In this privacyespresso we interviewed Jorge Allende, Partner and expert in IP and privacy law from the law firm Allende & Garcia Abogados in Perù, to receive an overview of the Peruvian data protection framework.
The data privacy law in Perù was released in 2011, but it was enforced in 2015, so it can be considered very young. Also, its structure is very similar to the GDPR, so complying with one will also help comply with the other. Jorge believes the best way to respect Peruvian law is to focus on good informative materials and consent.
Additionally, in recent years, the Peruvian DPA has focused on data controllers specifically, checking the presence of their databases under its registry as this is mandatory. Also, companies in Perù are required to communicate any data flow to the Authority, which was also under inspection. It is worth mentioning that Authority controls are pretty severe, probably because the money from the sanctions goes the Authority itself, opening some discussion on a potential conflict of interest.
Finally, privacy compliance is relatively easy in Perù. However, the firm control of the Authority and the very little education of companies have led to many fines. This issue has also been hardened by the lack of guidelines and information on how to implement the law. However, in more recent times, things are getting better as there is more awareness of the topic and, consequently, interest in complying.