Data Protection in Peru

Data protection laws in Peru

Article 2 of the Political Constitution of Peru sets forth certain fundamental rights that every person has, including a right to privacy regarding information that affects personal and family privacy, which was the basis for the creation of a law that specifically protects the use of personal data of any natural person and applies to both private and state entities.

The Personal Data Protection Law N° 29733 ('PDPL') was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP ('Regulation') was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection. 

However, it should be noted that a new Regulation to the PDPL was enacted through Supreme Decree 016-2024-JUS, dated November 30, 2024 ('New Regulation'). The New Regulation aims to enhance the protection of personal data under the PDPL by including improvements to contribute to the defense of the protection of personal data considering the rapid development of e-commerce, artificial intelligence, and similar digital technologies. The New Regulation will formally enter into force on March 30, 2025, except for some dispositions that will enter into force subsequently, and will replace the current Regulation. Likewise, this New Regulation includes new obligations (eg, designation of a data protection officer or the notification of security incidents).  

Together, the PDLP and its Regulation are the primary data protection laws in Peru.

Further, enacted in 2001 and amended several times since then, Law NÂş 27489 regulates private risk centers and the protection of the owner's personal information. Law NÂş 27489 eregulates activities related to risk centers and companies that handle:

  • Information posing higher risks to individuals (eg, related to financial, commercial, tax, employment or insurance obligations or background of a natural or legal person that allows evaluating its economic solvency), and
  • Sensitive personal data (according to the PDPL)

Continue reading

  • no results

Back to top