The Ministry of Justice and Human Rights issued a report last January on the most relevant actions carried out by the National Authority for the Protection of Personal Data during 2022.
Administrative trilateral proceedings
Procedures initiated by the personal data owners with the aim of exercising their ARCO rights (Access, Rectification, Cancellation and Objection) on the processing of their personal data.
173 resolutions between first and second instance
Inspection and sanctioning procedures
59 preventive inspections
317 audited entities, both public and private, mainly from the financial and telecommunications sectors.
128 sanctioning procedures
S/ 8 million in fines imposed approximately
National Register for Personal Data Protection
The National Authority for the Protection of Personal Data is also in charge of the National Register for Personal Data Protection, through which natural or legal persons, public or private, register the personal data banks they manage. Likewise, citizens can know the types of personal data collected and the purposes of their treatment.
4,076 procedures regarding personal data banks (registration, modification, cancellation and registration of sanctions imposed)
2,808 registered personal data banks
Advisory opinions
The purpose of The National Authority for the Protection of Personal Data is to establish criteria for the interpretation of the Law and answer questions from citizens and entities.
21 advisory opinions issued,
11 legal reports and two technical opinions.
In the opinion of The National Authority for the Protection of Personal Data, the most relevant advisory opinions that were issued during 2022 are the following:
Advisory Opinion N° 35
When asked about the installation of software whose purpose is to prevent the commission of the crime of child pornography, The National Authority for the Protection of Personal Data issued Advisory Opinion N° 35-2022-DGTAIPD, in which it stated that the installation and use of software in Company computers that are assigned to their workers do not require their prior consent, since they are within the exception of the rule (execution of a contractual relationship).
However, this does not exempt the employer from clearly informing about the existence of the software, in addition to indicating under what circumstances it would be activated; Otherwise, it could be an indiscriminate use of the software, which could violate the principle of proportionality of the processing of the personal data of the worker.
Advisory Opinion N° 07
In response to the consultation on the use of video surveillance systems in the case of complaints of sexual harassment in educational institutions, The National Authority for the Protection of Personal Data issued Advisory Opinion N° 07-2022-JUS/DGTAIPD in which it stated that in accordance with the Data Processing Directive through Video Surveillance Systems, and article 14 of the Personal Data Protection Law, it is possible to process personal data in classrooms of an educational institution in the event of recurring complaints or reasonable suspicions about the commission of a crime such as sexual harassment. Likewise, it would not be necessary to have the prior consent of the owner of the personal data, as the objective is to safeguard the legitimate interests of the latter.
Advisory Opinion N° 15
In view of the inquiry by the Military Police Pension Fund regarding the possibility of publishing the list of its debtors on its website, in its capacity as manager of the pension and compensation payment regime for its members, The National Authority for the Protection of Personal Data issued the Advisory Opinion N° 015-2022-DGTAIPD in which it stated that personal data processing activities such as dissemination (regardless of the medium), must adhere to the principles and obligations of the Personal Data Protection Law and its regulations. Likewise, the Military Police Pension Fund must follow the established form of collection provided in the Civil Code and the Civil Procedure Code, which does not include the publication of the list of debtors on the entity’s website.
Activities for 2023
The National Authority for the Protection of Personal Data will focus on the modification of the Regulations of the Personal Data Protection Law, as well as the preparation of guides, especially linked to digital environments.