Peru belongs to the group of countries that had a data protection law in place before the GDPR came into effect. The Personal Data Protection Law, Law No. 29733 (DPL), was enacted in July 2011. Supreme Decree No. 003-2013-JUS, the Regulation of the Personal Data Protection Law (Regulations), was then published in March 2013 to expand on the requirements of the Law and lay down detailed rules and provisions on data protection. Together, the Law and its Regulations are the primary pieces of legislation governing data privacy within the country.
The Personal Data Protection Law was subsequently amended by Legislative Decree No. 1353 in January 2017. The law is visibly less stringent than other prominent legislation such as the GDPR and the LGPD, since the obligations it places on data processors and data controllers are relatively limited. For example, covered entities are not required to carry out data protection impact assessments (DPIAs) or to appoint data protection officers (DPOs). Similarly, there are no express breach notification requirements, and no requirement to assess third-party/vendor processing.
However, there are some strict penalties for data controllers and processors for non-compliance with the provisions of the law, while the regulatory authorities are advised to regularly produce educational material for organizations to aid their compliance efforts.
1. Who Needs to Comply with the Law
This is how the Peruvian data protection law applies to entities based on what data they collect and where they're based geographically:
a. Material Scope
The law covers all personal data contained or intended to be contained in personal data databases publicly and privately administered, processed in Peruvian territory by an organisation. It is to be noted that sensitive data is the object of special protection under the law. Additionally, this applies to all forms of data collection carried out by a data controller or a data processor on behalf of a data controller.
b. Territorial Scope
Any collection or processing of personal data that meets the following criteria is subject to the Peruvian data protection law:
- Personal data collected within Peru;
- Personal data collected by a data processor, regardless of location, for a data controller based in Peru;
- Personal data collected for a data controller not based in Peru but subject to Peruvian law based on contractual obligations or international agreements;
- The data controller is not based in Peru but uses means located in Peru for the processing of personal data, except where such means are used only for transit purposes and no data processing is intended.
Moreover, the provisions of this law would not apply to personal data that is to be:
- Used exclusively by individuals for the purposes related to their private and family life;
- Contained or intended to be contained in publicly administered databases where the extent of their processing is necessary for strict compliance according to law for national defense, public security, in criminal matters for the investigation and repression of crime.
Obligations for Data Controllers/Processors Under the Law
One of the major hallmarks of any data protection law is the list of obligations it places on the organisations collecting the data. The Peruvian DPL falls a bit short on that front. As per Law No. 29733, any organisation processing or collecting data on users in Peru is subject to the following obligations:
- Process the personal data only after obtaining the informed, express and unequivocal consent of the data subject;
- Avoid compiling personal data through fraudulent, unfair or illegal means;
- Compile personal data that is updated, necessary, relevant and adequate in connection with the determined, explicit and legal purposes for which it was obtained;
- Not to use the personal data processed for purposes other than those that motivated its initial collection, except in case of anonymization or dissociation procedure;
- Store the personal data in a manner that would make it possible for, and facilitate, the data subject to exercise his or her rights;
- Eliminate and replace or, if applicable, complete the personal data processed when it is aware of its inaccurate or incomplete character, without prejudice to the rights of the data subject in this regard;
- Eliminate the personal data processed when it is no longer necessary or relevant for the purpose for which it was collected or when the term for processing has expired, unless there is an anonymization or dissociation process;
- Ensure that the marketing of personal data contained or intended to be contained in personal data databases is subject to the provisions of the regulation of the Law;
- Adopt technical, organizational and legal measures to guarantee the security of retained or held personal data;
- Avoid the alteration, loss, unauthorized processing or access of stored or retained personal data. The requisites and conditions to be met by personal data databases in matters of security have to be in line with ANPD guidelines. It is prohibited to process personal data in databases that do not meet the requisites and security conditions referred to in the Law;
- Provide to the National Authority for Personal Data Protection (ANPD) the information concerning the processing of personal data required by it and allow it access to the personal data databases for the performance of their functions.
One of the primary responsibilities of any data processor/controller is to process personal data only after obtaining the prior, informed, express, and unequivocal consent of the data subject, unless an authoritative law allows the data to be collected without consent where this is deemed necessary for the national security or interests of the Peruvian state. In the case of sensitive data, consent for processing must also be given in writing. The data subject may also revoke their consent at any time, and the revocation must be honored under the same requisites that applied when the consent was given.
Furthermore, there are express guidelines stating that any collected personal data is not to be used for purposes other than those that motivated its initial collection.
