During 2018, the DPPD initiated 45 Administrative Sanctioning Proceedings, finding infringements were committed by 42 of the companies. The total amount of sanctions imposed in these procedures was 221.2 Tax Units (PEN 4150 each unit), which is equivalent to PEN 917,980 in fines for breaches of personal data protection regulations.

The breaches detected by the DPPD are set out in the Personal Data Protection Law and its Regulations. The DPPD imposed seven types of sanctions for mishandling and misuse of personal data committed by companies through the use of unregistered databases.

These infringements were detected and penalised in varying proportions, as set out in the following chart.

The companies that were sanctioned by the DPPD belong to different sectors of the economy. These include gymnasiums, hotels, tourism companies, fund administrators, educational centres, agricultural companies, medical services, casinos, transportation companies, companies in the telecommunications sector, pharmaceutical companies, clubs, the textile sector, cinemas and marketing companies.

As the above chart shows, the DPPD makes active use of its sanctioning power. It is expected that in the following years, this scrutiny will intensify. It is recommended that companies conduct an internal review of their compliance with personal data protection regulations in order to avoid (or minimise) the imposition of sanctions.