Peru Data Privacy Laws: Law 29733, DS 016-2024-JUS & 2025 Regulation Guide

Peru protects personal data under Law No. 29733 (2011), grounded in Article 2(6) of the Political Constitution. Supreme Decree No. 016-2024-JUS, in force from March 30, 2025, updated the framework with mandatory Data Protection Officers, 48-hour breach notification, and expanded ARCO-PD rights.
Peru's Data Protection Framework at a Glance
Peru enacted Ley de Protección de Datos Personales (Law No. 29733) on July 2, 2011, published in El Peruano, the official gazette. The law made Peru one of Latin America's first countries to adopt a comprehensive statutory data protection regime. The original implementing regulation, Supreme Decree No. 003-2013-JUS, entered into force in 2013 and governed compliance for over a decade.
On November 30, 2024, Peru published Supreme Decree No. 016-2024-JUS in El Peruano, approving a new comprehensive Regulation for Law 29733. This Regulation superseded the 2013 version in its entirety and took effect on March 30, 2025. The 135-article Regulation modernises the framework for the digital economy, addressing e-commerce, artificial intelligence, automated profiling, cookies, and location data.
The constitutional right to data privacy sits in Article 2(6) of the Political Constitution of Peru (1993), which guarantees every person's right against information services that affect personal and family privacy. Article 200(3) establishes the habeas data action as the judicial remedy available when that right is violated.

Constitutional Basis and Habeas Data
Article 2(6): The Fundamental Right
Article 2(6) of Peru's Political Constitution provides the supreme-law foundation for all data protection legislation in the country. The provision recognises that every person has the right to ensure that information services, whether computerised or not, and whether public or private, do not supply information that affects personal and family privacy. This constitutional grounding means that Law 29733 is not merely a regulatory statute: it implements a fundamental right that takes precedence over ordinary legislation.
The constitutional right covers informational privacy broadly. It protects against the collection, storage, and dissemination of personal information without legal justification, and gives data subjects standing to challenge unlawful processing both administratively (before the ANPDP) and judicially (through habeas data).
Article 200(3): Habeas Data as Constitutional Guarantee
Article 200(3) of the Constitution establishes habeas data as one of Peru's constitutional protective actions alongside amparo and habeas corpus. The habeas data action may be brought before a court by any person whose data privacy rights under Article 2(6) have been violated, particularly where an information service improperly uses their personal data or supplies information that damages personal or family privacy.
Habeas data is a subsidiary remedy. The petitioner must ordinarily exhaust administrative remedies with the ANPDP before turning to the constitutional courts. In practice, this means filing a complaint with the ANPDP first. If the administrative proceeding fails to vindicate the petitioner's rights, the habeas data action provides a constitutional fallback before the judicial branch.
The availability of habeas data is a significant feature of Peru's framework compared to many other Latin American countries. It gives data subjects a constitutional-level enforcement tool that sits above and beyond the ANPDP's administrative proceedings.

Law No. 29733: Core Provisions
Scope and Application
Law 29733 applies to the processing of personal data carried out by any natural or legal person, whether in the public or private sector, through automated or non-automated means. The law covers every stage of data processing: collection, recording, storage, conservation, organisation, modification, extraction, consultation, use, blocking, deletion, and destruction of personal data.
The law applies to processing carried out in Peruvian territory. DS 016-2024-JUS extends its reach to foreign controllers that offer goods or services to individuals located in Peru, or that conduct behavioural profiling of individuals in Peru, even where the controller has no physical establishment in the country. Those foreign entities must designate a Peruvian representative responsible for compliance.
Definitions: Personal Data and Sensitive Data
Law 29733 defines personal data as any numerical, alphabetical, graphical, photographic, acoustic, or other information relating to an identified or identifiable natural person. DS 016-2024-JUS expanded this definition to explicitly include location data and online identifiers (such as IP addresses and cookie identifiers) as categories of personal data.
Sensitive personal data receives heightened protection. DS 016-2024-JUS updated the sensitive data categories to include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sexual orientation and gender identity
- Criminal records
- Financial and income data
- Biometric data used for unique identification
- Genetic data
- Emotional data (new under DS 016-2024-JUS)
Processing sensitive data requires the data subject's explicit written consent unless a specific statutory exception applies.
