
New Regulations for the Personal Data Protection Law Approved
Supreme Decree No. 016-2024-JUS, recently published, approves the new Regulations for Law No. 29733 (Personal Data Protection Law), with the aim of improving security and regulatory compliance in the processing of information. Among the main modifications are the expansion of the range of data considered sensitive and the requirement to appoint a Personal Data Officer, who will be responsible for ensuring compliance with the law and implementing measures to protect information. These and other changes are summarized below:
Table of New Aspects of the New Regulations (Supreme Decree No. 016-2024-JUS)

| New Aspect | Summary |
|---|---|
| Expansion of sensitive data | Inclusion of genetic, biometric, and emotional data as protected categories, as well as union membership. |
| Deindexing | Removal of URLs or specific content from search engines. |
| Profiling | Regulates the automated processing of data for analysis or predictions. |
| Impact Assessment | Seeks preventive analysis to mitigate risks in data processing. Doing so mitigates liability for any detected violation. |
| Expansion of Scope | The regulation will apply when processing is carried out in connection with the offer of goods or services to individuals located in Peru, or when activities aimed at analyzing the behavior of individuals are carried out in Peru. This seeks to ensure the protection of the personal data of Peruvian citizens, regardless of the geographic location of the data controllers. |
| Representative | Data controllers, whether in Peru or abroad, must designate a representative in the country as a liaison with the National Data Protection Authority, meeting specific requirements and providing an official email address. |
| Cross-border flow | The General Directorate of Transparency, Access to Public Information, and Personal Data Protection will determine a country’s appropriate level of data protection through resolutions issued ex officio, upon request, or through new sectoral regulations. |
| Proactive Accountability | Data processing requires legal, technical, and organizational measures to comply with regulations, and the data controller must demonstrate effective compliance. |
| Processing of Personal Data of Minors | Rules are established regarding the processing of personal data of children and adolescents: · Consent: Data processing is lawful when the consent of parents or guardians is obtained, except for children under 14 years of age, who can only consent to their own data if the information is understandable to them. · Prohibitions: Data about the child’s family cannot be collected without the consent of the data subjects, and only contact information from parents can be collected to obtain such consent. · Protection: Data controllers are required to collaborate in educating minors about data protection. · Data on the Internet: The processing of minors’ data on digital platforms requires parental consent if they are under 14 years of age, or the consent of the minor themselves if they are between 14 and 18 years of age. The identity of those giving consent must be verified. |
| Security incident reporting | In the event of a security incident that exposes large volumes of personal data or affects a large number of individuals, the data controller must notify the National Data Protection Authority within 48 hours of becoming aware of it. If the notification is made after this deadline, it must be justified with the corresponding reasons and evidence. This obligation persists even if the incident has been resolved internally. |
| Personal Data Officer | The appointment of a Personal Data Officer by personal data owners and database managers is regulated. This position is mandatory when: (1) the processing is carried out by a public entity; (2) large volumes or sensitive data are handled that may affect the rights of data subjects; or (3) the organization’s core activities involve processing sensitive data. It also allows a business group or related public entities to designate a single officer if the officer is accessible to all involved. The officer’s contact information must be published and communicated to the National Data Protection Authority within 15 days of the appointment or any update. |
| Security Document | The controller of personal data must have a formally approved, dated, and updated Security Document. This document must include at least procedures for managing access and privileges, as well as their periodic verification, in the information systems used for processing personal data, such as technological platforms and applications. It can be based on the current NTP-ISO/IEC 27001 or other recognized standards. |
| Backups | Backups of personal data must be made at least weekly, unless no updates are made during this period. The procedure must include appropriate security measures for the storage, transfer, and, if applicable, destruction of copies. |
| Portability of Personal Data | The data subject may exercise their right to portability by requesting their data in a structured, machine-readable format for transmission to another controller, provided that the processing is based on consent, a contractual relationship, or is automated. This includes direct transmission between controllers when technically feasible and does not entail an undue burden. |
| Auditing | Audits are classified into two types: in-person and in-office. In-person audits are conducted outside the offices of the General Directorate of Transparency, in the presence of the database owner, the data processor, or their representatives. In-office audits are carried out from the aforementioned offices and consist of a digital evaluation of the activities of the personal data controller. |
| Sanctions | Includes the application of a second coercive fine and incorporates new violation cases. |
| Validity | The Regulation will enter into force 120 days after its publication. The appointment of the Personal Data Officer will be progressive according to the following schedule: · Companies with annual sales exceeding 2,300 UIT: within one year. · Companies with annual sales between 1,700 and 2,300 UIT: within two years. · Companies with annual sales between 150 and 1,700 UIT: within three years. · Companies with annual sales up to 150 UIT: within four years. |
At Thorne, Echeandía y Lema Abogados, we are available to respond to requests for service proposals, as well as to questions, requests for further detail, or clarifications. Do not hesitate to contact us:
Alfred Kossuth Wieland