PERU Law and Practice Contributed by: Luis Ernesto Marín and Andrés Kuan-Veng, Rubio Leguía Normand
2.11 Implications of Additional, Non- Financial Services Regulations Personal Data Protection Personal data protection provisions in Peru are primarily governed by the Personal Data Protec - tion Law and its regulations. This law establishes the legal framework for the protection of per - sonal data, including the processing, use and transfer of such data by individuals and entities. The law requires that personal data be collected and processed in a lawful, fair and transparent manner, and that individuals be informed of the purpose for which their data is being collected and used. It also establishes the rights of individ - uals to access, correct and delete their personal data, and to object to its processing in certain circumstances. In addition, the law requires that entities that process personal data implement appropriate technical and organisational measures to ensure the security of such data and prevent its unau - thorised access, use or disclosure. Entities are also required to obtain the consent of individu - als for the processing of their personal data in most cases. The National Authority for the Protection of Per - sonal Data ( Autoridad Nacional de Protección de Datos Personales or ANPD) is the regulatory agency responsible for overseeing compliance with the Personal Data Protection Law and enforcing its provisions. The ANPD is authorised to impose sanctions and fines for non-compli - ance with the law. Consumer Protection Consumer protection in Peru is governed by the Consumer Protection Code ( Código de Protec- ción y Defensa del Consumidor ) and its regula - tions. This law establishes the legal framework
and develop well-defined business continuity plans and exit strategies. 2.9 Gatekeeper Liability Fintech providers in Peru are under no specific legal obligation to act as gatekeepers for the activities conducted on their platforms. How - ever, they must comply with AML regulations, which may require them to monitor transactions and report suspicious activities. 2.10 Significant Enforcement Actions When the scope of the services provided by fin - tech companies is not well defined or fintech companies engage in activities that fall within the scope of the Banking Law or the Securities Market Law, without the corresponding authori - sations, both the SBS and the SMV may initiate investigations which could give rise to the impo - sition of administrative and criminal sanctions. In the case of data protection regulations, enforcement actions by the APDP may include fines, sanctions, or orders to implement cor - rective measures for failing to comply with data protection requirements, such as obtaining con - sent from data subjects, implementing adequate security measures, or providing notification of data breaches. In the case of INDECOPI, enforcement actions against fintech companies may include fines, sanctions, or orders to cease and desist from engaging in unfair competition, deceptive adver - tising, or violations of intellectual property rights. In the case of BCRP, enforcement actions against fintech companies that fail to comply with the regulations issued by such governmen - tal authority may include fines.
630 CHAMBERS.COM
Powered by FlippingBook