Principles Governing Data Processing
Law 29733 establishes eight foundational principles that govern all personal data processing in Peru:
- Legality: Processing must have a lawful basis established by law.
- Consent: The data subject's free, prior, express, informed, and unequivocal consent is the default legal basis for processing.
- Purpose: Data may be collected only for a specific, explicit, and lawful purpose and may not be processed in a manner incompatible with that purpose.
- Proportionality: Processing must be adequate, relevant, and not excessive relative to the declared purpose.
- Data quality: Data must be accurate, complete, and kept up to date.
- Security: Controllers must implement technical and organisational measures to protect data against unauthorised access, loss, and destruction.
- Level of protection: Adequate protection must be ensured for cross-border transfers.
- Accountability: The controller is responsible for compliance with the law and must be able to demonstrate it.
Legal Bases for Processing
While consent is the primary legal basis under Law 29733, the law recognises several non-consent bases. These include:
- Processing necessary for the performance of public-entity functions within their legally established competence
- Processing of data from publicly accessible sources
- Processing necessary for the performance of a contractual or pre-contractual relationship with the data subject
- Processing necessary for the preparation of statistical studies using anonymous methods
- Processing related to public health, epidemiology, or scientific research in the public interest
- Processing authorised by law for specific purposes
DS 016-2024-JUS clarified and expanded these bases, particularly in the context of digital services and automated systems. It reinforced that the legal basis for processing must be documented and that controllers must be able to demonstrate which basis applies to each processing activity.
Data Subject Rights (ARCO-PD)
Law 29733 originally established the ARCO rights: Access, Rectification, Cancellation, and Opposition. DS 016-2024-JUS expanded this to what practitioners now describe as ARCO-PD by adding Portability and Deindexing:
Access: The right to obtain confirmation of whether personal data is being processed and to receive a copy of that data, along with information about its source, purpose, and the recipients to whom it has been disclosed.
Rectification: The right to have inaccurate or incomplete personal data corrected or completed.
Cancellation: The right to request the deletion of personal data when it is no longer necessary for the purpose for which it was collected, when consent is withdrawn, or when the processing is otherwise unlawful.
Opposition: The right to object to the processing of personal data in certain circumstances, including where processing is based on legitimate interests or for commercial prospecting. DS 016-2024-JUS strengthened this right for commercial prospecting: organisations may contact prospects using publicly sourced data only once, and if no consent is obtained at that initial contact, further contact is prohibited.
Portability (new, effective September 30, 2025): The right to receive personal data in a structured, machine-readable format and to transmit it to another controller, where processing is based on consent, contractual necessity, or automated means. Direct controller-to-controller transmission is permitted when technically feasible.
Deindexing (new): The right to request the removal of URLs or content referencing personal data from search engine indexes.
Controllers must respond to ARCO-PD requests within the timeframes established by the Regulation. Opposition requests must be resolved within 10 business days.

The ANPDP: Structure and Powers
Organisational Structure
The Autoridad Nacional de Protección de Datos Personales (ANPDP) is the administrative authority responsible for overseeing and enforcing Law 29733. The ANPDP is not an independent authority. It operates as part of the Dirección General de Transparencia, Acceso a la Información Pública y Protección de Datos Personales (General Directorate for Transparency, Access to Public Information, and Personal Data Protection) within the Ministry of Justice and Human Rights (MINJUS).
The ANPDP comprises three functional units:
- Inspection and Investigation Directorate: Supervises compliance with the law, conducts announced and unannounced inspections, initiates sanctioning proceedings, and investigates complaints filed by data subjects.
- Personal Data Protection Directorate: Resolves first-instance sanctioning proceedings, administers trilateral administrative proceedings (data subject vs. controller), and administers the National Registry of Personal Data Banks.
- General Directorate: Serves as the final administrative instance, resolving appeals and exhausting the administrative process before matters may proceed to judicial review.
