
Peru: Data Protection in the Financial Sector


1. INTRODUCTION

Peruvian financial legislation includes certain specific provisions addressing data privacy issues, although there is no dedicated sector regulation comparable to Law No. 29733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law') and its regulations enacted by Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Decree'), which are the main legal instruments relating to the protection of personal data and apply to all industries and activities in Peru.

Additionally, there are laws, such as the Peruvian Constitution of 1993 (only available in Spanish here) ('the Constitution'), the Peruvian Civil Code of 1984 (only available in Spanish here) ('the Civil Code'), and the Peruvian Criminal Code of 1991 (only available in Spanish here), which regulate the right of individuals to their privacy in general and, together with the Law and the Decree, form the main legal framework relating to the protection of personal data.

The Superintendence of Banking, Insurance and Pension Fund Administrators ('SBS'), which oversees the Peruvian financial system, has adopted major measures to improve the legal framework, including, but not limited to, measures related to transparency and the privacy of user data.

The SBS regulations do not set forth specific rules for the collection, processing, or transfer of personal financial data, such as those set forth in the Law and the Decree. However, as part of the SBS regulations, the financial institutions must comply with certain guidelines and procedures to manage and prevent operational risks and comply with data security measures.

1.1. Legislation

Data privacy and the topics addressed herein, in the financial sector, are governed by:

  • Article 2(7) of the Constitution, which recognises the fundamental right to personal and family privacy;
  • Article 2(10) of the Constitution, which recognises the fundamental right to secrecy and inviolability of private communications and documents;
  • Article 14 of the Civil Code, which stipulates that the privacy of personal or family life cannot be violated without the consent of the person involved;
  • the Law and the Decree - the Law and its regulations were approved by the Decree, and apply to personal data contained or destined to be contained in a public or private personal database to be processed in Peru;
  • Law No. 26702, The Peruvian Banking, Insurance and Pension Fund Administrators Act (only available in Spanish here);
  • Resolution SBS No. 272-2017, Regulations for Integral Risk Management (only available in Spanish here) ('the Corporate Governance and Risk Management Regulations');
  • Resolution SBS No. 2116-2009, Regulations for Operational Risk Management (only available in Spanish here) ('the Regulations for Operational Risk');
  • Resolution SBS No. 504-2021, Regulations for Data Security and Cybersecurity Management (only available in Spanish here) ('the Data Security and Cybersecurity Management Regulations');
  • Resolution SBS No. 877-2020, Regulations for Business Continuity Management (only available in Spanish here) ('Resolution 877-2020');
  • Resolution SBS No. 5860-2009, Provisions for the Storage and Substitution of Documentation (only available in Spanish here); and
  • Resolution SBS No. 2755-2018, SBS Regulations on Infractions and Sanctions (only available in Spanish here).

'Personal data' is defined in the Law as all numerical, alphabetical, graphic, photographic, sound, or any other type of information concerning an individual which identifies, or could be used to identify, the individual through reasonable means.

A 'personal database' is defined as an organised set of personal data, automated or not, regardless of their form, whether physical, magnetic, digital, optical, or other to be created, irrespective of the manner or means of creation, formation, storage, organisation, and access.

'Processing' is defined as any operation or technical procedure, automated or not, that allows compiling, registration, organisation, storage, conservation, preparation, modification, retrieval, consultation, use, blocking, suppression, communication by transfer or distribution, or any other form of processing that facilitates access thereto or the comparison and interconnection of personal data.

A 'data controller' is defined in the Law as any individual, private legal entity, or public entity that determines the purpose and content of the personal data database, their processing, and the security measures.

'Data processor' is any individual, private legal person, or public entity which, alone or jointly with others, processes the personal data by order of the data controller.

Note that the Peruvian data protection law only covers personal data of individuals, i.e. the data of companies or a representative of such entities is not protected data under the law.

If the processing of personal data of financial entities falls within the scope of the Law, there are certain obligations that will be applicable to such processing. The main obligations are the following:

  • data controllers must register their databases containing personal data and report cross-border transfers of personal data with the Peruvian data protection authority ('APDP') by filing the applicable form;
  • the processing of personal data should be carried out based on the consent of the data subject; however, the consent of the data subject is not necessary in certain cases, as described in section 2 below;
  • the data controller must refrain from making cross-border transfers of personal data if the destination country does not provide adequate protection levels; if the destination country fails to provide adequate protection levels, the data exporter must guarantee that the processing of personal data meets adequate protection levels;
  • confidentiality should be kept during the processing of personal data; the obligor may be relieved from the confidentiality obligation in case of prior, informed, express, and unequivocal consent of the data subject, among other things;
  • data controllers must adopt technical, organisational, and legal measures necessary to guarantee the security of the personal data they hold; the measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved;
  • personal data shall be collected for a specific, explicit, and lawful purpose; processing shall not occur for any purpose other than that unequivocally set forth at the time of the collection of such personal data, except in the case of activities with a historical, statistical, or scientific value in which a dissociation or anonymisation procedure is used;
  • the transfer of personal data must be conducted in a manner that shows that the recipient was informed of the conditions under which the data subject consented to the processing of their data; following a transfer of personal data, the recipient must process such data in line with the law and the terms under which consent was granted to the transferor by the data subject; and
  • data subjects have the right to the updating, inclusion, rectification, and suppression of their personal data, and the right to prevent their personal data from being disclosed; the data subject can also oppose the processing of their personal data and have the right to be informed and access their personal data.

Nonetheless, financial entities supervised by the SBS are also subject to specific regulations enacted by said supervising authority, which include certain obligations in connection to data security guidelines, storage, and processing risk management (operational risks).

1.2. Supervisory authorities

The SBS, in connection to its regulations and with regard to the entities under its supervision, acts as the supervisory authority. Entities supervised by the SBS include:

  • banks and other financial institutions, insurance and reinsurance companies, pension fund administrators, specialised companies, such as fiduciary agents, factoring companies, and surety bonds issuers; and
  • companies whose purpose is to perform ancillary activities, such as insurance brokers, e-money issuers, debit and credit card issuers, and money remittance companies, among others.

The General Directorate for Transparency, Access to Public Information and Protection of Personal Data is the national public body responsible for the protection of personal data and is part of the Ministry of Justice.

The APDP monitors and sanctions any non-compliance in this matter.

2. PERSONAL AND FINANCIAL DATA MANAGEMENT

2.1. Legal basis for processing

Subject to the Law, the processing of personal data requires the prior, free, informed, express, and unequivocal consent of the data subject. Sensitive data requires that the consent of the data subject is expressed in writing. Sensitive data includes racial and ethnic background, income, political or religious opinions or creed, union membership, data related to health or sexual orientation and, in general, physical, mental, and emotional characteristics, facts or circumstances of emotional or family life, and personal habits corresponding to the most intimate sphere of private life, among others.

However, the consent of the data subject is not necessary when:

  • the data is compiled or transferred for the fulfilment of governmental agency duties;
  • the data is contained or destined to be contained in a publicly available source;
  • the data is related to credit standing and financial solvency, as governed by applicable law;
  • a law is enacted to promote competition in regulated markets, under the powers afforded by the Framework Law for Regulatory Bodies of Private Investment on Public Services (only available in Spanish here), provided that the information supplied does not breach the user's privacy;
  • the data is necessary for a contractual, scientific, or professional relationship with the data subject, provided that such data is necessary for the development, entering into, and compliance with such relationship;
  • the data is needed to protect the health of the data subject, and data processing is necessary, in circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy;
  • the data is needed for public interest reasons declared by law or public health reasons (both must be declared as such by the Ministry of Health) or to conduct epidemiological studies or the like, as long as dissociation procedures are applied;
  • the data is used by a non-profit organisation with a political, religious, or trade union purpose, and refer to the data of its members within the scope of the organisation's activities;
  • the data is dissociated or anonymised;
  • the data is necessary to safeguard the legitimate interest of the data subject or the data handler;
  • processing is required for purposes related to the legal framework for the prevention of money laundering and the financing of terrorism ('AML/CFT') or others derived from a legal mandate;
  • in case of economic groups formed by companies that are subject to the aforementioned legal framework, the sharing of information about their clients for AML/CFT purposes, with adequate protection for the confidentiality and use of the exchanged information;
  • processing is made in the constitutionally valid exercise of the fundamental right to freedom of information; or
  • the data is used for other purposes recognised as exempt in law or regulations.

The SBS regulations do not set forth specific rules for the collection, processing, or transfer of personal financial data, such as the ones set forth in the Law and the Decree. Nonetheless, as part of the SBS regulations, a financial entity must comply before the SBS with certain guidelines and procedures to manage and prevent operational risks and with the applicable data security provisions.

