
Global Data Privacy Guide

Peru

(Latin America) Firm Estudio Olaechea Updated 08 Aug 2025
1. What is the key legislation?

The protection of personal data in Peru is enshrined in Article 2, section 6, of the Peruvian Political Constitution, which recognizes every individual’s fundamental right to the protection of their personal information. This constitutional right is developed through the Personal Data Protection Law (Law N° 29733, “PDPL”), enacted in 2011, and its Regulation, approved by Supreme Decree No. 016-2024-JUS, published on November 30, 2024, and in force since March 31, 2025, replacing the previous 2013 regulation. This legal framework governs the processing of personal data by both public and private entities, and establishes principles, rights, obligations, and supervisory mechanisms under the authority of the National Authority for the Protection of Personal Data (“Authority”), which includes the imposition of fines.

2. What are the key decisions applying that legislation?

The key decisions enforcing this legislation include administrative resolutions issued by the Authority, which clarify and regulate areas such as valid consent, the limits of legitimate interest, obligations for incident notification, the handling of data subject requests, and the handling of sensitive data. Though Peru does not have binding judicial precedent as in common law systems, these resolutions serve as authoritative administrative precedents that guide consistent enforcement. In addition, the Authority may issue non-binding advisory opinions in response to inquiries from public or private entities seeking clarification regarding the interpretation, application, or scope of the data protection regulations in specific cases. While these opinions are not enforcement decisions, they provide technical guidance that supports compliance and helps mitigate legal risks.

1. How are “personal data” and “sensitive data” defined?

According to Article 2 of the PDPL and Article III of its Regulation, personal data is defined as any numerical, alphabetical, graphic, photographic, acoustic or other type of information, including data related to personal habits, geolocation, or online identifiers such as IP addresses, cookies or device IDs, concerning the physical, economic, cultural or social characteristics of a natural person that identifies them or makes them identifiable. A person is considered identifiable when their identity can be determined, directly or indirectly, through the combination of data using means that are reasonably available. This definition explicitly includes indirect and contextual identification, aligning with modern data protection standards.

As per Article 2.5 of the PDPL and Article III of the Regulation, sensitive personal data includes genetic or biometric data, neural data, moral or emotional characteristics, facts or circumstances related to a person’s affective or family life, highly intimate personal habits, union affiliation, physical or mental health, economic income, or other analogous data that may impact a person’s privacy. Processing of sensitive data requires heightened safeguards, including technical and legal controls.

2. How is the defined data protected?

The PDPL is a public order statute applicable to all data controllers and processors, and it mandates respect for the fundamental right to personal data protection, as recognized in Article 2 of the Political Constitution of Peru. Within this framework, the PDPL and its Regulation impose binding obligations to implement technical, organizational, and legal measures aimed at ensuring confidentiality, integrity, availability, and resilience of personal data throughout its entire lifecycle. These obligations are based on the security principle set forth in Article 9 of the PDPL, which requires data to be protected against unauthorized access, loss, destruction, or alteration. Furthermore, Article 16 of the PDPL explicitly prohibits the processing of personal data in databases that do not meet the legally required minimum security conditions and establishes the duty of confidentiality for all entities involved in the processing. The updated Regulation reinforces the principle of proactive accountability by requiring a risk-based security management approach that must be documented and subject to regular internal reviews.

In line with this, data controllers are required to prepare a Security Document, duly approved with certain date, that includes guidelines on access control, privilege management, backup procedures, and protocols for the secure storage, transfer, and destruction of personal data. These safeguards ensure lawful and secure data processing in accordance with international standards and best practices in the field of data protection.

3. Who is subject to privacy obligations?

Privacy obligations under the PDPL apply to all data controllers (holders of personal data banks) and data processors, whether individuals or legal entities, public or private, that conduct personal data processing within Peruvian territory or through means located in Peru. The PDPL also extends to entities not established in Peru that process personal data by using infrastructure or technological means situated in the country, as well as to foreign entities offering goods or services to, or monitoring and profiling the behavior of, individuals located in Peru. The Regulation explicitly clarifies that all such processing activities fall within the scope of the PDPL and that, in these cases, foreign data controllers must appoint a legal representative in Peru. Data processing conducted exclusively for transit purposes, such as data routing through Peruvian territory without storage or analysis, is expressly excluded.

4. How is “data processing” defined?

Article 2, section 19, of the PDPL defines the processing of personal data as any operation or technical procedure, automated or not, that permits the collection, registration, organization, storage, conservation, preparation, modification, extraction, consultation, use, blocking, deletion, communication by transfer or dissemination, or any other processing that facilitates access, correlation or interconnection of personal data.

5. What are the principles applicable to personal data processing?

The principles governing personal data protection in Peru are established in both the PDPL and its Regulation. These principles are binding on all data controllers and processors, laying the regulatory foundations for the processing of personal data.

Article 4 of the PDPL establishes the principle of legality, which requires that all data processing be carried out within the legal framework and respecting the constitutional rights of individuals. Article 5 defines the principle of consent, according to which the processing of personal data must have the free, prior, informed, and explicit consent of the data subject, except for legal exceptions. Article 6 establishes the principle of purpose, which requires that personal data be collected for specific, explicit, and lawful purposes and not be processed in a manner incompatible with those purposes. Article 7, in turn, establishes the principle of proportionality, which limits processing to personal data that is strictly necessary, relevant, and not excessive for the intended purposes. According to Article 8, the data quality principle obliges data controllers to ensure that personal data is accurate, complete, and that it corresponds to the data subject's actual situation. Article 9 introduces the principle of security, which requires controllers and processors to adopt technical, organizational, and legal measures to protect personal data against unauthorized access, loss, destruction, or alteration. The principle of the data subject's right to redress, established in Article 10, guarantees that individuals have effective mechanisms to exercise their rights, such as access, rectification, erasure, and objection. Article 11 enshrines the principle of an adequate level of protection, which establishes that international transfers of personal data are only permitted where the receiving country or organization guarantees a level of protection comparable to that offered by Peruvian law.

Furthermore, Article IX of the Regulation incorporates two additional principles aligned with international standards. The principle of transparency requires that data subjects receive clear, timely, and accessible information about the processing of their data, including the identity of the data controller and the purposes for which it is processed. The principle of accountability (proactive responsibility) requires controllers and processors to adopt a preventive and demonstrable approach to compliance through internal controls, policies, training, documentation, and audits that demonstrate the effective implementation of legal obligations.

6. How is the processing of personal data regulated?

Under the PDPL and its Regulation, the lawful processing of personal data requires a valid legal basis. While the default basis is the data subject’s prior, informed, free, explicit, and unequivocal consent, the PDPL establishes a series of alternative legal bases that permit processing without consent under specific conditions, provided that the data subject is still properly informed.

One of the most relevant alternatives is the execution or performance of a contractual or professional relationship, recognized under Article 14.5 of the PDPL. However, even when consent is not required, the data controller must still fulfill its duty to inform the data subject in accordance with the Regulation. This includes clearly disclosing the controller’s identity, the processing purposes, categories of data collected, potential recipients (including third parties and affiliates), applicable international transfers, retention periods, and the procedures for exercising ARCO rights (access, rectification, cancellation, and objection). Additionally, processing must be limited and proportionate to what is strictly required for the contract. If the controller intends to process data for unrelated or ancillary purposes—such as marketing or commercial prospecting—separate and explicit consent must be obtained, as reaffirmed by recent enforcement decisions of the Peruvian Data Protection Authority (ANPD).

The PDPL also recognizes other legal bases for processing personal data without consent, including:

i.    Compliance with court orders or judicial mandates;
ii.    Processing by public authorities in the exercise of their legal functions;
iii.    Processing required for compliance with a law that authorizes it;
iv.    The use of data obtained from publicly accessible sources (e.g., registries or media), provided this does not violate the data subject’s fundamental rights;
v.    Processing by nonprofit organizations with political, religious, or union-related aims, strictly in relation to their members or affiliates; and
vi.    Processing for public health purposes, as defined by the Ministry of Health.

It is important to note that the PDPL does not recognize the controller’s legitimate interest as an independent legal ground for processing, unlike other jurisdictions such as the European Union.

7. How are storage, security and retention of personal data regulated?

According to the PDPL and its Regulations, the storage, security, and retention of personal data are subject to strict controls. Personal data must be stored in structured databases, whether automated or not, whose creation, modification, or deletion must be recorded in the National Registry of Personal Data Protection. This registry ensures transparency regarding the existence, purpose, and controllers of each database.

