Supreme Decree No. 016-2024-JUS was published in the Official Gazette El Peruano, approving a new Regulation of Law No. 29733 – Personal Data Protection Law (hereinafter, the “Regulation”). The Regulation imposes new obligations on the holders of personal data banks and/or those responsible for their processing, including the following:
- Notify the National Authority for Personal Data Protection within 48 hours of becoming aware of a security incident that exposes large volumes of personal data or causes serious harm to the data owners (data subjects). The affected owners must be notified within the same period, unless the incident has already been resolved or no such harm has occurred. In addition, every security incident must be duly documented and a record of it kept.
- Appoint a Personal Data Protection Officer whenever large volumes of personal data or sensitive data are processed. The officer is responsible for supervising compliance with the applicable obligations and acts as the point of contact with the Authority. A business group may appoint a single officer for the whole group.
- Maintain a security document, formally approved and binding on all personnel with access to information systems. It must be kept up to date and cover, at a minimum, the procedures for access management, privilege management, and periodic verification of the privileges assigned on information systems.
The Regulation also establishes optional accountability (proactive responsibility) mechanisms. These evidence the responsible party's commitment to compliance and may be treated as mitigating circumstances in a possible administrative sanctioning procedure. They include:
- Conducting Personal Data Protection Impact Assessments, particularly for processing that involves sensitive data, data used to build personal profiles, or data of people in particularly vulnerable situations, among other cases.
- Implementing Codes of Conduct that set specific rules for regulatory compliance within the entity or business group, such as procedures that facilitate the exercise of data subject rights, supervisory mechanisms, and clauses for obtaining consent, among others.
The Regulation also introduces new features. Portability is recognized as an expression of the data owner's right of access: upon request, and where technically feasible, the data must be transferred to another controller or holder of personal data banks. The Regulation also allows a single first contact with a data owner for the purpose of obtaining his or her express consent for advertising and commercial prospecting; if that consent is not obtained, no further contact may be made.
Finally, registration of personal data banks becomes free of charge, and the platform “I take care of my personal data” is created for citizen services.
The Regulation will enter into force 120 calendar days after its publication in the Official Gazette. However, the obligation to appoint a Personal Data Protection Officer will apply progressively over a 4-year period, depending on the sales volume of the responsible companies, and the right to portability will take effect 6 months after the Regulation enters into force.
For more information or in case of any questions on the subject, contact us at the following email: innovacion@cpb-abogados.com.pe