By Carol Quiroz, Firm: Estudio Olaeche
This article analyses the impact of the GDPR in Peru, including the Advisory Opinion on its applicability issued by the Peruvian Data Protection Authority, only four months after its implementation in Europe.
Peru has had a data privacy legal framework since 2011: the Peruvian Data Privacy Law, Nº 29733 (the ‘Law’) was published on 4 July 2011, and its implementing Regulations were published on 22 March 2013 (amended in 2017). Both entered fully into force in May 2013, so all the provisions of both the Law and the Regulations are mandatory for any individual or legal entity that processes personal information of individuals in Peru.
The purpose of both Law and Regulations is to ensure the fundamental right to protection of personal data as set forth in paragraph 6 of Article 2 of the Peruvian Constitution, in order to guarantee its appropriate processing, so that the respect of other fundamental rights is also assured.
The Peruvian Data Protection Authority (the ‘Peruvian DPA’) has been aware of the entry into force of the European GDPR, as it is one of the most important data protection reforms in recent years. Indeed, on 4 September 2018, almost four months after it came into force, the Peruvian DPA issued Advisory Opinion N° 46-2018-JUS/DGTAIPD, expressly analysing the applicability of the GDPR in Peruvian territory.
In this Advisory Opinion the Peruvian DPA stated:
‘1. The GDPR will be applicable when the processing of personal data of residents of the European Union is carried out in this territory or within the framework of the activities of a branch in the European Union.
2. The GDPR does not apply when European Union residents’ personal data is processed in Peru.
3. Considering the sovereignty of the Peruvian State, the processing of personal data treated in Peru is subject to the provisions of Law N° 29733, Law on Protection of Personal Data, and its Regulations.
4. If a legal entity, whose main domicile is Peru, has a branch or headquarters in the European Union, it must comply with the regulations of such territory, within the processing activities carried out in it.’
Therefore, the Peruvian DPA is conscious of the application of the GDPR provisions, although local regulations have prevailed. An example of this is that investigations into the processing of personal information on the Internet (web pages and platforms) have intensified, since the Law is extensive enough to include any type of processing. From our experience in data processing procedures, we have learned that the Peruvian Authority uses the criteria applied by the Spanish Data Protection Authority as a first reference, so it is expected that in practice (using the investigative powers granted by the Law), the authority will raise the standards of protection until an internal reform is enacted.
Finally, please note that Peruvian Law includes the following guiding principles:
- Personal information can only be processed with free, prior, informed, express and unequivocal consent (through ordinary or electronic means).
- The consent document must contain all the information regarding the collection and processing of data, data importers and cross-border flows of data.
- Express consent is only valid if the data subject can choose between an ‘Accept’ or ‘Reject’ option.
- Data collectors and data processors must adopt adequate technical, organisational and legal measures to ensure the safety of the information and avoid its alteration, loss, or unauthorised processing or access.
- Processors and sub-processors must guarantee adequate security measures.
- ARCO (access, rectification, cancellation and opposition) rights are guaranteed and any act or omission that contravenes or fails to comply with the provisions of the Law constitutes a punishable infraction.
- Administrative fines can be imposed for minor, serious or very serious infractions. Fines range from approximately USD 640.00 to USD 130,000, depending on the infraction.