Territory: Perú

Data Protection Regulations: Ley No. 29733, Ley de Protección de Datos Personales

Link: https://cdn.www.gob.pe/uploads/document/file/1401560/Directiva%20de%20seguridad.pdf

Regulatory purpose: Guarantee the fundamental right to the protection of personal data, provided for in Article 2.6 of the Political Constitution of Peru, through its appropriate processing, within a framework of respect for the other fundamental rights recognised therein.

Parties:

  • Data controller: Yes: Natural person, legal person under private law or public entity that determines the purpose and content of the personal data bank, the processing of personal data and the security measures.
  • Data Processor: Yes: Any natural person, legal person under private law or public entity who alone or acting jointly with another person carries out the processing of personal data on behalf of the owner of the personal data bank by virtue of a legal relationship that binds him/her to the owner and delimits the scope of his/her action. It includes whoever carries out the processing without the existence of a personal data bank.
  • Data Protection Officer: Yes, but only for the public sector; it does not apply to the private sector.

Supervisory Authority: National Authority for the Protection of Personal Data: General Directorate for Transparency, Access to Public Information and Protection of Personal Data.

Principles: 

  • Principle of legality
  • Principle of purpose
  • Principle of proportionality
  • Principle of quality
  • Principle of security
  • Principle of adequate level of protection
  • Principle of consent

Obligations:

  • Register of Processing Activities: No.
  • Impact Assessments: No. However, according to the principle of proportionality and purpose, it must be assessed that the data processing is proportionate to its purpose.
  • Risk analysis: No. However, according to the principle of proportionality and purpose, it must be assessed that the data processing is proportionate to its purpose.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: Only in the case of public entities.
  • Other obligations: Register personal data banks. Register transborder flows of personal data. Implement mechanisms for handling requests for the exercise of ARCO rights.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: Yes.
  • Right to portability: No; however, by virtue of the right of access, the data controller is under an obligation to provide the information to the data subject in a readable and accessible format.
  • Right to object: Yes.
  • Automated individual decisions, including profiling: No.
  • Other rights:

Right to objective processing: The holder of personal data has the right not to be subjected to a decision with legal effects on him or significantly affecting him, based solely on a processing of personal data aimed at evaluating certain aspects of his personality or conduct, unless this occurs within the framework of the negotiation, conclusion or execution of a contract or in cases of evaluation for the purpose of incorporation into a public entity, in accordance with the law, without prejudice to the possibility of defending his point of view, in order to safeguard his legitimate interest.

Right of safeguard: In the event that the holder or the person in charge of the personal data bank denies the holder of personal data, totally or partially, the exercise of the rights established in the Personal Data Protection Law, the holder may appeal to the National Authority for the Protection of Personal Data by means of a complaint or to the Judicial Power for the purposes of the corresponding action of habeas data.

Right to be compensated: The holder of personal data who is affected as a result of non-compliance with the Personal Data Protection Law, by the holder or by the person in charge of processing personal data or by third parties, has the right to obtain the corresponding compensation, in accordance with the law.

International transfers:

For the international transfer or transborder flow of personal data, a sufficient level of protection for the personal data to be processed or at least comparable to that provided by the Personal Data Protection Act, or by international standards in the field, must be ensured.

A sufficient level implies a level of protection that encompasses at least the provision of and compliance with the guiding principles of that law, as well as technical security and confidentiality measures, appropriate to the category of data concerned.

Where the recipient country does not have an adequate level of protection, the sender of the transborder flow of personal data must ensure that the processing of personal data is carried out in accordance with the provisions of the Personal Data Protection Act, subject to certain exceptions set out in the Act.

There is no list of countries considered safe or with adequate levels, but through advisory opinions, the authority has indicated that some jurisdictions, such as the European Space or Mexico, do have adequate levels.

Sanctioning regime:

Failure to comply with the provisions of the Personal Data Protection Act may result in the imposition of fines of up to approximately USD 107,000. The authority may also impose corrective measures, such as the issuance of orders for the cessation of the infringing conduct. The authority can also issue interim measures.

Certification or accreditation of compliance for companies: No.

Other highlights: Cross-border flows, as well as the processing of personal data, in general, should be laid down in legal instruments (contracts), which regulate the obligations and responsibilities of the data subject and the data processor.

Other related legislation: Law No. 29571, Code of Consumer Protection and Defence: This law establishes, based on the provisions of the Personal Data Protection Law, that consumer data such as e-mail, telephone, etc., can only be subject to marketing with prior, express, free and informed consent.