Data Protection in Peru

Transfer in Peru

Where personal data is transferred to another entity, recipients must be required to handle such personal data in accordance with the provisions of the PDPL and its Regulation.

Generally, data subject consent is required.

Cross-border transfers

The transferring entity may not transfer personal data to a country that does not afford adequate protection levels (protections that are equivalent to those afforded by the PDPL or similar international standards). If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country is contractually obligated to provide 'adequate protection levels’ to the personal data, such as via a written agreement that requires that the personal data will be protected in accordance with the requirements of the PDPL, or under one of the following circumstances:

  • In accordance with international treaties in which Peru is a party
  • For purposes of international judicial cooperation or international cooperation among intelligence agencies to combat
    • Terrorism
    • Drug trafficking
    • Money laundry
    • Corruption
    • Human trafficking, and
    • Other forms of organized crime
  • When necessary for a contractual relationship with the data subject, or for a scientific or professional relationship
  • Bank or stock transfers concerning transactions in accordance with the applicable law
  • The transfer is performed to protect, prevent, diagnose or medically or surgically treat the data subject, or to perform studies of epidemiology or the like, provided a data dissociation procedure has been applied
  • The owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer to the inadequate jurisdiction
  • Other exempt purposes established by the Regulations

For both domestic and cross-border transfers, the recipient must assume the same obligations as the transferor of the personal data. The transfer must be formalized, such as by binding written contract, and capable of demonstrating that the holder of the database or the data controller communicated to the recipients the conditions in which the data subject consented to their processing.

As an alternative to the above mentioned “adequate transfer” requirement, a Data Controller may execute with a Data Processor (or other Data Controller) the standard contractual clauses already approved by the Peruvian Data Protection Authority, which include several obligations and declarations regarding the data transfer between the parties.

Continue reading

  • no results

Previous topic
Back to top