Privacy Law in Peru
Peru's data protection framework is governed by Law No. 29733, the Personal Data Protection Law, and its regulations. The most recent regulatory updates were published on November 30, 2024, through Supreme Decree No. 016-2024-JUS, which will come into effect on March 30, 2025. These updates introduce significant changes to enhance data privacy and align with international standards.
Key Aspects of Peru's Data Protection Law
1. Territorial Scope
The law applies not only to entities within Peru but also to foreign data controllers or processors who:
Offer goods or services to individuals located in Peru.
Analyse behaviour or create profiles of individuals in Peru.
2. Designation of a Personal Data Officer
Organizations processing large volumes of personal or sensitive data are required to appoint a **Personal Data Protection Officer (PDO)**. This officer oversees compliance and serves as the point of contact with the National Authority for Personal Data Protection. The obligation to appoint a PDO will be phased in based on annual sales, starting on November 30, 2025, and continuing through November 30, 2028.
3. Enhanced Transparency and Consent
Organizations must provide clear information to data subjects, including:
Whether their data will be subject to automated decisions or profiling.
The source of their personal data if not directly collected.
The possibility of first-contact consent for advertising purposes.
4. Data Portability
Data subjects have the right to request the transfer of their personal data to another controller when processing is based on consent or a contractual relationship, and when carried out by automated means. This right will be enforceable starting September 30, 2025.
5. Security Incident Notification
Organizations must notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that exposes personal data. Affected individuals must also be informed within the same timeframe if their rights may be compromised.
⚖️ Penalties for Non-Compliance
Violations of the data protection law can result in:
Administrative fines: ranging from 0.5 to 100 Tax Units (UIT), depending on the severity of the infraction. One UIT is approximately PEN 5,150 (about USD 1,380).
Criminal sanctions: including fines and imprisonment for serious offenses such as unauthorized data processing or obstruction of data subjects' rights.
🏛️ Enforcement Authority
The National Authority for Personal Data Protection is responsible for overseeing compliance with the law, providing guidance, and imposing sanctions when necessary. Organizations are encouraged to consult with this authority to ensure adherence to data protection requirements.
✅ Summary
Peru's updated data protection regulations strengthen privacy rights and impose new obligations on organizations, both domestic and foreign, that process personal data of individuals in Peru. Entities are advised to review their data processing practices, appoint a Personal Data Protection Officer if required, and ensure compliance with the enhanced transparency, consent, and security measures outlined in the new regulations.