Peru's Personal Data Protection Law (Law 29733), enacted in 2011 and implemented through Decreto Supremo 003-2013-JUS, establishes a comprehensive framework for the protection of personal data. The Autoridad Nacional de Protección de Datos Personales (ANPDP), operating within the Ministry of Justice, has progressively strengthened its enforcement activities, making data privacy compliance an increasingly important business consideration. For organisations operating in Peru's growing digital economy, understanding and managing data privacy risks is essential for regulatory compliance and competitive positioning.
The Peruvian Data Protection Framework
Law 29733 regulates the processing of personal data in both the public and private sectors, establishing data protection principles, data subject rights, obligations for data controllers, cross-border transfer requirements, and an enforcement framework. The law is complemented by its implementing regulations, which provide detailed guidance on compliance requirements. The ANPDP maintains the National Registry of Personal Data (Registro Nacional de Protección de Datos Personales), where organisations must register their personal data banks.
Top Data Privacy Risks
Data Bank Registration Failures
Peru requires organisations to register their personal data banks with the ANPDP. This includes details about the types of data processed, processing purposes, security measures, and data transfers. Failure to register, or maintaining inaccurate registrations, is a compliance violation that can trigger enforcement action. Many organisations, particularly smaller businesses and those new to Peru's market, are either unaware of this obligation or have not completed it.
Consent and Authorisation Gaps
Law 29733 requires informed, express, and unequivocal consent for the processing of personal data, with written consent required for sensitive data. Organisations must ensure that consent is obtained before processing begins, that data subjects receive adequate information about how their data will be used, and that consent records are maintained. Deficient consent practices remain one of the most common compliance gaps in Peru.
Inadequate Security Measures
The law and its regulations require organisations to implement appropriate security measures to protect personal data, including access controls, encryption, and monitoring. The ANPDP has issued guidelines on security requirements that organisations must follow. Inadequate security practices not only increase the risk of data breaches but also expose organisations to enforcement action for failing to meet their legal obligations.
Cross-Border Transfer Violations
Law 29733 restricts international transfers of personal data, requiring that recipient countries provide adequate levels of protection or that specific safeguards are in place. With Peru's economy increasingly connected through trade agreements and digital services, cross-border data flows are common across sectors including mining, finance, and technology. Managing transfer compliance is a critical risk area.
Third-Party Processing Risks
Organisations that engage third-party processors must ensure adequate contractual protections and oversight. Under Peruvian law, data controllers remain responsible for the processing activities of their processors. Without proper due diligence, contractual safeguards, and monitoring, third-party processing creates uncontrolled compliance risk.
ANPDP Enforcement
The ANPDP has the authority to investigate complaints, conduct inspections, issue corrective orders, and impose administrative fines. Enforcement activities have increased in recent years, with the authority focusing on data bank registration compliance, consent practices, security measures, and response to data subject rights requests. Penalties include fines calculated in tax units (UIT), which can be significant for serious or repeated violations. The ANPDP also publishes enforcement decisions, creating reputational consequences for non-compliant organisations.
Sector-Specific Risks
Peru's mining sector, a pillar of the national economy, processes significant volumes of employee, contractor, and community data that require protection under Law 29733. The financial services sector, supervised by the SBS (Superintendencia de Banca, Seguros y AFP), faces additional cybersecurity and data protection requirements. The healthcare sector handles sensitive medical data requiring enhanced protections and explicit consent. Lima's growing technology and services sector faces particular challenges around digital data processing and international data flows.
Risk Mitigation Strategies
- Register data banks: Verify all personal data banks are registered with the ANPDP and that registrations are current and accurate
- Review consent processes: Ensure consent mechanisms meet Law 29733 requirements for informed, express, and unequivocal consent
- Implement security measures: Deploy technical and organisational controls aligned with ANPDP security guidelines
- Map cross-border transfers: Identify all international data flows and implement appropriate transfer safeguards
- Manage processors: Review and strengthen contracts with third-party processors, including audit rights and data protection obligations
- Train personnel: Provide regular data protection awareness training
- Designate a privacy lead: Appoint a data protection officer or engage an outsourced DPO service
- Monitor compliance: Use a compliance management platform for ongoing compliance tracking
Conclusion
Data privacy risks in Peru are increasing as the ANPDP strengthens its enforcement activities and Peru's digital economy expands. Businesses that proactively manage their compliance obligations, implement robust security measures, and build privacy into their operations are best positioned to avoid regulatory sanctions and maintain stakeholder trust in this evolving landscape.