Data Protection in Peru

Collection and processing in Peru

The collection and processing of personal data requires the data subject’s prior, informed, express and unequivocal consent. The consent may be expressed through electronic means.

The collection and processing of sensitive personal data requires the data subject’s prior, informed, express and unequivocal consent, and must be expressed in writing.

The data subject’s consent is not necessary if any of the following are true:

  • The data are compiled or transferred for the fulfillment of governmental agency duties
  • The data are contained or destined to be contained in a publicly available source
  • The data are related to credit standing and financial solvency, as governed by applicable law (Law NÂş 27489)
  • A law is enacted to promote competition in regulated markets, under the powers afforded by the Framework Law for Regulatory Bodies of Private Investmenton Public Services (Law NÂş 27332), provided that the information supplied does not breach the user’s privacy
  • The data are necessary for a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship
  • The data are needed to protect the health of the data subject, and data processing is necessary, in circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy
  • The data are needed for public interest reasons declared by law or public health reasons (both must be declared as such by the Ministry of Health) or to conduct epidemiological studies or the like, as long as dissociation procedures are applied
  • The data are dissociated or anonymized
  • The data are used by a nonprofit organization with a political, religious, ortrade union purpose, and refer to the data of its members within the scope of the organization´s activities
  • The data are necessary to safeguard the legitimate interest of the data subject orthe data handler
  • The data are being processed for purposes linked to money laundering and terrorist financing or others that respond to a legal mandate
  • In the case of economic groups made up of companies that are considered subjects obliged to inform, the data is processed in accordance with the rules that regulate the Financial Intelligence Unit, so that they may share information with each other about their respective clients to prevent money laundering and financing of terrorism (as well as in other instances of regulatory compliance, establishing adequate safeguards on the confidentiality and use of the information exchanged)
  • When the treatment is carried out in a constitutionally valid exercise of the fundamental right to freedom of information
  • Others expressly established by law

If the data controller outsources the processing of the personal data to a third party (ie, a processor), such party must also comply with the relevant requirements of the PDLP (eg, to maintain personal data as confidential and to use the personal data only for the purposes authorized and modify inaccurate information).

Upon termination or expiration of the outsourcing agreement, the personal data processed must be deleted, unless the data subject provides express consent to do otherwise.

The processing of personal data by cloud services, applications and infrastructure is permitted, provided compliance with the provisions of the PDPL and its Regulation is guaranteed.

Continue reading

  • no results

Previous topic
Back to top