Paraguay: Data Protection

Territory: Paraguay

Data Protection Regulations: Remark: Paraguay does not currently have a comprehensive data protection law, however, Law № 6534/20 "de Protección de datos crediticios" is in force.

Link: https://www.bacn.gov.py/leyes-paraguayas/9417/ley-n-6534-de-proteccion-de-datos-personales-crediticios

Regulatory purpose: Guarantee the protection of credit data of all persons, whatever their nationality, residence or domicile. Regulate the activity of collection and access to credit information data, the constitution, organisation, operation, rights, obligations and termination of legal persons engaged in the collection and provision of credit information, in order to preserve the fundamental rights, privacy, informational self-determination, freedom, security and fair treatment of persons, in accordance with the provisions of the National Constitution, this Law and the Treaties signed and ratified by the Republic of Paraguay. (Art. 1)

Parties: This law applies only in relation to personal credit data.

Data controller: Natural or legal person, public authority or other body which alone or jointly with others determines the purposes and means of the data processing. (Art. 2 (f))
Data Processor: Natural or legal person, public authority, or other body processing personal data on behalf of the controller. (Art. 2 (g))
Data Protection Officer: No.

Supervisory Authority: Secretariat for Consumer and User Defence (SEDECO)

Other: Central Bank of Paraguay, through the Superintendency of Banks.

Principles: No.

Obligations:

Register of Processing Activities: No.
Impact Assessments: No.
Risk analysis: Yes.
Technical and organisational security measures: Yes.
Duty to inform: Yes.
Data Protection Officer: No.
Other obligations:

Handle information with high standards of ethics, confidentiality and security (Art. 17 inc. a);

Have efficient measures in place to prevent credit information from being lost or altered. (Art. 17 inc. b);

Report credit information without any alteration or modification. (Art. 17 inc. c);

Rectify credit information, at the request of the source or the owner of the information. Credit reporting agencies may not rectify ex officio information transmitted to them, unless the error can be attributed to the credit reporting agencies. (Art. 17 inc. d);

Channel to the sources of the information, the claims of the holders in relation to illegal, inaccurate, erroneous information, when the illegality, inaccuracy or error is not attributable to the credit reporting company. (Art. 17 inc. e);

Eliminate information that has expired in accordance with the terms of the present law. (Art. 17 inc. g).

Data subjects' rights:

Right of Access: Yes.
Right of rectification: Yes.
Right of Suppression: Yes.
Right to limitation: Yes.
Right to portability: No.
Right to object: No.
Automated individual decisions, including profiling: No.
Other rights:

Right to informational self-determination (Art. 5);

Informed consent (Art. 6);

Quality of information (Art. 7);

Right to be forgotten (Art. 9);

Data security (Art. 10).

International transfers:

Warning (Art. 23 inc. a); Fine of up to 15,000 minimum wages in force at the time of imposition of the sanction (Art. 23 inc. b); In the event of a repeat offence, the fine shall be double the initial fine applied, which may be increased to 50,000 minimum wages in force at the time of imposition of the sanction for the natural or legal person who registers an annual turnover of more than Gs. 6,000,000,000,000 (Art. 23 inc. c); Suspension of activities related to data processing for up to 6 months; the act of suspension shall indicate the corrective measures to be adopted (Art. 23 inc. d); Disqualification from holding a job, position or commission within the financial and credit system and in personal data information companies, for a period of 6 months to 5 years (Art. 23 inc. e); Temporary closure of the company for a period of 6 months to 5 years (Art. 23 inc. f); Temporary closure of the company for a period of 6 months to 5 years (Art. 23 inc. g); Suspension of the company for a period of 6 months to 5 years (Art. 23 inc. h). 23 inc. e); Temporary closure of the operations related to the processing of data once the term of suspension has elapsed without the corrective measures ordered by the supervisory authority having been adopted (Art. 23 inc. f); Immediate and definitive closure of the operation involving the processing of sensitive data (Art. g).

Sanctioning regime: No.

Certification or accreditation of compliance for companies: No.

Other highlights: No.

Other related legislation: No.

Cookie	Type	Duration	Description
cookielawinfo-checkbox-analytics	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Google Analytics".
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "GDPR Cookie Consent".
cookielawinfo-checkbox-non-necessary	Persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "test_cookie".
cookielawinfo-checkbox-optinmonster	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "OptinMonster".
cookielawinfo-checkbox-phpsessid	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "phpsessid".
cookielawinfo-checkbox-test_cookie	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "test_cookie".
cookielawinfo-checkbox-tt_cookie_content_22	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "tt_cookie_content_22".
cookielawinfo-checkbox-wp-settings-1	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "wp-settings-1".
cookielawinfo-checkbox-wp-settings-time	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "wp-settings-time".
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
__utma	persistent	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	persistent	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc	persistent	1 year	The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	persistent	10 minutes	The cookie is set by Google Analytics and is used to throttle request rate.
__utmz	persistent	5 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.
_ga	Persistent	2 years	Internal measurement with Google Analytics.These cookies store a unique identifier to recognise the user when they visit the website in the future.
_gat_UA-124173004-1	Persistent	1 minute	Internal measurement with Google Analytics.
_gid	Persistent	1 day	Internal measurement with Google Analytics.

Cookie	Type	Duration	Description
_omappvp	Persistente	10 años	Determina si el visitante ha visitado el sitio web anteriormente.Estas cookies almacenan un identificador único para reconocer al usuario las futuras ocasiones que visite el sitio web. Son de Retyp, LLC d/b/a OptinMonster, por lo que la información recabada podrá ser transferida fuera del Espacio Económico Europeo.
_omappvs	Persistent	10 minutes	Determines if the visitor has visited the website previously.These cookies store a unique identifier to recognise the user when they visit the website in the future. They belong to Retyp, LLC d/b/a OptinMonster, thus the information collected may be transferred outside the European Economic Area.

Paraguay

H&A CAN HELP YOU

¿QUÉ NECESITAS?