Support Centre



Law: Law No. 29.733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law') and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Regulation')

Regulator: National Authority for the Protection of Personal Data ('ANPD')

Summary: The right to data protection was first presented through the 1993 Political Constitution of Peru (only available in Spanish here), before a comprehensive data protection law, the Law, came into force in 2011. The Law provides for various data subject rights, such as the right to access, rectify, object to processing, or to be informed of any processing. Moreover, the Law requires data controllers to register all personal databases in the National Registry of Personal Data Protection, managed by the APDP, as well as to notify the APDP of any cross-border data transfers. While the Law has not instituted general breach notification requirements in Peru, a 2020 Emergency Decree approving the Framework for Digital Trust and Measures for its Strengthening (only available in Spanish here) provided that bodies which have suffered a breach must notify the National Digital Security Centre and any other authorities that may have an interest. 


In this Insight article, Crosbby Buleje, Associate at Baker & McKenzie LLP, discusses Peru's Draft Regulation of Law No. 29.733 on the Protection of Personal Data 2011, as proposed in 2023, including extraterritorial application and enhanced consent requirements.