Peru's Personal Data Protection Law, formally known as Law No. 29733 (Ley de Protección de Datos Personales), represents a comprehensive framework for safeguarding the personal data of individuals within the country. Enacted in 2011 and supplemented by its implementing regulations under Supreme Decree 003-2013-JUS, this legislation establishes clear obligations for organisations that collect, process and store personal data. For businesses operating in Peru or handling data belonging to Peruvian citizens, understanding this law is essential for avoiding regulatory penalties and maintaining consumer trust.

Scope and Applicability

Law 29733 applies to any personal data contained in or destined for personal data banks, whether managed by public or private entities within Peru. The law covers the processing of personal data carried out in Peruvian territory, including cases where a data controller not established in Peru uses means located within the country to process data. Certain exemptions exist for personal or domestic data use, data processed for national security purposes, and data contained in publicly accessible sources.

The law distinguishes between data controllers (titulares del banco de datos personales) who determine the purposes and means of processing, and data processors (encargados del tratamiento) who process data on behalf of the controller. Both roles carry distinct obligations under the regulatory framework.

The Eight Guiding Principles

Law 29733 is built on eight foundational principles that govern how personal data must be handled. These principles form the backbone of compliance and guide all processing activities.

1. Principle of Legality

All processing of personal data must be carried out in accordance with the law. Data must be collected through lawful and fair means, and any processing activity must have a valid legal basis. This principle prohibits the use of fraudulent, deceptive or illicit methods for obtaining personal data.

2. Principle of Consent

The data subject's free, prior, express, informed and unequivocal consent is required for the processing of their personal data. Consent must be obtained before the data is collected and must specify the purposes of processing. Certain exceptions apply, such as when processing is required by law or when data is obtained from publicly accessible sources.

3. Principle of Purpose

Personal data must be collected for a specific, explicit and lawful purpose. The data must not be processed in a manner incompatible with the declared purpose. If a new purpose arises, fresh consent must be obtained from the data subject unless a legal exception applies.

4. Principle of Proportionality

The processing of personal data must be adequate, relevant and not excessive in relation to the purpose for which the data was collected. Organisations should collect only the minimum amount of data necessary to fulfil the stated objective.

5. Principle of Quality

Personal data must be accurate, complete, up to date and necessary for the purpose of processing. Data controllers are responsible for ensuring the quality of the data they hold and must take reasonable steps to correct or delete inaccurate or outdated information.

6. Principle of Security

Data controllers must implement appropriate technical, organisational and legal measures to guarantee the security of personal data and prevent its alteration, loss, unauthorised processing or access. The level of security must be proportionate to the nature of the data and the risks involved in its processing.

7. Principle of Right of Recourse

Data subjects must have effective means of recourse to exercise their rights regarding their personal data. This includes access to administrative and judicial channels to file complaints and seek remedies when their data protection rights have been violated.

8. Principle of Level of Protection

For international transfers of personal data, the receiving country must provide a level of protection equivalent to that established by Peruvian law. This principle ensures that personal data does not lose its protections when transferred across borders.

Data Subject Rights

Law 29733 grants data subjects a comprehensive set of rights known collectively by the acronym ARCO (Acceso, Rectificación, Cancelación, Oposición). These rights empower individuals to maintain control over their personal information.

  • Right of Access: Data subjects may request information about the personal data held about them, including the purpose of processing and any recipients of the data
  • Right of Rectification: Individuals can request the correction of inaccurate, incomplete or outdated personal data
  • Right of Cancellation: Data subjects may request the deletion or suppression of their personal data when it is no longer necessary for the purpose for which it was collected
  • Right of Opposition: Individuals can object to the processing of their personal data when they have legitimate grounds for doing so

Data controllers must respond to ARCO requests within a maximum of twenty business days. Our Data Protection Manager module provides structured workflows for managing these requests efficiently and within regulatory timeframes.

Obligations of Data Bank Holders

Organisations that maintain personal data banks have specific obligations under Law 29733. These include registering their data banks with the National Registry, obtaining valid consent prior to data collection, implementing appropriate security measures, and ensuring that data is processed only for the declared purposes. Data bank holders must also appoint a person responsible for handling data subject requests and maintaining compliance with the law.

