Law for Personal Data Protection (LPDP) Peru

    Overview

    Peru’s Personal Data Protection Law (Law No. 29733) regulates the collection, processing, storage, and transfer of personal data to ensure individuals’ privacy rights are respected and was enacted to safeguard the fundamental right to personal data protection as guaranteed by Article 2, Paragraph 6 of the Peruvian Constitution. The law aims to promote transparency and security in data handling, balancing individual rights with organizational responsibilities and to align with international data protection standards and establishes the National Authority for Personal Data Protection (ANPDP) to oversee compliance.

     

    Regulation Summary

    Timeline
    • July 3, 2011: Enactment of Ley Núm. 29733.
    • July 3, 2013: Supreme Decree No. 003-2013-JUS approves the regulation of the law.
    • July 3, 2015: Compliance enforcement begins with administrative sanctions for violations.
    What Businesses Are Affected
    • Any entity processing personal data in Peru.
    • Businesses outside Peru targeting Peruvian residents or monitoring their behavior.
    • Public and private sector organizations managing personal data.
    Exemptions
    • Personal data used exclusively for personal or household activities.
    • Data processing for journalistic, artistic, literary, or academic purposes.
    • Data processing by government entities for national security or public safety.
    Responsibilities for Businesses
    • Obtain explicit and informed consent before collecting personal data.
    • Limit data processing to lawful and specified purposes.
    • Ensure data accuracy and relevance.
    • Implement technical and organizational measures to safeguard personal data.
    • Retain data only for the necessary duration.
    • Notify the ANPDP in case of a data breach.
    • Register personal data banks with the ANPDP.
    Specific Responsibilities for Website Owners
    • Implement cookie consent mechanisms.
    • Display clear and accessible privacy policies.
    • Provide secure online forms for data collection.
    • Allow users to exercise their rights (e.g., access, rectification, deletion) through online portals.
    Additional Requirements
    • International data transfers are only allowed to countries with adequate data protection standards or under specific safeguards like contractual clauses. If safeguards are not present, transfers require the data subject’s informed consent.
    • High-risk data processing requires prior approval or assessments.
    • Appoint a Data Protection Officer (DPO) if processing sensitive or large-scale personal data.
    Data Subject Rights
    • Access: Individuals can request access to their personal data.
    • Rectification: Individuals can correct inaccurate or incomplete data.
    • Erasure: Individuals can request the deletion of their personal data.
    • Opposition: Individuals can object to the processing of their data for certain purposes.
    • Portability: Individuals can request the transfer of their personal data in a structured format.
    Enforcement
    • Regulatory Authority: National Authority for Personal Data Protection (ANPDP).
    • Penalties: Fines range from 0.5 UIT ($660 USD) to 100 UIT ($132,000 USD), depending on the severity of the infraction (classified as minor, serious, or very serious).
    • Sanctions: Suspension of data processing activities for non-compliance.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596