Insights

New Regulations passed under Data Protection Law

On November 30, 2024, New Regulations for the Data Protection Law, Law No. 29733, have been published through Supreme Decree No. 016-2024-JUS (“New Regulations”).  The New Regulations maintain some of the key obligations included in previous laws, but it implements the following new rules:

  • First Contact is Allowed.  New Regulations confirm that it is possible to reach out to data subjects to obtain consent for data processing, when data controller has obtained such data lawfully.  If consent is not obtained, it is not lawful to make a new contact or deploy any data processing.
  • Attribution of Liability in Direct Marketing.  It is presumed that the liability for the processing of personal data for advertising and commercial prospecting lies with the beneficiary of such processing, unless proven otherwise.
  • Data Breach Reporting to the Authority.  Security incidents that (i) expose large volumes of data, (ii) exposes sensitive data, or (iii) generate an evident harm to the rights or freedoms of data subjects must be notified to the National Authority for the Protection of Personal Data within 48 hours.  This notification will be required even if the breach is considered to have been resolved internally.  Such notification must include the nature of the incident, the categories of data affected and number of potential victims, the name and contact information of the DPO or any other point of contact, potential consequences of the incident, and measures taken to mitigate its effects
  • Data Breach Reporting to the Data Subject.  Security incidents that affect the rights of data subject must be communicated to such data subjects within 48 hours, in clear and simple language, along with the measures taken to mitigate its effects.
  • Designation of a Data Protection Officer (DPO).  Data controllers must designate a DPO in any of the following scenarios: (i) the processing is carried out by a public entity, (ii) large volumes of personal data are processed by the entity, or a large number of people may be affected through such processing, or sensitive data is involved, or the processing may result in an evident harm to the rights or freedoms of data subjects, or (iii) when main or business activities of the entity involve the processing of sensitive data.
  • Inclusion of the Right to Portability.  Data subjects can request data controllers to provide their personal data to another controller, in a structured, commonly used, and machine-readable format.
  • Designation of Representatives.  Data controllers that are not located in Peru must designate a representative for the Peruvian territory for them to act as a point of contact with the National Authority for the Protection of Personal Data.
  • Effective Date.  New Regulations come into effect on March 30, 2025.  A few obligations, however, come into effect at a later time.  The right of portability obligations come into effect 6 months after the New Regulations come into force.  The obligation to appoint a DPO will come into force in stages:

Company

Effective date

For companies with annual sales exceeding 2300 Tax Units (USD 3,168,000 approximately)

1 year after the publication date of the New Regulations

For medium-sized companies with annual sales exceeding 1700 (USD 2,342,000 approximately) Tax Units and up to the maximum amount of 2300 Tax Units (USD 3,168,000 approximately)

2 years after the publication date of the New Regulations

For small companies with annual sales exceeding 150 Tax Units (USD 207,000 approximately) and up to the maximum amount of 1700 Tax Units (USD 2,342,000 approximately)

3 years after the publication date of the New Regulations

For micro-enterprises with annual sales up to the maximum amount of 150 Tax Units (USD 207,000 approximately) and other equivalents

4 years after the publication date of the New Regulations

If you have any questions about this note, please contact Enrique Felices ([email protected]), Willy Pedreschi ([email protected]), and/or Fiorella Zumaeta ([email protected]).

Related news

The website www.mafirma.pe uses cookies to collect certain information that helps optimize your visit under the following conditions. If you ACCEPT and continue on this site, you acknowledge that these conditions will apply to your browsing. I ACCEPT