Law No. 6534/20 on the Protection of Personal Credit Data

Law No. 6534/20 on the Protection of Personal Credit Data

Paraguay’s Law No. 6544/20 on the Protection of Personal Credit Data, known as the Credit Data Law for short, is a data protection that was entered into force in October of 2020. In contrast to many other South American data privacy laws, such as Uruguay’s Law No. 18.331 and Brazil’s General Data Protection Law or LGPD for short, Law No. 6542/20 protects both the personal and credit data of data subjects. To this end, Law No. 6544/20 sets forth the legal framework that data controllers and processors within the country of Paraguay must adhere to when collecting, processing, or disclosing the personal data of data subjects.

What is the scope and application of the Credit Data Law?

As it relates to the personal scope of the Credit Data Law, the law applies to “any physical person or legal entity that has a legal domicile or local offices or branches in Paraguay”. Alternatively, the Credit Data Law has no extraterritorial jurisdiction or application, as the scope of the law is limited to the country of Paraguay. In terms of the material scope of the law, the Credit Data Law protects the “credit data of all persons, regardless of their nationality, residence, or domicile, is guaranteed”. Moreover, “the Credit Data Law determines that it is applicable to the processing of personal data in public or private registries collected or stored in Paraguay in information systems, archives, physical, electronic, or digital records or databases through manual, automated, or partially automated data collection mechanisms”.

What are the obligations of data controllers and processors under the law?

Under the Credit Data Law, data controllers and processors operating within the country of Paraguay are required to abide by the following principles as it relates to the protection of personal data:

  • Personal and family intimacy, as well as the respect of private life, is inviolable under the law.
  • A person’s conduct, permitting it does not affect the public order established by the law or the rights of third parties, is exempt from all public authority under the law.
  • The right to a person’s protection of intimacy, as well as dignity and private image is guaranteed under the law.
  • The Law guarantees the right to information and regulates the constitutional right known as habeas data as a means for data protection.
  • The right to know how personal information is to be used and for what purpose, while allowing for the updating, rectification, or destruction of such information if it is incorrect or illegitimately affects a data subject’s rights under the law.

In addition to these data protection principles, data controllers and processors must follow various other obligations as it relates to law, particularly with respect to credit data. For example, as it pertains to data retention, the credit data law states that the persona or credit data of a data subject can be held in the database of an applicable data controller or processor for no more than five years. Additionally, data controllers and processors must also obtain consent from data subjects before transferring their personal or credit data to a third party, and transferring the personal or credit data of an individual to another country who does not have adequate data protection has not been established by law is prohibited.

Conversely, the Credit Data Law does require data controllers and processors to fulfill certain obligations that are commonly found in other privacy policies around the world. To illustrate this point further, the law does not require data controllers and processors to issue data processing notifications, maintain data processing records, or conduct Data Protection Impact Assessments or DPIA’s. Furthermore, the Credit Data Law does not require data controllers or processors to process special categories of personal data, such a criminal conviction data, in a different manner than other forms of personal data, and the law does not require data controllers and processors to have contracts in place between one another.

What are the rights of data subjects under the Credit Data Law?

The Credit Data Law affords Paraguayan citizens the following rights as it relates to the protection of their credit and personal data and in turn, their privacy:

  • The right to be informed– Under the law, data subjects maintain the right to be informed “expressly and clearly” concerning the purposes for which their personal and credit data will be used.
  • The right to access– Under the law, data subjects maintain the right to access any personal data that a data controller, processor, or credit bureau may hold concerning them.
  • The right to rectification– Under the law, data subjects maintain the right to request that a data controller, processor, or credit bureau rectify any personal or credit data relating to them that has been found to be inaccurate, incomplete, or illegally obtained.
  • The right to erasure– Under the law, data subjects maintain the right to request that a data controller, processor, or credit bureau erase data pertaining to them that has been found to be inaccurate, incomplete, or illegally obtained.
  • The right to data portability– Under the law, data subjects have the right to request a copy of their personal or credit data in a commonly used sharable form.
    The right not to be subject to automated decision making- Under the law, data subjects maintain the right not to be subject to data processing decisions made solely on the basis of automated processing.

In terms of penalties that can be imposed against violators of the law, the Credit Data Law is enforced by the Central Bank of Paraguay or BCP and the Secretariat for the Defence of the Consumer and the User or SEDECO. As such, the following administrative fines and criminal penalties can be levied against individuals and agencies who are found to be in non-compliance

  • A warning.
  • A monetary fine of up to 15,000 minimum wages ($174,993), which can double in the event of repetition of the offence.
  • The suspension of activities related to data processing for up to six months, as well as indication of the correct data processing measures that must be adopted in order to achieve compliance.
  • Immediate and definitive closure of an operation that involves the processing of personal or credit data.

The Credit Data Law is interesting in that it in many ways contains provisions that are more far reaching than other recently passed data privacy laws while simultaneously providing data subjects with less rights than said privacy laws. As such, the effectiveness of the law will have to be monitored in upcoming years, as countries around the world continue to pass legislation with the goal of protecting the personal data and privacy of their citizens. Nevertheless, the Credit Data Law does provide Paraguayan citizens with a means of defending their personal and credit data against potential infringement and intrusion.