Peru belongs to the group of countries that had a data protection law in place before the GDPR came into effect. The Personal Data Protection Law, Law No. 29733 (DPL), was enacted in July 2011. Moreover, Supreme Decree No. 003-2013-JUS, the Regulation of the Personal Data Protection Law (Regulations), was published in March 2013 to expand on the requirements of the law and lay down rules and provisions regarding data protection. The Law and its Regulation serve as the primary pieces of legislation that govern all issues related to data privacy within the country.
The Personal Data Protection Law was subsequently amended by Legislative Decree No. 1353 in January 2017. Unfortunately, the law is visibly less stringent than other prominent legislation such as the GDPR and the LGPD, since the obligations placed on data processors and data controllers are relatively limited. For example, there are no mandatory legal requirements for covered entities to carry out data protection impact assessments (DPIAs) or to appoint data protection officers (DPOs). Similarly, there are no express breach notification requirements, and no requirement for a third-party/vendor processing assessment.
However, there are some strict penalties for data controllers and processors for non-compliance with the provisions of the law, while the regulatory authorities are advised to regularly produce educational material for organizations to aid their compliance efforts.
This is how the Peruvian data protection law applies to entities based on what data they collect and where they're based geographically:
The law covers all personal data contained or intended to be contained in personal data databases publicly and privately administered, processed in Peruvian territory by an organisation. It is to be noted that sensitive data is the object of special protection under the law. Additionally, this applies to all forms of data collection carried out by a data controller or a data processor on behalf of a data controller.
Any collection or processing of personal data that meets the following criteria is subject to the Peruvian data protection law:
Moreover, the provisions of this law would not apply to personal data that is to be:
One of the major hallmarks of any data protection law is the list of obligations it places on the organisations collecting the data. The Peruvian DPL falls a bit short on that front. As per Law No. 29733, any organisation processing or collecting data on users in Peru is subject to the following obligations:
One of the primary responsibilities of any data processor/controller is to process personal data only after obtaining the prior, informed, express, and unequivocal consent of the data subject, unless an authoritative law allows them to proceed with the data collection without consent when deemed necessary for the national security or interests of the Peruvian state. In the case of sensitive data, consent for processing must also be given in writing. The data subject may also revoke their consent at any time, and the revocation is subject to the same requisites that applied when they gave their consent.
Furthermore, there are express guidelines stating that any collected personal data is not to be used for purposes other than those that motivated its initial collection.
Moreover, the data subject’s consent is not necessary in the following situations:
When personal data processing services are rendered on behalf of third parties, the personal data may not be applied or used for a purpose other than that which appears in the contract or the agreement executed, or to be transferred to other persons, including for its storage.
Third parties are also required to comply with the relevant requirements of the DPL. After the service covered by the contract or agreement has been performed, the processed personal data must be eliminated. The only exception is where the party on whose behalf the services are rendered has given express authorization, because it is reasonably presumed that additional tasks may follow; in that case the personal data may be kept, under due security conditions, for up to the term established by the regulation of the Law.
The Peruvian data protection law allows for cross-border data flows only if the proposed recipient countries have adequate data protection mechanisms. The transfer should be conducted through a formal written binding contract where the data controller is to effectively communicate to the recipients the conditions under which the data subject consented to their processing. The ANPD will evaluate which countries meet these adequate protection requirements.
However, these requirements will not be applicable in the following cases:
Like almost every other major data protection law, the Peruvian DPL lays down the rights of users, better known as data subject rights. These rights include the following:
However, it is to be noted that controllers and processors may deny the exercise of data subject rights for reasons based on the protection of the rights and interests of third parties, or where exercising those rights could obstruct pending judicial or administrative proceedings related to the investigation of compliance with tax or social security obligations, the performance of health and environmental control functions, or the verification of administrative violations.
The Autoridad Nacional de Protección de Datos Personales (National Authority for the Protection of Personal Data), or ANPD, is the primary body responsible for enforcing Peru's data protection law within its borders.
The ANPD hears, investigates and resolves complaints lodged by the data subjects for the violation of the rights granted to them and issues provisional and/or corrective measures, as established in the regulation. Additionally, the ANPD is also responsible for recommending any minor or major amendments to the data protection law to ensure it keeps up with both technological advancements and potential legal challenges.
The ANPD has also established a National Register of Personal Data Protection, which keeps a public record of all the data processors and the type of data being collected on Peruvian residents.
Lastly, the ANPD is required to publish a yearly report on the state of data protection within the country as well as recommendations for organisations on how to better adhere to the Peruvian legislation related to data protection.
The sanctioning procedure is initiated ex officio by the National Authority for Personal Data Protection, or by complaint of a party, in case of the presumed commission of acts contrary to the provisions of the Law or its regulation. The penalties prescribed in the Peruvian legislation for organisations found in non-compliance are unique, mainly because offending organisations are penalized in "tax units" rather than a fixed monetary amount. One tax unit is equivalent to approximately $1022 or PEN 4400.
The organisation must then pay this amount directly as part of their taxes, ensuring the national treasury receives the penalty amount.
In case of violations the following fines may apply:
The fine imposed may not exceed under any circumstances 10% (ten percent) of the annual gross income received by the presumed violator during the previous fiscal year. Moreover, the fine will be imposed without prejudice to the disciplinary sanctions enforced on the staff of public entities in the case of publicly administered personal data databases, as well as indemnity for damage and the applicable criminal sanctions.
Moreover, the Law also instructs that the ANPD may impose coercive fines for an amount not exceeding ten (10) Tax Units for violation of the obligations subject to sanction imposed in the sanctioning procedure. The coercive fines will be imposed after the end of the performance term. However, the imposition of coercive fines does not prevent the exercise of other forced execution mechanisms.
Even when the exact requirements are clear under a law, it can be difficult for businesses to initiate their compliance efforts since it can be hard to figure out where to start. Hence, here are a few ways a business can operationalize the law within their practices:
While data has always been considered a critical asset for businesses, data privacy has taken increased importance over the last couple of years. Various factors have played their roles, but businesses now realize how important it is to not only protect any collected user data but to be vigilant about collecting data only after getting proper consent.
Most countries now have their own versions of data protection laws that require organizations to take proactive measures to ensure users' rights are protected throughout the entire process of data collection. Adherence to these laws can prove a lot trickier for businesses due to the sheer amount of data involved and the due diligence required.
This is where Securiti can be of service. Securiti is a market leader in providing enterprise data protection, data governance, and data compliance solutions.
Request a demo today and learn more about how Securiti can help you comply with Peru's Personal Data Protection Law.
The Personal Data Protection Law, Law No. 29733, is the legal framework that regulates the processing of personal data within Peru. It was enacted in July 2011. The law was subsequently amended by Legislative Decree No. 1353 in January 2017.
The data protection law in Peru refers to Law No. 29733, which sets out principles, rights, and obligations related to the processing of personal data.
Data subject rights in Peru include the right to information, the right to revoke consent, the right to access, the right to update, inclusion, rectification, and elimination, the right to prevent supply, the right to opposition, the right to objective processing, the right to protection, and the right to indemnification.
Peru is not a member state of the European Union, so GDPR (General Data Protection Regulation) does not apply. However, Peru has its own data protection law.