Cyber Law in Peru

Peru has established a comprehensive legal framework to address cybercrime, data protection, and cybersecurity, aligning with international standards and enhancing digital governance.

🛡️ Cybercrime Legislation

Peru is a signatory of the Budapest Convention on Cybercrime, the first international treaty aimed at combating computer and internet crime. This commitment underscores Peru's dedication to international cooperation in addressing cybercrime. Additionally, the GLACY+ project, supported by the Council of Europe, has been instrumental in strengthening Peru's cybercrime strategy. Through this initiative, Peru has developed a pool of national trainers, including judges and prosecutors, who are continuously trained to handle cybercrime cases effectively.

🔐 Data Protection Law (Law No. 29733)

Peru's Personal Data Protection Law (Law No. 29733), enacted in 2011, provides a robust framework for the protection of personal data. The law applies to both public and private entities processing personal data within Peru and extends to foreign entities processing data of Peruvian citizens.

Key Provisions:

Consent: Data processing requires the informed, express, and unequivocal consent of the data subject.

Purpose Limitation: Data must be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes.

Data Minimization: Only data necessary for the purposes stated should be collected.

Accuracy: Data should be accurate and kept up to date.

Security: Appropriate technical and organizational measures must be implemented to protect data.

Accountability: Data controllers and processors are responsible for complying with the law and must demonstrate compliance.

🧠 Cybersecurity and Digital Security Regulation

In November 2024, Peru adopted new regulations under Supreme Decree No. 016-2024-JUS to enhance the implementation of Law No. 29733. These regulations, effective from March 30, 2025, introduce several cybersecurity requirements:

*Security Incident Notification: Entities must notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that causes significant harm or exposes large volumes of personal data.

*Data Protection Officer Appointment: Organizations processing large volumes of personal or sensitive data are required to appoint a Personal Data Protection Officer to oversee compliance and act as a liaison with the authority.

*Cross-Border Data Transfers: The regulations apply to data controllers outside Peru who offer goods or services to individuals in Peru or analyze their behavior.

Public entities are also mandated to report data breaches to the National Centre for Digital Security and implement an Information Security Management System to protect information assets against digital security risks and incidents.

⚖️ Enforcement and Penalties

Violations of the data protection law can result in administrative and coercive sanctions:

*Administrative Sanctions: Fines ranging from 0.5 to 100 Tax Units (UIT), depending on the severity of the violation.

*Coercive Sanctions: Fines ranging from 0.2 to 10 UIT for non-compliance with obligations.

These penalties aim to ensure compliance and protect individuals' personal data rights.
