Peru’s new data protection officer: obligations and practical issues

March 2026  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2026 Issue


In today’s business environment, the processing of personal and sensitive data has become a necessity rather than an option, driven by the rapid development and widespread use of artificial intelligence, automated processes and information technology systems.

Technology not only increases exposure to risks such as security incidents and unauthorised access, but also gives rise to a series of legal obligations for data controllers and processors under the applicable data protection regulatory framework.

In recent years, Peruvian companies have experienced several incidents targeting relevant information in sectors such as banking, insurance, healthcare and aviation. According to the National Centre for Digital Security, 3388 security alerts were managed between 2020 and 2025.

In this context, new data privacy rules were enacted to strengthen the protection of personal data. The new regulation establishes requirements for personal data processing in advertising and commercial outreach, imposes an obligation to notify the Data Protection Authority (DPA) and data users within 48 hours of a security incident, and introduces a new officer responsible for ensuring – to a certain extent – the protection of personal data.

The role of the data protection officer (DPO) has therefore gained relevance, as this position is responsible for overseeing all data protection matters and serving as the main contact for both the DPA and data users. For Peruvian companies, the DPO appointment procedure is new and has generated important questions. Do all private entities need to appoint a DPO? What does the appointment involve? What risks or contingencies might arise for organisations?

Current regulatory framework

Although the DPO has become a common standard in several jurisdictions, for Peruvian companies it represents a recent and complex obligation. Under Law No. 29733, the Data Privacy Law, approved by Supreme Decree No. 016‑2024‑JUS (published on 30 November 2024), companies are required to appoint a DPO and notify the DPA of the appointment.

It is also important to note that this obligation will become enforceable progressively, depending on annual sales levels. From 1 December 2025, companies with sales greater than approximately 12m soles ($3.5m) must appoint a DPO.

Although guidance remains limited, the DPA has provided criteria for companies to consider. On 31 December 2025, Directorial Resolution No. 100‑2025‑JUS‑DGTAIPD was issued, setting out rules for the DPO appointment procedure, obligations and responsibilities of the DPO, and related matters. While this directive addresses several gaps, its implementation has inevitably generated challenges.

The appointment of the DPO: practical challenges

DPO appointment is mandatory in three situations: when personal data is processed by a public entity, when entities process large volumes of personal data and when sensitive data is processed due to the nature of the business activity.

The assessment of large volumes of personal data must consider the number of data subjects, the sensitivity and type of data, the purpose and associated risk, and the frequency and scope of the processing. Sensitive data must be assessed when such data is involved in the company’s primary business activity or when its processing is strictly necessary for providing services to users.

The DPO must also have proven experience and knowledge of data privacy matters. According to the DPA, a DPO must have at least two years of prior experience in data privacy and postgraduate studies, an academic degree in data privacy or a related certification. This requirement poses a challenge because access to specialised training and programmes remains limited due to the newness of the role.

Data privacy regulations establish that the primary role of the DPO is to inform and advise the company regarding its data privacy obligations and to cooperate with and act as the main point of contact for the DPA in matters related to personal data processing.

Organisations should also consider that the DPO may be an employee of the company, an employee from the corporate group or an external individual. If the DPO is an employee, labour and tax implications may arise, including defining the terms under which the employee assumes the role, assessing salary adjustments and determining the duration of the appointment. A reasonable approach is to implement an agreement modifying employment terms and conditions, specifying the functions and liability associated with the new role.

A significant concern for companies is the potential liability assumed by an employee designated as DPO. The DPA has determined that the DPO is liable for acts or omissions committed with intent or negligence or for failure to comply with the obligations and functions established in data protection regulations. It will therefore be essential to define specific duties and liabilities for employees who assume these additional responsibilities, often without corresponding salary increases.

If a single DPO is appointed for a corporate group or is based outside the country, the company must ensure full availability in the event that the DPA requires contact with the responsible officer. This consideration is particularly relevant for multinational organisations that process large volumes of data or sensitive data in Peru. Appropriate local training will be essential for the effective performance of the DPO role.

The DPA has established a two‑level formal procedure for appointing a DPO: an internal appointment through a formal corporate act in accordance with internal governance requirements, such as a shareholders’ agreement or board decision, and a formal notification submitted to the DPA.

Comparative analysis: Spain and the UK

Because Peru’s new personal data privacy regulations have adopted the European model as their primary reference, there are notable similarities with the European Union (EU) data privacy regulation.

Under UK data privacy rules, a documented analysis of core activities, regular and systematic monitoring and large-scale processing is required, while Spanish regulations include a defined list of entities that must appoint a DPO. Conducting similar analyses would give Peruvian companies a clearer basis for determining whether they must appoint a DPO.

There are also differences. According to the DPA, failure to appoint a DPO when required constitutes a minor infringement, whereas EU jurisdictions impose more severe sanctions for similar breaches.

The future of the DPO in perspective

Peru has made significant regulatory progress in the field of data privacy. However, certain gaps remain, particularly regarding the role of the DPO, which is still a relatively new figure within the Peruvian legal framework.

For instance, uncertainty persists regarding the practical execution of DPO functions. Although the directive offers additional clarity, implementation will vary case by case. The role of the DPA has not been fully defined either, as it continues to operate with limited enforcement powers. The DPO is currently required only to serve as a point of contact or coordination, raising questions about the extent of the DPA’s supervisory and sanctioning authority over the DPO.

In an environment of continuous technological development, the DPO represents more than a formal obligation for certain entities. It is a key figure for the protection of personal data in its processing and treatment and, in many respects, a standard that companies should adopt.

 

Franco Muschi is a partner at Garrigues. He can be contacted on +51 (1) 399 2600 or by email: franco.muschi@garrigues.com.

© Financier Worldwide

