Personal data protection in Peru is governed by the Ley de Protección de Datos Personales (Law No. 29733) and its implementing regulation, Decreto Supremo No. 003-2013-JUS. The Supreme Decree (the Reglamento) spells out how the law is applied and enforced. In 2017, Decreto Legislativo No. 1353 strengthened the data protection regime and created the National Authority for Transparency and Access to Public Information; it also amended several articles of the original law and introduced new requirements.
These provisions give effect to a fundamental right recognized in Article 2, Paragraph 6 of the Political Constitution of Peru, which guarantees every person the right "to the assurance that information services, whether computerized or not, whether public or private, will not provide information affecting personal and family privacy." The law pays particular attention to sensitive data, which includes biometric data, economic and health information, and data revealing, among other things, racial or ethnic origin and political or religious convictions.
Collectively, these laws and regulations constitute the framework for data privacy legislation in Peru.
Principles that Guide Peru’s Data Protection
Articles 4-11 of Title II, Guiding Principles, of Ley No. 29733 set out the principles that govern the processing of personal data by controllers in public and private administration within Peru. Article 12, Value of the Principles, adds that owners of personal data banks (controllers) must comply with them. Articles 6-10 of Title II of Decreto Supremo No. 003-2013-JUS expand on the same principles. The principles covered by the law and the regulation are summarized below:
- Principle of Legality: Personal data must be processed in accordance with the law. Collecting or compiling personal data by fraudulent, unfair, or unlawful means is prohibited. (Article 4 of Ley No. 29733)
- Principle of Consent: Article 5 of Ley No. 29733 and Article 7, Title II of Decreto Supremo No. 003-2013-JUS require the data subject's consent for processing. The regulation requires that consent be free, prior, express, unequivocal, and informed; it must be given in conditions that leave no doubt that it was granted, and implied or assumed consent is not accepted. Processing is lawful only when consent meeting these conditions has been obtained (or another legal basis recognized by the law applies).
- Principle of Purpose: Article 6, Title II of Ley No. 29733 and Article 8, Title II of Decreto Supremo No. 003-2013-JUS require that the purpose of collection be lawful, specific, and explicit. Processing may not be extended to any purpose other than the one stated unequivocally at the time of collection. The only exception is processing for historical, statistical, or scientific purposes, and even then the law expects a dissociation or anonymization procedure to be applied.
- Principle of Proportionality: All processing of personal data must be adequate, relevant, and not excessive in relation to the purpose for which the data was collected. (Article 7 of Ley No. 29733)
- Principle of Quality: Article 8 of Ley No. 29733 and Article 9 of Decreto Supremo No. 003-2013-JUS require personal data to be truthful, accurate, and, as far as possible, up to date, necessary, pertinent, and adequate to the purpose of processing. The data must be kept in a way that guarantees its security and only for as long as needed to fulfil that purpose.
- Principle of Security: Article 9 of Ley No. 29733 and Article 10 of Decreto Supremo No. 003-2013-JUS require the owner of the personal data bank (the controller) and the processor to adopt the technical, organizational, and legal measures necessary to guarantee the security of the data. The measures must be appropriate to the type of processing and the category of data involved, and must prevent adulteration, loss, or diversion of information, whether intentional or not, and whether the risk comes from human action or from the technical means used.
- Principle of Availability of Recourse: Also translated as the 'Principle of Provision of Appeal', this principle requires that a data subject whose rights are violated has administrative and/or judicial channels through which to seek redress. (Article 10 of Ley No. 29733)
- Principle of Adequate Level of Protection: For cross-border flows of personal data, a sufficient level of protection must be guaranteed for the data to be processed, at least comparable to that provided by this law or by international standards on the matter. (Article 11 of Ley No. 29733)
Note: In Ley No. 29733, Decreto Supremo No. 003-2013-JUS, and Decreto Legislativo No. 1353, the 'owner of personal data' (titular de datos personales) is the data subject, the 'owner of the personal data bank' (titular del banco de datos personales) is the data controller, and the 'processor' (encargado de tratamiento) processes data on the controller's behalf. A 'personal data bank' is any organized set of personal data, automated or not, maintained by a public or private entity.
