The National Authority for the Protection of Personal Data ('ANPD') published, on 16 February 2022, its decision in Proceedings No. 025-2021-JUS/DGTAIPD-PAS, as issued on 14 February 2022, in which it imposed a fine of PEN 171,644 (approx. €39,470) to the National Superintendence of Migration, for violations of Articles 17 of Law No. 29.733 on the Protection of Personal Data 2011 ('the Law') in conjunction with Article 9 of the Law, and Article 132 of Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 ('the Regulation') in conjunction with Article 43 of the Regulation, following a journalist report alleging the leaking of personal information of individuals and an investigation on the same.

Background to the decision

In particular, the ANPD stated that, on 17 October 2021, a television report had been broadcasted, which alleged that the Superintendence had inappropriately processed the data of individuals by making copies of migratory reports and passports and shared this information with its employees through insecure networks. Furthermore, the ANPD noted that following this television report, an investigation was conducted into the alleged actions in violation of the Law.

Findings of the ANPD

Following the investigation, the ANPD found that the Superintendence did not guarantee the confidentiality of individuals' personal data, as this information was shared with employees through WhatsApp on their personal mobile phones. In addition, the ANPD held that the Superintendence had not implemented the necessary security measures to restrict generating copies of personal information.

In summary, the ANPD found the Superintendence in violation of the Law and the Regulation for failure to maintain the confidentiality of personal information, as well as for carrying out the processing of sensitive personal data with insufficient security measures.

Outcomes

As a result of the above findings, the ANPD imposed the aforementioned fine and ANPD imposed corrective measures, including:

• establishing and disseminating, among the staff, management documents through which controls are imposed on the access, collection, use, dissemination, and transmission of personal information;
• implementing security measures to block the function of recording files, USB ports, and DVD readers of computers, and restrictions on email accounts for the sending of documents to non-institutional email accounts; and
• implementing and disseminating instructions for the use of mobile phones to prevent the extraction of documents and images of personal data.

In addition, the decision provides, among other things, that the corrective measures must be complied with within 55 business days from the notification of the decision to the Superintendence, and that the fine must be paid within 25 business days from the notification of the decision to the Superintendence.

You can read the press release here and the decision here, both only available in Spanish.