, organisational and legal measures to avoid alteration, loss and unauthorised access to or processing of personal data.

Therefore, the data controller and, where applicable, the processor should take actions to comply with these legal requirements.


Does this jurisdiction have any specific data breach notification requirements?

Yes, within the first 48 hours of the breach. The notification is made to the authority.

Besides, the data breach procedure is an administrative legal claim before the Data Protection Authority.


What restrictions apply to the international transfer of personal data / information?

No restrictions apply to the international transfer of personal data except that:

  • The consent of the data subject is needed prior to transferring the data;
  • There is a requirement for the controller and processor to notify the Data Protection Authority; and
  • If the data importer's country does not have at least the same standards of data privacy as Peru, the exporter must guarantee that the personal data is treated according to the Peruvian legal framework and that the importer assumes the same obligations, generally by means of an agreement.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, if the data is transferred from Peru. The Data Protection Law applies to personal data treated in Peruvian territory and outside it.


What rules specifically deal with marketing?

General consumer rules and their exceptions are applicable.

Furthermore, consent must be express and prior whenever a company, entity or any other party intends to perform any marketing task.

For business-to-business parties, a first-contact rule applies prior to entering into a marketing contact.


Do different rules apply to business-to-business and business-to-consumer marketing?

Yes. In business-to-business marketing the first contact is legal. However, in business-to-consumer marketing such a first-contact option is not allowed; the consumer must necessarily be the one to contact the merchant or provider.


What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

In business-to-business marketing the first contact is legal by different means, including electronic marketing. However, in business-to-consumer marketing such a first-contact option is not allowed; the consumer must necessarily be the one to contact the merchant or provider. The prohibition on first contact with consumers includes electronic means.


What rules specifically deal with cookies?

The cookie policy must be disclosed to the data subject, and express consent is needed.

Data which is obtained through cookies is considered data processing. Therefore, data protection regulation and principles are applicable, which includes the obligation to clearly inform the data subject of the use of the information and data (including the use of cookies), and to inform the data subject what will happen to such information once the data subject visits a website or other virtual site.

Moreover, the Data Protection Authority has advised that the legal obligations vary depending on whether the entity responsible for the cookie is the domain owner or a third party, and that the data subject must also be informed if an international transfer of personal data will take place.


What are the consequences of non-compliance with data protection laws (including marketing laws)?

The company, the person or the entity breaching data protection laws may receive a fine from the Ministry of Justice.

Fines range from 0.5 to 100 Tax Reference Units, depending on the infraction. For 2025, one Peruvian Tax Reference Unit equals S/5,350 (approximately USD$1,486). In any case, the fine cannot exceed 10% of the annual net proceeds of the previous year.


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Multinationals should be aware of the rules on international data transfers and the requirement to have a clause in the contract whereby the recipient guarantees that the minimum standard shall be the Peruvian law on data privacy.

Also, any organisation processing personal data from Peru must comply with Peruvian law and must be able to prove its compliance. This is known as the 'principle of accountability'.


What upcoming data protection developments should multinational organisations be aware of?

The Peruvian Data Protection Authority recommends that companies handling personal data be certified under ISO 27001 and maintain clear cybersecurity efforts.


German Barrios Fernandez Concha
Barrios & Fuentes Abogados
Peru


Raul Barrios Fernandez Concha
Barrios & Fuentes Abogados
Peru


Raul Barrios Doris Alvaro
Barrios & Fuentes Abogados
Peru