
Peru - Data Protection Overview

July 2022

1. Governing Texts

1.1. Key acts, regulations, directives, bills

Currently, in the midst of a technological era, the protection of personal data has acquired greater relevance in Peru. Not only have the obligations that data controllers and/or data processors must fulfil to ensure adequate processing of personal data been established through regulation, but, due to the proactivity of the Peruvian data protection authority ('APDP'), compliance with them has also been verified through audits. Together with a growing awareness of the importance of protecting personal data, both among those in charge of processing it and among those who share it without knowing the consequences this may entail, this has been fundamental in strengthening this area of law in Peru.

The data protection right was first introduced by the Political Constitution of Peru ('the Constitution'), which states, as a fundamental right, that 'information services, whether computerised or not, whether public or private, will not provide information affecting personal and family privacy' (Article 2(6) of the Constitution).

In order to guarantee the effective exercise of this right, the habeas data process was regulated for the first time in 1994 by Law No. 26301, later substituted by Law No. 28237 Constitutional Procedural Code (only available in Spanish here) in May 2004. Pursuant to the habeas data process, all individuals are entitled to access, update, cancel, or rectify their personal information stored or registered, whether by manual, mechanical, or computerised means, in files, databases, and registries of public or private entities which provide services or access to third parties. Habeas data is a constitutional process that follows a procedural path for guaranteeing a fundamental right. It is brought before the Judiciary of Peru, which takes time and entails a considerable cost for the majority of citizens; consequently, it is difficult to achieve effective protection through it.

It was not until 2011 that a general framework for data protection was issued and its enforcement was entrusted to an administrative body, which established more expeditious mechanisms for the protection of this fundamental right. Law No. 29733 on the Protection of Personal Data (only available in Spanish here) ('the Law'), published on 3 July 2011 and amended by Legislative Decree No. 1353 of 7 January 2017 (only available in Spanish here), and its regulation approved by Supreme Decree No. 003-2013-JUS (only available in Spanish here) ('the Regulation'), published on 22 March 2013, seek to guarantee this protection, recognising specific rights of data subjects and obligations of those who are responsible for the processing of such data. These norms are supervised and controlled by the APDP, a body that reports to the Vice-Ministerial Office of Justice of the Ministry of Justice and Human Rights.

It is important to mention that on 28 June 2001, Law No. 27489 which Regulates Private Risk Centres and the Protection of Information Owners (only available in Spanish here) was published, which regulates credit bureaus by providing a legal framework for the provision of credit information of individuals to the market to allow for the assessment of their creditworthiness and to calculate their risk level, in order to reduce transaction costs in the market. The provisions of this norm remain in force as a special regulation vis-à-vis the Law.

In addition, on 22 October 2013, Law No. 30096 on Cyber Crime (only available in Spanish here) was published in order to prevent and sanction unlawful conduct that affects information systems through the use of information or telecommunication technologies. On the topic of data protection, it sanctions, among other things, the creation, access, alteration, deletion, or interception of data or informatics systems.

Finally, on 9 January 2020, Emergency Decree No. 007-2020 which approves the Digital Trust Framework (only available in Spanish here) was published as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting to the APDP when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through their communications services.

1.2. Guidelines

Through Directorial Resolution No. 019-2013-JUS/DGPDP of 11 October 2013 (only available in Spanish here), the Information Security Directive (only available in Spanish here) ('the Security Directive') was approved, which contains recommendations on the security measures to be adopted by the holders of personal databases.

In addition, on 16 January 2020, through Directorial Resolution No. 02-2020-JUS/DGTAIPD of 10 January 2020 (only available in Spanish here), the Directive for the Processing of Personal Data by Video Surveillance Systems (only available in Spanish here) ('the Video Surveillance Directive') was published, in order to establish obligations regarding the collection, processing, and storage of personal data obtained through video surveillance systems, as well as security measures related to the implementation of user identification and authentication procedures.

