Guide to Peru’s Personal Data Protection Law (PDPL)

In this guide:

  1. Key aspects of Peru’s PDPL
  2. How to ensure business compliance
  3. Why Privacy Bee works

Key aspects of Peru’s Personal Data Protection Law (PDPL)

Peru enacted its Personal Data Protection Law (PDPL) in 2011, which was followed shortly thereafter by additional formal Regulations in 2013 to establish and further expand data protection rights and regulations in the country. To this day, the PDPL and its Regulations are considered the core legislative framework governing data privacy issues. Because it was created prior to the European Union’s General Data Protection Regulation (GDPR), it is notably less strict but has been amended several times to align more closely with global standards over time.

The PDPL applies to any organization or individual operating in Peru or collecting personal data within Peru, regardless of location. This extraterritorial scope is critical, as it holds companies abroad accountable when collecting and processing data by ensuring these groups properly care for all obligations included in this law. The National Data Protection Authority, or Autoridad Nacional de Protección de Datos Personales in Spanish, (ANPD) oversees the enforcement of the PDPL as the governing authority.

At its core, Peru’s PDPL and its Regulations protect individuals’ data privacy by creating the following data subject rights:

  • Right to be informed: Data subjects are entitled to be informed in a simple and concise manner, prior to the collection of their personal data, about all of the relevant aspects of the data processing to occur including the purpose for which the data is being collected.
  • Right to access: Data subjects have the right to access held information about themselves, the manner in which their personal data was collected, the reasons for its collection and at whose request it was collected, as well as transfers made or planned to be made upfront.
  • Right to rectification: Data subjects have the right to correct information about themselves that is held by an organization, whether it is partially or totally incomplete or inaccurate, an error is clear, it is no longer necessary or relevant, or the original terms established for processing have expired.
  • Right to erasure: In a similar fashion to the right to rectification, data subjects have the right to erase information about themselves whether it is partially or totally incomplete or inaccurate, an error is clear, it is no longer necessary or relevant, or the original terms established for processing have expired.
  • Right to object or opt-out: Data subjects have the right to object to data processing in certain instances, provided there are legitimate and grounded reasons due to a specific personal situation or if the personal data was obtained from public sources and the data subject never consented to such collection in the first place.
  • Right to data portability: No matter the format used to provide data subjects with the information requested, it must be clear and readable with the ability to be transferred to another organization of the data subject’s choosing easily.
  • Right not to be subject to automated decision-making: Data subjects have the right to avoid automated decision-making using their personal data or any information that significantly affects them.
  • Right to protection: If data controllers fail to comply with a rights request, data subjects have the right to file a claim against them before the ANPD.
  • Right to be compensated: Data subjects have the right to be compensated by data controllers if they suffer damages due to infringements of the PDPL. This is determined on a case-by-case basis.

Any organization managing or processing personal data must respect these rights and be able to show clear processes for the public to exercise them. It’s important to point out that for most of these data subject rights, a 10-20 day grace period is allowed for the business to respond to the relevant request appropriately. Those who do not can be subject to penalties in the form of fines and legal actions depending on the severity of the offense.

[Source: Congress of Peru (Spanish only) and the unofficial English translation]

How to ensure business compliance

There are numerous obligations placed on businesses to ensure the proper handling of personal data. While these can be time-consuming and costly to implement, this is an opportunity for organizations to differentiate themselves from the competition by showing data privacy is a priority. Data privacy laws are only becoming more stringent around the world, and compliance is a must anyways, so it’s best to get ahead of the curve sooner than later. Doing so will help build consumer trust with your brand while shielding your organization from fines and other legal actions.

