Peru Data Privacy Laws: Law 29733 Personal Data Protection Guide (2026)

Overview of Peru's Data Protection Framework
Peru enacted its Personal Data Protection Law (Ley de Protección de Datos Personales, Law No. 29733) in 2011, becoming one of the early adopters of comprehensive data protection legislation in Latin America. The law was followed by its implementing regulations, approved through Supreme Decree 003-2013-JUS, which provided the detailed rules needed to operationalize the framework.

The constitutional foundation for data protection in Peru is found in Article 2, paragraph 6 of the Political Constitution of Peru, which recognizes the right of every person to ensure that information services, whether computerized or not, whether public or private, do not provide information that affects personal and family privacy.
In November 2024, Peru took a significant step to modernize its framework by enacting Supreme Decree 016-2024-JUS, a new regulation that entered into force on 30 March 2025. This updated regulation addresses the challenges posed by rapid developments in e-commerce, artificial intelligence, and other digital technologies, bringing Peru's framework into closer alignment with contemporary international standards.
Law 29733: Core Provisions
Scope and Application
Law 29733 applies to the processing of personal data carried out by any natural or legal person, whether in the public or private sector, through automated or non-automated means. The law covers all stages of data processing, including collection, recording, storage, conservation, organization, modification, extraction, consultation, use, blocking, deletion, and destruction of personal data.
The law applies to processing carried out in Peruvian territory. However, its reach extends to controllers outside Peru who use means located in the country for processing, unless those means are used solely for transit purposes.
Definition of Personal Data
Personal data is defined as any numerical, alphabetical, graphical, photographic, acoustic, or other type of information relating to an identified or identifiable natural person. The law recognizes sensitive personal data as a distinct category requiring enhanced protection, including biometric data, data revealing racial or ethnic origin, income or financial data, political opinions, religious beliefs, trade union membership, health information, sexual orientation, genetic data, and criminal records.
Principles of Data Processing
Law 29733 establishes eight fundamental principles that govern all personal data processing in Peru. The principle of legality requires all processing to have a lawful basis. The principle of consent requires the data subject's free, prior, express, informed, and unequivocal consent as the default legal basis. The principle of purpose requires that data be collected for a specific, explicit, and lawful purpose. The principle of proportionality requires that processing be adequate, relevant, and not excessive.
Additional principles include data quality (accuracy and completeness), security (appropriate measures to protect data), level of protection (adequate protection for cross-border transfers), and accountability (the controller's responsibility for compliance).
Legal Bases for Processing
While consent is the primary legal basis under Law 29733, the law recognizes several exemptions where consent is not required. These include processing necessary for the performance of the functions of public entities within their competence, processing of data in publicly accessible sources, processing related to a contractual or pre-contractual relationship, and processing necessary for the preparation of studies by anonymous statistical methods.
The 2025 regulatory update expands and clarifies the legal bases available for processing, particularly in the context of digital services and automated decision-making.
Data Subject Rights
Law 29733 grants data subjects a set of rights commonly referred to by the acronym ARCO: Access (the right to obtain information about how personal data is processed), Rectification (the right to correct inaccurate or incomplete data), Cancellation (the right to request the deletion of data when it is no longer necessary), and Opposition (the right to object to data processing in certain circumstances).
The 2025 regulations enhance these rights and introduce additional protections in the context of automated decision-making and artificial intelligence systems.
The ANPDP: Peru's Data Protection Authority
Structure and Role
The Autoridad Nacional de Protección de Datos Personales (ANPDP) is the administrative authority responsible for overseeing and enforcing compliance with Law 29733. The ANPDP operates as a directorate within the Ministry of Justice and Human Rights, specifically within the Directorate General for Transparency, Access to Public Information, and Personal Data Protection.
While the ANPDP is not an independent authority in the same way as European data protection authorities, it has been granted sufficient functional autonomy to carry out its supervisory and enforcement activities.
Powers and Functions
The ANPDP has broad powers to investigate complaints filed by data subjects, conduct inspections of data controllers and processors (both announced and unannounced), issue corrective orders requiring controllers to remedy violations, impose administrative fines for non-compliance, maintain the National Registry of Personal Data Banks, and issue guidance and opinions on the interpretation of the law.