2.2. Privacy notices and policies

The SBS does not provide specific regulations on privacy notices to be given to clients of supervised entities; the privacy-related rules it does issue concern data security and cybersecurity.

However, the Law states that the data subject has the right to be informed in detail, in a simple, express, and unequivocal manner, prior to the collection of their personal data, of the following:

  • the purpose for which their personal data will be processed;
  • the identity of the recipients of the information;
  • the existence of the database, the identity and address of the data controller and, if applicable, the data processor;
  • whether the questions provided are mandatory or optional, especially when they concern sensitive data;
  • the transfer of personal data;
  • the consequences of providing or not providing personal data;
  • the time during which their personal data will be kept; and
  • the possibility to exercise the rights granted to the data subject by law.

The Law does not provide a mechanism to comply with the duty to inform and, therefore, the data controller may satisfy this duty via a privacy policy, a notice, and the like.

2.3. Data security and risk management

Rules regarding data security are set forth in the Data Security and Cybersecurity Management Regulations, and are applicable to all types of financial entities and pension fund administrators. The Data Security and Cybersecurity Management Regulations consider under the scope of 'data' any form of electronic, optical, magnetic, or other means of recording, capable of being processed, distributed, and stored.

The purpose of the Data Security and Cybersecurity Management Regulations, among others, is to set forth the obligation of supervised entities to implement a system for data security protection and cybersecurity prevention ('SGSI-C') that fulfils at least the following measures:

  • creation of a data security policy passed by the Board of Directors;
  • creation and implementation of a risk management methodology, consistent with the operational risk management of the company;
  • proper recording that allows the control of the compliance of regulations, standards, policies, proceedings, and others established by the company and to comply with its corresponding audit; and
  • proper training provided to the company's personnel.

Likewise, supervised companies shall have an adequate corporate and organisational structure to implement and comply with the SGSI-C. Depending on the size, nature, and complexity of the supervised entity, they may be required to follow either a simplified, general, or reinforced regime.

The general regime obliges the supervised entities to implement at least the following information security measures:

  • human resources security;
  • logistics and personnel controls;
  • transactions security;
  • communications security;
  • acquisition, development, and maintenance of informatics systems;
  • identification and management of cybersecurity incidents;
  • security of premises;
  • data encryption; and
  • data asset management.

With regards to cybersecurity policies, the supervised entities are required to notify the SBS of any breach that may occur which could involve the loss or theft of data pertaining to the company or its clients, internal or external fraud, a negative impact on its image and reputation, and/or interruption of its services as described below.

Supervised entities will have to implement authentication procedures to permit access to their services through digital channels, which will have to consider authentication factors, encryption standards, baseline security controls to prevent potential threats to the authentication procedure, among others.

Rules relating to operational risk for financial entities are set forth in the Corporate Governance and Risk Management Regulations, Resolution 877-2020 (the Regulations for Business Continuity Management) (only available in Spanish here) ('the Business Continuity Regulations'), and the Regulations for Operational Risk.

From the data protection standpoint, data controllers and those responsible for the processing must adopt technical, organisational, and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.

The APDP has passed, through Directorial Resolution No. 019-2013-JUS/DGPDP (only available in Spanish here), the Security Directive (only available in Spanish here), which establishes security standards for the processing of personal data. The Security Directive establishes different standards depending on the following database criteria:

  • number of data subjects whose data are contained in the database;
  • number of fields of the database (for example, name, address, phone number);
  • existence of sensitive data; and
  • owner of the database (an individual or entity).

2.4. Data retention/record keeping

The Law establishes a general principle that personal data should not be kept for longer than is necessary for the purpose for which it is processed (Article 8 of the Law). Note that storing personal data is considered an act of processing as well. As a result, the controller must ensure that personal data is retained only for as long as is necessary for the particular purpose for which it was collected.

However, financial entities are bound to keep their books and documents for a period of no less than ten years. If a judicial action is filed, the company shall maintain the documents related to the dispute during the proceeding even if it exceeds such terms.

3. FINANCIAL REPORTING AND MONEY LAUNDERING

According to Law No. 27693 Creating the Financial Intelligence Unit (FIU-Peru) 2012 (only available in Spanish here), the Regulation of Law No. 27693 (approved by Supreme Decree No. 020-2017-JUS) (only available in Spanish here), and Law No. 29038 Incorporating the Financial Intelligence Unit of Peru (FIU-Peru) into the SBS (only available in Spanish here) (collectively 'the AML/CFT Regulatory Framework'), certain individuals or legal entities have the status of obliged entities and therefore, have the regulatory obligation to inform FIU-Peru in a timely manner and to implement a model related to the national AML/CFT system ('SPLAFT').