Finally, the APDP approved, through Directorial Resolution No. 43-2018-JUS/DGTAIPD of 3 July 2018 (only available in Spanish here), a model clause (only available in Spanish here) to comply with the duty to inform the conditions of the processing of personal data, as required by Article 18 of the Law. Thus, it was emphasised that data subjects have the right to be informed about what is done with their personal data, who can access it, where it is stored, with whom it can be shared, the length of time it will be kept, as well as their rights, which allows them to have control over their personal information. In order to provide guidance to data controllers on how to fulfil the duty to inform, the APDP published, within Directorial Resolution No. 80-2019-JUS/DGTAIPD of 5 November 2019, a guide on the duty to inform (only available in Spanish here).

1.3. Case law

The APDP has already conducted several preliminary investigations in accordance with its supervising powers and has imposed penalties for failure to comply with the legal framework. Even though most of the cases are a consequence of not having complied with the registration of databases requirement, the APDP's decision against Supermercados Peruanos S.A. is of particular relevance since it referred to the principles of consent, security, and adequate levels of protection.

In particular, Supermercados Peruanos, which owns several supermarket chains in Peru like Plaza Vea and Vivanda, collected personal data from its clients in order to send them advertisements for its products and services. In 2016, by means of an audit, the APDP became aware of a number of violations of the Law committed by Supermercados Peruanos. The APDP found that Supermercados Peruanos had failed to inform data subjects of the recipients of their personal data, implement security measures, and communicate to the APDP that it had transferred data outside Peruvian territory, which was in violation of the principles of consent, security, and adequacy. The APDP imposed a fine amounting to 8.5 tax units, which is equivalent to approximately PEN 37,400 (approx. €9,410).

Please note that the Law provides that data controllers must process personal data with the free, prior, informed, express, and unequivocal consent of data subjects. It also states that they must implement security measures for the protection of personal data collected to prevent loss or unauthorised access by third parties. Finally, it provides that data controllers must register any cross-border flow of personal data carried out with the APDP. According to the APDP, the prosecuted company breached these obligations.

Additionally, in 2019 the APDP issued a decision against the National Office of Electoral Processes ('ONPE') due to the massive exposure of voters' personal data through a web platform called 'Hackathon'. The APDP determined that, since the ONPE did not guarantee the security of the data against unauthorised access, it had violated the principle of security established in the Law and some provisions of the Security Directive. The APDP found that the infringement was minor and therefore imposed a fine of 1 tax unit, which is equivalent to approximately PEN 4,400 (approx. €1,110). This case is of particular relevance since a public entity was sanctioned.

2. Scope of Application

2.1. Personal scope

The Law applies to data contained, or intended to be contained, in public or private databases, which refer to natural persons, and whose processing is carried out in Peruvian territory.

2.2. Territorial scope

The Law also applies in the following circumstances:

  • when data processing is carried out in an establishment located in Peruvian territory which belongs to a data controller;
  • when data processing is carried out by a data processor, regardless of its location, on behalf of a data controller established in Peruvian territory;
  • when the data controller or data processor is not established in Peruvian territory, but the Law is applicable to them by contractual provisions or international law; and
  • when the data controller is not established in Peruvian territory, but it uses means located in Peru for the processing of personal data, unless such means are used only for transit purposes that do not involve processing.

2.3. Material scope

The scope of the Law does not include:

  • data contained, or intended to be contained, in databases created by individuals for family or private purposes; or
  • data contained, or intended to be contained, in public administration databases, when its processing is necessary for the compliance of the functions assigned by law of such public administration, as long as such functions are related to national defence, public security, or the development of activities for the investigation of criminal activities and suppression of crime.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The APDP is the national personal data protection authority.

3.2. Main powers, duties and responsibilities

The main powers of the APDP are:

  • representing the country before international instances regarding the protection of personal data;
  • managing and keeping the National Registry of Personal Data Protection ('the National Registry') up to date;
  • carrying out promotion campaigns on the protection of personal data;
  • supervising compliance with the Law;
  • answering queries about personal data protection and the meaning of the regulations in force in the matter; and
  • receiving, investigating, and addressing claims made by data subjects regarding the violation of the rights that concern them and issuing precautionary or corrective measures established by the Regulation.