Moreover, the data subject’s consent is not necessary in the following situations:
- The personal data is compiled or transferred for the performance of the functions of the public entities within their competence;
- The personal data is contained or intended to be contained in sources accessible to the public;
- The personal data is related to financial solvency and credit, pursuant to the Law;
- In case of a law for the promotion of competition in regulated markets issued in the performance of the regulatory function by the regulatory entities referred to in Law No. 27332, Framework Law of Regulatory Entities of Private Investment in Public Services or its replacement, provided that the information contributed is not used in violation of the user’s privacy;
- In case the collection or use of the personal data is necessary to perform a contract to which the data subject is a party;
- In case the personal data collection or use is related to the health of the data subject and, if it is necessary, if they are under risk circumstances, for the prevention, diagnosis and medical or surgical treatment of the data subject provided that such treatment is carried out by health science professionals/establishments; or in case of reasons of public interest provided by Law; or if they must be processed for reasons of public health or to conduct epidemiological or similar studies, provided that adequate dissociation procedures are applied;
- In case the processing is carried out by not-for-profit organizations with political, religious or union purposes and refers to the compiled personal data of their respective members, in which case the data must be related to the purpose of their activities and may not be transferred without the consent of the members;
- In case of application of an anonymization or dissociation procedure.
Third Party Processing Requirements
When personal data processing services are rendered on behalf of third parties, the personal data may not be applied or used for any purpose other than the one stated in the executed contract or agreement, nor transferred to other persons, even for storage.
Third parties are also required to comply with the relevant requirements of the DPL. Once the service covered by the contract or agreement has been performed, the processed personal data must be eliminated, unless the party on whose behalf the services were rendered expressly authorizes its retention because additional tasks can reasonably be expected; in that case the personal data may be kept, under due security conditions, for up to the term established by the Regulations of the Law.
Cross-Border Data Transfer Requirements
The Peruvian data protection law allows for cross-border data flows only if the proposed recipient countries have adequate data protection mechanisms. The transfer should be conducted through a formal written binding contract where the data controller is to effectively communicate to the recipients the conditions under which the data subject consented to their processing. The ANPD will evaluate which countries meet these adequate protection requirements.
However, these requirements will not be applicable in the following cases:
- Agreements under international treaties on the matter to which the Republic of Peru is a party;
- Cases of data transfer subject to international judicial cooperation;
- International cooperation between intelligence agencies for the fight against terrorism, illegal drug trafficking, money laundering, corruption, human trafficking, and other forms of organized crime;
- When the transfer of personal data is necessary to implement a contract to which the data subject is a party;
- In case of bank or stock exchange transfers, concerning the respective transactions according to the applicable law;
- When the transborder flow of personal data takes place for the prevention, diagnosis, or medical or surgical treatment of the data subject; or when it is necessary to carry out epidemiological or similar studies, provided that adequate dissociation procedures are applied;
- When the data subject has given his prior, informed, express, and unequivocal consent to the international transfer of data.
Data Subject Rights
Like almost every other major data protection law, the Peruvian DPL lays down the rights of users, better known as data subject rights. These rights include the following:
- Right to Information - The data subject has the right to be informed in detail, simply, expressly, unequivocally, and prior to compilation, about: the purpose for which their personal data will be processed; who the recipients will or may be; the existence of the database in which the data will be stored, as well as the identity and address of the controller and, if applicable, the processor of their personal data; the mandatory or optional character of the answers to the questions put to them, especially concerning sensitive data; the transfer of personal data; the consequences of providing their personal data and of refusing to do so; the time during which their personal data will be kept; and the possibility to exercise the rights granted to them by law.
- Right to Revoke Consent - The data subject has the right to revoke their consent at any time.
- Right to Access - The data subject has the right to obtain information processed about them in any publicly or privately administered databases, as well as details regarding the collection, processing, transfers and the reasons for compiling their data. It is pertinent to note that data controllers must respond to an access request without undue delay within 20 business days of receipt, which can be extended by another 20 business days, if necessary.
- Right to Update, Inclusion, Rectification, and Elimination - The data subject has the right to the update, inclusion, rectification, and elimination of their personal data when it is partially or totally inaccurate or incomplete or it has an omission, error, or inaccuracy or when it is no longer necessary or relevant for the purpose for which it was collected. If the personal data was previously transferred, the personal data database controller must communicate the changes to the party to whom the data was transferred. It is significant to note that data controllers must respond to a request of rectification without undue delay within ten business days of receipt which may be extended by another ten business days, where necessary.
- Right to Prevent Supply - The data subject has the right to prevent their data from being supplied (i.e., sold/shared) to third parties, especially when it affects their fundamental rights;
- Right to Opposition - The data subject has the right to object to any form of data processing, according to the provisions of law and in the absence of consent, if they have a legitimate reason. If there exists a justified opposition, the data processor/controller must cease to process their data immediately. It is important to state that data controllers must respond to an opposition request without undue delay within ten business days of receipt of the request.
- Right to Objective Processing - The data subject has the right to object to the processing of personal data intended to evaluate certain aspects of their personality without proper consent, unless it occurs within an execution of contractual obligations or in cases of evaluation with purposes of incorporation into a public entity.
