SecurePrivacy Logo

Peruvian Personal Data Protection Law (LPDP)

View Law Text
Maximum Fine
Up to 100 UIT
Scope
National
Regulator
ANPDP
Enacted
2011

Need Help with Peruvian Personal Data Protection Law (LPDP) Compliance?

Get expert guidance on implementing Peru's data protection requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The Personal Data Protection Law (LPDP) establishes comprehensive requirements for the protection of personal data in Peru, enforced by the National Authority for Personal Data Protection.

Key Facts

  • Enacted in 2011
  • Enforced by National Authority for Personal Data Protection
  • Requires registration of databases

Key Principles

Lawfulness and Consent

Personal data must be processed lawfully and with proper authorization.

Requirements

  • Obtain valid consent
  • Identify legal basis
  • Document processing grounds
  • Regular compliance reviews
  • Maintain consent records

Examples

  • Consent mechanisms
  • Legal basis documentation
  • Processing records
  • Compliance reports

Transparency

Organizations must be transparent about their data processing activities.

Requirements

  • Clear privacy notices
  • Processing purpose disclosure
  • Data sharing information
  • Rights notification
  • Regular updates

Examples

  • Privacy policies
  • Data processing notices
  • Rights information
  • Communication records

Data Security

Implementation of appropriate security measures to protect personal data.

Requirements

  • Security risk assessments
  • Technical safeguards
  • Staff training
  • Incident response
  • Regular audits

Examples

  • Security protocols
  • Training programs
  • Incident plans
  • Audit reports

Compliance Requirements

Database Registration

Organizations must register their databases containing personal data with the National Authority for Personal Data Protection.

Implementation Steps

  • Identify registrable databases
  • Complete registration forms
  • Submit to authority
  • Maintain registration current
  • Update when changes occur

Required Documentation

  • Database inventory
  • Registration certificates
  • Processing records
  • Update history
  • Change notifications

Cross-Border Transfers

Requirements for transferring personal data outside Peru.

Implementation Steps

  • Assess recipient country adequacy
  • Implement transfer safeguards
  • Obtain necessary approvals
  • Document transfers
  • Monitor compliance

Required Documentation

  • Transfer assessments
  • Safeguard documentation
  • Approval records
  • Transfer logs
  • Monitoring reports

Enforcement & Penalties

Administrative Penalties

The National Authority for Personal Data Protection can impose administrative penalties for violations.

Penalty Categories

Severe Violations
Up to 100 UIT
For serious breaches of data protection requirements
Processing Violations
Up to 50 UIT
For unauthorized processing of personal data
Documentation Violations
Up to 20 UIT
For failure to maintain required documentation

Example Cases

Financial Institution
80 UIT
2023 - Unauthorized data sharing with third parties
Technology Company
45 UIT
2022 - Insufficient security measures leading to data breach

Additional Measures

The Authority can impose various corrective measures beyond monetary penalties.

Penalty Categories

Processing Bans
Temporary or Permanent
Suspension of data processing activities
Mandatory Changes
Compliance Orders
Required modifications to processing activities
Public Warnings
Public Notice
Publication of violations and warnings

Example Cases

E-commerce Platform
Processing Ban
2023 - Ordered to cease illegal data collection practices
Healthcare Provider
Compliance Order
2022 - Required to implement additional security measures