Last modified 10 February 2026

Data Protection in Peru

Breach notification in Peru

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Peru

Article 2 of the Political Constitution of Peru sets forth certain fundamental rights that every person has, including a right to privacy regarding information that affects personal and family privacy, which was the basis for the creation of a law that specifically protects the use of personal data of any natural person and applies to both private and state entities. The Personal Data Protection Law No. 29733 ('PDPL') was enacted in June 2011. In March 2013, Supreme Decree No. 003-2013-JUS-Regulation of the PDLP ('2013 Regulation') was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.

However, it should be noted that a new Regulation to the PDPL was enacted through Supreme Decree No. 016-2024-JUS, dated November 30, 2024 ('New Regulation'). The New Regulation seeks to strengthen the protection of personal data under the PDPL by introducing enhancements aimed at addressing the challenges arising from the rapid development of e-commerce, artificial intelligence, and similar digital technologies. The New Regulation entered into force on March 30, 2025, replacing the 2013 Regulation. In addition, it introduces new obligations, including, among others, the designation of a data protection officer and the obligation to notify personal data security breaches.

Taken together, the PDPL and the New Regulation constitute the primary data protection legal framework in Peru.

Further, enacted in 2001 and amended several times since then, Law No. 27489 regulates private risk centers and the protection of the owner's personal information. Law No. 27489 regulates activities related to risk centers and companies that handle:

Information posing higher risks to individuals (e.g., related to financial, commercial, tax, employment or insurance obligations or background of a natural or legal person that allows evaluating its economic solvency), and
Sensitive personal data (according to the PDPL)

On January 24, 2026, through Legislative Decree No. 1700, Law No. 30096 – the Cybercrime Law was amended to incorporate a new cybercrime offense consisting of the acquisition, possession, exchange, or commercialization of personal data databases obtained without consent, through the breach of security systems, or by committing another cybercrime, whether the unlawful origin of such data was known or should reasonably have been presumed.

Related resources

Definitions

Definitions in Peru

Definition of Personal Data

Any information, whether numerical, alphabetical, graphic, photographic, acoustic, or of any other nature, relating to an individual’s personal habits, location, online identifiers, or any other physical, economic, cultural, or social aspects, that identifies or may reasonably be used to identify a specific individual. Information is considered identifiable when the individual’s identity can be directly or indirectly verified from the combination of data through means that can be reasonably used.

Definition of sensitive personal data

Any informatoin revealing or related to an individual's

Genetics
Biometrics
Neural data
Moral or emotional data
Sexual or family life
Personal habits regarding the most intimate sphere
Union membership
Physical or mental health
Other similar informatoin impacting an individual's privacy in similar ways.

Definition of Health-related Personal Data

Any information concerning the past, present or predicted health, physical or mental, of an individual, including information derived from a medical act, the degree of disability, and genetic information.

Related resources

Authority

National data protection authority in Peru

The Directorate for the Protection of personal data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (NDPA), is the primary agency in charge of enforcing data protection matters.

The NDPA’s current address is:

Scipion Llona 350
Miraflores, L-18
Lima
Peru

Website

Related resources

Registration

Registration in Peru

The National Data Protection Registry ('NDPR') maintains information about personal databases of public or private ownership and publishes a list of such databases to facilitate individuals’ exercise of their rights of access to information, rectification, cancellation, opposition and others regulated in the PDPL and its Regulation.

In addition, the NRPDP maintains records of:

Communications of cross-border flow of personal data, and
The sanctions, precautionary or corrective measures imposed by the NDPA

Database controllers must register their databases before the NDPR, providing the following information:

Identification details of the database controller
The channels (physical address, email address and/or telephone number) through which data subjects may exercise their privacy rights.
Database name, and
Purpose(s) for which the database is used

Likewise, cross-border transfers of personal data must be registered before the NDPA, indicating the identity of the recipient and the destination country.