Rights of the Data Subject
The rights of the data subject were originally set out in Articles 18-25 of Ley No. 29733 and Articles 60, 61, 64-67, 71, and 72 of the Decreto Supremo. Some of them were later amended by the Third Complementary Modifying Provision of Decreto Legislativo No. 1353. The data subject may exercise the following rights to protect their data:
- Right to Information: The data subject has the right to be informed, in a simple and detailed manner and before their data is collected, about the purpose of processing, the recipients, the retention period, the existence of the data bank, the identity and address of the controller and, where applicable, the processor, and the other matters listed in the law. When data is collected online, this right may be satisfied through an easily accessible privacy policy. (Article 18 of Ley No. 29733 and Article 60 of Decreto Supremo No. 003-2013-JUS)
- Right of Access: The data subject has the right to obtain information about how their personal data is processed in publicly and privately administered data banks, including the reason for collection, the way it was collected, and at whose request. (Article 19 of Ley No. 29733 and Article 61 of Decreto Supremo No. 003-2013-JUS)
- Right to Update, Inclusion, Rectification, and Elimination or Deletion: Where personal data is partially or completely inaccurate, incomplete, erroneous, no longer necessary or pertinent to the purpose, or where the retention period has expired or the data subject has revoked consent, the data subject may require the data to be updated, completed, rectified, or deleted. (Article 20 of Ley No. 29733 and Articles 64-67 of Decreto Supremo 003-2013-JUS)
- Right to Prevent the Supply: The data subject has the right to prevent their personal data from being supplied to others, especially where doing so would affect their fundamental rights. (Article 21 of Ley No. 29733)
- Right of Opposition: The data subject may object, for a legitimate and well-founded reason relating to a specific personal situation, to appearing in a data bank or to the processing of their data, unless a law provides otherwise. If the objection is justified, the controller or processor must proceed as the law requires and delete the personal data concerned. (Article 22 of Ley No. 29733 and Article 71 of Decreto Supremo 003-2013-JUS)
- Right to Objective Processing: Also translated as the 'Right to Objective Treatment', this right protects the data subject from being subjected to a decision that has legal effects on them, or affects them significantly, when that decision is based solely on automated processing of personal data intended to evaluate aspects of their personality or conduct. The law admits exceptions, for instance where the decision is taken in the negotiation, conclusion, or performance of a contract. (Article 23 of Ley No. 29733 and Article 72 of Decreto Supremo 003-2013-JUS)
- Right to Protection: Also translated as the 'Right to Guardianship' (tutela), this right allows a data subject whose exercise of the above rights is denied, in whole or in part, by the controller or processor to file a claim with the National Authority for Personal Data Protection (NAPDP, in Spanish ANPD) or to seek a habeas data action before the judiciary. (Article 24 of Ley No. 29733)
- Right to be Indemnified: Also translated as the 'Right to be Compensated', this right entitles the data subject to compensation for harm suffered as a result of non-compliance with the law by controllers, processors, or third parties. (Article 25 of Ley No. 29733)
Penalties as per the Violations
Article 35, Types of Sanctions, in Title V, Sanctions Regime, of Decreto Legislativo No. 1353 lists written warning, suspension, fine, dismissal, and disqualification as possible sanctions; these are directed at public officials who breach the transparency and access-to-information regime that decree established. Infringements of the data protection law itself are sanctioned under Articles 38-40 of Ley No. 29733, as described below.
The data protection framework divides the measures into two categories: administrative sanctions and coercive fines.
- Administrative Sanctions: According to Article 39 of Ley No. 29733, the National Authority for Personal Data Protection (NAPDP) imposes fines according to the seriousness of the infringement:
- Infringements classified as minor: a fine from 0.5 up to 5 Tax Units (UIT).
- Infringements classified as serious: a fine of more than 5 up to 50 UIT.
- Infringements classified as very serious: a fine of more than 50 up to 100 UIT.
In no case may the fine exceed 10% of the gross annual income earned by the alleged infringer in the previous financial year.
Article 124 of the Decreto Supremo states that the UIT value used to calculate a fine is the one in force on the date the infringement is detected by the General Directorate of Personal Data Protection.
- Coercive Fines: Article 40 of Ley No. 29733 allows the NAPDP, in enforcement proceedings and in addition to any sanction already imposed, to levy coercive fines for continued non-compliance; a coercive fine may not exceed 10 UIT. Article 131 of the Decreto Supremo governs how they are applied: the Sanctions Directorate may impose coercive fines for non-compliance with the law and the regulation, graded by the seriousness of the infringement as follows:
- Minor Infraction: The coercive fine will be from 0.2 to 2 UIT.
- Serious Infraction: The coercive fine will be from 2 to 6 UIT.
- Very Serious Infraction: The coercive fine will be from 6 to 10 UIT.
Note: The UIT is set annually by the Peruvian government. For 2024 one UIT is 5,150 Peruvian soles (PEN), roughly US $1,381 at 2024 exchange rates; the amount in soles changes each year, so always check the value in force on the date of detection.
Complying with the Data Protection Law and Regulation of Peru
Public and private entities that control or process the personal data of people in Peru must comply with the Ley de Protección de Datos Personales and with the Decreto Supremo (the Reglamento de la Ley No. 29733). In practice, organizations must:
- Obtain personal data by fair and lawful means.
- Obtain free, prior, express, unequivocal, and informed consent from the owners of the personal data (the data subjects), and be able to show that it was given.
- Have a specific, explicit, and lawful purpose for processing, and not reuse the data for other purposes.
- Collect only personal data that is accurate, truthful, and necessary, and keep it up to date.
- Process data that is adequate, relevant, and not excessive in relation to the purpose.
- Permanently erase data from the personal data bank once the purpose has been fulfilled, the retention period has expired, or the data subject has revoked consent.
- Keep evidence of that destruction, such as a certificate of data erasure, as an audit trail that supports compliance with Ley No. 29733.
Controllers and processors may use a certified data erasure tool such as BitRaser to erase data from the personal data bank permanently. BitRaser is a tested and certified data wiping tool that generates a certificate of data destruction, which helps organizations demonstrate compliance with data protection laws such as the EU GDPR, Brazil's LGPD, and Mexico's LFPDPPP, as well as Peru's Ley No. 29733.