4. Key Definitions

Data controller: Data controllers are natural persons or legal entities, private or public, that determine the purpose and content of personal databases, data processing, and the security measures of the database.

Data processor: Data processors are the natural persons or legal entities, private or public, that process personal data on behalf of data controllers by virtue of a legal relationship that binds them and delineates their scope of activity.

Personal data: Personal data is any information regarding a natural person ('data subject') that identifies them or makes them identifiable through reasonable means.

Sensitive data: Sensitive data includes biometric data, data related to racial and ethnic origin, income, opinions or convictions regarding politics, religion, philosophy or morality, union membership, and information related to health or sexual life. The Regulation has stated that 'sensitive data' is also information that refers to the physical and emotional characteristics of an individual, the facts and circumstances of their personal and family life, personal habits, and information that corresponds to an individual's most intimate sphere.

Health data: Health-related data is any information concerning a person's past, present, or projected physical or mental health, including the degree of disability and genetic information. In this sense, health-related data is considered sensitive data regarding both the physical and mental health of the data subject.

Biometric data: There is no definition of 'biometric data' under the Law.

Pseudonymisation: The Law does not define pseudonymisation. However, reference has been made to a 'dissociation procedure', whereby dissociation is a reversible procedure that prevents identification or does not make any data subject identifiable. It is similar to the pseudonymisation procedure.

Database: Database is an organised set of personal data, automated or not, regardless of the support, be it physical, magnetic, digital, optical, among others, whatever the form of its creation, storage, organisation, and access.

Data subject: A data subject is a natural person who is the owner of personal data.

Data processing: Data processing is any operation or technical procedure, automated or not, that allows the collection, storage, organisation, modification, use, and suppression of personal data, among other actions that allow access to, correlation of, or interconnection of personal data.

Data transfer: Data transfer is any transmission, supply, or communication of personal data, national or international, to a private legal entity, to a public entity, or to an individual other than the data subject.

Anonymisation procedure: Anonymisation is an irreversible procedure that prevents identification or does not make any data subject identifiable.

5. Legal Bases

5.1. Consent

The processing of personal data requires the prior, informed, express, and unequivocal consent of the data subject. When sensitive data is involved, consent must be written. Opt-out mechanisms, tacit consent, or blanket consent are not allowed according to the Law. Consent must contain, as a minimum, the following information:

  • the existence of the database, the identity and address of the controller and processor;
  • the purpose of the data processing;
  • the identity of the recipients of the information;
  • indication of which questions are obligatory or optional, if applicable;
  • the consequences of providing or not providing personal data;
  • the time during which the personal data will be stored; and
  • the possibility and mechanisms available to allow data subjects to exercise their rights (access, rectification, cancellation, and opposition to the processing of their personal information).

The Law states that consent will not be required in specific cases, which include the following, among other instances:

  • when it is related to a person's health:
    • when necessary in a situation of risk, prevention, diagnosis, or medical or surgical treatment of a data subject, if such processing is carried out in a medical institution or by health professionals, complying with a professional secret;
    • for public health reasons; or
    • for epidemiologic or analogous studies;
  • when it is related to the financial solvency or creditworthiness of a person;
  • when it is necessary for the execution of a contractual relationship in which the data subject is a party;
  • when it has been anonymised or dissociated;
  • when it is contained in publicly accessible sources;
  • when it is related to the exercise of the fundamental right to freedom of information; and
  • when it is necessary for the prevention of money laundering and financing of terrorism.

5.2. Contract with the data subject

Contractual necessity is an exception to the need to obtain consent for data processing activities. According to the criterion of the Constitutional Court, 'contractual necessity' must be interpreted very restrictively, as it is an exception to or limitation of a constitutional right (data protection).