Related resources

Data protection officers

Data protection officers in Peru

The New Regulation introduces the requirement to appoint a Data Protection Officer ('DPO') under certain circumstances. This requirement applies to Data Controllers and Data Processors who either:

Are public entities
Process large volumes of Personal Data, in terms of quantity or the nature of the data processed, or
Carry out data processing activities that involve the processing of:
- Pesonal Data relating to a large number of data subjects,
- Sensitive Personal Data as part of the entity's core activity or main line of business, or
- Personal Data whose processing may result in evident prejudice to the fundamental rights or freedoms of data subjects

Compliance with this obligation is subject to staggered grace periods, ranging from November 30, 2025 to November 30, 2028, depending on the entity’s annual revenue, as follows:

Company Type / Size	Annual Revenue	Grace Period
Large	Over S/ 12’650,000 (approx. USD 3’756,050).	November 30, 2025
Medium	Over S/ 9’350.000 (approx. USD 2’777,000.00) and up to S/ 12’650,000 (approx. USD 3’756,050).	November 30, 2026
Small	Over S/ 825,000 (approx. USD 245,000.00) and up to S/ 9’350.000 (approx. USD 2’777,000.00).	November 30, 2027
Micro	Up to S/ 825,000 (approx. USD 245,000.00).	November 30, 2028

In this regard, on December 31, 2025, through Directorial Resolution No. 100-2025-JUS-DGTAIPD, the authority published the Directive establishing provisions on the designation, performance, and functions of the DPO ('Directive').

According to the Directive, the individual appointed as DPO must meet the following requirements:

Have at least two (2) years of general professional experience in functions related to personal data protection or related fields, such as information security, cybersecurity, digital governance, artificial intelligence, or other activities related to the processing of personal data.
Have at least one (1) year of specific experience in activities directly related to personal data protection, at a national or international level, in either the public or private sector.
Possess duly accredited knowledge of personal data protection. Such knowledge may be evidenced through proven and continuous experience in university teaching or research in the field, completed postgraduate studies or academic degrees, or certifications and/or diplomas in personal data protection or related matters, in accordance with the criteria set out in the Directive.
Demonstrate moral and ethical integrity, which includes not having a final criminal conviction for intentional crimes, being subject to a formal criminal investigation, or having been convicted of computer-related crimes, among other circumstances set out in the Directive.

Additionally, the DPO must:

Act with functional independence in the performance of their duties, meaning that they may not be instructed or directed regarding the substance of their opinions, recommendations, or technical decisions.
Be familiar with the internal regulations, directives, and guidelines governing the company’s data protection management framework.
Have knowledge of the sector in which the company operates, as well as the regulations and obligations that directly or indirectly affect personal data processing activities.

The key responsibilities of the DPO include:

Informing and advising on the obligations established under personal data protection regulations.
Monitoring and reporting on compliance with applicable laws and with the policies of the data controller or data processor, including the allocation of responsibilities, awareness-raising and training of personnel involved in processing activities, and the performance of audits.
Cooperating with the NDPA in the exercise of its functions and powers.
Acting as the primary point of contact with the NDPA on matters related to the processing of personal data.

The DPO may be either internal or external to the company. The appointment of the DPO must be notified to the NDPA within 15 business days following the designation. Likewise, the identification and contact details of the DPO must be made available to data subjects.

Related resources

Collection and processing

Collection and processing in Peru

As a general rule, the collection and processing of personal data require the data subject’s prior, informed, express, and unequivocal consent, which may be granted through electronic means.

Likewise, the collection and processing of sensitive personal data require the data subject’s prior, informed, express, and unequivocal consent, which must be granted in writing.

The data subject’s consent is not required in the following cases:

