Barrios & Fuentes Abogados
The following law(s) specifically govern personal data / information:
Law # 29733, Data Protection Law and the Supreme Decree # 003-2013-JUS.
Furthermore, the voluntary code of conduct on data privacy deals with data protection.
The key data protection principles in this jurisdiction are:
Express acceptance by the data subject for the treatment of personal data is required.
The data subject has a right to access their personal data, as well as to cancel and modify the acceptance given for the treatment of personal data.
The supervisory authority / regulator in charge of data protection is:
The Ministry of Justice, which has an internal Data Protection Authority.
Is there a requirement to register with a supervisory authority / regulator?
Only databases need to be registered, but not the organisations themselves.
The information provided relates to the purpose and kind of treatment of the data, and details the source of the data, how the data was obtained, the safety controls, and whether the data is going to be transferred abroad.
A fee is payable for such registration.
Is there a requirement to notify the supervisory authority / regulator?
If data is transferred to another jurisdiction, it is a mandatory requirement to report / notify this activity to the Data Protection Authority.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, the link is as follows:
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects have the right:
- To be informed of the purpose for which personal data is being processed and the identity of the entity that will hold the information;
- To access, update, reject, modify, include, accept and delete the private information and the personal data in general held by an entity about them; and
- To request protection from the authority in case the rights are not respected and to be indemnified in case of damages.
Is there a requirement to appoint a data protection officer (or equivalent)?
A data protection officer can be appointed voluntarily.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
This jurisdiction does not have any specific data breach notification requirements.
Instead, the applicable requirements depend on who committed the breach, who the plaintiff is, and who is requesting sanctions against the person or entity responsible for the breach.
The data breach procedure is an administrative legal claim before the Data Privacy Protection Authority.
The following restrictions apply to the international transfer of personal data / information:
No restrictions apply to the international transfer of personal data except that:
- There is a requirement to notify the Data Protection Authority; and
- That any contract for such transfer contains a clause confirming that the country to which the data is transferred has at least the same standards of data privacy as Peru or the organisation receiving the data will comply with the Peruvian data privacy laws.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, not in general terms.
It falls only on the obligor (i.e. the entity that received and treated personal data) to comply with Peruvian regulation, regardless of whether the obligor is located in Peru or abroad.
Peruvian law also applies where a contract specifically establishes such jurisdiction or where international law applies. This could be described as having extra-territorial effect.
The following rules specifically deal with marketing:
Peru does not have rules specifically dealing with marketing; instead, the general rules apply.
Do different rules apply to business-to-business and business-to-consumer marketing?
The same rules apply to business-to-business and business-to-consumer marketing.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Peru does not have rules specifically dealing with electronic marketing; instead, the general rules apply.
The following rules specifically deal with cookies:
Peru does not have rules specifically dealing with cookies.
However, the regulation (Law # 29733) applies if the data is treated.
The consequences of non-compliance with data protection laws (including marketing laws) are:
The company, person or entity breaching data protection laws may be fined by the Ministry of Justice.
Fines range from 0.5 to 100 Tax Reference Units, depending on the infraction. Our Tax Reference Unit equals S/4,400 (approximately USD 1,260). In any case, the fine cannot be higher than 10% of the annual net proceeds of the previous year.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinationals should be aware of the rules on international data transfers and the requirement to have a clause in the contract whereby the recipient guarantees that the minimum standard shall be the Peruvian law on data privacy.
Multinational organisations should be aware of the following upcoming data protection developments:
Projects on data privacy are being discussed, but at the moment there are no changes due to be approved by the Peruvian Government.