Data protection & privacy laws in Peru (2026)

Law N° 29733 (Ley de Protección de Datos Personales), enacted 2011, remains the cornerstone statute. Supreme Decree N° 016-2024-JUS (El Peruano, 30 Nov 2024) replaced the 2013 regulation in its entirety and took effect 30 March 2025, establishing 135 articles across three titles.

The Autoridad Nacional de Protección de Datos Personales (ANPDP) operates under the Ministry of Justice and Human Rights. It maintains the National Registry of Personal Data Banks, investigates complaints and own-initiative cases, issues binding directives, imposes fines, and may order suspension of data processing activities.

The 2025 regulation extends coverage beyond entities physically established in Peru to foreign companies that offer goods or services to persons in Peru or that profile individuals located in Peruvian territory; such entities must appoint a local representative to liaise with the ANPDP.

A DPO is mandatory for entities processing sensitive data and for companies above revenue thresholds, with phased deadlines: large companies (>2,300 UIT ≈ USD 3.28 M) by 30 Nov 2025; medium (1,700–2,300 UIT) by 30 Nov 2026; small (150–1,700 UIT) by 30 Nov 2027; micro (<150 UIT) by 30 Nov 2028.

Security incidents must be notified to the ANPDP within 48 hours of detection. Data portability rights became effective 30 September 2025. Other standard rights—access, rectification, cancellation, and opposition—were already established under Law 29733.

Fines range from 0.5 UIT (≈ USD 743) for minor infractions to 100 UIT (≈ USD 148,600) for very serious violations, capped at 10% of the infringing entity's annual net revenue for the prior year.