Regarding security, data controllers and processors must implement technical, organizational, and legal measures appropriate to the type of data processed. These include access control, periodic privilege checks, audit logs, backup and recovery protocols, and encryption for logical or electronic transfers. Furthermore, the regulations require a formally approved and dated Security Document that follows best practices or standards such as NTP-ISO/IEC 27001. Confidentiality obligations apply to all parties involved in the processing of information.

Data retention must be limited to the period strictly necessary to fulfill the purpose of collection. Once the retention period has elapsed, or when the data is no longer relevant or consent is withdrawn, it must be deleted. Exceptions apply for historical, statistical, or scientific reasons, or justified contractual reasons, subject to anonymization where possible.

8. What are the data subjects' rights under the data legislation?

Under PDPL, individuals have a broad set of rights concerning their personal data. These include: 

a)    the right to information, to be clearly and explicitly informed about how their data will be processed before collection;
b)    the right of access, allowing them to obtain complete information about the data held about them, how it was collected, for what purpose, and any transfers made; 
c)    the rights to rectification, inclusion, and update, enabling individuals to correct inaccurate or incomplete data; 
d)    the right to erasure (cancellation) when the data is no longer necessary or was unlawfully processed; 
e)    the right to object to data processing on legitimate grounds, even after consent has been granted, including the right to delist personal data on the internet; 
f)    the right to not be subject to automated decisions, including profiling, that produce legal effects or significantly affect them; 
g)    the right to data portability, allowing individuals to receive their personal data in a structured, commonly used format and transmit it to another controller, where technically feasible; this right is subject to technical availability, as established under Article 76.3 of the Regulation; and
h)    the right to judicial or administrative recourse, in case of denial of their rights, through a claim to the Data Protection Authority or a “habeas data” action in court.

9. What are the consent requirements for data subjects?

According to Article 13.1 of the PDPL and Article 6 of its Regulation, valid consent must be freely given, prior, express, unequivocal, and informed. In this regard, the data controller must inform the data subject of the following: the identity of the controller, the purpose of the processing, the possible recipients, the existence of the database, whether the data requested is mandatory or optional, the consequences of providing or refusing to provide the data, any national or international data transfers, the existence of automated decision-making or profiling, the data retention period, and the procedures for exercising ARCO rights (access, rectification, cancellation, and opposition). In the case of sensitive personal data, consent must also be granted in writing through reliable means (including digital means). The burden of proof of having obtained valid consent lies with the data controller.

10. How is authorization for use of data handled?

According to Article 5 of the PDPL, authorization to process personal data is based on the data subject's valid consent, which must be obtained prior to any processing and must be specifically related to the purposes disclosed at the time of collection. If the controller intends to process the data for new or additional purposes, renewed consent must be obtained. 

However, Article 14 of the PDPL provides specific exceptions to the consent requirement, permitting processing without consent in the following cases:

(i)    when personal data are processed by public entities in the exercise of their lawful functions, including for interoperability purposes; 
(ii)    when the data originate from publicly accessible sources, such as public registers or the media, provided that other fundamental rights are not adversely affected; 
(iii)    when the processing involves creditworthiness and solvency data, as permitted by law; 
(iv)    when required by regulatory provisions to promote competition in regulated markets, without affecting users' privacy rights; 
(v)    when the processing is necessary for the preparation, execution, or fulfillment of a contractual or professional relationship with the data subject; 
(vi)    for public health purposes as defined by the Ministry of Health, or for medical treatment; 
(vii)    when it is carried out by non-profit organizations for political, religious, or trade union purposes and involves their own members or affiliates; 
(viii)    when the data have been subject to a process of anonymization or dissociation; 
(ix)    when the processing is necessary to safeguard the legitimate interests of the data subject; 
(x)    for compliance with anti-money laundering (AML) and counter-terrorist financing regulations; 
(xi)    for the exchange of information within financial groups supervised by the Financial Intelligence Unit, under confidentiality safeguards; 
(xii)    when the processing is carried out in accordance with the constitutional right to freedom of information; and 
(xiii)    in any other case expressly provided for by law. In all these scenarios, the data controller remains responsible for ensuring that the processing complies with the principles of lawfulness, proportionality, purpose limitation, and data security.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Yes, cross-border data transfers are expressly regulated under Article 15 of the PDPL and Article 19 of its Regulation. Data controllers may only transfer personal data internationally when the recipient country ensures an adequate level of personal data protection. Article 19.2 of the Regulation establishes that a country is deemed to provide adequate protection when it meets the following criteria:

(i)    it has a legal framework governing personal data protection; 
(ii)    it incorporates principles applicable to data processing; 
(iii)    it includes provisions that recognize and guarantee data subjects' rights and provide mechanisms for their effective exercise; and 
(iv)    it has an independent data protection authority empowered to monitor compliance and impose sanctions.

