Last review date: 15 January 2025
Yes.
There is no specific definition of "third country" in Law 29733. However, a third country shall be understood as a country other than the country of origin of the personal data, regardless of the format in which the data is stored or transferred.
Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:
The transferring entity may not transfer personal data to a country that does not have adequate levels of protection. The Authority must issue an assessment establishing the level of compliance of these countries. Such countries must have:
The assessment is not required if the country has negotiated and subscribed to common and general standards of personal data protection with Peru.
If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country processes the personal data in accordance with Law 29733 and its Regulations. To that end, the Regulations suggest that contractual provisions may be a good mechanism to require the recipient of the information to assume all the obligations imposed by legislation and, thus, to ensure that the personal information will be processed according to the Law.
Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:
☒ approved adequate/whitelisted jurisdictions
☒ approved standard contractual clauses
Please see separate question for information on data localization provisions that are not restricted to personal data.