Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 15 January 2025

National Personal Data Protection Authority of the Ministry of Justice and Human Rights (Data Protection Authority)

National Institute for the Defense of Competition and Intellectual Property (Indecopi) (for marketing communications targeted at consumers)

How active is each of the regulator(s)?

Last review date: 15 January 2025

☒ Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 15 January 2025

We anticipate that regulators will initiate audits ex officio or upon reports by parties for alleged breaches of the law. The most frequently enforced obligations set forth in the Personal Data Protection Law relate to consent, registration of data banks, and security measures. For example, the Data Protection Authority imposed fines on an e-commerce company for (i) processing personal data without obtaining consent, (ii) not registering its databank of web users, and (iii) not informing the Authority of cross-border transfers of personal data. The Authority tends to focus on enforcing the Law in the context of digital services.

Indecopi will continue investigating companies' conduct in relation to marketing campaigns involving e-mailing, messaging, or calls with consumers’ consent.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 15 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

Increasing

Class actions/group actions under data or cyber regulation are:

Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 15 January 2025

☒   administrative remedies from regulators and law enforcement

  • Minor infractions are sanctioned with a minimum fine ranging from 0.5 to five (5) Tax Units (approximately USD 650 - USD 6,500).
  • Serious infringements are sanctioned with a fine ranging from more than five (5) to fifty (50) Tax Units (approximately USD 6,501 - USD 65,000).
  • Very serious infringements are sanctioned with a fine ranging from more than fifty (50) Tax Units to one hundred (100) Tax Units (approximately USD 65,001 - USD 130,000).

In no case may the fine imposed exceed 10% of the gross annual income that the alleged offender has received during the previous year.

The Data Protection Authority approved guidelines for the calculation of fines, which provide two methodologies: (i) a methodology with pre-established fines based on the severity of the violation, applicable to infringements that have not caused an illicit benefit or avoided cost; and (ii) an ad-hoc methodology, applicable to cases in which an illicit benefit has been obtained, or a cost avoided, or in which the infringement has caused damages to data subjects. 

☒   private remedies

☒   Data subjects may claim damages for breaches of the law by databank controllers or processors.

If data subjects have private remedies, what form can these remedies take?

Last review date: 15 January 2025

☒   individual personal actions