On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired from the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that would be satisfactory to the European Union member states and other countries that have adopted similar data protection regimes.
Scope of the Law
The law applies to personal data that are held or intended to be held in personal data banks for processing within the country. The important criterion for determining whether the law applies is: where the processing occurs.
The law regulates personal data held in electronic or other form. “Personal Data” is defined as any information about a natural person that identifies, or allows identifying, the person through reasonable means. The law distinguishes “personal data” and “sensitive data.” The definition of “sensitive data” covers traditional items such as data relating to race or ethnicity, health and sexual life, political opinion, religious or philosophical beliefs, and union membership as well as items less frequently found in similar laws: biometric data and income.
Like many other countries, Peru excludes from the scope of the data protection law data that are held for personal purposes, or in connection with family life, as well as data that are held by public administrations but only to the extent that the data are used for criminal investigation or enforcement, public safety or national defense.
Data Protection Authority
The law establishes a national data protection authority, the Autoridad Nacional de Protección de Datos Personales, which is overseen by the Ministry of Justice. Among other things, the Autoridad manages the country’s national register of personal data protection. It has extensive powers, which are generally similar to those of the other data protection supervisory authorities in other countries.
Title I of the law identifies eight “guiding principles”:
Legality – The processing of personal data must be conducted in accordance with the law. The use of fraudulent, unfair, or illegal means for collecting personal data is prohibited.
Consent – The processing of personal data requires the prior informed, explicit consent of the individual (with exceptions).
Finality – Personal data may be collected only for a specified, explicit, and lawful purpose.
Proportionality – The data collected must be adequate, relevant, and not excessive in view of the purpose for which they are collected.
Quality – The data must be accurate, current, and appropriate for the purpose for which they are collected. They must be retained only as long as necessary to fulfill the purpose of the processing.
Security – Appropriate technical, organizational, and contractual measures must be taken to ensure the security of the personal data.
Enforcement – There must be appropriate administrative and judicial measures to allow individuals to claim and enforce their rights.
Restriction to Crossborder Transfers – The transfer of personal data across borders requires that the recipient ensure an adequate level of protection for personal data, or at least a level of protection comparable to those that are set forth in the relevant international standards.
Rights of Individuals
Like many other laws, the Peruvian Data Protection Law grants to individuals numerous rights, including the right to information, right of access, right of correction, right of opposition, right not to be subject to a decision based solely on automated processing of personal data.
In addition, the law grants data subjects the “right to protection,” which allows data subject to appeal to the Autoridad Nacional de Protección de Datos Personales, the country’s data protection authority in case of a violation of their rights, or to the judiciary, in the case of an action in Habeas Data. The law also provides for a “right to compensation”, which provides for the compensation of individuals by the entity that is responsible for the data, in the event of a violation of the law. The amount of the compensation is not specified in the law.
The law establishes a registration requirement, which is similar to that which is in force in the European Union. The National Authority for Data Protection will be responsible for managing and keeping the National Register of Data Protection.
Enforcement and Sanctions
The Autoridad Nacional de Protección de Datos Personales, is the primary organ vested with the power to enforce the law. The law distinguishes three categories of violations: minor, serious, and very serious.
Acting in contravention to the guiding principles, breaching confidentiality obligations, preventing individuals from exercising their rights constitute serious offenses. Creating databases without complying with the required formalities, providing false or incomplete documents, failure to comply with the registration requirements constitute very serious offenses.
The penalties are set in “tax units” or unidad impositiva tributaria. (UIT) The fines range from .5 tax units for minor offenses to 100 UIT for the most serious offenses. The UIT is a standard measure used in Peru for calculating tax payments and fines. One UIT is PEN3,600, i.e., approximately US$ 1,300. There is annual cap; it is equal to 10% of the gross annual income received by the organization.
It will take time before the law is fully implemented. First, the national data protection supervisory authority must be established. Then regulations must be drafted to fully explain the processes and procedures that are expected from the covered entities.
Text of the Law
The full text of the law (in Spanish) can be found at: