I. Extraterritorial application
The Law and the Regulations will apply to database owners or data controllers who are not located in Peru but who carry out either of the following activities:
- Activities related to offering goods or services to data subjects located in Peru
- Activities intended to analyze the behavior of data subjects located in Peru, including the creation of profiles that seek to predict behaviors, preferences, habits or similar information
II. Designation of a processing representative in Peru
Database owners or data controllers, whether or not located in Peru, must designate a representative in Peru as the point of contact with the National Authority for the Protection of Personal Data ("Authority") and must disclose the designation by:
- Publishing it in their privacy policy
- Communicating it to the Authority
III. Additional information for the owner of the personal data
In addition to the information set forth in Article 18 of the Law, before their personal data is processed the data subject must be informed of the following:
- Whether their data will be subject to automated decisions, including profiling
- The source from which their personal data was collected, where it was not obtained directly from the data subject
IV. Processing of personal data of children and adolescents
Database owners or data controllers operating digital platforms or services must make reasonable efforts to verify the identity of the person giving consent, in order to comply with the obligations on processing the data of minors.
V. Processing of personal data for advertising purposes
- Consent for advertising purposes may be obtained at the first contact with the data subject.
- Upon request, the data subject must be informed of the source from which their information was collected.
VI. Notification of security incidents
- A security incident is any breach of security that results in the destruction, loss or unlawful alteration of personal data, or in the unauthorized communication of or access to such data.
- Security incidents must be notified to the Authority within 48 hours of the database owner or data controller becoming aware of them.
- Affected data subjects must be notified within 48 hours of the database owner or data controller becoming aware that the incident may affect their rights.
- Every security incident must be documented, including the related facts, its effects and the measures taken.
VII. Designation of a personal data officer
Database owners, data controllers and data processors must designate a personal data compliance officer if either of the following applies:
- They process personal data on a large scale (by volume or type of data), carry out processing that may affect a large number of individuals, process sensitive data, or carry out processing that evidently prejudices other rights or freedoms of the data subject
- Their main or core business activities involve the processing of sensitive data
Database owners, data controllers and data processors must publish the contact details of the personal data compliance officer in a visible place and communicate them to the Authority.
A corporate group may appoint a single personal data compliance officer.
VIII. New security measures
Those responsible for processing personal data have the following obligations:
- Prepare an inventory of the personal data held and of the systems used to process it, specifying whether sensitive data is involved
- Make backup copies at least once a week, unless the personal data has not been updated during that period
IX. Right to portability of personal data
The data subject may request that the personal data they provided to the data controller or database owner be transferred to another party, where the processing is based on consent or on a contractual relationship, or is carried out by automated means.
X. Mitigating factors of liability
Under certain circumstances, the following may be considered mitigating factors in an administrative sanctioning procedure:
- The adoption of codes of conduct
- The preparation of an impact assessment report on the processing of personal data
The Regulations take effect on 30 March 2025. The obligation to designate a personal data compliance officer takes effect later, as of 30 November 2025, and is phased in according to annual sales.
You can find the full text of the Regulations here.
*****
We hope this information is of relevance to you and your company. Please do not hesitate to contact us if you require any advice in this regard.
Click here to access the Spanish version.
* * * * *
© 2024 Estudio Echecopar. All rights reserved. Estudio Echecopar is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.