Barrios & Fuentes Abogados

 

What law(s) specifically govern personal data / information?

The Peruvian Constitution, Law #29733, Data Protection Act and the Supreme Decree #003-2013-JUS.

Furthermore, the voluntary code of conduct on data privacy deals with data protection.

 

What are the key data protection principles in this jurisdiction?

The guiding principle of the Peruvian data protection regulatory framework is the express acceptance by the data subject for the processing of their personal data.

Besides that, data subjects have the rights to be informed, to have access, to rectify, and to eliminate the acceptance of the processing of personal data previously provided, among others. These rights are encompassed by the acronym “ARCO”.

 

What is the supervisory authority / regulator in charge of data protection?

The General Transparency, Information Access, and Data Protection Direction, which belongs to the Ministry of Justice, acts as the National Data Protection Authority and is in charge of enforcing the pertinent data protection laws.

 

Is there a requirement to register with a supervisory authority / regulator?

Personal data processed by any organisation that creates a database must be registered with the Ministry of Justice. This provision applies to the database instead of the organisation itself.

The data which is subject to registration relates to the purpose and kind of processing of the data and should detail the source of the data, how the data was obtained, the safety controls and if the data is going to be transferred abroad.

A fee is payable for such registration and its approval is made in an administrative ruling.

 

Is there a requirement to notify the supervisory authority / regulator?

If data is transferred to another jurisdiction, it is a mandatory requirement to report / notify this activity to the Data Protection Authority.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, the link is as follows: https://www.gob.pe/8060

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Data subjects have the following main rights:

  • To be informed of the purpose for which personal data is being processed and the identity of the entity that holds the information;
  • To access, update, reject, modify, include, accept and delete the private information and the personal data held by an entity about them as well as give their express acceptance for processing; and
  • To request protection from the Data Protection Authority in case the rights are not respected and to be indemnified by an entity that processes personal data in case of damages.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

A data protection officer can be appointed voluntarily in any organisation. Despite not being mandatory, it is a highly recommended practice. Their main functions would be to (i) supervise the implementation and application of internal personal data policies, (ii) train employees on personal data protection, (iii) ensure the security and protection of documents containing personal data and, (iv) handle requests submitted by data subjects in the exercise of their rights.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

In principle, no. Nevertheless, the applicable regulation obliges the controller and processor of personal data to store it in a way that enables the data subjects to exercise their rights. This implies the requirement to adopt technical, organisational, and legal measures to avoid alteration, loss and unauthorized access to or processing of personal data.

Therefore, it is undeniable that the data controller and processor, if applicable, might take actions to comply with these legal requirements, which impact how processes in organisations are carried out.

 

Does this jurisdiction have any specific data breach notification requirements?

Peru does not have any specific data breach notification requirements.

Instead, the applicable requirements depend on who committed the breach, who is the plaintiff and who is requesting sanctions of the person or entity responsible for the breach.

The data breach procedure is an administrative legal claim before the Data Protection Authority.

 

What restrictions apply to the international transfer of personal data / information?

No restrictions apply to the international transfer of personal data except that:

  • The consent of the data subject is needed prior to transferring the data;
  • There is a requirement for the controller and processor to notify the Data Protection Authority; and
  • If the data importer country doesn’t have at least the same standards of data privacy as Peru, the exporter must guarantee that the personal data is treated according to the Peruvian legal framework and the importer assumes the same obligations.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

No, not in general terms. The National Data Protection Law applies to personal data treated in Peruvian territory.

 

What rules specifically deal with marketing?

Peru does not have rules specifically dealing with marketing; instead the general rules apply.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The same rules apply to business-to-business and business-to-consumer marketing.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

Peru does not have rules specifically dealing with electronic marketing; instead the general rules apply.

 

What rules specifically deal with cookies?

Peru does not have rules specifically dealing with cookies.

However, data gathering through cookies which enable the identification of individuals is considered data processing. Therefore, data protection regulation and principles are applicable, which includes the obligation to clearly inform the data subject of the use of the information and data (including the use of cookies), and to inform the data subject what will happen to such information once the data subject visits a website or other virtual site.

Moreover, the Data Protection Authority has advised that legal obligations vary depending on whether the entity responsible for the cookie is the domain owner or it is a third party, and the processing purpose, and may involve informing the data subject of an international transfer of personal data.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The company, the person or the entity breaching data protection laws may receive a fine from the Ministry of Justice.

Fines range from 0.5 to 100 Tax Reference Units, depending on the infraction. One Peruvian Tax Reference Unit, until December 31st, 2022, was equal to S/4,600, and from January 1st, 2023, is equal to S/4,950 (USD1,308, approximately). In any case, the fine cannot be higher than 10% of the annual net proceeds of the previous year.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Multinationals should be aware of the rules on international data transfers and the requirement to have a clause in the contract whereby the recipient guarantees that the minimum standard shall be the Peruvian law on data privacy.

Also, the trend in the region is that every organisation that is processing personal data should comply with the national regulations and international standards, and should prove this compliance status. This is known as the “principle of accountability”.

 

What upcoming data protection developments should multinational organisations be aware of?

Projects on data privacy are being discussed, but at the moment there are no changes approved by the Peruvian Government.

In spite of this, owing to Decision 897 of the Andean Community approved in July 2022, Peru is obliged to incorporate its guidelines within the next 2 years, as a member country. The legal system promoted by the Community is of a supranational nature, of mandatory compliance and is in force in Peru, Ecuador, Colombia and Bolivia. The decision itself seeks to replace a previous Decision on the matter and establish Community guidelines on the protection of users' rights in the area of access to and use of telecommunications networks and services.

On the other hand, in October 2022, the General Transparency, Information Access, and Data Protection Direction approved the Guide for the Implementation of Standard Contractual Clauses for International Transfers of Personal Data, published by the Ibero-American Network for the Protection of Personal Data, which includes non-binding guidance for international transfers of personal data from member countries of the Network to non-adequate jurisdictions.

So, if the destination country is not recognized as providing an adequate level of protection, then the international transfer may be carried out through a transfer mechanism that provides adequate safeguards, such as standard contractual clauses.

 

Need more information?
Contact a member firm:
German Barrios Fernandez Concha
Barrios & Fuentes Abogados
Peru


Raul Barrios Fernandez Concha
Barrios & Fuentes Abogados
Peru