Powers and Functions
The ANPDP holds broad regulatory and enforcement powers:
- Investigating complaints filed by data subjects and initiating ex officio investigations
- Conducting inspections of data controllers and processors, both announced and unannounced
- Issuing binding directives interpreting and supplementing Law 29733
- Imposing administrative fines within the three-tier penalty framework
- Ordering corrective measures, including cessation of unlawful processing and deletion of unlawfully held data
- Maintaining the National Registry of Personal Data Banks
- Issuing guidance on the application of the law, including for specific sectors and technologies
- Approving standard contractual clauses for cross-border data transfers
The authority has progressively increased its enforcement activity, with growing caseloads in the healthcare, financial services, telecommunications, and education sectors.
National Registry of Personal Data Banks
One of the most distinctive features of Peru's framework is the mandatory registration of personal data banks with the ANPDP. This requirement predates the 2025 regulation and has been maintained and streamlined under DS 016-2024-JUS.
Every public and private entity that maintains a personal data bank must register it in the Registro Nacional de Protección de Datos Personales before commencing data collection. Registration is conducted free of charge through an automatic approval procedure via the Integrated Personal Data Protection System (SIPDP) platform available at the ANPDP's official website. The registration must include the bank's purpose, categories of data held, applicable security measures, and data subject rights procedures.
DS 016-2024-JUS maintains the registration requirement and updated the registration procedures to align with the new Regulation. Failure to register a personal data bank is classified as a serious infraction, attracting fines of 5 to 50 UIT.
Supreme Decree No. 016-2024-JUS: What Changed
Overview of the Reform
Supreme Decree No. 016-2024-JUS represents the most comprehensive reform of Peru's data protection framework since the original Law 29733. Published on November 30, 2024 and effective March 30, 2025, the Regulation comprises 135 articles and six supplementary provisions and replaces the 2013 implementing regulation in its entirety.
The reform reflects regulatory alignment with developments in Latin American and European data protection law, particularly the influence of the EU General Data Protection Regulation and Brazil's Lei Geral de Proteção de Dados. The principal changes cover DPO obligations, breach notification, new data subject rights, expanded scope, enhanced consent rules, AI and automated decision-making, and cookie compliance.
Data Protection Officer Requirements
DS 016-2024-JUS introduces a mandatory DPO role triggered in three situations:
- The controller is a public entity that processes personal data.
- The controller handles large volumes of personal data or processes sensitive data affecting the fundamental rights of data subjects.
- The controller's core business activities consist of processing sensitive personal data.
The DPO must satisfy minimum qualification requirements: at least two years of general experience in data privacy matters plus one year of specific data protection experience, combined with postgraduate studies in data privacy, an academic degree in the field, or a recognised certification. The DPO must also demonstrate moral and ethical integrity and must have functional independence from the entities whose processing activities they oversee.
Multi-site enterprises may designate a single DPO accessible across all locations. The DPO's contact information must be published (for instance, in the organisation's privacy notice) and formally notified to the ANPDP within 15 days of appointment, per Directorial Resolution No. 100-2025-JUS-DGTAIPD.
The DPO obligation is phased by annual sales in a staggered compliance schedule:
| Company Tier | Annual Sales Threshold | DPO Deadline |
|---|---|---|
| Large (Tier 1) | Above 2,300 UIT (approx. S/12.6M) | November 30, 2025 |
| Large (Tier 2) | 1,700 to 2,300 UIT | November 30, 2026 |
| Small/Medium | 150 to 1,700 UIT | November 30, 2027 |
| Micro | Below 150 UIT | November 30, 2028 |
Breach Notification
DS 016-2024-JUS establishes Peru's first statutory breach notification obligation. When a personal data security incident occurs that involves large volumes of data, sensitive personal data, or causes evident prejudice to the fundamental rights of data subjects, the controller must:
- Notify the ANPDP within 48 hours of becoming aware of the incident. A dedicated notification form is available at https://reporte.cnsd.gob.pe/home/minjus.
- Notify affected data subjects within the same 48-hour window, in clear and simple language, explaining what occurred, what data was exposed, and what steps the controller is taking.
- If the controller operates in a critical sector, additionally notify the National Center for Digital Security (Centro Nacional de Seguridad Digital).
