The Autoridad Nacional de Protección de Datos Personales (ANPDP) serves as Peru's dedicated supervisory authority for data protection, operating under the Ministry of Justice and Human Rights. As the primary enforcer of Law No. 29733 (Ley de Protección de Datos Personales), the ANPDP has progressively strengthened its oversight capabilities, conducting more investigations, issuing more directives and imposing increasingly significant penalties on non-compliant organisations. For businesses operating in Peru, understanding the ANPDP's role, powers and expectations is essential for maintaining compliance and avoiding enforcement actions.
The ANPDP's Role and Powers
The ANPDP was established as the national authority responsible for guaranteeing the fundamental right to the protection of personal data. Its mandate encompasses a broad range of functions that collectively shape the data protection landscape in Peru. The authority's core responsibilities include supervising compliance with Law 29733, maintaining the National Registry of Personal Data Banks, resolving complaints filed by data subjects, providing guidance and opinions on data protection matters, and promoting awareness of data protection rights and obligations.
The ANPDP operates with considerable autonomy in its enforcement activities. It has the power to initiate investigations either in response to complaints or on its own initiative, issue binding directives that interpret and supplement the provisions of Law 29733, impose administrative sanctions for non-compliance, and order corrective measures that organisations must implement within specified timeframes.
Supervisory and Sanctioning Authority
The ANPDP's supervisory authority extends to all entities that process personal data within Peru's jurisdiction. This includes both data bank holders (titulares del banco de datos personales) and data processors (encargados del tratamiento), as well as any third parties involved in data processing activities.
The authority's sanctioning powers are clearly defined in Law 29733 and its implementing regulations. The ANPDP can investigate alleged violations, determine whether infractions have occurred, impose fines proportionate to the severity of the violation, and mandate specific corrective actions. Importantly, the ANPDP can also order the temporary or permanent suspension of data processing activities, which represents one of the most impactful enforcement tools available to the authority.
Decisions issued by the ANPDP can be appealed through administrative channels and, ultimately, before the judiciary. However, organisations should be aware that the administrative process itself can be time-consuming and resource-intensive, making proactive compliance far more efficient than reactive dispute resolution.
Inspection and Audit Procedures
The ANPDP conducts inspections and audits to verify compliance with data protection obligations. These activities can be triggered by several factors, including complaints from data subjects, discrepancies or omissions identified in the National Registry of Personal Data Banks, sector-specific reviews, or the authority's own monitoring activities.
During an inspection, ANPDP officials may request access to facilities where personal data is processed, examine documentation related to data processing activities, interview staff members responsible for data protection, review technical security measures and access controls, and verify that registered information in the National Registry accurately reflects actual processing activities.
Organisations are legally obligated to cooperate fully with ANPDP inspections. Obstruction or refusal to cooperate can itself constitute an infraction, potentially escalating the severity of any findings. Maintaining well-organised documentation and having designated staff who understand data protection obligations are critical factors in managing inspections effectively.
Our Data Protection Manager platform helps organisations maintain inspection-ready documentation by centralising all data protection records, consent evidence and compliance assessments in a single accessible system.
Penalty Framework
Law 29733 establishes a three-tiered penalty framework that classifies infractions by severity and prescribes corresponding fine ranges measured in UIT (Unidades Impositivas Tributarias, the tax reference unit that the Ministry of Economy and Finance sets each year, so the value of a fine range in soles changes annually).
Minor Infractions (0.5 to 5 UIT)
Minor infractions include procedural failures that do not directly compromise the security or integrity of personal data. Examples include failing to respond to data subject requests within the prescribed timelines, minor deficiencies in privacy notices, or administrative omissions in the registration of data banks that are subsequently corrected.
Serious Infractions (5 to 50 UIT)
Serious infractions involve more substantive violations that affect the rights of data subjects or undermine the integrity of the data protection framework. These include processing personal data without adequate consent, failing to register data banks with the National Registry, inadequate implementation of security measures that does not rise to the level of a very serious infraction, and non-compliance with ANPDP directives or orders.
Very Serious Infractions (50 to 100 UIT)
Very serious infractions represent the most egregious violations and carry the heaviest penalties. These include processing sensitive personal data without the explicit consent of the data subject, systematically obstructing the ANPDP's supervisory functions, collecting personal data through fraudulent or deceptive means, and transferring personal data internationally without adequate protections in place.
The ANPDP considers several factors when determining the specific fine within each range, including the nature and gravity of the infraction, the number of affected data subjects, the degree of intent or negligence, the economic capacity of the offender, and whether the organisation has previously been sanctioned for similar violations.
Recent Enforcement Actions
The ANPDP has demonstrated an increasingly active enforcement posture in recent years. The authority has pursued cases across multiple sectors, including healthcare, financial services, telecommunications and education. Notable enforcement trends include increased scrutiny of consent management practices, particularly in the context of digital services and marketing activities, growing attention to security measures and data breach prevention, and targeted reviews of specific sectors where personal data processing is particularly intensive.
