Law: Law No. 29.733 on the Protection of Personal Data 2011 (only available in Spanish here) (the Law) and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) (the Regulation)

Regulator: National Authority for the Protection of Personal Data (ANPD)

Summary: Law No. 29733 on the Protection of Personal Data 2011 (only available in Spanish here) (the Law) was published on July 3, 2011, and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) (the Regulation) was enacted on March 22, 2013.

The Law provides for various data subject rights, such as the right to access and rectify data, object to processing, and to be informed of any processing. Moreover, the Law requires data controllers to register all personal databases in the National Registry of Personal Data Protection managed by the National Authority for the Protection of Personal Data (ANPD), as well as to notify the ANPD of any cross-border data transfers. While the Law has not instituted general breach notification requirements in Peru, a 2020 Emergency Decree approving the Framework for Digital Trust and Measures for its Strengthening (only available in Spanish here) provided that bodies which have suffered a breach must notify the National Digital Security Centre and any other authorities that may have an interest.