DLA Piper Intelligence

Data Protection
Laws of the World

Law

Paraguay

Legal framework

  • National Constitution, art. 135, Habeas Data: Any person may file an action to have access to (i) personal data about that person or their property; and (ii) information about the use of such data and the purpose for which it is kept, whether it is stored in public or private data registries. Additionally, any person may request the suppression, correction, confidentiality or updating of the data where it is inaccurate or discriminatory;
  • Criminal Code, art. 174 (Unlawful access to computer systems) and art. 175 (Sabotage of computer systems): individuals or entities that unlawfully access or alter personal data contained in databases (computer systems) are criminally liable;
  • Law No. 1682/2001 “which regulates the use of private information” as amended by laws No. 1969/2002 and 5543/2015 (“Private Information Law”). There are two draft bills which aim to amend articles 5, 9 and 10 of the Private Information Law, that are currently being studied by Congress; and
  • Law No. 4868/2013 “Electronic Commerce” (“Electronic Commerce Law”) and its regulatory decree No. 1165/2014 (“Regulatory Decree of the Electronic Commerce Law”).   

It should be noted that a draft bill that provides a more comprehensive regulatory regime for data protection is pending approval by Congress. Thereafter, if approved, the draft bill will have to be approved by the President in order to become law.

Last modified 14 Jan 2020
Definitions

Definition of personal data 

Personal data is not expressly defined under Paraguayan Law.

Definition of sensitive personal data 

Art. 4 of Private Information Law establishes that sensitive personal data is the following: information related to race or ethnicity; political preferences; individual health status; religious, philosophical or moral convictions; sexual intimacy and, in general, those that foster bias and discrimination, or affect the dignity, privacy, domestic intimacy and private image of individuals or families.

Last modified 14 Jan 2020
Authority

There is no National Data Protection Authority in Paraguay. 

For activities that are considered to be “electronic commerce” as provided by the Electronic Commerce Law, the national authority is the General Direction of Digital Signature and Electronic Commerce – Ministry of Industry and Commerce (“Electronic Commerce Direction”).

Last modified 14 Jan 2020
Registration

Under the current legislation, no registration is required in order to process or store personal data. 

Even though the Electronic Commerce Law does not establish a registration requirement, according to Art. 7 of the Regulatory Decree of the Electronic Commerce Law, the Electronic Commerce Direction has the power to gather information from companies that render services via electronic means (such as electronic data storage companies) regarding:

  • their commercial activity;
  • their identity; and
  • other data established in current regulations.

Such companies have the duty to collaborate with the Electronic Commerce Direction and comply with all information requirements (Art. 8, Regulatory Decree of the Electronic Commerce Law).

Last modified 14 Jan 2020
Data Protection Officers

Under current legislation, the appointment of Data Protection Officers is not required.

Last modified 14 Jan 2020
Collection & Processing

In accordance with the Private Information Law, every person has the right to collect, store and process personal information for a strictly private use (Art. 2).  

Similarly, the collection, storage, processing and publication of personal information are licit, provided such publications do not identify the data subjects (Art. 4). 

Furthermore, the Private Information Law establishes that financial information about persons or entities may be published or disseminated provided that:

  • the data subject gave written and express consent;
  • the information is related to information that private or governmental entities have the duty to publish;
  • the information is public; and
  • the information relates to the fulfilment of financial and commercial obligations such as credit limits, monthly commitments and balances due (Art. 5). 

The Private Information Law also imposes a duty on the person/entity responsible for collecting and/or storing the data to permanently update (when necessary) any personal information regarding the financial situation, solvency and/or the fulfilment of commercial and financial obligations (Art. 7).

A data subject can:

  • access the information and data about themselves, their partners, dependents and/or property; and
  • know the use of such data (Art. 8 of Private Information Law).

Where any information is incorrect, inexact or misleading, the data subject has the right to request its prompt correction, modification or withdrawal. 

In addition, the Regulatory Decree of the Electronic Commerce Law establishes that the express consent of the data subject is required in order to obtain any personal information (Art. 13). In such scenarios, electronic data collection, storage and processing companies (and other companies that render services via electronic means and collect personal data) have the duty to inform the data subject of:

  • the purpose of the collection of such data; and
  • the treatment that the personal information collected will be given.
Last modified 14 Jan 2020
Transfer

Under current legislation, there are no specific provisions that regulate the transfer of private information. However, the transfer of private information may be considered a form of data processing, in which case the same rules that govern the collection and processing of private information should apply.

Last modified 14 Jan 2020
Security

Under current legislation, there are no security requirements regarding the protection of private information. 

The Regulatory Decree of the Electronic Commerce Law establishes, however, that companies that render services via electronic means (and that also collect or process personal or private data) have the duty to:

  • inform the recipient of such data who the person in charge of its custody and storage is; and
  • employ secure systems to avoid the loss, alteration and/or third party access to such data (Art. 11). 

Additionally, such companies have the duty to inform consumers and users (in a transparent, clear and simple manner) of the specifics of the:

  • level of security and privacy policy used for the permanent protection of personal data (Art. 7 of Private Information Law); and
  • security measures and technology used to protect the means of payment and the transfer, processing and/or storage of financial data (Art. 12).
Last modified 14 Jan 2020
Breach Notification

The obligation to notify a data security breach is not established under the current data protection regime.

Last modified 14 Jan 2020
Enforcement

The current legal regime contemplates the following enforcement mechanisms:

  • Without the need for a court order, a data subject can (i) access the information and data about themselves, their partners, dependents and/or property and know the use to which such data is put (Art. 8 of Private Information Law); and (ii) request the correction and suppression of the information (Art. 7 of Private Information Law). However, where the data subject’s efforts to obtain the above are unsuccessful, he/she may bring court actions to get access to personal data and request the correction, suppression or updating of such data; and
  • Violations of the obligations established in the Private Information Law and the Electronic Commerce Law are subject to fines.
Last modified 14 Jan 2020
Electronic Marketing

The Electronic Commerce Law requires that all marketing communications and promotional offers:

  • state that they are commercial communications;
  • include the name of the sender; and
  • provide a mechanism through which the recipient may choose not to receive any further communications from the particular sender. 

Additionally, the communication shall state that the private data of the recipient was obtained without violating privacy rights (Arts. 22 and 23 of the Private Information Law).

Electronic Marketing is also subject to the provisions regarding general marketing and advertisement established in the Consumer’s Protection Law.

Last modified 14 Jan 2020
Online Privacy

The current legal framework does not address location data, cookies, local storage objects or other similar data-gathering tools.

Last modified 14 Jan 2020
Contacts
Jorge Angulo
Junior Partner
Fiorio, Cardozo & Alvarado Law Firm
Francisca Peroni
Associate
Fiorio, Cardozo & Alvarado Law Firm
Last modified 14 Jan 2020