5.3. Legal obligations

When the collection of personal data is necessary to comply with a legal obligation, no consent is required.

5.4. Interests of the data subject

The interests of the data subject are an exception to the need to obtain consent for data processing. The scope of application of this exception is undetermined due to a lack of jurisprudence. In any case, it must be interpreted very restrictively, for instance, to situations where the health or property of a data subject is at evident risk.

5.5. Public interest

Public interest is not an exception to the need to obtain consent for data processing and should also be interpreted very restrictively.

5.6. Legitimate interests of the data controller

The legitimate interests of the data controller are not an exception to the need to obtain consent for data processing and should also be interpreted very restrictively.

5.7. Legal bases in other instances

There are no other legal bases established in the Law.

6. Principles

Legality: Data processing must be carried out in accordance with the Law. The collection of personal data by illegal, fraudulent, or unfair means is forbidden.

Purpose: The collection of personal data must be done for a determined, explicit, and legal purpose. The processing of personal data should not be extended to other purposes than those established at the time of collection, except in cases of historical, statistical, or scientific activities, where dissociation or anonymisation processes are applied.

Proportionality: The processing of personal data must be adequate, relevant, and not excessive for the purposes for which it has been collected.

Quality: Personal data processed must be truthful, accurate and, if possible, updated, necessary, relevant, and appropriate with regard to the purpose for which it was collected. It should be preserved only for the time necessary to fulfil the purpose of processing. The Regulation has stated that, according to this principle, data contained in a database must be precisely truthful.

Security: Data controllers and data processors are required to adopt appropriate physical, technical, and organisational security safeguards to protect personal data in order to prevent its unauthorised access and use, and to ensure that the level of security is in accordance with the amount, nature, and sensitivity of the personal data involved. In addition, though the Security Directive is not mandatory, it is a guide for the implementation of security measures for a database.

Adequate level of protection: For cross-border data transfers, the person responsible for the processing must ensure a sufficient level of protection for personal data, which must be at least comparable to the provisions of the Law or international standards.

7. Controller and Processor Obligations

Controllers

The main obligations of data controllers include:

  • registering the database they are managing with the APDP (only for data controllers);
  • processing personal data only with the previous consent of data subjects;
  • not collecting data using fraudulent, illegal, or unfair means;
  • collecting data only when necessary and pertinent for the purposes informed to data subjects;
  • allowing the exercise of data subjects' rights, for which purpose they must implement an easy and free-of-charge procedure;
  • deleting personal data when no longer necessary or relevant to the purpose for which it had been collected or when the term for its processing has ended, unless it is anonymised or dissociated;
  • adopting technical, organisational and legal measures which guarantee the security of data and prevent its alteration, processing, or unauthorised access;
  • keeping the confidentiality of personal data; and
  • allowing the APDP access to the database and providing it with the information required in the context of an administrative proceeding.

Processors

Data processors have the same obligations as data controllers. In addition, they must comply with the abovementioned principles for the processing of personal data. For further information, please refer to the section on principles above.

7.1. Data processing notification

According to the Law, data controllers are obliged to register their personal databases in the National Registry. However, personal data contained or intended to be contained in databases created by natural persons for purposes exclusively related to their private or family life do not need to be registered (Article 77(2) of the Regulation, read in conjunction with Article 3(1) of the Law). In regard to cross-border transfers of personal data, such processing must be notified to the APDP. Codes of conduct may also be registered before the APDP, although it is not mandatory.

Database owners must provide the following information when registering (Article 79 of the Regulation):

  • the name and location of the database, its purpose and intended use;
  • the identity of the owner of the database;
  • the types of personal data contained in the database;
  • the origin of the personal data and the purpose for its collection;
  • a technical description of the security measures; and
  • the recipients of any data transfers.