Peru also recognizes adequacy when a country adheres to general and commonly accepted international data protection standards. Although Peru does not maintain formal adequacy decisions or treaties with specific jurisdictions, its regulatory approach is heavily influenced by the European GDPR model. The Peruvian Data Protection Authority may also carry out its own evaluation of a country’s legal framework on an ex officio basis or upon request.

In cases where the destination country does not provide an adequate level of protection, Article 20 of the Regulation allows the use of alternative legal mechanisms to enable the transfer. These include the adoption of standard contractual clauses or other binding instruments. In practice, Peru has adopted the Ibero-American Network of Data Protection Model Clauses, which align with the requirements established under the PDPL. Additionally, all international data transfers must be reported through the Peruvian National Registry of Personal Data Protection. When registering a personal data bank, the controller must indicate whether an international transfer will occur, identify the destination country, and specify the recipient (such as an affiliate or third-party processor) in the relevant section of the registration form. Regardless of the mechanism used, the controller remains fully accountable for ensuring the lawfulness and security of the transfer.

12. How are data "incidents" and "breaches" defined?

Under Article III, section 16 of the Regulation, a personal data security incident is defined as any security breach that results in destruction, loss, unlawful alteration, or unauthorized communication or exposure of personal data. While the definition itself does not explicitly require an assessment of potential harm to the data subject, the Regulation promotes proactive risk management through a Personal Data Protection Impact Assessment. This mechanism, although optional and to be conducted prior to processing, entails an analysis or evaluation of the risks and impacts associated with the processing of personal data. It is particularly recommended in cases involving sensitive data, profiling, large volumes of data, or vulnerable individuals. Reference may be made to standards such as NTP-ISO/IEC 27005 and NTP-ISO 31000 for the analysis and evaluation of risks. This approach reflects the regulatory emphasis on proactive responsibility and risk-based data protection.

13. Are there any notification requirements for incidents and/or data breaches?

Yes. In the event of a personal data security incident, data controllers must notify both the affected data subjects and the Authority, depending on the severity of the incident. Notification to the Authority is required within 48 hours of becoming aware of the incident when it involves (i) large volumes of personal data (in terms of quantity or type), (ii) a large number of affected individuals, (iii) sensitive personal data, or (iv) evident harm to the rights or freedoms of the data subjects. If the notification is delayed beyond 48 hours, justification must be provided. The notification must include the nature of the incident, the types of data affected, contact details of the Data Protection Officer or relevant contact point, possible consequences, and measures taken to mitigate the impact.

If an incident occurs in a digital environment, it must also be reported to the National Center for Digital Security for inclusion in the National Register of Digital Security Incidents.

Data subjects must also be notified within 48 hours if the incident results in evident harm to their rights. The communication must be clear and easily understandable and must describe any actions taken to mitigate the impact. However, this obligation does not apply if the incident did not cause harm and was fully resolved by the data controller.

Additionally, data processors are required to immediately inform the data controller of any security incidents they become aware of. All incidents must be properly documented by the controller, including the facts, effects, and remedial actions taken, to allow verification by the Authority.

14. Who is/are the privacy regulator(s)?

In Peru, the competent privacy regulator is the National Authority for the Protection of Personal Data (“Authority”), attached to the Ministry of Justice and Human Rights. The Authority’s functions are carried out by the General Directorate for Transparency, Access to Public Information and Protection of Personal Data, which serves as both the first and second administrative instance in data protection matters.