Late notifications are not automatically sanctioned but require documented justification with evidence of the reasons for the delay. The breach notification obligation applies from the date DS 016-2024-JUS took effect, March 30, 2025.
Expanded Extraterritorial Scope
The 2013 implementing regulation was largely territorial in orientation. DS 016-2024-JUS shifts to an effects-based approach aligned with modern international standards. The Regulation applies to foreign data controllers that:
- Offer goods or services to individuals located in Peru, regardless of whether payment is required, or
- Monitor or profile the behaviour of individuals located in Peru.
Foreign controllers falling within this scope must designate a Peruvian representative who can be held liable for compliance failures. The representative requirement took effect on March 30, 2025.
AI and Automated Decision-Making
DS 016-2024-JUS addresses the use of artificial intelligence systems that process personal data. Organisations deploying AI systems for automated decision-making that significantly affects data subjects must:
- Inform data subjects that automated processing is occurring and explain its logic
- Provide data subjects with the right to request human review of automated decisions that produce significant effects
- Implement transparency and accountability measures proportionate to the risk of the processing
These provisions are consistent with Peru's broader 2025 AI regulatory context. Separately, Ley No. 32314 (discussed below under Recent Developments) targets criminal misuse of AI but does not alter Law 29733 obligations.
Cookie Compliance and Location Data
DS 016-2024-JUS explicitly designates online identifiers (including cookies and IP addresses) and location data as personal data. Cookies that go beyond the functionality strictly necessary to operate a website require the user's prior consent. Location data requires separate, specific consent distinct from general consent to data processing.
This provision directly affects websites and mobile applications serving users in Peru or targeting Peruvian residents from abroad.
Data Protection Officer Obligations: Practical Detail
The DPO under DS 016-2024-JUS is an internal compliance officer, not a licensee or registered professional in the way a lawyer or notary would be. The DPO's primary responsibilities are:
- Informing and advising the organisation and its employees of their obligations under Law 29733 and DS 016-2024-JUS
- Monitoring internal compliance with data protection policies and procedures
- Providing advice on data protection impact assessments (DPIAs) for high-risk processing
- Serving as the primary point of contact for the ANPDP in matters relating to personal data processing
- Cooperating with ANPDP inspections and investigations
Organisations appointing a DPO must follow a two-step formal procedure: (1) internal appointment by formal corporate act (shareholder resolution or board decision), followed by (2) formal notification to the ANPDP. The DPO may be an employee or an external service provider.
The qualification bar, particularly the requirement for postgraduate studies or a recognised certification in data privacy, presents a practical challenge given the relatively limited supply of formally trained data privacy professionals in Peru. The phased schedule for smaller organisations reflects this reality and provides time for the professional education market to develop sufficient capacity.
Breach Notification: Obligations and Process
What Triggers Notification
Not every security incident triggers the 48-hour notification obligation. DS 016-2024-JUS confines the mandatory notification to incidents that meet one or more of the following thresholds:
- The incident exposes large volumes of personal data
- The exposed data includes sensitive personal data (health, biometric, genetic, etc.)
- The incident causes, or is likely to cause, evident prejudice to the fundamental rights of data subjects (for example, identity theft risk, discrimination risk, or financial harm)
Where the incident is contained and resolved without any material risk to data subjects, the controller must still document the incident internally but is not required to make an external notification.
Notification Content
The notification to the ANPDP must describe: the nature of the incident; the categories and approximate volume of personal data affected; the likely consequences; the measures taken or proposed to address the incident; and the name and contact details of the DPO (if appointed). Notifications to affected data subjects must use clear and simple language and must tell the subject what occurred, what data was exposed, and what remedial steps are being taken or are available.
Critical Sectors
Organisations operating in critical infrastructure sectors (energy, finance, health, telecommunications, water) must additionally notify the Centro Nacional de Seguridad Digital using the form at https://reporte.cnsd.gob.pe/home/minjus. This dual-reporting obligation reflects Peru's parallel cybersecurity regulatory framework.
Cross-Border Data Transfers
The Adequacy Requirement
Law 29733 restricts international transfers of personal data to countries or international organisations that provide adequate levels of data protection. The ANPDP has authority to determine which countries satisfy this standard, though as of 2025 Peru has not published a comprehensive adequacy list equivalent to the EU's approach.