The obligations for those obliged entities arising from the implementation of a SPLAFT include, but are not limited to, the following:

  • establishing and maintaining a registry of operations;
  • preparing suspicious transactions reports;
  • developing Know Your Customer ('KYC') and final beneficiary policies;
  • conducting due diligence procedures on directors, workers, suppliers, and counterparts;
  • attending the requests for information from the authorities;
  • appointing a compliance officer; and
  • approving and disseminating a code of conduct.

As a result, when complying with SPLAFT requirements, the obliged entities process the personal data of clients, directors, managers, workers, suppliers, and counterparts.

Firstly, it should be pointed out that the personal data processing carried out by obliged entities, in compliance with the SPLAFT, falls within an exception to the rule that requires the consent of the data subject (Article 14 of the Law). Nonetheless, obliged entities must observe all the other personal data protection obligations provided for in the relevant regulations on this matter (e.g. legitimate purpose, registration of databases, security measures, data subjects' rights, the duty of information, confidentiality, breach notification, and data retention, among others). The following paragraphs set out some specifics of the obligations that obliged entities must observe when complying with personal data protection regulations:

In line with the Peruvian privacy framework, obliged entities must develop and implement information systems to store the information related to the SPLAFT for a period of not less than ten years (including information obtained in application of the due diligence measures, policies, procedures, and analysis carried out). Likewise, obliged entities have an obligation to maintain a confidential and computerised register in which each operation must be kept for the period stated, containing minimum information related to:

  • the identity of the people involved in the operations (e.g. identification document, telephone number, and address); and
  • the operations carried out (e.g. date, amount, currency, accounts, place, and supporting documents).

In addition, the AML/CFT Regulatory Framework emphasises the importance of the confidentiality of the information collected for the purposes of implementing the SPLAFT. Indeed, it states that the communications, operations, records, and other information referred to in the AML/CFT Regulatory Framework are kept confidential, and all those involved are forbidden from informing any person, entity, or body, by any means or modality, that said information has been requested and/or provided to the FIU-Peru, except for a jurisdictional body or competent authority according to law. In particular, the FIU-Peru holds the designated compliance officer of the obliged entities responsible for adopting the necessary measures to ensure the accuracy and confidentiality of the information and requires that the importance of confidentiality be reflected in the code of conduct required as a component of the SPLAFT.

As mentioned, obliged entities may collect the personal data required by the SPLAFT without requiring the data subject's consent. However, this information must be strictly limited to, and collected in accordance with, the AML/CFT Regulatory Framework. For example, regarding KYC requirements, obliged entities have the responsibility of duly identifying the natural or legal person who is considered a client and the final beneficiary of the operation, regardless of the frequency of the interaction. Indeed, these provisions require that the obliged entity request the following information: name and surname, identification document, address, nationality and residence, telephone number and/or email, the purpose of the relationship to be established with the obliged entity, occupation, trade, or profession, and name of the work centre. Also, pursuant to the AML/CFT Regulatory Framework, obliged entities shall gather information related to their directors, managers, and workers. It should be noted that amongst this required information, there is data protected by bank secrecy (e.g. information related to savings).

According to Article 14 of the Law, in the case of economic groups made up of companies that are considered obliged entities, they can share information with each other about their respective clients for the purpose of the AML/CFT Regulatory Framework, as well as other regulatory compliance, establishing adequate safeguards on the confidentiality and utilisation of the information exchanged.

Note that the AML/CFT Regulatory Framework states that all the information requested by the FIU-Peru shall be provided when requested, regardless of the possible personal data protection affectation it may imply.

4. BANKING SECRECY AND CONFIDENTIALITY

The Peruvian Banking, Insurance and Pension Fund Administrators Act (Act No. 26702, as amended) (only available in Spanish here) sets forth a bank secrecy provision that prohibits financial entities, their directors, and their personnel from disclosing any information regarding passive operations of their clients unless they have written authorisation or a legal exemption applies.

Furthermore, risk management provisions for financial entities set forth confidentiality obligations for supervised entities that shall be included as part of their SGSI-C. Data shall only be accessible to those who are duly authorised; to guarantee this, the company shall have policies, procedures, a corporate and organisational structure, and informatics tools that ensure said confidentiality, as well as encryption policies, as detailed in section 2 above, to allow safe access for their clients.

