Privacy and Data Protection Alert – December 2024

New Regulation of the Personal Data Protection Law

On November 30, 2024, Supreme Decree No. 016-2024-JUS was published, which approves the new Regulation of the Personal Data Protection Law, Law No. 29733.

The new Regulation will enter into force 120 calendar days after its publication, that is, on March 31, 2025, date on which it will replace the regulation that was approved by Supreme Decree N° 003-2013-JUS.

This new Regulation establishes new provisions with respect to the current regulation, such as the following:

• The new Regulation extends its scope of application to cases in which the owner of the database is not established in Peru, but uses means located in Peruvian territory. In this sense, it will be applicable in the following cases:
  • When the owner of the personal data bank is not established in Peruvian territory, but performs activities related to the offer of goods or services addressed to owners of personal data located in the country.
  • When the owner of the personal data bank is not established in Peruvian territory, but performs activities aimed at the analysis of the behavior of the owners of personal data located in the country, as well as to the creation of profiles.
• The designation of the representative by the owners of data banks that are not established in Peruvian territory (who must serve as a point of contact before the National Authority for the Protection of Personal Data) must be publicly reported or communicated to the Authority.
• The following principles applicable to the processing of personal data are recognized:
  • Principle of transparency: the processing of personal data must be reported in a permanent, clear, easy to understand and accessible manner to the owner of the personal data.
  • Principle of proactive responsibility: In the processing of personal data, legal, technical and organizational measures must be implemented in order to ensure compliance with personal data regulations.
• The duty to inform the owners of personal data about the aspects of the processing carried out is extended. In this regard, the owner of personal data must also be informed about the existence of automated decisions, including profiling, and the consequences thereof.
• In order for the owners of data banks to comply with the requirements to carry out cross-border flow of personal data, the National Authority for the Protection of Personal Data may issue a resolution to determine whether a country has a protection comparable to the provisions of Peruvian law.
• The obligation to notify the National Authority for the Protection of Personal Data of certain security incidents within 48 hours after becoming aware of them is incorporated. Such notification must be made when the incidents are of a certain magnitude.
• The obligation to appoint a Personal Data Officer, who will be in charge of informing and advising on the obligations regarding the protection of personal data, when the owner of the data bank carries out certain types of processing, is incorporated.
• It incorporates the power of the owner of the database to carry out an impact assessment regarding the protection of personal data, especially in the case of certain types of processing. Such assessment may be carried out by reference to certain ISO standards.
• In the case of processing of personal data for purposes of advertising and commercial prospecting of products and services, it will be possible to obtain consent for the processing of personal data through a first contact.
• Specific rules are included for the following types of personal data processing:
  • Processing of large volumes of personal data, in quantity or type of data.
  • Processing that may affect a large number of individuals.
  • Processing of sensitive data.
  • Processing that produces a clear prejudice to other rights or freedoms of the owner of the personal data.
• The right to personal data portability is recognized as a manifestation of the right of access. This new right will allow the holder of the personal data to transmit his data from one data bank holder to another, in a structured format, in certain cases.

For further information, please contact José Govea (jgovea@estudiorodrigo.com), Francisco Baldeón (fbaldeon@estudiorodrigo.com) and/or Ramón Vidurrizaga (rvidurrizaga@estudiorodrigo.com).