The data are compiled or transferred for the fulfillment of governmental agency duties
The data are contained or destined to be contained in a publicly available source
The data are related to credit standing and financial solvency, as governed by applicable law (Law Nº 27489)
A law is enacted to promote competition in regulated markets, under the powers afforded by the Framework Law for Regulatory Bodies of Private Investmenton Public Services (Law Nº 27332), provided that the information supplied does not breach the user’s privacy
The data are necessary for a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship
The data are needed to protect the health of the data subject, and data processing is necessary, in circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy
The data are needed for public interest reasons declared by law or public health reasons (both must be declared as such by the Ministry of Health) or to conduct epidemiological studies or the like, if dissociation procedures are applied
The data are dissociated or anonymized
The data are used by a nonprofit organization with a political, religious, ortrade union purpose, and refer to the data of its members within the scope of the organization´s activities
The data are necessary to safeguard the legitimate interest of the data subject orthe data handler
The data are being processed for purposes linked to money laundering and terrorist financing or others that respond to a legal mandate
In the case of economic groups made up of companies that are considered subjects obliged to inform, the data is processed in accordance with the rules that regulate the Financial Intelligence Unit, so that they may share information with each other about their respective clients to prevent money laundering and financing of terrorism (as well as in other instances of regulatory compliance, establishing adequate safeguards on the confidentiality and use of the information exchanged)
When the treatment is carried out in a constitutionally valid exercise of the fundamental right to freedom of information
Others expressly established by law

If the data controller outsources the processing of the personal data to a third party (ie, a processor), such party must also comply with the relevant requirements of the PDLP (eg, to maintain personal data as confidential and to use the personal data only for the purposes authorized and modify inaccurate information).

Upon termination or expiration of the outsourcing agreement, the personal data processed must be deleted, unless the data subject provides express consent to do otherwise.

The processing of personal data by cloud services, applications and infrastructure is permitted, provided compliance with the provisions of the PDPL and its Regulation is guaranteed.

Related resources

Transfer of personal data

Transfer of personal data in Peru

Transfer

Where personal data is transferred to another entity, recipients must be required to handle such personal data in accordance with the provisions of the PDPL and its Regulation. Generally, data subject consent is required.

Cross-border transfers

The transferring entity may not transfer personal data to a country that does not afford adequate protection levels (protections that are equivalent to those afforded by the PDPL or similar international standards).

If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country is contractually obligated to provide 'adequate protection levels’ to the personal data, such as via a written agreement that requires that the personal data will be protected in accordance with the requirements of the PDPL, or under one of the following circumstances:

In accordance with international treaties in which Peru is a party
For purposes of international judicial cooperation or international cooperation among intelligence agencies to combat
- Terrorism
- Drug trafficking
- Money laundry
- Corruption
- Human trafficking, and
- Other forms of organized crime
When necessary for a contractual relationship with the data subject, or for a scientific or professional relationship
Bank or stock transfers concerning transactions in accordance with the applicable law
The transfer is performed to protect, prevent, diagnose or medically or surgically treat the data subject, or to perform studies of epidemiology or the like, provided a data dissociation procedure has been applied
The owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer to the inadequate jurisdiction
Other exempt purposes established by the Regulations

For both domestic and cross-border transfers, the recipient must assume the obligations set for in the PDPL and its Regulations. The transfer must be formalized, such as by binding written contract, and capable of demonstrating that the database holder or the data controller communicated to the recipients the conditions in which the data subject consented to their processing.

As an alternative to the above mentioned “adequate transfer” requirement, a Data Controller may execute with a Data Processor (or other Data Controller) the standard contractual clauses already approved by the Peruvian Data Protection Authority, which include several obligations and declarations regarding the data transfer between the parties.

Related resources

Security

Security in Peru

Database holders and data controllers must adopt technical, organizational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.

Therefore, they must comply with, among others, the following security measures:

Document and implement mechanisms for access management, identification and authentication procedures, biannual verification of privileges and use of mechanisms such as passwords, digital certificates and tokens.
Monitor and periodically review security measures and staff training according to their roles and responsibilities.
Document and implement the generation of legible and timely records of interactions with data, including for traceability purposes, account information, schedules, actions, among others. Such records should have a procedure for disposal, storage, transfer, destruction, a minimum retention of two years and secure disposal; and should be generated continuously and immediately.
Document and implement measures to prevent unauthorized access and reproduction of digital documents, and exclusive use of approved institutional systems and tools, and
Implement at least: (i) controls to maintain secure areas, (ii) controls to maintain secure equipment inside and outside the facilities, and (iii) controls to ensure the generation of secure and continuous backup copies and their integrity verification. Taking as a reference the recommendations indicated in the 'NTP-ISO/IEC 27001' in the current edition.