Specifically, Peru’s PDPL establishes the following obligations on businesses:

  • Process personal data only after obtaining informed, explicit, and unequivocal consent from the data subject. Avoid collecting personal data through fraudulent, unfair, or illegal means. Ensure that the compiled personal data is updated, necessary, relevant, and adequate for the explicit and legal purposes for which it was obtained. This is perhaps the biggest responsibility of any data processor or controller.
  • Do not use processed personal data for purposes other than the ones that prompted its initial collection, unless undergoing anonymization or dissociation procedures. Store personal data in a manner that enables and facilitates the data subject to exercise their rights. Correct or replace inaccurate or incomplete personal data upon awareness, without prejudicing the rights of the data subject.
  • Delete processed personal data when it is no longer necessary or relevant for the original purpose, or when the processing term has expired, unless subjected to anonymization or dissociation processes. Ensure that the marketing of personal data in databases complies with the regulation of the Law.
  • Implement technical, organizational, and legal measures to guarantee the security of retained personal data. Prevent the alteration, loss, unauthorized processing, or access of stored personal data proactively and document it accordingly. Personal data databases must meet ANPD guidelines for security requisites and conditions, and processing personal data in non-compliant databases is prohibited.
  • Provide the ANPD with required information regarding the processing of personal data and report any data breaches promptly to facilitate seamless communication. Doing so can help lessen fines and potentially avoid legal action if appropriate security measures can be demonstrated.

Diverging from other leading global data privacy laws, Peru’s PDPL does not include legal requirements for companies to perform data protection impact assessments (DPIAs) or to appoint data protection officers (DPOs). However, both of these are still a good idea regardless, and will be necessary for just about any organization operating internationally.

It’s also important to be careful when transferring data across borders, as this is allowed only if the proposed recipient countries have adequate data protection mechanisms. A formal binding contract is required in these instances, and there are additional requirements placed on these data transfers.

With so much included as part of Peru’s PDPL, the following best practices are an easier way to keep your company’s data privacy processes and procedures in order:

  1. Understand and align with PDPL requirements: Thoroughly understand the provisions and regularly review updates to ensure full compliance. Align business practices and data processing activities with the specific requirements outlined in the legislation.
  2. Establish a robust privacy policy: Develop and maintain a comprehensive privacy policy that clearly communicates how personal data is collected, processed, and protected. Ensure that the privacy policy is easily accessible to data subjects.
  3. Implement explicit consent mechanisms: Obtain explicit and informed consent from individuals before collecting, processing, or using their personal data. Clearly communicate the purposes for data processing and allow individuals to make informed decisions about their information.
  4. Data minimization and purpose limitation: Practice data minimization by collecting only the minimum amount of personal data necessary for the intended purposes. Ensure that data processing activities align with the specific purposes for which consent was obtained.
  5. Secure data management: Implement robust security measures to protect personal data from unauthorized access, disclosure, or alteration. Regularly assess and update security protocols to address evolving threats.
  6. Ensure data accuracy and currency: Establish procedures to maintain the accuracy, completeness, and currency of personal data. Regularly review and update records to reflect any changes in individuals’ information.
  7. Enable Data Subject Rights: Facilitate the exercising of data subject rights, including the right to access, correct, and delete personal data. Establish mechanisms for individuals to easily submit requests related to their data.
  8. Anonymization and pseudonymization: Where applicable, utilize anonymization or pseudonymization techniques to process personal data, especially if it is still possible to fulfill the intended purposes through these methods.
  9. Train employees on data protection: Provide comprehensive training to employees on data protection principles, PDPL requirements, and the organization’s privacy policies. Foster a culture of privacy awareness and responsibility.
  10. Regularly audit and monitor compliance: Conduct regular internal audits to assess compliance with PDPL requirements. Monitor data processing activities to identify and address any deviations from established privacy practices.

Gross negligence is typically punished most severely, so its vital to keep careful documentation of every step taken to respect data subject rights and protect all held personal data. Most governing bodies around the world review the full body of work and consider the steps taken proactively, especially when a data breach does occur unexpectedly.

Remember: requirements to care for personal data being collected and processed aren’t going away. The options are clear. Either make it a priority and get ahead of the competition, or fall behind and lose customer while damaging your bottom line every step of the way.

Why Privacy Bee works

Personal data protection is imperative for businesses engaged in online service delivery today, especially for sensitive data. New regulations are popping up every day around the world. The current trend is that these continue to require more stringent opt-in policies while granting consumers more rights. The public now has the ability to review and remove their personal data, increasing the accountability and obligations of every organization processing personal identifiable information (PII).

Yet the responsibility still falls primarily on the individual to oversee, assess, update and delete (via DSAR request) their personal data wherever it may be collected and dispersed across the internet.

This becomes a massive lift for any business looking to protect their organization from data breaches. When working to cover an entire company, it is practically impossible for a single person or small team to manage External Data Privacy without help from a specialized team of experts. The identification and subsequent elimination of this data plays a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks against an organization by closing the data protection gap.

That’s why Privacy Bee emerges as the optimal solution. The time-consuming process of monitoring and eradicating employee data as a complement to cybersecurity is a must, and Privacy Bee covers every site across the internet exposing your organization’s data. This data monitoring and deletion service is especially effective for executives who are highly visible to the general public. Using sophisticated automation processes backed by an active human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of an expensive data breach. Industry estimates put the cost of a single data breach somewhere between $7-10 million USD. That can be crippling for a small or mid-size business–not to mention the fines from noncompliance–which is why a proactive approach for maximum security is a must.

Social engineering attacks are the fastest-growing data breach threat, no matter how mature an organization’s cybersecurity program is today. If your response to these attacks isn’t already completely covered, then threat actors still have a lucrative way to target and obtain your organization’s most sensitive information.

Ideally, you are already conducting risk assessments and vendor surveys as well. If so, well done! However, it is absolutely essential to recognize vendors are most susceptible to a breach via social engineering attacks relying on exposed data. Privacy Bee not only minimizes the proliferation of your organization’s data across the vast digital landscape but also extends its protection to vendors, helping you ensure third party partners do not serve as the weak link in your security defenses or put you at risk of noncompliance. Don’t miss this step, as there are far too many massive organizations falling victim to cyberattacks due to a vendor’s lack of proactive security.

Who benefits from doing something like this?

In the ever-growing billion-dollar surveillance industry, Data Brokers and People Search Sites are the key players. They reap record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information directly for clicks or compile it all to sell on again top yet another organization. Suddenly, you and your employees’ personal data can be easily found via quick Google Search.

If it’s that simple to find you and your coworker’s information, then threat actors can launch cyberattacks at scale by targeting the most vulnerable team members with emotionally engaging messaging that turns even the most highly-trained professionals into victims on a regular basis. The only way to prevent this is by stopping the data flow at the source. The consequences are simply too costly to risk:

  • A solitary data breach leads to massive productivity losses, expensive remediation efforts, and recurring breach incidents.
  • This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state as many as 83% of organizations who experienced a data breach go on to experience multiple. That is staggering, and is exactly what Privacy Bee is fighting back against.
  • The initial data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time.
  • Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.

Privacy Bee combats threat actors lurking beyond your organization’s perimeters. By meticulously analyzing every location across the internet where your personal and sensitive data resides, then swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and exposes your information in the process.

Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization. This unchanging goal is the reason we offer no-charge monitoring services and deletion guides. You need only reach out when help is needed.

Privacy Bee protection covers a wide range of potential threats, including:

  1. Data breaches
  2. Social engineering attacks
  3. Doxxing
  4. Spam emails
  5. Telemarketing calls
  6. Cyberstalking
  7. Identity theft
  8. Swatting
  9. Blackmail
  10. And more!

Privacy Bee is quickly emerging as the next necessary tool in your security tool belt. There’s no better addition for business leaders with a mature cybersecurity program wanting to protect employee and customer data in the midst of innovative threat actors using AI and other new apps to scale their efforts.

Privacy is more important and harder to come by than ever. Today, you need a trusted partner fighting to preserve your personal and organizational integrity.

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: