Significant Fines for Infringement of the Data Protection Law
The National Authority for the Protection of Personal Data (ANPDP), which belongs to the Ministry of Justice, imposed fines totaling USD 232,271 on public and private institutions that violated the personal data protection law. According to the Peruvian law that governs this matter (Law No. 29733 of Protection of Personal Data of Peru), the processing of personal data requires, as a general rule, obtaining the free, prior, informed, express and unambiguous consent of its owner, except as provided in the law. Likewise, security measures must be implemented to protect the collected personal data, such as documenting security protocols for access and privilege management and periodically reviewing those privileges, among others.
An example of this new policy followed by the National Data Protection Authority is one of the latest sanctions, imposed on "Supermercados Peruanos S.A.", which had collected personal data without the authorization of its clients. In addition, security measures were not implemented and the Authority was not notified of the transfer of data outside Peruvian territory.
During 2018, the ANPDP also prepared 105 final reports of instruction, made 283 visits to public and private institutions on personal data, and issued 3,278 resolutions on the National Registry of Personal Data Protection. In this sense, and in order to inform data managers, it trained more than 1,700 people at various events and handled 689 queries on the standard interpretation of data protection legislation, and it produced the first Report on Supervision of Transparency Portals Standard of public entities.
These new measures clearly demonstrate that the ANPDP is fully committed to the actions necessary to guarantee the right to the protection of personal data in Peru, in line with the new measures taken by several Latin American countries and the EU.