Global Data and Cyber Handbook

Peru

Select a Topic
Start Comparison
International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: 15 January 2025

Yes.

There is no specific definition of "third country" in Law 29733. However, a third country shall be understood as a country other than the country of origin of the personal data, regardless of the format in which the data is stored or transferred.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

The transferring entity may not transfer personal data to a country that does not have adequate levels of protection. The Authority must issue an assessment establishing the level of compliance of these countries. Such countries must have:

  1. Regulation of personal data protection law, especially regarding cross-border flows of data
  2. Statutory procedures allowing data subjects to exercise their privacy rights
  3. A legal system outlining responsibilities, obligations, and duties for data controllers and processors
  4. A sanctioning regime for infringements of privacy laws
  5. An agency or regulator for the protection of personal data, with technical independence and with powers to impose sanctions and enforce the law

The assessment is not required if the country has negotiated and subscribed to common and general standards of personal data protection with Peru.

If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country processes the personal data in accordance with Law 29733 and its Regulations. To that end, the Regulations suggest that contractual provisions may be a good mechanism to require the recipient of the information to assume all the obligations imposed by legislation and, thus, to ensure that the personal information will be processed according to the Law.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

   approved adequate/whitelisted jurisdictions

   approved standard contractual clauses

Please see separate question for information on data localization provisions that are not restricted to personal data.

{{ $store.state.loadingScreen.message }} ...