The following are exemptions to bank secrecy:

  1. bank secrecy does not include reporting of unusual transactions for money laundering to the competent authority;
  2. the general information provided by the SBS to the Peruvian Central Bank ('BCR') and other financial entities for statistics, monetary policies, and their follow-up;
  3. for their provision to foreign banks and financial entities with whom Peruvian financial entities have a correspondent relationship or are interested to maintain a correspondent relationship;
  4. when the data is requested by auditors or risk rating agencies;
  5. when persons holding an interest in no less than 30% of the share capital of the company request it;
  6. the disclosure of the amounts received by the company from different clients for its winding up;
  7. when it is requested by judicial courts for legal proceedings in which the client whose information is disclosed is a party;
  8. when it is requested by the Peruvian Tax Authority, subject to certain requirements, before a Peruvian judicial court;
  9. when the Peruvian Public Prosecutor requests it for investigation of illicit enrichment of public officials or of those who manage or have managed government funds;
  10. a foreign public prosecutor or a foreign government with whom the Peruvian Government has an agreement to suppress and sanction illegal drug traffic or unusual transactions for money laundering;
  11. the president of an investigation congress commission, in connection to events that compromise the public interest; and
  12. the SBS superintendence in connection to the performance of its functions.

For points 9, 10, and 11, the request is channelled through the SBS.

5. INSURANCE

The SBS regulations do not set forth specific rules for the collection, processing, or transfer of personal financial data, such as the ones set forth in Peruvian data protection laws and regulations. Nonetheless, as part of the SBS regulations, the entity shall comply before the SBS with certain guidelines and procedures to manage and prevent operational risks and with the data security requirements applicable to the data it manages, as mentioned above.

6. PAYMENT SERVICES

There are no specific regulations as to data protection for payment service providers.

As of the date of publication, the Payment Systems and Securities Settlement Act (Act No. 29440) (only available in Spanish here) ('the Payment Systems Law') and the Regulations on Payment Systems ('the Payment System Regulations'), enacted through Circular No. 012-2010-BCRP (only available in Spanish here) by the BCR, are in force.

On a general basis, the Payment Systems Law and Regulations set forth the legal framework for payment systems and payment agreements that involve systemic relevance under the BCR's purview (e.g. payment systems between financial institutions and banks and payment agreements among digital currency companies). The Payment Systems Regulations also include a definition of 'Payment Service Providers'. A payment service provider is any legal entity that offers payment services to transfer funds through a variety of means, including payment cards, digital wallets, payments through mobile devices, and the internet.

Furthermore, the BCR has recently enacted Circular No. 0003-2020-BCRP (only available in Spanish here) ('the BCR Circular'), which contains specific regulations for payment services that are done with Quick Response ('QR') Codes. The BCR Circular establishes:

  • standards for the QR Codes used for payments in Peru; and
  • the regulatory requirements for payment services that are done with QR Codes, including within its scope the providers of QR Codes, providers of digital wallets, and the payment networks that participate in such service.

Nonetheless, note that, pursuant to the BCR Circular, QR Code providers and e-wallet providers must have a data privacy policy explaining how consumer and merchant data is used, stored, and transferred, and must ensure that such data is kept confidential and not used for other purposes without the data subjects' approval pursuant to the Law.

7. DATA TRANSFERS AND OUTSOURCING

Pursuant to the Financial Security Regulations, financial entities must check that all security measures included therein are complied with, including the rules related to risk management, even when certain processes or functions are outsourced. If the supervised entity wishes to make use of cloud services, it will have to implement security protocols and procedures of specific applications, taking into account international standards. Likewise, they must approve guidelines to ensure the separation of internal and cloud services networks, as well as a training plan for the management and personnel in charge of its administration with regards to the security protocols.

On a general basis, the hiring of material data processing or cloud services shall be notified by the supervised entity to the SBS at least 30 days prior to commencement of the services, provided that all the requirements mentioned in the Regulations for Information Security and Cybersecurity Management are met, including:

  • ensuring adequate access to information, within reasonable timeframes and upon request from the SBS, internal auditor and the external auditing firm, under normal operating conditions and under special regimes (e.g. intervention regime);
  • managing information security incidents, in accordance with the Regulations for Information Security and Cybersecurity Management, and developing information security planned activities;
  • implementing a strategy to terminate the services that allow the resuming of operations on its own or through another supplier, in accordance with the target recovery timeframes defined by the entity for such services, with the strategy having to consider, among other aspects, the necessary actions for the migration of the information to the entity's resources or to those of another supplier;
  • maintaining an inventory of the services that the provider, in turn, contracts with third parties (chain contracting) and that are related to the contracted services;
  • ensuring that confidential information in the service provider's custody is definitively eliminated upon the termination of the contract; and
  • verifying annually that the service provider has information security controls in place, in accordance with current regulations on information security, as applicable to the service provided, which may be supported by independent reports and audit reports that include within their scope the verification of such controls.

