The Peruvian Law 29733 for Personal Data Protection (the Law) was enacted in July 2011; however, it was only recently, in May 2013, two years on, that the Law's implementing regulations were approved through Supreme Decree No. 003-2013-JUS (the Regulations). This blog provides more detail on the scope of the Regulations, of which we gave a high-level summary in our previous blog when they were first released.

The Law and Regulations will apply to any processing of data by an establishment in Peru, by a holder of a database in Peru, or even where the holder of the database is not located in Peru but uses means located in Peru for the purposes of processing data. Processing for personal purposes relating to family or private life will not be regulated.

The key provisions of the Law to note are as follows:

Consent

  • Processing of personal data requires prior express and unequivocal consent of the data subject that is obtained freely without bad faith or fraud.
  • Sensitive data requires consent in writing by a handwritten signature, a fingerprint, or electronic digital signature.
  • Consent must be informed, including details of the purpose, the recipients, the database, the identity of the database owner, any intended transfers or disclosures to third parties, the consequences of providing the information or of failing to do so, and the rights available to the individual under the Law. Informing by publication of privacy policies is acceptable.
  • Children over 14 and under 18 may consent to processing without parental authority, which is compulsory for children under 14.
  • Exceptions to the consent requirement include when data is:
    • related to a person's health;
    • in the public domain;
    • related to financial solvency;
    • necessary for the execution of a contractual relationship.

Notification

  • All databases must be registered with the public National Registry for the Protection of Personal Data. Any subsequent amendments to notifications require cancellation of the prior registration and submission of a new registration.

Security

  • Security measures must be established to ensure the confidentiality and integrity of stored data, implementing the following Peruvian technical standards:
    • NTP-ISO/IEC 17799:2007 EDI Information Technology. Code of Good Practice for Information Security Management
    • NTP-ISO/IEC 27001:2008 EDI Information Technology. Code of Good Practice for Information Security Management. Requirements.

Data Transfers

  • Transfers of data within an organisational group are permitted provided there is an internal code of conduct regulating the protection of personal data within the group, and processing is carried out in accordance with the Law and Regulations.
  • International transfers must be notified to the DPA and require prior consent. They can only be made to countries with levels of protection for personal data adequate and similar to that offered under the Law, and where the recipient guarantees to provide the same level of protection.
  • Cloud computing is permitted provided the service provider guarantees compliance with the Law and Regulations, and any subcontracting must be reported.
  • Data processors may subcontract to third parties, provided an agreement is entered into and the prior consent of the database holder is obtained.

Subject Access Requests

  • A holder of a database will have the following time limits to respond to data subject requests:
    • Information request – 80 days
    • Access request – 20 days
    • Requests for correction or deletion – 10 days

There will be a two-year transition period for owners of existing databases to comply with the provisions of the Law implemented by the Regulations; however, the obligation to register all databases with the DPA will take immediate effect. Violation of the Law or Regulations can result in a fine ranging from US $7,150 to $142,000.