The Department of Commerce released an English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales, Ley No. 29733). The law passed Peru’s Congress on June 7, 2011, and was signed by the president July 2, 2011. Peru’s adoption of this new law is in keeping with a recent trend in Latin America, where Uruguay, Mexico and Colombia also have passed privacy legislation.
The law is built on guiding principles that closely reflect traditional fair information practices. With respect to transborder data flows, the law requires that the receiving country “must have a sufficient level of protection for the personal data to be processed or at least comparable to that provided by this Law.” Peru’s new law also:
- Imposes specific requirements for data processing by organizations.
- Creates a data protection authority, the National Authority for Personal Data Protection, which may levy fines for violations of the law. The National Authority is funded by registration fees, fines, bequests and donations, resources obtained through international technical cooperation, and resources made available by law.
- Establishes a National Register of Personal Data Protection to record (1) publicly or privately administered personal databases, (2) authorizations issued pursuant to the data protection law, (3) sanctions imposed by the National Authority, and (4) codes of conduct of the entities representing the privately administered personal database controllers or processors.