On November 30, 2024, Supreme Decree No. 016-2024-JUS was published in the Official Gazette El Peruano, approving the new Regulations for Law No. 29733 – Personal Data Protection Law (hereinafter, the "Regulations"). The Regulations impose new obligations on the owners of personal data banks and/or those responsible for their processing, including the following:

  • Notify the National Data Protection Authority within 48 hours of becoming aware of a security incident that results in the exposure of large volumes of personal data or in serious harm to the data subjects. The affected data subjects must be notified within the same period, unless the incident has already been resolved or no such impact has occurred. In addition, every security incident that occurs must be duly documented and a record of it kept.
  • Appoint a Personal Data Protection Officer when processing large volumes of personal data or sensitive data. The officer is responsible for overseeing compliance with the obligations under the Regulations and acts as the point of contact with the Authority. In the case of business groups, a single officer may be appointed for the entire group.
  • Maintain a security document, formally approved and binding on all personnel with access to the information systems. It must be kept up to date and contain, at a minimum, procedures for access management, privilege management, and periodic verification of the privileges assigned within the information systems.

The Regulations also establish proactive accountability mechanisms. These are optional and reflect the responsible party's commitment to compliance; they may be taken into account as mitigating factors in a potential administrative sanctioning procedure. They include:

  • Conducting Personal Data Protection Impact Assessments, in particular where the processing involves sensitive data, data used to build personal profiles, or data of individuals in especially vulnerable situations, among other cases.
  • Adopting Codes of Conduct, which set specific compliance rules within the entity or business group, such as procedures that facilitate the exercise of data subjects' rights, oversight mechanisms, and clauses for obtaining consent, among others.

The new Regulations also introduce further novelties. Portability is recognised as an expression of the data subject's right of access: on request, and where technologically feasible, the data must be transferred to another controller or owner of a personal data bank. In addition, a single initial contact is permitted for the purpose of obtaining the data subject's express consent to advertising and commercial prospecting; if that consent is not obtained, no further contact may be made.

Finally, registration of personal data banks is free of charge, and the "I take care of my personal data" citizen-service platform is created.

The new Regulations enter into force 120 calendar days after their publication in the Official Gazette. The obligation to appoint a Personal Data Protection Officer, however, enters into force gradually over a four-year period, depending on the sales volume of the responsible companies, and the right to data portability takes effect six months after the Regulations enter into force.

For more information or any questions on this topic, please contact us at the following email address: innovacion@cpb-abogados.com.pe

Team

Macarena Del Busto (mdelbusto@cpb-abogados.com.pe)
Victor Bosleman (vbosleman@cpb-abogados.com.pe)
Ayrton Huaman (ahuaman@cpb-abogados.com.pe)