Please note that, pursuant to the Regulations for Integral Risk Management, the term 'material' means a service which, in case of default or suspension, may create a significant risk to the supervised entity, affect its income, solvency, operational continuity, or reputation.

The aforementioned notice shall identify the following:

  • service contracted;
  • the service provider;
  • service levels;
  • the technological infrastructure used; and
  • the procedures and obligations to comply with the foregoing requirements.

If any of the requirements listed above are not met and the data processing services will be conducted abroad, the entity needs authorisation from the SBS and must submit to the SBS a report with the legal basis for the identified limitations of the services and a proposal for the implementation of measures to mitigate these limitations. Additional requirements apply for the outsourcing of cloud services.

8. BREACH NOTIFICATION

Entities supervised by the SBS shall implement a database where they register all operational risk incidents (including information security incidents). As part of their periodical reports on operational risk management (filed on an annual basis), they shall include information regarding their information security management. In any case, the SBS may request additional information. Pursuant to the Regulations for Information Security and Cybersecurity Management, supervised entities must notify the SBS of cybersecurity incidents that cause, or may presumably cause, a material adverse effect, such as loss or theft of the entity's or clients' information, fraud, negative impact on the entity's image and reputation, or business interruption.

Where a security breach or incident causes a significant interruption of the entity's operations and is likely to have resulted from a cyber attack, the supervised entity shall report it to the SBS within one business day of its occurrence, pursuant to the Regulations for Business Continuity Management.

From the data protection standpoint, the data controller must inform the data subjects of any incident that significantly affects their property or moral rights, as soon as the occurrence of the incident is confirmed. The minimum information requirements in a notice are:

  • a description of the incident;
  • disclosed personal data;
  • recommendations to the data subject; and
  • implemented corrective measures.

In addition, digital service providers in the financial sector must also report the incident to the ANPD and the National Digital Security Centre.

9. FINTECH

There are no specific requirements for financial institutions when using FinTech, in connection to data protection.

However, the Superintendence of the Securities Market ('SMV') has recently enacted Resolution No. 045-2021, Regulations for Crowdfunding and Crowdlending Activities and their Administration (only available in Spanish here), which establishes the obligation for the supervised entities that provide such activities to implement at least the minimum data protection measures as established in the Law.

Furthermore, they must ensure mechanisms that allow both investors and project promoters to know all relevant information with regard to the project, while maintaining strict guidelines to prevent personal information leaks for either party. All investors and project promoters must be registered on a platform managed by an entity authorised by the SMV before participating in this type of activity. The SMV may establish further rules regarding data protection in this sector in the future.

10. ENFORCEMENT

A breach of bank secrecy is a very severe infringement that can lead, for legal entities, to a fine ranging from 30 Tax Units ('UIT') (approx. €35,880; each UIT is equivalent to PEN 4,600 for the year 2022) to 200 UIT (approx. €239,200), suspension of the licence, or its revocation, among others, including specific penalties for the officers who breach it, such as their suspension or disqualification. Furthermore, breaching bank secrecy leads to criminal liability.

Additionally, non-compliance with operational risk management and information security regulations is considered a severe infraction and can be sanctioned, among others, with fines between 20 and 100 UIT (approx. €23,920 and €119,600) for legal entities and the suspension of the director, manager or any responsible employee for a period of no less than three days and up to ten days.

On the administrative side, the APDP may impose fines on the employee that vary between 0.5 and 100 UIT (approx. €598 and €119,600) depending on the specific violation. On the criminal side, relevant authorities may impose imprisonment for a period of no less than one year and no more than three years depending on the particular breach. The person affected by non-compliance with the Law may also file a judicial claim arguing damages or distress.

11. ADDITIONAL AREAS OF INTEREST

Not applicable.

Iván Blume, Senior Associate
Carolina Chipollini, Associate
José Luis Medina, Associate
Santiago Neira, Associate
Rodrigo, Elías & Medrano Abogados, Lima