Likewise, with the entry into force of the New Regulation, the holder of the personal database shall implement a Security Document that must have a certain date. The Security Document must be updated and contain, as a minimum, the procedures for access management, privilege management and periodic verification of the privileges assigned to the information systems. This includes technological platforms, mobile applications, database engines, among others, used for the processing of personal data, as well as internal policies for the management and processing of personal data, which must consider the context and life cycle of the data.

Furthermore, the NDPA has issued a Security Directive trough the Directorial Resolution No. 019-2013-JUS/DGPDP, as an instrument that makes it possible for those actors who process personal data to act in accordance with the applicable law as it provides guidance on the conditions, requirements and technical measures that shall be considered to comply with the applicable regulation.

Related resources

Breach notification

Breach notification in Peru

According to the New Regulation, a 'personal data security incident' is defined as any breach of security that results in destruction, loss, unlawful alteration, or unauthorized disclosure of, or access to, personal data.

Where a personal data security incident results in the exposure of large volumes of personal data -whether by volume or by the nature of the data- or affects a large number of data subjects, involves Sensitive Personal Data, or gives rise to evident prejudice to the data subject’s fundamental rights or freedoms, the database holder must notify the NDPA no later than 48 hours after becoming aware of the incident.

If the notification is submitted after this period, it must include the reasons for the delay, together with supporting evidence. At a minimum, the personal data security incident notification must include the following information:

The nature of the personal data security incident, including, where possible, the categories of personal data involved and the approximate number of affected data subjects;
The name and contact details of the DPO or another contact point from whom additional information may be obtained;
The potential consequences of the personal data security incident; and
The measures adopted or proposed by the data controller to address the personal data breach, including, where applicable, measures taken to mitigate its possible adverse effects.

The personal data security incident reporting form may be accessed through the following link: https://reporte.cnsd.gob.pe/home/minjus

It should be noted that this notification obligation applies even if the data controller considers that the incident has already been remedied or internally resolved.

Likewise, when a database holder becomes aware of a personal data security incident that affects the data subject’s other rights, it must inform the affected data subject without undue delay and, in any event, within 48 hours.

Such communication must be made in clear and simple language and include information on the measures adopted to mitigate the effects of the incident. If the communication is made after the 48-hour period, the reasons for the delay must be provided.

Furthermore, where a personal data security incident occurs in and/or through a digital environment, the incident must be reported not only to the NDPA but also to the National Center for Digital Security, for its registration in the National Register of Digital Security Incidents, in accordance with Emergency Decree No. 007-2020, which approves the Digital Trust Framework ('Emergency Decree').

Pursuant to the Emergency Decree, public administration entities, digital service providers in the financial sector, public utilities providers (electricity, water, and gas), healthcare and passenger transportation service providers, internet service providers, other providers of critical activities (defined as economic and/or social activities whose disruption would have serious consequences for public health and safety, the continuity of essential services, or the overall economic and social well-being) and educational service providers must comply with the following obligations: (a) notify the National Center for Digital Security of every digital security incident; and (b) report and cooperate with the NDPA in the event of a digital security incident involving personal data.

Related resources

Enforcement

Enforcement in Peru

At a glance

The Inspection and Investigation Directorate (part of the NDPA) is the organizational unit responsible for supervising and monitoring compliance with the obligations and prohibitions set forth in the Personal Data Protection Law and its Regulations. It is also in charge of initiating administrative sanctioning proceedings for infringements of personal data protection regulations and conducting the investigation phase of such proceedings.

The Personal Data Protection Directorate (part of the NDPA) is the organizational unit responsible for resolving, at first instance, administrative sanctioning proceedings related to personal data protection, as well as trilateral administrative proceedings for the protection of data subjects’ rights. It is also responsible for administering the National Register of Personal Data Protection.

The Transparency, Access to Public Information and Personal Data Protection General Directorate (part of the NDPA) resolves in the second and last instance the sanctioning procedure and its decision exhausts the administrative route.

