Peru has a data privacy legal framework since 2011: the Peruvian Data Privacy Law, Nº 29733 (the ‘Law’) was published on 4 July 2011, and its implementing Regulations were published on 22 March 2013 (amended on 2017). Both entered fully into force in May 2013, so all the provisions of both Law and Regulations are mandatory for any individual or legal entity that processes personal information of individuals in Peru.
The purpose of both Law and Regulations is to ensure the fundamental right to protection of personal data as set forth in paragraph 6 of Article 2 of the Peruvian Constitution, in order to guarantee its appropriate processing, so that the respect of other fundamental rights is also assured.
The Peruvian Data Protection Authority (the ‘Peruvian DPA’) has been aware of the entry into force of the European GDPR, as it is one of the most important data protection reforms in recent years. Indeed, on 4 September 2018, almost four months after it came into force, the Peruvian DPA issued Advisory Opinion N° 46-2018-JUS/DGTAIPD, expressly analysing the applicability of the GDPR in Peruvian territory.
In this Advisory Opinion the Peruvian DPA stated:
‘1. The GDPR will be applicable when the processing of personal data of residents of the European Union is carried out in this territory or within the framework of the activities of a branch in the European Union.
2. The GDPR does not apply when European Union residents’ personal data is processed in Peru.
3. Considering the sovereignty of the Peruvian State, the processing of personal data treated in Peru is subject to the provisions of Law N° 29733, Law on Protection of Personal Data, and its Regulations.
4. If a legal entity, whose main domicile is Peru, has a branch or headquarters in the European Union, it must comply with the regulations of such territory, within the processing activities carried out in it.’
Therefore, the Peruvian DPA is conscious of the application of the GDPR provisions, although local regulations have prevailed. An example of this is that investigations into the processing of personal information on the Internet (web pages and platforms) have intensified, since the Law is extensive enough to include any type of processing. From our experience in the procedures regarding data processing, it has come to our knowledge that the Peruvian Authority uses the criteria applied by the Spanish Data Protection Authority as a first reference, so it is expected that in practice (using the investigation faculties granted by the Law), the authority will raise the standards of protection until an internal reform is enacted.
Finally, please note that Peruvian Law includes the following guiding principles: