Peru Legal News: Essential Guide to Peru’s New Personal Data Protection Rules

By Luke Musto

Written by José Alonso Aquino, Associate – Peru

As digital transformation accelerates, data protection regulations must evolve to keep pace with modern privacy challenges. In Peru, personal data protection has been legally recognised since 1993, with a dedicated legal framework established in 2011. However, regulatory updates have long been overdue to align with global best practices and technological advancements.

The latest regulatory changes, set to take effect in 2025, introduce new obligations for foreign firms, cross-border data transfers, security measures, and consumer rights. Here’s what businesses operating in Peru need to know to stay compliant and protect personal data effectively.

Appointment of Representative for foreign firms that process Personal Data from Peru

All companies that are not domiciled in Peru but use means located therein for personal data processing, except for transit purposes, will have to comply with the regulations. This expressly includes firms (i) that offer goods and services to data subjects located in Peru, (ii) that perform activities oriented to analysing the behaviour of data subjects located in Peru, as well as profile elaboration, and (iii) to which Peruvian law is applicable for contractual or international law purposes.

Such firms will have to appoint a representative, located within Peru or for their operations in Peru, to be in contact with the competent authority.

Requirements for Cross-border Flow of Personal Data

Transfers of personal data outside Peruvian territory must be made to a recipient located in a country with an adequate level of data protection measures. If that is not the case, the data exporter must provide adequate guarantees to ensure the protection of personal data.

Personal Data processing for marketing purposes

The new regulations single out personal data processing for publicity and customer prospecting for goods and services as an activity where direct consent from data subjects is required. Furthermore, consent must be obtained on first contact, and it cannot be requested again upon subsequent contact or refusal.

Obligation to notify Security Incidents

Upon the occurrence of a security incident that (i) exposes large volumes of personal data, (ii) affects many data subjects, (iii) relates to sensitive information or (iv) causes prejudice to data subjects’ other rights, the firm in charge of personal data processing will have to notify the occurrence to the competent authority within 48 hours of having become aware.

Additionally, upon a security incident where prejudice was caused to other rights, the firm will have to notify each affected data subject within 48 hours in simple and clear language.

Privacy Impact Assessments as a mitigating factor for administrative fines

For the processing of sensitive information, profile elaboration purposes or large volumes of personal data, the regulations encourage the implementation of privacy impact assessments before processing such data. If the assessment was made before the prosecution of a sanctioning procedure, it is considered a mitigating factor for fines to be imposed.

Updated Security Measures

Personal data processing firms will be required to issue a Security Document that contains procedures to be carried out by personnel for access and verification purposes. Also, the regulations set forth requirements for the areas in which the personal data is processed, stored or transmitted.

Recognition of Data Subject’s right to personal data portability

This is defined as the right of data subjects to receive their own personal data in a structured, machine-readable format, allowing it to be easily transferred to another service or platform. The firm will have to comply with this requirement if (i) data processing was based on consent or a contractual relationship with the data subject or (ii) data processing was made through automated means.

Nevertheless, compliance with this obligation does not include the imposition of an excessive, financial, operational or irrational burden.

Appointment of Personal Data Officer

Firms performing personal data processing activities that (i) affect large volumes of personal data, (ii) affect many data subjects, (iii) relate to sensitive information or (iv) could cause prejudice to data subjects’ other rights are required to appoint a Personal Data Officer.

This officer will be in charge of advising the firm on personal data protection matters, verifying and communicating compliance with personal data protection regulations and being in contact with the competent authority, especially upon the occurrence of security incidents.

A corporate group may appoint a single Personal Data Officer if the officer is easy to contact from each establishment.

Progressive Implementation of Regulatory Update

The new regulations will take effect from March 30th 2025. However, as the government aims for a diligent and progressive implementation, the provisions related to data subjects’ right to personal data portability will be effective from September 30th 2025, and the appointment of the Personal Data Officer will be implemented as follows:

| Type of Firm | Date of Effectiveness |
| --- | --- |
| Annual sales superior to 2300 UIT (approx. US$ 3’280,333) | November 30th 2025 |
| Annual sales between 1700 UIT (approx. US$ 2’424,333) and 2300 UIT (approx. US$ 3’280,333) | November 30th 2026 |
| Annual sales between 150 UIT (approx. US$ 214,000) and 1700 UIT (approx. US$ 2’424,333) | November 30th 2027 |
| Annual sales up to 150 UIT (approx. US$ 214,000) | November 30th 2028 |

Conclusion

The enactment of updated personal data protection regulations was necessary to adapt the Peruvian legal framework to the reality of the digital approach that goods and services have nowadays. They are the first step in the implementation of a system to secure an adequate level of data protection within the Peruvian economy.

Peru’s updated data protection regulations mark a significant step toward strengthening privacy rights and ensuring that businesses align with international standards. As enforcement deadlines approach, companies should proactively assess their compliance, update internal processes, and appoint key personnel to mitigate legal risks.

With the potential for further regulatory refinements, staying ahead of these changes will be essential for businesses handling personal data in Peru. Now is the time to review policies, conduct security audits, and implement best practices to ensure a smooth transition into the new compliance landscape. If you need assistance with the transition, get in touch with our experienced team today.

Disclaimer: This article is for general informational purposes only and does not constitute legal advice. It does not create a solicitor-client relationship, and readers should seek independent legal advice for their specific circumstances. Harris Gomez Group accepts no liability for reliance on this content.

Date: February 10, 2025
