On March 30, 2025, Peru’s new Regulation of the Personal Data Protection Law, approved by Supreme Decree No. 016-2024-JUS (“New Regulation”), will come into effect. The New Regulation introduces additional obligations for companies and organizations, with one particularly impactful requirement: the obligation to designate a Data Protection Officer (DPO).
Starting this year, the obligation to designate a DPO will gradually come into effect for companies or organizations that process large volumes of personal data or sensitive data, or whose core business involves the processing of sensitive data (e.g., genetic or biometric data, information related to physical or mental health, union affiliation, economic income, etc.). It is important to note that most companies could be subject to this obligation merely by handling the personal and sensitive data of their employees. Companies that interact with end consumers, such as those in the retail sector, are even more likely to be affected.
This obligation is not new globally. Significant regulations, such as the European Union’s General Data Protection Regulation, and national regulations, such as Germany’s Federal Data Protection Act, have included this requirement for many years.
The National Authority for the Protection of Personal Data (under the Ministry of Justice and Human Rights) has indicated that it will soon issue guidelines to help companies determine when they are considered to process large volumes of personal or sensitive data or engage in business activities involving sensitive data. These guidelines will provide more clarity on compliance with this obligation. However, the authority has emphasized that the validity of the obligation and supervision will not depend on the issuance of these guidelines. Therefore, it is crucial for companies to familiarize themselves with this obligation and take the necessary steps for its timely implementation.
What are the main obligations of the DPO?
The New Regulation outlines several key functions that the DPO must fulfill. These functions should be complemented with international best practices on the subject:
- Advising and supervising: DPOs must inform and advise organizations about their data protection obligations.
- Compliance verification: DPOs must ensure that internal processes involving the processing of personal data comply with data protection standards and policies. They should also actively participate in the design of any new product or service that involves the processing of personal data, especially when it comes to sensitive information.
- Point of contact: They should act as liaisons between their companies and the National Authority for the Protection of Personal Data.
- Internal training: DPOs must promote training for employees involved in the processing of personal data.
- Handling ARCO rights: They must attend to or facilitate requests made by data subjects to exercise their rights.
How is a DPO designated?
The New Regulation does not specify a particular procedure for designating DPOs. However, based on our experience, the following phases typically occur:
- Needs assessment: Determine if the company is required to designate a DPO pursuant to the New Regulation of the Personal Data Protection Law.
- Profile definition: Establish the requirements and competencies that the DPO must have, such as specialized knowledge in data protection and the ability to perform their duties independently. We delve deeper into this point in the next section.
- Candidate selection: Search for and select a candidate who meets the established requirements. This can be an internal employee or an external consultant.
- Official appointment: Officially appoint the DPO and communicate the appointment to the entire organization, for example, through a board resolution, the signing of an employment or service contract, etc.
- Registration and communication: Inform the National Authority for the Protection of Personal Data about the DPO’s appointment and ensure that the DPO’s contact details are available to the public, for example, through the organization’s Privacy Policy.
What qualifications should the DPOs possess?
The New Regulation offers flexibility regarding the designation of the DPO. It is not necessary for the DPO to be a full-time employee; a current employee can, therefore, assume the role. The DPO does not need to be an employee of the company. Hence, external providers offering DPO services (DPO-as-a-service) can also be hired. However, this latter option may become more viable as companies become more familiar with this obligation and its compliance.
Currently, it is recommended that a company employee assume the DPO role. Whether the DPO performs the function on a full-time or part-time basis will depend on the company’s needs. The more exposed the company is to privacy risks, the more reasonable it is to consider that the DPO should spend most of their time performing this function. Therefore, when assessing the need and defining the profile, a risk analysis should be conducted to determine whether the DPO needs to be full-time or part-time.
Regarding the DPO’s requirements, the New Regulation does not establish a specific professional profile. It only states that the DPO must have specialized knowledge in data protection and the ability to manage risks related to the processing of personal data, regardless of whether they are a part-time or full-time DPO. However, based on international experience, there are additional requirements that the DPO should meet.
DPOs should have:
- Adequate knowledge of the organization’s operations: The DPO must be familiar with the company’s processes to be able to verify compliance with the regulations.
- Basic knowledge of information security, at a higher level than general employees.
- A certain level of seniority, enabling them to effectively convey their observations regarding compliance with the regulations.
Moreover, from the organization’s perspective, it is important for the DPO, as a compliance officer, to have the necessary resources and sufficient independence to perform their duties effectively. In other jurisdictions, for example, it is required that the DPO be protected against dismissal to ensure they are not removed for fulfilling their duties.
When the analysis concludes that the DPO role can be held by a part-time employee, the next question is which department they should come from.
A factor that can help clarify this point is their proximity to the company’s most relevant processes related to the processing of personal data. For example, in technology-intensive companies, the DPO could be from the IT department, such as a cybersecurity specialist who reports to the IT manager, or the IT manager themselves. This is provided they complement their knowledge with the legal obligations related to data protection. In companies that are human resources-intensive, the DPO could be someone from the legal or human resources department. Ultimately, the decision will depend on the internal processes of each organization.
Final reflection: Beyond compliance
Designating a DPO involves an investment in human resources and capital, but it also brings significant advantages. One of the most evident benefits is the early detection and preventive control of potential violations.
There are real-life cases that demonstrate this. For example, a financial entity in the country experienced a data breach affecting thousands of customers. The DPO acted swiftly, notifying the authority and coordinating measures to mitigate the impact. Thanks to their intervention, the entity was able to minimize the damage and improve its security protocols. In technology companies, the DPO is often involved in user service processes to verify whether any user communication involves a request to exercise privacy rights and to ensure that such requests are handled within the timeframes and using the forms required by law.
These situations clearly demonstrate that the DPO’s work helps mitigate risks to the company. It is also important to note that under the New Regulation, the failure to designate a DPO when required is considered a violation of the Personal Data Protection Law. Most sanctions for not designating a DPO are imposed when a security incident occurs and the authority finds that the necessary preventive measures, such as designating a DPO, were not adopted. As the saying goes, it is better to have insurance and not use it than to need it and not have it.