|Teresa Tovar Mena|
On July 3 2011, Law No 29733 was published in the Peruvian Official Gazette. This Law protects personal information contained in public and private data banks, establishing obligations for those who are responsible for the processing of such data.
Thus, obtaining prior, informed, express and unequivocal consent is necessary to process personal data. If the data is sensitive information, consent must be granted in writing. Consent will not be required only in specific cases, including: (i) when the personal data is public information; (ii) when it is related to the financial solvency or creditworthiness of a person; and (iii) when it is related to a person's health.
The Law does not apply to personal data contained in, or to be included in, data banks created for a person's private or family use, nor to data banks of public agencies which are necessary for them to comply with their responsibilities, for national defence or public security.
Data bank managers must adopt measures to ensure the security of the data bank and to keep confidentiality of personal data.
Specific security requirements will be established by a directive of the National Authority for the Protection of Personal Data. This agency, which is part of the Ministry of Justice, was created by the Law to ensure compliance of its provisions, being entitled to impose sanctions of up to approximately $128,000. The agency will be in charge of the National Registry of Personal Data Protection, which will contain a list of public and private personal data banks, the sanctions imposed and the codes of conduct of each personal data bank. This registry can be accessed by the public.
The Law establishes the following rights for the owner of the personal data: to be informed about the purpose of the data recollection and processing; to access its personal data, update it, include more information, and rectify and suppress information on him/herself; to impede the sharing and processing of the data; protection of his/her rights; and to claim damages.
Cross-border transfer of personal data is only permitted if the recipient country has adequate levels of protection, similar to those established under the Law. If the recipient country does not have an adequate level of protection, the data transmitter must guarantee that the processing of the personal data will be made according to the protection standards set forth by the Law.
From July 4 2011, the provisions related to requiring previous consent for processing personal data, cross-border transfer, the obligation to ensure security and confidentiality of the database and the creation of the agency, as well as those related to the issuance of regulations and implementation of the Law, are in force.
Existing personal data banks must adapt to the rules set forth in the Law within a term to be established in the regulations (to be issued within four months). Other provisions of the Law will come into force on April 2 2012, after the regulations are issued and if all deadlines are met.
Teresa Tovar Mena