The Director of the Registry ('the Director') has the competence to decide on whether a database fulfils the registration requirements (Article 83 of the Regulation). Granting or refusing the registration must be done within 30 days of the receipt of the application. If this deadline is not met, registration is deemed granted. The same applies to the approval of modifications to or cancellation of the database (Article 85 of the Regulation). If the Director rejects the application for registration, their resolution must be duly reasoned and should explain the requirements that were not met and which led to the rejection (Article 86 of the Regulation). Such a resolution may be appealed (Articles 87 and 88 of the Regulation).

The registration of a database must be kept updated at all times. Any modification to the database that entails a change in the information recorded in the Registry must be notified to the Director in advance. In addition, the cancellation of the database must be notified, specifying what will happen with the data or how it will be destroyed (Article 84 of the Regulation).

Penalties

Not registering or updating a database in the Registry constitutes a minor violation (Article 132(1)(e) of the Supreme Decree). Minor violations can lead to a fine of one tax unit (approx. €1,160) (Article 42(1) of the Supreme Decree). Not registering or updating the database in the Registry, despite having been required to do so by the APDP, constitutes a serious violation (Article 132(2)(h) of the Supreme Decree). Serious violations can lead to a fine of up to three tax units (approx. €3,490) (Article 42(2) of the Supreme Decree).

In the event of two minor violations being committed in the same year, the third minor violation will be sanctioned as a serious violation (Article 133 of the Supreme Decree). In the event of two serious violations being committed in the same year, the third serious violation will be sanctioned as a very serious violation (Article 133 of the Supreme Decree). A very serious violation can lead to a fine of up to five tax units (approx. €5,810) (Article 42(3) of the Supreme Decree).

Methods

Registration can be done through forms which must be printed, signed, and delivered to the Ministry of Justice and Human Rights at the following address (Page 13 of the Guidance): Scipio Llona 350, Miraflores, Lima. The forms for registering, modifying, or cancelling an existing registration in the Registry can be accessed on the APDP's website (only available in Spanish here). Alternatively, the APDP has also established a virtual platform for registration (only available in Spanish here). Finally, general information on registration can be accessed on the APDP's website (only available in Spanish here).

7.2. Data transfers

The Law and its Regulation provide that the transfer of personal data requires prior, express, and unequivocal consent from the data subject. In order to demonstrate that the transfer was made according to the provisions of the Law and its Regulation, the burden of proof will lie in all cases with the entity transferring the data.

As a result of the Law's provisions relating to data transfers, the recipient of personal data is obliged to comply with the same obligations as those imposed on data controllers.

Regarding the cross-border transfer of data, the Law and its Regulation state that if the recipient country does not have an adequate level of protection, the data transmitter must guarantee that the processing of the personal data will be made in accordance with the Peruvian legal framework. This provision is not applicable in the following cases:

  • the transmission of personal data is conducted within the framework of international judicial cooperation or the application of international trade in this regard;
  • international cooperation among intelligence agencies;
  • when the personal data is necessary for the execution of a contractual relationship with the data subject;
  • when referring to banking and securities transfers;
  • when the transfer is made for the purposes of protecting, preventing, diagnosing, and providing medical treatment to the data subject; and
  • when the data subject has granted their consent to the transfer of their data under these conditions.

Data controllers may request the opinion of the APDP as to whether the cross-border data transfer they carry out or will carry out complies with the provisions contained in the Law and its Regulation.

In any case, whether the opinion is requested or not, international data transfers must be reported to the APDP, including the information required for such transfers and the registration of the database.

7.3. Data processing records

Under the Law, data controllers are not required to maintain internal records of processing activities ('ROPAs'). However, in the case of an investigation by the APDP, data controllers bear the burden of proving their compliance with the Law and its Regulation. In that sense, this could involve keeping evidence about the processing activities, for example, evidence that consent was obtained.

7.4. Data protection impact assessment

Under the Law, data controllers are not expressly required to carry out Privacy Impact Assessments ('PIAs'). However, it is important to point out that data controllers must conduct a risk assessment in order to determine the security, legal, and organisational measures required for acts of data processing.

