Law No. 6534/20 on the Protection of Personal Credit Data

Law No. 6534/20 on the Protection of Personal Credit Data

Paraguay’s Law No. 6544/20 on the Protection of Personal Credit Data, known as the Credit Data Law for short, is a data protection that was entered into force in October of 2020. In contrast to many other South American data privacy laws, such as Uruguay’s Law No. 18.331 and Brazil’s General Data Protection Law or LGPD for short, Law No. 6542/20 protects both the personal and credit data of data subjects. To this end, Law No. 6544/20 sets forth the legal framework that data controllers and processors within the country of Paraguay must adhere to when collecting, processing, or disclosing the personal data of data subjects.

What is the scope and application of the Credit Data Law?

As it relates to the personal scope of the Credit Data Law, the law applies to “any physical person or legal entity that has a legal domicile or local offices or branches in Paraguay”. Alternatively, the Credit Data Law has no extraterritorial jurisdiction or application, as the scope of the law is limited to the country of Paraguay. In terms of the material scope of the law, the Credit Data Law protects the “credit data of all persons, regardless of their nationality, residence, or domicile, is guaranteed”. Moreover, “the Credit Data Law determines that it is applicable to the processing of personal data in public or private registries collected or stored in Paraguay in information systems, archives, physical, electronic, or digital records or databases through manual, automated, or partially automated data collection mechanisms”.

What are the obligations of data controllers and processors under the law?

Under the Credit Data Law, data controllers and processors operating within the country of Paraguay are required to abide by the following principles as it relates to the protection of personal data:

In addition to these data protection principles, data controllers and processors must follow various other obligations as it relates to law, particularly with respect to credit data. For example, as it pertains to data retention, the credit data law states that the persona or credit data of a data subject can be held in the database of an applicable data controller or processor for no more than five years. Additionally, data controllers and processors must also obtain consent from data subjects before transferring their personal or credit data to a third party, and transferring the personal or credit data of an individual to another country that does not have adequate data protection has not been established by law is prohibited.

Conversely, the Credit Data Law does require data controllers and processors to fulfill certain obligations that are commonly found in other privacy policies around the world. To illustrate this point further, the law does not require data controllers and processors to issue data processing notifications, maintain data processing records, or conduct Data Protection Impact Assessments or DPIAs. Furthermore, the Credit Data Law does not require data controllers or processors to process special categories of personal data, such as criminal conviction data, in a different manner than other forms of personal data, and the law does not require data controllers and processors to have contracts in place between one another.

What are the rights of data subjects under the Credit Data Law?

The Credit Data Law affords Paraguayan citizens the following rights as it relates to the protection of their credit and personal data and in turn, their privacy:

In terms of penalties that can be imposed against violators of the law, the Credit Data Law is enforced by the Central Bank of Paraguay or BCP and the Secretariat for the Defence of the Consumer and the User or SEDECO. As such, the following administrative fines and criminal penalties can be levied against individuals and agencies who are found to be in non-compliance

The Credit Data Law is interesting in that it in many ways contains provisions that are more far-reaching than other recently passed data privacy laws while simultaneously providing data subjects with fewer rights than said privacy laws. As such, the effectiveness of the law will have to be monitored in upcoming years, as countries around the world continue to pass legislation with the goal of protecting the personal data and privacy of their citizens. Nevertheless, the Credit Data Law does provide Paraguayan citizens with a means of defending their personal and credit data against potential infringement and intrusion.

Related Reads