On 22 March 2013, Peru issued Regulations implementing its Personal Data Protection Law (Law No. 29733), which was enacted in July 2011. The Regulations establish rules on a variety of topics including consent, data transfers, security measures and sanctions.
Erick Iriarte, Partner and Head of Information Technology Law at Iriarte & Asociados, told DataGuidance: "The Regulations will take effect within 30 business days after publication. The National Data Protection Authority has authority over all databases containing personal data processed in Peruvian territory, whether the processing is performed by the data processor, owner, officer, manager or the person responsible for administration of a personal data database".
Article 12 of the new Regulation states that consent, which must be obtained prior to data collection, must be unequivocal, informed and expressly and freely given. Data controllers must inform individuals - using clear and simple language - about the identity of the data controller, the purposes for data processing, the identity of the recipients of the data, the consequences of providing personal data or refusal to do so, and, where necessary, whether any national or international transfers are to be made.
If individuals opt out of the data processing, data controllers have a maximum of five days to honour the opt-out, with measures in place to ensure that opting out is simple and fast. If the opt-out affects the entire processing of personal data, the controller must ensure the relevant individual's data is deleted.
The Regulations state that intra-group transfers will be considered compliant with personal data processing requirements if there is an internal code of conduct based on the guiding principles of the Law. Cross-border data transfers are possible where the recipient of the personal data undertakes the same obligations as the data controller or if the data controller uses contractual clauses or other legal instruments to set out at least the same obligations. Any cross-border data transfers must be reported to the Peruvian Data Protection Authority.
Iriarte said: "The Regulations set a deadline of two years for databases created before the effective date of the Regulation to comply; those created after the enactment itself must be in accordance with the Law. This Regulation should reduce smuggling of personal data, benefit citizens in their relation to companies and public bodies in the exchange of data."