7.5. Data protection officer appointment

There is no requirement to appoint a data protection officer in Peru.

7.6. Data breach notification

Neither the Law nor its Regulation requires data controllers to notify data breaches, except in the case of companies in the banking sector, where the notification is not made to the APDP but to the Superintendence of Banks, Insurance, and Pension Fund Administrators.

Without prejudice to this, it is important to point out that the Security Directive (not mandatory, but recommended in order to comply with the security duty) states that data subjects should be informed of any data breach as soon as it is confirmed.

7.7. Data retention

No specific provisions related to data retention applicable to data controllers exist in the Law and the Regulation.

The Regulation provides that data processors can keep, for up to two years, the personal data provided by data controllers in a processing agreement framework. This also applies to the subcontracting of the provision of personal data processing services. The processing agreement must include provisions related to the elimination or return of personal data when it ends.

The environment in which the information is stored must have appropriate security controls. In addition, data controllers and processors must consider mechanisms for backing up personal database information, and for verifying the integrity of the data stored in the backup.

7.8. Children's data

The Regulation states that the processing of minors' personal data requires:

  • their free, prior, express, and informed consent if they are above 14 and below 18 years old, or that of their legal representatives (parents or guardians) if they are under 14;
  • that the information provided to them at the time of obtaining their consent is expressed in an understandable language;
  • that the consent obtained is not intended to offer goods or services that are restricted to minors (e.g. alcohol or inappropriate content);
  • that minors' personal data that allow obtaining information about the other members of their family group (e.g. economic information) cannot be collected without the consent of the data subjects of such data; and
  • to be carried out whilst fulfilling general principles of personal data such as proportionality, which states that all acts of data processing must be adequate, relevant, and not excessive for the purposes for which data was collected.

7.9. Special categories of personal data

In the case of sensitive data which is considered a special category of personal data, consent must be given in writing, i.e. by handwritten signature, fingerprint, or similar means that are or can be printed on a paper surface, digital signature, or any other authentication mechanism that guarantees the unambiguous will of the data subject.

7.10. Controller and processor contracts

There is no express provision in the Law or the Regulation that obliges data controllers to enter into written agreements with data processors. Nevertheless, the Regulation suggests that written agreements may be a good mechanism to oblige data processors to assume all the obligations imposed by legislation and, thus, to ensure that the personal information will be processed according to the Law, the Regulation, and the conditions under which data subjects authorised the processing of their information.

Therefore, it is highly recommended to enter into written agreements that rule the legal relationship between both parties, and to include provisions according to which data processors are obliged to comply with all the provisions contained in Peruvian legislation. It is important to point out that these agreements must determine the scope of the processing and the responsibilities of data processors.

8. Data Subject Rights

8.1. Right to be informed

Data subjects are entitled to be informed in detail, in a simple, express, and unequivocal manner, prior to the collection of their personal data, of all the relevant aspects of the processing according to the consent requirements discussed above.

8.2. Right to access

Data subjects have the right to access information about themselves that is processed in private or public administration databases, the manner in which their personal data was collected, the reasons for its collection and at whose request it was collected, as well as transfers made or planned to be made.

It is important to point out that data controllers must respond to an access request without undue delay and in any event within 20 business days of receipt. This period may be extended by another 20 business days, where necessary.

8.3. Right to rectification

Data subjects have the right to rectify information about themselves that is processed, when:

  • it is partially or totally incomplete or inaccurate;
  • an error or omission has been noticed;
  • it is no longer necessary or relevant to the purpose for which it has been collected; or
  • its term established for processing has expired.

It is important to point out that data controllers must respond to a request for rectification without undue delay and, in any event, within ten business days of receipt. This period may be extended by another ten business days where necessary.

8.4. Right to erasure

Data subjects have the right to erase information about themselves that is processed, when:

  • it is partially or totally incomplete or inaccurate;
  • an error or omission has been noticed;
  • it is no longer necessary or relevant to the purpose for which it has been collected; or
  • its term established for processing has expired.

