On November 30, the new Regulation of the Personal Data Protection Law was published, which will come into effect on March 31, 2025. This new regulation introduces significant changes in the field, among which the following stand out:
1. Territorial scope of application
The regulation will also apply when the data controller or data processor is not established in Peru but carries out activities offering goods or services targeted at data subjects within the country or conducts behavior analysis and profiling of those individuals.
2. Guiding principles
The regulation incorporates the following principles:
- Transparency: The processing of personal data must be communicated in a permanent, clear, easily understandable, and accessible manner to the data subject.
- Proactive Accountability: Legal, technical, and organizational measures must be applied during data processing to ensure compliance with the law. The data controller must be able to demonstrate such compliance.
3. Data Protection Officer
The regulation introduces the role of the Personal Data Officer, who must be appointed under certain conditions outlined in the regulation. The implementation of this requirement will be phased as follows:
- Companies with annual sales exceeding 2,300 UIT: one year after the publication date of this regulation.
- Medium-sized companies with annual sales between 1,700 UIT and 2,300 UIT: two years after the publication date of this regulation.
- Small businesses with annual sales between 150 UIT and 1,700 UIT: three years after the publication date of this regulation.
- Micro-businesses with annual sales of up to 150 UIT: four years after the publication date of this regulation.
4. Exemption from fees for the registration of personal data banks
The registration, modification, and cancellation of personal data banks will be free of charge.
5. Impact assessment
The regulation mandates an impact assessment to analyze risks before personal data processing is undertaken.
6. Security incident and its notification
In the event of a security breach, the incident must be reported to the National Authority for Personal Data Protection within a maximum of 48 hours, even if remedied. Additionally, the incident must be documented.
If the breach affects the data subject’s other rights, the data subject must also be notified within 48 hours.
For digital environments, incidents must also be reported to the National Center for Digital Security for inclusion in the National Registry of Digital Security Incidents.
7. Data Portability
The regulation introduces the right to data portability, allowing data subjects to request that their personal data be transferred from one data controller to another when technically feasible. If the data controller cannot comply, they must demonstrate this incapacity in any applicable tri-party proceedings.
8. Personal data processing for advertising and commercial prospecting
The regulation allows for an initial contact with the data subject to obtain their consent for advertising or commercial prospecting purposes.
9. Corrective Measures
The regulation clarifies the scope of certain corrective measures, including:
- Cessation of data processing.
- Deletion of personal data.
- Actions to reverse the harmful effects of an infringing act.
- Immediate response to the data subject’s exercise of their rights.
10. Mitigating factors of liability
In addition to cooperation with the authority and acknowledgment of the infringement, the regulation includes the following as mitigating factors for administrative liability: (1) implementation of a Code of Conduct; and (2) conducting a Data Protection Impact Assessment.
11. New violations
The regulation identifies new categories of infractions:
Minor Infractions:
- Providing incomplete information on data processing (two or fewer conditions).
- Failure to appoint a Personal Data Officer when required.
Serious Infractions:
- Failure to inform or providing incomplete information on data processing (three or more conditions).
- Failure to notify the National Authority of a security incident.
Very Serious Infractions:
- Processing sensitive personal data without adequate security measures, resulting in harm to the data subject or unauthorized exposure of their personal data.
For more information, contact Alejandro Castro (alejandrocastro@unionandina.com)