Law Name

Ley de Protección de Datos Personales, Ley 29733 (2011)

Link to the Law

Data Transfer

The transmission of personal data is allowed and is done through the agency in charge of the personal data database. If the country that the information is being transferred to does not have the adequate security measures in place, the the agency in charge of the personal data must guarantee that the processing of the personal data will conform to the law and meet the standards of security.

Data Sharing

Consent is required to use personal data. The personal data should be collected for a specific and explicit purpose. Consent must be written when dealing with sensitive data. Even if consent is not given, sensitive data can be used if the law authorizes it or if there are important motives for the benefit of the public good.

Data Retention

The data subject has the right to know everything about their personal data such as how it will be used, who has access, where it can be transferred to, etc. The data subject has the right to access their data as well as actualize, include, rectify and suppress their personal data when the data is not exact, incomplete, erroneous or false, or when the data is no longer pertinent to their original use or when the terms of use of the data has expired. If the data has been transferred then these changes must be made known to the person it was transferred to.


The agency responsible for the database should adopt the technical, organizational and legal measures necessary to guarantee the security of personal data. The security measures in place must avoid the alteration loss or unauthorized access to the personal data. The level of security should be adequate depending on how sensitive the data is. Additionally, the National Authority establishes the requisites and conditions under which the agency responsible for the database must comply with for the Protection of Personal Data, unless otherwise stated in other laws. The agency responsible for the database must keep the information confidential unless previously given consent to not do so or required by the authority of the state.


The agency responsible for personal data is responsible for the safety of the data, making amendments to the data as well as notifying the National Authority for the Protection of Personal Data the relative information and processing of personal data. The sector of the Ministry of Justice that is in charge of enforcing the safety and protection of personal data is the “Autoridad Nacional de la Proteccion de Datos Personales” (ANPDP). The ANPDP has to ensure that all databases fulfill the necessary safety requirements. They are obliged to cooperate with foreign authorities regarding privacy of personal data and absolve consults regarding personal data.

Breach Notification

There are various degrees of severity outlined in the law regarding penalties and legal actions that will take place by the ANPDP if there are any infractions to the protection of personal data by the databanks.

Health Privacy Law


Ley General de Salud, Ley N. 26842

The law outlines the responsibilities of the state and the different measures that are taken regarding public health, medical staff responsibilities, and infractions to the law, etc. No person may be treated or subject to scientific investigation without his or her consent. Consent must be written in order to be considered valid

Electronic Health Records Law

Ley N. 30024, Ley Que Crea el Registro Nacional de Historias Clínicas Electrónicas (2013) This law creates the administration and safeguard of the EHR. The “Plataforma de Interoperabilidad del Estado” (PIDE) will be used by the “Registro Nacional de Historias Clínicas Electrónicas” to access the clinical information solicited or authorized by the patient or his legal guardian or representative. There is a database called the “Registro Nacional de Historias Clínicas Electrónicas” which will ensure the confidentiality of the data and its administration. The data protection of this law must coincide and is detailed by the data protection law of Peru. The parent law, the data protection law of Peru, outlines the standards for confidentiality and safety.