It is important to point out that data controllers must respond to a request for erasure without undue delay and, in any event, within ten business days of receipt. This period may be extended by another ten business days where necessary.

8.5. Right to object/opt-out

Under the Law and its Regulation, data subjects have the right to object when:

  • no law obliges the data controller to carry out the processing that is objected to;
  • there are legitimate and grounded reasons, due to a specific personal situation; or
  • the personal data was obtained from public sources, and the data subject did not consent to such collection.

It is important to point out that data controllers must respond to an objection request without undue delay and, in any event, within ten business days of receipt. This period may be extended by another ten business days where necessary.

8.6. Right to data portability

The Regulation establishes the right of portability implicitly. It states that no matter the format used to provide data subjects with the information requested, it must be clear, readable, and intelligible, without using passwords or codes that require other mechanisms to access the information.

8.7. Right not to be subject to automated decision-making

Data subjects have the right not to be subjected to a decision with legal effects over them, or that significantly affects them, based on the processing of personal data intended to evaluate certain aspects of their personality or conduct (however, there are certain exceptions, e.g. in the context of an agreement's negotiation or an evaluation to join a public entity).

8.8. Other rights

Protection right

If data controllers reject or fail to comply with an individual rights request, data subjects have the right to file a claim against them before the APDP (as a second instance).

Right to be compensated

Data subjects have the right to be compensated by data controllers if they suffer damages due to infringements of the Law.

9. Penalties

Infringements

Minor infringements include:

  • processing personal data without adopting security measures;
  • collecting personal data that is not necessary, relevant, or appropriate regarding the purposes for which it had been obtained;
  • not modifying or rectifying the personal data being processed when it is inaccurate or incomplete; and
  • not replying to, impeding, or obstructing the exercise of data subjects' rights.

Serious infringements include:

  • processing personal data without the data subject's consent;
  • processing personal data while not fulfilling the Law's principles;
  • not complying with the obligation of confidentiality;
  • not replying to, impeding, or obstructing, in a systematic way, the exercise of data subjects' rights;
  • obstructing, in a systematic way, the APDP's audits; and
  • not registering the personal database despite having been required by the APDP to do so.

Very serious infringements include:

  • when the processing of personal data does not comply with the Law's principles, and this circumstance impedes or obstructs the exercise of data subjects' rights;
  • creating, modifying, or cancelling a database without complying with the Law;
  • giving false documents or information to the APDP;
  • not ceasing the unlawful processing of personal data when this was previously required; and
  • not complying with the corrective measures established by the APDP.

Penalties

The Directorate of Sanctions, in the first instance, and the APDP, in the second instance, are entitled to impose the following sanctions:

  • for minor infringements: fines of up to 5 tax units (approx. €5,820);
  • for serious infringements: fines of up to 50 tax units (approx. €58,160); and
  • for very serious infringements: fines of up to 100 tax units (approx. €116,330).

The APDP can lower penalties if the offender accepts the infringement and remediates such violations of the Law.

The APDP's level of enforcement activity in the past year has notably increased compared with the previous one, and this trend is expected to continue.

9.1. Enforcement decisions

The APDP has been very proactive in enforcing the Law and its Regulation in relation to the processing of personal data. In 2021, it audited 335 public and private entities, including banks, credit bureaus, and health establishments, and verified infringements that resulted in more than 100 Directorial Resolutions in sanctioning proceedings and the imposition of fines totalling 1,380 tax units (approx. €1.5 million). The amount of fines imposed on private and public entities in this last year has almost tripled compared with those imposed before the start of the pandemic.

One APDP decision against a public entity is of particular relevance because it concerned a breach of the duty of confidentiality by the National Superintendence of Migration. In 2021, the APDP identified that the migration information of travellers had been disclosed through messaging applications by the staff of the immigration control area.

The APDP determined the public entity did not adopt the necessary security measures in the migration control processes. It imposed a fine of 39.01 tax units (approx. €44,260).