These enforcement actions signal that the ANPDP is committed to ensuring meaningful compliance rather than merely formal adherence to registration requirements. Organisations should view the authority's increasing activity as a clear indicator that substantive compliance measures are essential.
Directive No. 01-2020-JUS/DGTAIPD on Video Surveillance
One of the ANPDP's most significant regulatory interventions has been Directive No. 01-2020-JUS/DGTAIPD, which establishes specific rules for the processing of personal data through video surveillance systems. This directive addresses a gap in the original legislation and reflects the authority's proactive approach to emerging data protection challenges.
The directive requires organisations operating video surveillance systems to register the associated data banks, display visible notices informing individuals that they are being recorded, implement appropriate security measures for stored footage, establish retention periods for recorded material, and comply with data subject access requests related to video recordings. Non-compliance with the video surveillance directive can result in the same penalties as other violations under Law 29733, making it essential for organisations with CCTV systems to review their practices against the directive's requirements.
Consent Management Requirements
The ANPDP places particular emphasis on proper consent management as a cornerstone of data protection compliance. Under Law 29733, consent for the processing of personal data must be free, prior, express, informed and unequivocal. The authority has issued guidance clarifying that pre-ticked boxes, bundled consents and implied consent mechanisms generally do not meet the legal standard.
Organisations must be able to demonstrate that consent was obtained before data processing commenced and that data subjects were clearly informed of the purposes of processing, the identity of the data controller, any planned international transfers, and their ARCO rights (access, rectification, cancellation and opposition). Consent records should be maintained systematically, with the date and form of the consent and the notice shown at the time, and be readily accessible for inspection by the ANPDP.
For sensitive personal data, including information about health, religious beliefs, political opinions, ethnic origin and sexual orientation, explicit and written consent is required. The heightened consent requirements for sensitive data reflect the potential for greater harm when such information is mishandled.
Security Measures Requirements
The ANPDP expects organisations to implement security measures proportionate to the nature and sensitivity of the personal data they process. While Law 29733 does not prescribe specific technologies, the implementing regulations and ANPDP guidance outline the types of measures that are considered appropriate.
Technical measures include access controls and authentication mechanisms, encryption of personal data both in transit and at rest, regular backup and recovery procedures, intrusion detection and prevention systems, and logging and monitoring of data access activities. Organisational measures encompass data protection policies and procedures, staff training and awareness programmes, incident response plans, regular security assessments and audits, and clear roles and responsibilities for data protection. Our Policy Framework module provides ready-to-deploy templates for documenting these organisational measures effectively.
Data Breach Notification Practices
While Law 29733 does not contain the same prescriptive breach notification requirements found in regulations like the GDPR, the ANPDP has increasingly emphasised the importance of data breach management as part of overall compliance. The security principle under Law 29733 implicitly requires organisations to take prompt action when security incidents occur.
Best practices endorsed by the ANPDP include maintaining a data breach response plan, promptly investigating and containing security incidents, assessing the impact on affected data subjects, notifying the ANPDP of significant breaches, communicating with affected individuals when the breach poses a risk to their rights, and documenting all incidents and response actions for audit purposes. Organisations should establish clear breach detection and response procedures rather than waiting for a regulatory mandate, as the ANPDP may view inadequate breach management as a failure to implement appropriate security measures.
Practical Steps to Maintain ANPDP Compliance
Maintaining ongoing compliance with ANPDP requirements demands a systematic approach that integrates data protection into everyday business operations. Here are the essential steps organisations should take:
- Conduct regular compliance assessments: Periodically review your data protection practices against Law 29733 requirements and ANPDP guidance to identify and address gaps
- Maintain accurate registry entries: Ensure all personal data banks are registered and that registry information is kept current with any changes to processing activities
- Strengthen consent mechanisms: Review and improve consent collection processes to meet the ANPDP's expectations for free, prior, express, informed and unequivocal consent
- Implement robust security measures: Deploy technical and organisational safeguards proportionate to the data you process and regularly test their effectiveness
- Prepare for inspections: Maintain organised, readily accessible documentation of all data protection activities, including consent records, security measures and processing records
- Establish a breach response plan: Develop and test procedures for detecting, investigating, containing and reporting data security incidents
- Train your workforce: Ensure all employees understand their data protection responsibilities through regular awareness training programmes
- Monitor ANPDP directives: Stay informed about new directives, guidelines and enforcement trends issued by the ANPDP that may affect your obligations
- Engage expert support: Consider appointing a dedicated compliance officer or engaging DPO support services to provide ongoing guidance and oversight
Conclusion
The ANPDP's growing enforcement activity makes it clear that Peruvian data protection compliance is not optional. With the authority conducting more inspections, issuing more detailed guidance and imposing meaningful penalties, organisations must take a proactive approach to meeting their obligations. By understanding the ANPDP's expectations, implementing comprehensive security measures, maintaining rigorous consent practices and preparing for regulatory scrutiny, businesses can protect themselves from enforcement actions while demonstrating genuine commitment to the protection of personal data. A digital compliance platform like the ResGuard Compliance Map provides the tools needed to manage ANPDP compliance efficiently, from data bank registration to ongoing monitoring and audit readiness.