Transfer Mechanisms Where Adequacy Is Absent
Where no adequacy determination exists for the destination country, DS 016-2024-JUS permits transfers through the following mechanisms:
- Standard contractual clauses: Written contracts that bind the recipient to protect the data in accordance with the obligations of Law 29733. The ANPDP may pre-approve model clauses.
- Binding corporate rules: For intra-group transfers between entities of the same corporate group.
- International treaties: Where a bilateral or multilateral treaty provides for data protection.
- Judicial and law enforcement cooperation: Transfers necessary for international judicial cooperation or law enforcement purposes (terrorism, drug trafficking, money laundering, corruption, human trafficking, organised crime).
- Medical treatment: Transfers necessary for the protection of the data subject's health or physical safety.
- Contractual necessity: Transfers required for the performance of a contract between the data subject and the controller.
- Anonymisation: Where data has been genuinely anonymised or dissociated before transfer.
- Consent: Express, informed consent of the data subject that specifically authorises the cross-border transfer to the named destination country and recipient.
DS 016-2024-JUS updated the cross-border transfer assessment framework. Controllers must evaluate the destination country's legal framework, its recognition of data protection principles, the rights available to data subjects in that jurisdiction, and the existence of a supervisory authority.
Penalties and Enforcement
The Three-Tier Penalty Framework
Law 29733 establishes three tiers of infractions, with fines expressed in Unidades Impositivas Tributarias (UIT). The UIT value is set annually by the Ministry of Economy and Finance. For 2026 it is S/5,500 (Decreto Supremo No. 301-2025-EF).
| Tier | Examples | Fine Range (UIT) | Fine Range (S/) | Approx. USD (2026) |
|---|---|---|---|---|
| Minor | Late response to ARCO request; inadequate privacy notice | 0.5 to 5 UIT | S/2,750 to S/27,500 | USD 740 to USD 7,400 |
| Serious | Processing without consent; failure to register data bank; unlawful cross-border transfer | 5 to 50 UIT | S/27,500 to S/275,000 | USD 7,400 to USD 74,000 |
| Very Serious | Processing sensitive data without express consent; obstructing ANPDP inspection; repeat serious violations | 50 to 100 UIT | S/275,000 to S/550,000 | USD 74,000 to USD 148,000 |
No fine may exceed 10% of the offending entity's annual net revenue from the prior year, providing a cap that protects smaller organisations from disproportionate sanctions while allowing significant penalties for large-scale violations by major enterprises.
Corrective Measures
In addition to financial penalties, the ANPDP may issue corrective orders requiring controllers to:
- Cease unlawful processing immediately
- Delete data that was collected or processed without a valid legal basis
- Implement specific technical or organisational security measures within a prescribed timeframe
- Adopt new internal policies and procedures
- Appoint a DPO or implement compliance programmes
Enforcement Posture
The ANPDP has progressively strengthened its enforcement activity since the law's enactment. Enforcement has concentrated in sectors with intensive personal data processing: healthcare, financial services, telecommunications, and education. The authority has pursued both complaint-driven investigations and ex officio proceedings.
The entry into force of DS 016-2024-JUS in March 2025, with its new DPO, breach notification, and expanded rights obligations, is expected to generate a new wave of enforcement activity as the ANPDP assesses compliance with the updated framework.
Business Compliance: What the 2025 Regulation Requires
Organisations operating in Peru or offering goods and services to Peruvian residents must review their data protection programmes against the following DS 016-2024-JUS requirements:
Data bank registration: All personal data banks must be registered in the Registro Nacional de Protección de Datos Personales (RNPDP) via the SIPDP platform before processing commences. Existing banks that were not registered must be brought into compliance. Registration is free of charge.
DPO appointment: Assess whether your organisation falls within the mandatory DPO triggers (public entity; large volumes of personal data or sensitive data affecting data subjects' fundamental rights; processing of sensitive data as a core business activity). If so, identify which phase of the staggered deadline applies based on annual sales and appoint a qualified DPO before the deadline.
