Peru’s Emergency Decree: A Guide to Provisions and Obligations
Introduction
The Peruvian government has issued an Emergency Decree aimed at protecting personal data and regulating its use. Despite the decree’s provisions, regulations and guidelines are lacking, leaving many questions unanswered.
Notification Procedure
The decree does not provide specific guidelines for notifying the National Centre about data breaches. Instead, it requires only that reporting entities include identification information and relevant details about the breach in their notification. Because regulations are absent, authorities are not enforcing these requirements.
Key Takeaways
- No specific guidelines for notifying the National Centre about data breaches
- Reporting entities must include identification information and relevant details about the breach in their notification
- Lack of enforcement of these requirements by authorities
Enforcement and Sanctions
The General Directorate of Sanctions is responsible for resolving violations and imposing sanctions. Fines can range from S/ 2,575 (approximately USD 700) to S/ 515,000 (approximately USD 140,000), depending on the nature and magnitude of the offense. The NDPA also has the authority to impose additional fines if the offender fails to remedy the unlawful practice.
Key Takeaways
- Fines can range from S/ 2,575 to S/ 515,000
- Sanctions will be imposed by the General Directorate of Sanctions
- Additional fines may be imposed if the offender fails to remedy the unlawful practice
Electronic Marketing
The decree does not explicitly regulate electronic marketing, but it applies to activities that involve processing personal data. Consent can be obtained through electronic media by publishing accessible privacy policies with relevant consent language and mechanisms. Written consent may be provided through various means, including electronic signatures, written documents, or pre-established texts.
Key Takeaways
- Electronic marketing is not explicitly regulated
- Consent must be obtained for activities that involve processing personal data
- Consent can be obtained through electronic media by publishing accessible privacy policies with relevant consent language and mechanisms
Online Privacy
The decree does not specifically regulate online privacy, including cookies and location data. However, it will apply if personal data is collected and processed using these mechanisms. Consent must be obtained before cookies and/or location data can be used.
Key Takeaways
- Online privacy is not explicitly regulated
- Consent must be obtained for the collection and processing of personal data
- Consent must be obtained before cookies and/or location data can be used
Criminal Law Enforcement
Legislative Decree N° 1182 permits the National Police of Peru to access location and geolocation data in cases of flagrante delicto. Public communications services providers and public entities are required to keep user data for a certain period and provide location data upon request.
Key Takeaways
- The National Police of Peru can access location and geolocation data in cases of flagrante delicto
- Public communications services providers and public entities must keep user data for a certain period and provide location data upon request
Conclusion
As the Peruvian government continues to refine its regulations, businesses and individuals must be aware of their obligations under the Emergency Decree. Failure to comply with these provisions may result in severe penalties.
Key Takeaways
- Businesses and individuals must be aware of their obligations under the Emergency Decree
- Failure to comply with the decree’s provisions may result in severe penalties