Within the General Directorate, there are specialized divisions responsible for different aspects of enforcement and supervision:

a)    The Directorate of Supervision and Investigation is responsible for initiating and conducting investigations, collecting evidence, issuing charges, and preparing the final investigation report during the administrative sanctioning procedure. It may also launch inspections ex officio or based on complaints.

b)    The Directorate for Personal Data Protection has first-instance authority to determine the existence of an infringement, impose administrative sanctions, and issue precautionary and corrective measures. It also handles requests for direct enforcement of data subject rights (e.g., access, rectification, deletion) and resolves motions for reconsideration filed against its own resolutions.

15. What are the consequences of a data breach?

According to the PDPL, a personal data breach constitutes an administrative offense when it involves the failure to implement adequate security measures or non-compliance with the obligations established in the PDPL and its Regulations. Such violations are subject to sanctions by the National Authority for Personal Data Protection (ANPD), which classifies them as minor, serious, or very serious:

Minor violations can result in fines between 0.5 and 5 UIT (Tax Units) and involve the processing of personal data in violation of security measures.

Serious violations carry fines of more than 5 and up to 50 UIT and involve the processing of personal data in violation of security measures, thereby generating the unauthorized exposure of personal data. Likewise, failure to notify the Authority of a security incident constitutes a serious violation.

Very serious violations are punishable by fines ranging from 50 to 100 UIT and involve the processing of sensitive data in violation of security measures and causing harm to the data subject.

Finally, all sanctions imposed are published in the Public Registry of Sanctions, which can affect the organization's reputation. Those affected can also request civil compensation or protection through constitutional actions such as habeas data.

16. How is electronic marketing regulated?

Electronic marketing (calls, emails, messages or any form of commercial prospecting) requires prior, express, and informed consent from the data subject. Under the PDPL and its Regulation, such consent must be free, unequivocal, and verifiable, with the burden of proof on the data controller. In addition, unsolicited marketing communications through call centers, automated calls, mass text messages, or mass emails are expressly prohibited by Law No. 32323, the law that expands the prohibition of spam communications. This prohibition applies unless the data subject has proactively initiated contact and has given explicit consent to be contacted through specific channels. Data subjects may revoke or object to the processing of their data at any time, and data controllers must ensure simple, free, and accessible mechanisms to exercise these rights within ten calendar days. Non-compliance may result in administrative sanctions imposed by the Authority, including fines, corrective measures, and public listing in the National Registry of Sanctions.

17. Are there sector-specific or industry-specific privacy requirements?

Yes, there are sector-specific privacy requirements in Peru; however, the general framework established by the PDPL and its Regulation remains applicable and prevails over any conflicting provisions. Sectoral regulations must align with the general data protection principles and may only establish specific procedures if they offer equal or higher safeguards. For example, in the telecommunications sector, operators must ensure the confidentiality, integrity, and lawful use of subscriber data and may only process it under consent or legal mandate. In the financial sector, consent is not required for processing creditworthiness or anti-money laundering data when justified by law. For professional associations, member directories containing basic identifying information are considered public sources, and their processing must still comply with the law. In the healthcare sector, data may be processed without consent for medical purposes or public health needs under strict conditions. Additionally, intra-group data transfers must observe applicable rules, including obtaining consent unless an exemption under Article 14 applies.

While these sectoral provisions exist, they do not exempt entities from compliance with the overarching data protection regime.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Under Article 37 of the Regulation, a Data Protection Officer (DPO) must be appointed when any of the following conditions are met:

(i)    the processing involves a large volume of personal data or affects a large number of individuals;
(ii)    the processing includes sensitive personal data;
(iii)    the processing may result in evident harm to the rights or freedoms of data subjects; or
(iv)    the core activities of the data controller involve the processing of sensitive data.

Under Article 39 of the Regulation, the DPO must possess accredited knowledge and experience in data protection. Their functions include:

(i)    informing and advising the data controller or processor and employees on data protection obligations;
(ii)    verifying and reporting on compliance with the law and internal policies, including responsibility assignments, awareness-raising, training, and audits;
(iii)    cooperating with the Data Protection Authority; and
(iv)    performing their tasks with attention to the risks associated with the data processing activities.

The DPO may be internal or external and does not need to reside in Peru, but must be easily reachable and act as a reliable point of contact for both the Authority and data subjects.

