New Found Privacy Regulations for Peruvian Citizens

Peru’s Law No. 29733 on the Protection of Personal Data, also known as the Law for short, is a data protection law that was passed in 2011 and recently amended in 2017. Law No. 29733 on the Protection of Personal Data was amended through the enactment of Legislative Decree No. 1353 of 7 January 2017, for the purposes of providing Perusian citizens with an updated level of data protection, as well as placing stipulations on individuals and organizations within Peru who collect and process personal data. Law No. 29733 on the Protection of Personal Data is enforced through the Peruvian data protection authority or APDP, and the regulatory body is authorized to impose a multitude of administrative and monetary penalties against parties who are found to have violated the provisions of the law.

What is the scope and application of Law No. 29733 on the Protection of Personal Data?

In terms of the scope and application of Law No. 29733 on the Protection of Personal Data applies “to data contained, or intended to be contained, in public or private databases, which refer to natural persons, and whose processing is carried out in Peruvian territory”. Alternatively, the material scope of the law applies to all collection and processing of personal data that takes place within Peru, subject to certain exceptions, such as data processing related to “family or private purposes”. Moreover, the territorial scope of the law is applicable under the following circumstances:

• When the collection or processing of personal data is carried out in an establishment that is located within Peruvian territory, or said establishments belong to a data controller or processor within Peru.
• When the processing of personal data is carried by a data processor out on behalf of a data controller who is established within Peru, regardless of the location of said data processor.
• When a data controller or processor is not physically present or established within Peru, “but the law is applicable to them by contractual provisions or international law”.
• When a data controller or processor is not physically present or established within Peru but still uses means within Peru for the purpose of processing data, unless said means are used strictly for the purpose of data transit that does not involve processing.

What are the requirements of data controllers and processors under Law No. 29733 on the Protection of Personal Data?

Much like the European Union’s General Data Protection Regulation or GDPR, Law No. 29733 on the Protection of Personal Data established various principles that data controllers and processors who process the personal data of Peruvian citizens must comply with when processing personal data. These principles include the following:

• Legality– All collection and processing of personal data must be carried out in accordance with Law No. 29733 on the Protection of Personal Data. The collection or processing of personal data that is conducted via unfair, unlawful, or illegal means is strictly prohibited.
• Purpose– The collection and processing of personal data must be done for purposes that are explicit, specific, and legitimate. “The processing of personal data should not be extended to other purposes than those established at the time of collection, except in cases of historical, statistical or scientific activities, where dissociation or anonymization processes are applied”.
• Proportionality– The collection and processing of personal data must be done in a manner that is relevant, adequate, and non-excessive with respect to the purposes for which it was collected.
• Quality– Personal data must be collected and processed in a manner consistent with the principles of truthfulness and accuracy. Personal data must also be updated when possible, as well as kept appropriate and relevant in relation to the purposes for which said personal data was collected and processed.
• Security– Data controllers and processors are responsible for implementing technical, physical, and organizational measures for the purposes of protecting personal data.
• An adequate level of protection– In terms of cross-border transfers of personal data, the person who is responsible for the processing of said personal data must ensure that the data is protected sufficiently. This level of protection must be comparable or on par with either the law or international standards.

What are the rights of Peruvian citizens under Law No. 29733 on the Protection of Personal Data?

Under Law No. 29733 on the Protection of Personal Data, Peruvian citizens are guaranteed the following right as it relates to data protection and personal privacy:

• The right to be informed– Data subjects have the right to receive a detailed explanation concerning the purposes for which their personal data has been collected or processed.
• The right to access– “Data subjects have the right to access information about themselves that is processed in private or public administration databanks”.
• The right to rectification– Data subjects have the right to rectify personal data concerning themselves that has been processed, permitting said personal data has been found to be incomplete, inaccurate, or erroneous.
• The right to erasure– Data subjects have the right to erase personal data concerning themselves that has been processed, permitting said personal data has been found to be incomplete, inaccurate, or erroneous.
• The right to object or opt-out– Data subjects have the right to object or opt-out of the processing of their personal data under certain circumstances, such as instances in which their personal data was obtained illegally.
• The right to data portability– Data subjects have the right “not to be subjected to a decision with legal effects over them, or that significantly affects them, based on the processing of personal data intended to evaluate certain aspects of their personality or conduct”.
• The right to protection– Data subjects have the right to file a claim with the Peruvian data protection authority or APDP when their rights have been violated.
• The right to be compensated– Data subjects have the right to seek compensation when their rights are violated.

What are the penalties for failing to comply with the law?

In terms of penalties for non-compliance, the Peruvian data protection authority or APDP separates infractions in accordance with the law into three tiers, minor, serious, and very serious infringements. Under the law, “processing personal data without adopting security measures” is considered a minor infringement, while “giving false documents or information to the APDP” is considered to be a very serious infringement. As such, data controllers and processors who fail to adhere to the provisions of the law are subject to the following monetary penalties:

• “For minor infringements: fines of up to 5 tax units ($5,469)”.
• “For serious infringements: fines of up to 50 tax units ($54,741)”.
• “For very serious infringements: fines of up to 100 tax units ($109,493)”.

As the protection of personal data and privacy has gained a greater level of pertinence in not only the country of Peru, but the world at large, legislation such as Law No. 29733 on the Protection of Personal Data only continues to become more common. This fact is evidenced by other South American countries that have also passed comprehensive data protection laws in recent years, such as Brazil’s General Data Protection Law or LGPD for short, as well as Uruguay’s Law No. 18.331 on the Protection of Personal Data. As such, Law No. 29733 on the Protection of Personal Data stands as the foremost form of legal protection for the personal data and privacy of Peruvian citizens.