Breach notification programme: Implement internal procedures to detect, assess, and report personal data security incidents within the 48-hour window. Designate responsibility for ANPDP notification and data subject communication. Retain incident records.
Privacy notices and consent mechanisms: Update privacy notices to reflect the expanded definition of personal data (location data, online identifiers), the new rights (portability, deindexing), and the basis for each processing activity. Consent mechanisms for cookies, commercial prospecting, and sensitive data must comply with DS 016-2024-JUS requirements.
Cross-border transfer review: Map all international data flows. Confirm that each transfer either benefits from an adequacy determination, is covered by contractual safeguards, or is supported by documented data subject consent.
Extraterritorial compliance: Foreign organisations offering digital goods, services, or targeted advertising to Peruvian residents must assess whether they are now within scope. If so, designate a Peruvian representative and register relevant data banks.
Portability readiness: The right to data portability became effective September 30, 2025. Controllers must be able to respond to portability requests by providing data in a structured, machine-readable format.
AI and automated decision-making: If your organisation uses AI systems to make automated decisions that significantly affect data subjects, implement the transparency and human-review mechanisms required by DS 016-2024-JUS.
Recent Developments (2024 to 2026)
DS 016-2024-JUS (November 2024 / March 2025)
The enactment and entry into force of DS 016-2024-JUS is the most significant development in Peru's data protection framework since 2013. The ANPDP has issued supplementary guidance, including Directorial Resolution No. 100-2025-JUS-DGTAIPD addressing DPO registration procedures.
Ley No. 32314 (April 2025)
Ley No. 32314 was published on April 29, 2025. This law is a criminal law amendment, not a data protection amendment. It strengthens Peru's legal response to AI misuse by: treating the use of AI to commit offences as an aggravating factor in criminal sentencing; sanctioning deepfakes used for child sexual abuse material, financial fraud, or reputational harm; amending the Computer Crimes Law (Ley No. 30096) to include AI as a means of committing offences; and amending Article 217 of the Criminal Code to sanction AI-generated works that infringe copyright.
Ley 32314 does not amend Law 29733 and does not alter ANPDP jurisdiction. However, organisations using AI systems for data processing in Peru must consider both the data protection obligations under DS 016-2024-JUS (transparency, human review rights) and the criminal liability exposure under Ley 32314 (AI used to commit offences as an aggravating circumstance). The two frameworks are complementary rather than overlapping.
Enforcement Trends
The ANPDP has concentrated enforcement attention on consent management practices in digital services and marketing, data security failures in the healthcare and financial sectors, and failure-to-register violations. The expanded obligations under DS 016-2024-JUS are expected to generate new enforcement focus on DPO compliance and breach notification failures from 2025 onwards.
This article presents general legal information about Peru's data protection framework. It does not constitute legal advice. Law 29733 and Supreme Decree No. 016-2024-JUS are primary sources; citations have been verified against official Peruvian government publications and authoritative secondary commentary. Information was verified as of May 19, 2026. Organisations should consult a lawyer licensed in Peru for advice on their specific situation.
Frequently Asked Questions
What is Peru's main data protection law?
Law No. 29733, the Ley de Protección de Datos Personales, enacted in 2011, is Peru's comprehensive data protection statute. It is implemented by Supreme Decree No. 016-2024-JUS, which entered into force on March 30, 2025 and replaced the 2013 regulation. The constitutional basis is Article 2(6) of Peru's Political Constitution.
What did the 2025 regulation (DS 016-2024-JUS) change?
Supreme Decree No. 016-2024-JUS, effective March 30, 2025, introduced mandatory Data Protection Officers (phased by company size), 48-hour breach notification, data portability rights (effective September 30, 2025), deindexing rights, expanded extraterritorial scope covering foreign companies targeting Peruvians, an expanded definition of sensitive data to include emotional and genetic data, cookie consent requirements, and stricter commercial prospecting rules.
Does my company need a Data Protection Officer in Peru?
A DPO is mandatory if your organisation is a public entity, handles large volumes of personal data or sensitive data as part of its core activities, or has sensitive data processing as its main business function. The deadline depends on annual sales: companies above 2,300 UIT must appoint a DPO by November 30, 2025; 1,700 to 2,300 UIT by November 30, 2026; 150 to 1,700 UIT by November 30, 2027; below 150 UIT by November 30, 2028.