When engaging third-party data processors, the data bank holder remains responsible for ensuring compliance. Processing agreements must be in place that specify the scope of processing, security measures and confidentiality obligations.

ANPDP Oversight and Enforcement

The Autoridad Nacional de Protección de Datos Personales (ANPDP), operating under the Ministry of Justice and Human Rights, serves as Peru's supervisory authority for data protection. The ANPDP is responsible for overseeing compliance with Law 29733, maintaining the National Registry of Personal Data Banks, resolving complaints, conducting investigations and imposing sanctions.

The ANPDP has the power to conduct inspections, request information from data controllers, and issue binding directives. Its enforcement capabilities have strengthened considerably since its establishment, with an increasing number of investigations and sanctions being issued each year.

Supreme Decree 003-2013-JUS

The implementing regulations contained in Supreme Decree 003-2013-JUS provide detailed guidance on how the provisions of Law 29733 are to be applied in practice. These regulations elaborate on consent requirements, the procedures for exercising ARCO rights, security measures, international data transfers, and the registration process for personal data banks. The decree also establishes specific timelines for compliance and defines the technical standards that organisations must meet.

Penalties and Enforcement

Law 29733 establishes a tiered penalty framework with three categories of infractions. Minor infractions can result in fines ranging from 0.5 to 5 UIT (Unidades Impositivas Tributarias). Serious infractions attract fines of 5 to 50 UIT. Very serious infractions, such as processing sensitive data without consent or obstructing the ANPDP's supervisory functions, can result in fines of 50 to 100 UIT. Beyond financial penalties, the ANPDP can order the suspension of data processing activities and require corrective measures to be implemented.

The UIT value is adjusted annually by the Peruvian government. At current rates, maximum penalties for very serious infractions represent a significant financial exposure for non-compliant organisations.

Registration of Personal Data Banks

One of the most distinctive requirements of Peru's data protection framework is the mandatory registration of personal data banks with the ANPDP's National Registry. All public and private entities that maintain personal data banks must register them, providing details on the purpose of the data bank, the categories of data stored, the security measures in place, and any international data transfers. Failure to register constitutes an infraction under the law.

The registration process requires careful documentation of each data bank's characteristics. Our Data Protection Manager helps organisations maintain comprehensive records that facilitate this registration requirement.

Practical Steps for Compliance

Achieving compliance with Law 29733 requires a structured approach that addresses all aspects of the regulatory framework. Here are the essential steps organisations should take:

  1. Conduct a data inventory: Identify all personal data banks within your organisation, mapping what data is collected, how it is processed, where it is stored and who has access
  2. Register your data banks: Submit registration applications to the ANPDP's National Registry for all identified personal data banks
  3. Review consent mechanisms: Ensure that valid, informed consent is obtained before collecting personal data, and document all consent records systematically
  4. Implement security measures: Deploy technical and organisational safeguards appropriate to the sensitivity of the data being processed
  5. Establish ARCO request procedures: Create clear workflows for handling access, rectification, cancellation and opposition requests within the twenty-business-day deadline
  6. Review international transfers: Assess whether any personal data is transferred outside Peru and ensure adequate protections are in place
  7. Train your staff: Ensure employees understand their data protection obligations through regular awareness training programmes
  8. Appoint a compliance officer: Designate a person or team responsible for overseeing data protection compliance, or consider engaging an outsourced DPO service
  9. Document everything: Maintain detailed records of processing activities, consent records, security measures and compliance evidence

Conclusion

Peru's Law 29733 establishes a robust data protection framework that demands proactive compliance from organisations handling personal data. With the ANPDP increasing its enforcement activities and penalties carrying significant financial consequences, businesses cannot afford to overlook their obligations. By understanding the eight guiding principles, respecting data subject rights and implementing comprehensive compliance measures, organisations can meet their legal obligations while building lasting trust with Peruvian consumers. A digital compliance platform like the ResGuard Compliance Map can streamline this process by centralising data protection management and providing continuous oversight of your compliance posture.