The authority has progressively strengthened its enforcement activities, with an increasing number of investigations and sanctions in recent years.
Registration of Data Banks
One of the most distinctive features of Peru's data protection framework is the mandatory registration of personal data banks with the ANPDP. All entities that maintain personal data banks, whether public or private, must register them in the National Registry. The registration must include information about the data bank's purpose, the categories of personal data it contains, the security measures in place, and the rights of data subjects.
Failure to register a data bank is a sanctionable offense. This registration requirement provides the ANPDP with visibility into the data processing landscape and enables more targeted enforcement.
Cross-Border Data Transfers
Adequacy Requirement
Law 29733 restricts the international transfer of personal data to countries or international organizations that provide adequate levels of data protection. The ANPDP has the authority to determine which countries meet this standard.
Alternative Transfer Mechanisms
In the absence of an adequacy determination, transfers may proceed if the controller provides adequate guarantees of data protection, such as through contractual clauses that ensure the recipient will protect the data in accordance with Peruvian law. Binding corporate rules may also serve as a basis for intragroup transfers.
Consent-Based Transfers
Where neither adequacy nor adequate safeguards are available, cross-border transfers may proceed with the informed consent of the data subject. The consent must be express and informed, meaning the data subject must be told about the destination country, the identity of the recipient, and the purposes of the transfer.
Exceptions
The law provides for limited exceptions allowing transfers without adequacy or consent, including transfers required by international agreements, transfers necessary for international judicial cooperation, transfers necessary for medical treatment, and transfers necessary for bank or stock exchange transactions.
Penalties and Sanctions
Tiered Penalty Framework
Law 29733 establishes a three-tier penalty framework based on the severity of the violation.
Minor infractions include failures to comply with data subject requests within the specified timeframes, inadequate information provided to data subjects, and minor failures in data security. Fines range from 0.5 to 5 UIT (approximately USD 625 to USD 6,250 based on the 2025 UIT value).
Serious infractions include processing personal data without the required consent, failing to register data banks with the ANPDP, and transferring data internationally without adequate safeguards. Fines range from 5 to 50 UIT (approximately USD 6,250 to USD 62,500).
Very serious infractions include processing sensitive data without express consent, obstructing the ANPDP's supervisory functions, and repeated serious violations. Fines range from 50 to 100 UIT (approximately USD 62,500 to USD 125,000).
Corrective Measures
In addition to fines, the ANPDP may order controllers to cease unlawful processing, delete unlawfully collected data, implement specific security measures, and take other corrective actions necessary to remedy violations and prevent recurrence.
The 2025 Regulatory Update
Key Changes
Supreme Decree 016-2024-JUS introduces several important changes to Peru's data protection framework. The regulation enhances protections for data subjects in the context of electronic commerce, addressing practices such as profiling, targeted advertising, and algorithmic decision-making.
The regulation also addresses the use of artificial intelligence systems that process personal data, establishing requirements for transparency, fairness, and accountability in automated processing. Organizations deploying AI systems must ensure that data subjects are informed about automated decision-making and have the right to request human review of automated decisions that significantly affect them.
Enhanced Security Requirements
The updated regulation strengthens data security requirements, mandating that organizations implement technical and organizational measures proportionate to the sensitivity of the data being processed and the risks associated with the processing. This includes requirements for access controls, encryption, incident response planning, and regular security assessments.
Practical Compliance Considerations
Organizations operating in Peru should ensure compliance with both Law 29733 and the updated 2025 regulations. Key priorities include registering all personal data banks with the ANPDP, reviewing consent mechanisms to ensure they meet the law's requirements for free, prior, express, informed, and unequivocal consent, mapping cross-border data flows and implementing appropriate transfer mechanisms, and updating privacy notices to reflect the enhanced transparency requirements.
Organizations using artificial intelligence or automated decision-making systems should pay particular attention to the new regulatory provisions, ensuring that appropriate safeguards and transparency measures are in place.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.