What are the breach notification requirements in Peru?
Under DS 016-2024-JUS, data controllers must notify the ANPDP within 48 hours of becoming aware of a security incident that exposes large volumes of data, sensitive data, or causes evident prejudice to data subjects' fundamental rights. Affected individuals must also be notified within 48 hours. Critical-sector organisations must additionally notify the National Center for Digital Security.
What are the penalties for data protection violations in Peru?
Fines are set in Unidades Impositivas Tributarias (UIT). At the 2026 UIT value of S/5,500: minor infractions carry fines of 0.5 to 5 UIT (S/2,750 to S/27,500); serious infractions carry 5 to 50 UIT (S/27,500 to S/275,000); very serious infractions carry 50 to 100 UIT (S/275,000 to S/550,000). No fine may exceed 10% of annual net revenue.
Do organisations need to register their databases in Peru?
Yes. Peru requires all public and private entities to register their personal data banks in the National Registry of Personal Data Banks (Registro Nacional de Protección de Datos Personales) before commencing data collection. Registration is free and conducted through the SIPDP platform at the ANPDP's official website. Failure to register is a serious infraction.
Can personal data be transferred outside Peru?
Yes, with restrictions. Transfers are permitted to countries the ANPDP considers to provide adequate protection. Without adequacy, transfers require contractual safeguards (such as ANPDP-approved standard contractual clauses), or the data subject's express informed consent. DS 016-2024-JUS requires the controller to assess the destination country's legal framework before any transfer.
What is habeas data in Peru?
Habeas data is a constitutional protective action established in Article 200(3) of Peru's Political Constitution. Any person may bring a habeas data petition before a court when an information service improperly uses their personal data or supplies information that damages personal or family privacy. It is a subsidiary remedy: the petitioner must first exhaust administrative remedies with the ANPDP before resorting to the courts.
What is Ley 32314 and how does it relate to data protection?
Ley No. 32314, published April 29, 2025, is a criminal law amendment. It addresses AI misuse by treating AI-assisted commission of offences as an aggravating factor, sanctioning deepfakes, and amending Peru's Computer Crimes Law. It is not an amendment to Law 29733 and does not alter ANPDP jurisdiction. However, organisations using AI in Peru must comply with both: data protection obligations under DS 016-2024-JUS and criminal liability rules under Ley 32314.
Who enforces data protection law in Peru?
The Autoridad Nacional de Protección de Datos Personales (ANPDP), operating within the Ministry of Justice and Human Rights, enforces Law 29733. It comprises three directorates: the Inspection and Investigation Directorate (investigations and sanctions); the Personal Data Protection Directorate (first-instance proceedings and the National Registry); and the General Directorate (final-instance administrative review).
Sources and References
- Peru Ley No. 29733 - El Peruano Official Gazette (diariooficial.elperuano.pe)
- Peru Law 29733 English Translation - NIH NIAID (clinregs.niaid.nih.gov)
- Decreto Supremo No. 016-2024-JUS - El Peruano (busquedas.elperuano.pe)
- DS 016-2024-JUS Text - SMV Official PDF (smv.gob.pe)
- ANPDP - Official gob.pe Page (gob.pe)
- ANPDP Data Bank Registration - gob.pe (gob.pe)
- ANPDP New Regulation Campaign - gob.pe (gob.pe)
- DS 301-2025-EF UIT 2026 Value - LP Derecho (lpderecho.pe)
- Data Protection Laws in Peru - DLA Piper (dlapiperdataprotection.com)
- Peru New Regulation Analysis - Thelema Abogados (thelemabogados.pe)
- Peru DPO Obligations - Financier Worldwide (financierworldwide.com)
- Peru Data Protection Update 2025 - Harris Gomez Group (hgomezgroup.com)
- New Regulation Overview - CMS Law Peru (cms.law)
- AI Regulation Scanner Peru - CMS Law (cms.law)
- BANCODATOS Registration Platform - MINJUS (bancodatos.minjus.gob.pe)