Possible sanctions for breaching data protection standards vary depending on the nature or magnitude of the offense:

The fine applicable to minor infringement ranges from S/ 2,750 to S/ 27,500 (approximately between USD 817 and USD 8,168).
The fine applicable to severe infringements ranges from S/ 27,500 to S/ 275,000 (approximately between USD 8,168 and USD 81,675).
The fine applicable to very severe infringements ranges from S/ 275,000 to S/ 550,000 (approximately between USD 81,675 and USD 163,350).

Related resources

Electronic marketing

Electronic marketing in Peru

The PDPL does not expressly regulate electronic marketing. However, the PDPL does apply to electronic marketing activities if personal data is processed as a result.

If consent is obtained through electronic media, the notice requirements can be met by publishing accessible and identifiable privacy policies with the relevant consent language and mechanism. The PDPL establishes the possibility of obtaining express consent by presenting the option to agree with the privacy policies in clickable ways (eg, by clicking, ticking a box).

Written consent may be provided by other options, including:

Through an electronic signature
A written document possible to read or print
A mechanism or procedure that allows one to identify the subject and to receive his consent through a written text
A pre-established text as long as it is easily visible, legible and written in simple language

The laws governing electronic signatures are:

Law N° 27291
The Digital Certificates and Signatures Law (Law N° 27269)
Supreme Decree N° 052-2008-PCM (Regulation of Law No. 27269)

Note that expressing the will in any of the regulated forms does not eliminate the other requirements of consent referring to that consent must be prior, informed, express and unequivocal.

Additionally, pursuant to Article 58.1 of Law No. 29571 – the Consumer Protection and Defense Code, the use of call centers, automated or manual telephone calling systems, the sending of text messages to mobile phones, or the mass distribution of electronic messages for the purpose of promoting products or services is prohibited, as is the provision of telemarketing services to consumers. The sole exception to this prohibition applies where a consumer, on their own initiative, has directly contacted the supplier and has granted their free, prior, informed, express, and unequivocal consent to be contacted through a telephone number, e-mail address, or any other analogous means of communication. Such consent may be revoked at any time, with immediate effect and without cause, in accordance with the applicable personal data protection regulations.

Related resources

Online privacy

Online privacy in Peru

The New Regulation introduces specific provisions on online privacy, expressly recognizing localization data as a category of personal data. Likewise, although cookies are not expressly regulated, the PDPL applies where personal data is collected and processed through the use of such mechanisms.

This requires that the use and deployment of cookies, location data or another personal data that will be collected must comply with data privacy laws. As a general rule, the data subject’s consent must be obtained before cookies and/or location data can be used. Nevertheless, consent won’t be necessary when an exception is in place. For example, regarding cookies, the NDPA considers that consent is not required for necessary cookies (i.e. those required for the functionalities of a webpage); however, consent will be required for marketing cookies (as they are not strictly required for the functionalities of a webpage but respond to a commercial purpose).

With respect to criminal law enforcement, Legislative Decree No. 1182 permits the National Police of Peru to access the location and geolocation of mobile phones or electronic devices of similar nature in cases of flagrante delicto.

It establishes the obligation for public communications services providers and public entities to keep the data from their users derived from telecommunication services during the first 12 months in computer systems an additional period of 24 months in an electronic storage system.

Such service providers are bound to provide the location and geolocation data immediately, 24 hours a day, 365 days of the year, under warning of being liable to the responsibilities regarded by law in the event of noncompliance.

Related resources

Key contacts

Data protection lawyers in Peru

Daniel Flores

Partner

DLA Piper

Lima

Email Full bio

The nature of the personal data security incident, including, where possible, the categories of personal data involved and the approximate number of affected data subjects;
The name and contact details of the DPO or another contact point from whom additional information may be obtained;
The potential consequences of the personal data security incident; and
The measures adopted or proposed by the data controller to address the personal data breach, including, where applicable, measures taken to mitigate its possible adverse effects.

The personal data security incident reporting form may be accessed through the following link: https://reporte.cnsd.gob.pe/home/minjus

It should be noted that this notification obligation applies even if the data controller considers that the incident has already been remedied or internally resolved.

Quick links

Data Protection in Peru

Breach notification in Peru

Continue reading