- Right to Protection - If a data processor or data controller does not fulfill a data subject's request for access, the data subject has the right to lodge a complaint directly with the National Authority for Personal Data Protection or to seek redress from the Judiciary to exercise their rights;
- Right to Indemnification - The affected data subject, in case of a violation of this Law by the controller or processor of the personal data database or by third parties, has the right to obtain the corresponding indemnity.
However, it is to be noted that controllers and processors may deny the exercise of data subject rights for reasons based on the protection of the rights and interests of third parties, or where exercising them could obstruct pending judicial or administrative proceedings related to the investigation of compliance with tax or social security obligations, the performance of health and environmental control functions, or the verification of administrative violations.
The Autoridad Nacional de Protección de Datos Personales (National Authority for the Protection of Personal Data), or ANPD, is the primary body responsible for enforcing Peru's data protection law throughout the country.
The ANPD hears, investigates and resolves complaints lodged by the data subjects for the violation of the rights granted to them and issues provisional and/or corrective measures, as established in the regulation. Additionally, the ANPD is also responsible for recommending any minor or major amendments to the data protection law to ensure it keeps up with both technological advancements and potential legal challenges.
The ANPD has also established a National Register of Personal Data Protection, which keeps a public record of all the data processors and the type of data being collected on Peruvian residents.
Lastly, the ANPD is required to publish a yearly report on the state of data protection within the country as well as recommendations for organisations on how to better adhere to the Peruvian legislation related to data protection.
Penalties for Non-compliance
The sanctioning procedure is initiated ex officio by the National Authority for Personal Data Protection, or upon complaint by a party, in case of presumed acts contrary to the provisions of the Law or its Regulations. The penalties prescribed in Peruvian legislation for organisations found in non-compliance are unique, mainly because offending organisations are fined in "tax units" rather than a fixed monetary amount. One tax unit is equivalent to approximately $1022 or PEN 4400.
The organisation must then pay this amount directly as part of their taxes, ensuring the national treasury receives the penalty amount.
In case of violations the following fines may apply:
- Mild violations will be sanctioned with a minimum fine of 0.5 (zero point five) Tax Units up to 5 (five) Tax Units;
- Serious violations will be sanctioned with a fine of more than 5 (five) Tax Units up to 50 (fifty) Tax Units;
- Very serious violations will be sanctioned with a fine of more than 50 (fifty) Tax Units up to 100 (one hundred) Tax Units.
The fine imposed may not under any circumstances exceed 10% (ten percent) of the annual gross income received by the presumed violator during the previous fiscal year. Moreover, the fine is imposed without prejudice to the disciplinary sanctions enforced on the staff of public entities in the case of publicly administered personal data databases, as well as indemnity for damage and any applicable criminal sanctions.
Moreover, the Law also provides that the ANPD may impose coercive fines of up to ten (10) Tax Units for violation of the obligations imposed in the sanctioning procedure. Coercive fines are imposed after the end of the performance term; their imposition does not prevent the exercise of other forced execution mechanisms.
How an Organization Can Operationalize the Law
Even when the exact requirements are clear under a law, it can be difficult for businesses to initiate their compliance efforts since it can be hard to figure out where to start. Hence, here are a few ways a business can operationalize the law within their practices:
- Deploy an automated consent management platform to collect, record and organize consent permissions received by data subjects;
- Organisations would be well advised to voluntarily appoint a permanent data protection officer (DPO) to ensure that all business practices within the organisation comply with the DPL;
- Ensure all the company's employees and staff are acutely aware of their responsibilities under the law;
- Ensure that the use and deployment of cookies, location data or other personal data complies with data privacy laws, and that the data subject's consent is obtained before cookies and/or location data are used;
- Have strong data protection policies in place, along with regular staff training, to help your organization fulfill Data Subject Right requests in a timely and accurate manner;
- Although it is not a legal requirement, conduct regular data protection impact assessments as well as data mapping exercises to ensure sensitive personal data is identified and appropriate security measures are employed to protect it;
- Implement security measures to prevent unauthorized access to personal data.
How Securiti Can Help
While data has always been considered a critical asset for businesses, data privacy has taken increased importance over the last couple of years. Various factors have played their roles, but businesses now realize how important it is to not only protect any collected user data but to be vigilant about collecting data only after getting proper consent.
Most countries now have their own versions of data protection laws that require organizations to take proactive measures to ensure users' rights are protected throughout the entire process of data collection. Adhering to these laws can prove a lot trickier for businesses in practice, given the sheer amount of data involved and the due diligence required.
This is where Securiti can be of service. Securiti is a market leader in providing enterprise data protection, data governance, and data compliance solutions.
Request a demo today and learn more about how Securiti can help you comply with Peru's Personal Data Protection Law.