19. What are the record-keeping and documentation obligations?

The PDPL and its Regulations establish extensive record-keeping and documentation obligations for data controllers and processors. These include maintaining valid evidence of consent, especially in writing for sensitive data, up-to-date privacy policies, and the accurate registration of personal data banks in the National Registry, including the declaration of cross-border flows. Furthermore, data controllers must maintain a formally approved and dated internal Security Document containing access protocols, system logs, data inventories, backup policies, and compliance testing. Finally, traceability of responses to data subject rights must be maintained.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Under Article 40 of the Regulation, conducting a Data Protection Impact Assessment (DPIA) is an optional, but recommended, proactive responsibility measure under PDPL. A DPIA is meant to be carried out prior to the processing of personal data, and it is strongly advised in scenarios involving sensitive personal data, large-scale data processing, data subjects in vulnerable situations, or profiling activities. Although the law does not mandate DPIAs, they are encouraged as part of a controller’s duty to manage risk and ensure compliance. While the Authority has not yet issued specific internal guidelines for DPIAs, the Regulation is inspired by international standards such as those of the Spanish Data Protection Agency and ISO frameworks (ISO/IEC 27005, ISO 31000) for risk analysis. The implementation of a DPIA, when properly documented and conducted prior to the initiation of any administrative sanctioning procedure, may be considered a mitigating factor in the assessment of liability.

21. What are the requirements for third-party vendor management and data sharing?

Under Article 30 of the PDPL and Article 31 of the Regulation, data controllers must implement strict requirements when engaging third-party vendors (data processors) and conducting data sharing. Processors may only process data on behalf of the controller under a formal agreement and are prohibited from transferring the data to additional parties without prior authorization. Subcontracting of processing requires prior consent from the controller and must reflect equivalent obligations. Vendors using technological platforms must ensure confidentiality, integrity, and deletion of data after service completion. International data transfers require the data subject's consent and may only be made to countries with adequate data protection standards, or under appropriate safeguards such as model clauses. All transfers must be documented, informed to the data subject, and, in the case of cross-border flows, reported to the Authority. Controllers must also maintain updated security documentation, audit logs, backups, and restrict access to authorized personnel. Finally, Codes of Conduct and service contracts must reflect compliance obligations, including confidentiality and prohibition of unauthorized access.

22. What are the penalties and enforcement mechanisms for non-compliance?

Under the PDPL and its Regulation, the Authority is responsible for supervising compliance and imposing penalties for violations.

Violations are classified as minor, serious, or very serious, and may result in fines ranging from 0.5 UIT to 100 UIT, depending on the nature and impact of the breach (Article 39 of the PDPL).

Enforcement mechanisms include inspections (on-site or remote), sanctioning proceedings, and administrative measures such as precautionary or corrective orders. Failure to comply with such orders may lead to coercive fines from 0.2 to 10 UIT, which can double successively, up to 100 UIT.

Mitigating factors include acknowledgment of responsibility, early adoption of corrective measures, or implementation of a data protection impact assessment or code of conduct before a proceeding.

Sanctions are published in the National Register of Personal Data Protection, which can affect the organization's reputation.

23. What are the ongoing compliance and audit requirements?

The PDPL and its Regulation impose ongoing compliance obligations under the principle of proactive responsibility. Data controllers must adopt legal, technical, and organizational measures to ensure and demonstrate compliance, including the implementation of internal privacy policies, data inventories, access protocols, and staff training programs. They are also required to maintain a formally approved and regularly updated Security Document and appoint a Data Protection Officer (DPO) when applicable.

While the law does not explicitly mandate a formal governance program, it effectively requires a structured internal compliance framework. Controllers may adopt Codes of Conduct as a means to demonstrate accountability.

Controllers must continuously monitor compliance, update security and registration documentation, and respond promptly to data subject requests. The Authority conducts both remote and on-site audits to verify compliance with security standards, registration duties, incident response obligations, and the exercise of data subject rights. Controllers are also expected to apply privacy by design and by default, conduct Data Protection Impact Assessments (DPIAs) when applicable, and foster a culture of data protection across the organization.

24. Are there any recent developments or expected reforms?

Peru’s new Regulation entered into force in March 2025, replacing the previous regulatory framework enacted in 2013. Given its recent adoption, no major legislative changes are expected in the short term. However, the Authority is expected to issue complementary guidelines to provide further clarity on regulatory requirements. These may include guidance on the designation and functions of the Data Protection Officer (DPO), incident response procedures, and other operational aspects to support consistent implementation.
