Data Privacy in Peru: Rules of Mandatory Compliance for Companies Which Store Private Data
Not all foreign investors are aware that Peru has a law for the protection of private data, which imposes obligations upon companies in regard to how data is processed and treated. This article is meant to introduce the reader to the basics of the Peruvian Law for the Protection of Private Data – Law N° 29733 (hereinafter the “Law”).
What is Private Data?
The Law distinguishes two classes of Private Data: Personal Data and Sensible Data. The first is defined as “all information of a natural person which will help identify them, through methods reasonably used”. Personal Data includes information such as numbers, letters, graphics, photos and acoustic files; in other words, names, addresses, ID numbers, photos and voice recordings, among others.
Sensible Data is information relative to the person’s physical, moral or emotional characteristics. It includes information such as race or ethnicity, income, political or religious opinions, convictions, union membership, and information relative to physical, mental and sexual life.
Thus, when a company collects and stores data from its clients, it may inadvertently be collecting Personal and Sensible Data, thereby becoming a holder of a Personal Information Database subject to the obligations imposed by the Law.
What obligations are imposed upon companies by the Law?
- Consent: The first thing to keep in mind is that, before you collect any Personal or Sensible Data from a person you must obtain their prior consent. In the case of Sensible Data, this prior consent must be in writing.
Likewise, the people whose data is being collected must be informed precisely what their data will be used for, who will have access to the data, and of the existence of the database where their information will be stored, as well as the name and address of the person in charge of it.
- Registration: when a company collects and stores Private Data, by any means, it becomes a holder of a Personal Information Database, in accordance with the Law. Thus the company is required to register said database with the Peruvian General Direction for the Protection of Private Data (hereinafter the “DPPD”), by filling out the forms provided by the DPPD.
Personal Information Databases vary according to (i) the type of information they store, (ii) the means of collecting the data and (iii) the support used to store the data. Thus a single company can, at any given time, be in control of several databases. Companies in possession of more than one database must register each one, in order to be in compliance with the law.
- Access: the Law grants the person whose data is being collected the right to (i) revoke their consent to the storage of their private data at any given time, (ii) access their personal information that is being stored by the company, (iii) ask the holder of the database to rectify any mistakes regarding their personal information, and (iv) have the information cancelled/deleted from the database.
- Protection: holders of Personal Information Databases are required to guard and protect such information from people who have not been authorized, by the person who provided the data, to treat or use it. Thus, companies that collect and store private data must be sure to restrict access to the database, in accordance with the guidelines established by the DPPD, depending on the type of private data being stored and the number of people to whom it belongs.
- Communication of cross-border flow of data: the holder of a Personal Information Database must notify the DPPD of any transfer or flow of private data to recipients located outside Peruvian territory.
What are the exceptions to these obligations?
Notwithstanding the aforementioned, the person or entity collecting Private Data will not require consent in the following circumstances:
- When the treatment of Private Data is carried out by natural persons, for exclusively domestic or personal purposes, related to their private or family life;
- When the contents of the Personal Information Database will be stored in a database open to the public;
- When the information being collected and stored is Personal Data relative to the financial and credit history of the person, in accordance with the Law;
- When the data is collected in the context of a law promoting competition in regulated markets, so long as the information is not used to the detriment of the user’s privacy;
- When the Personal Data is necessary for the execution of a contract to which the owner of the data is a party, or when the Personal Data derives from a scientific or professional relation and is necessary for its development or fulfillment;
- When the Personal Data is related to health and it is necessary, in circumstances of risk, for the prevention, diagnosis and medical or surgical treatment of the owner;
- When the treatment of the data is carried out by non-profit organizations whose purpose may be political, religious or related to unions, and the collection is carried out in the context of their activities;
- When the treatment of the Personal Data is necessary to safeguard the interests of the owner of said data.
What are the legal consequences of not complying with the Law?
It should be noted that the Law is currently being applied by the DPPD, and companies found not to be in compliance can face fines between PEN 810.00 (approximately USD 250.00) and PEN 405,000.00 (approximately USD 125,000.00). Thus, it is in the best interest of investors to be mindful of the Law when collecting and storing private data.