Here is the converted article in Markdown format:
Data Processors Have Same Obligations as Controllers
In Peru, data processors have the same obligations as data controllers when it comes to processing personal data. However, there are some key differences in terms of registration and notification requirements.
Registration Requirements
According to the Law and its Regulation, data controllers are required to register their databases in the National Registry. This requirement does not apply to databases created by natural persons for purposes exclusively related to their private or family life. Data processors must comply with the same principles for processing personal data as outlined above.
Notification Requirements
Data transfers require prior, express, and unequivocal consent from the data subject. The transfer of sensitive data, such as health information, requires written consent. Data controllers may request an opinion from the APDP (Authority for Data Protection) regarding their data transfer practices.
Data Processing Records
While there is no requirement to maintain internal records of processing activities (ROPAs), data controllers have the burden of proving their compliance with the Law and its Regulation in case of investigation by the APDP. Keeping evidence about consent, security measures, and organizational measures may be necessary.
Data Protection Impact Assessment
There is no express requirement for data controllers to conduct privacy impact assessments (PIAs). However, a risk assessment must be conducted to determine the necessary security, legal, and organizational measures for processing activities.
Data Protection Officer Appointment
There is no requirement to appoint a data protection officer in Peru.
Data Breach Notification
While there is no general requirement to notify data breaches, entities from certain sectors (such as banking, healthcare, transportation, and education) must report breaches to the relevant authorities. Additionally, the Security Directive recommends notifying data subjects of any confirmed data breach.
Data Retention
There are no specific provisions related to data retention for data controllers in the Law and its Regulation. Data processors may keep personal data for up to two years in a processing agreement framework.
Children’s Data
The processing of minors’ personal data requires their free, prior, express, and informed consent if they are above 14 and below 18 years old, or that of their legal representatives (parents or guardians) if they are under 14. The information provided to them must be expressed in an understandable language.
Special Categories of Personal Data
In the case of sensitive data, such as health information, consent must be given in writing either by handwritten signature, digital signature, or similar means that can be printed on a paper surface.
I hope this helps! Let me know if you have any further requests.