445746
® LEGAL RULES
A Peruvian man
Lima, Sunday July 3, 2011

MUNICIPALITY
VICTORY
GIVES. N ° 009-2011-ALC / MLV.- They have the flag
District Real Estate General 445770
MUNICIPALITY OF SAN JUAN DE MIRAFLORES
GIVES. N ° 0010-2011-MDSJM / A.- Expiration date extended
of Tax and Non-Tax Benefits 2011 “Get up to date and
It complies with San Juan de Miraflores ”445771

LEGISLATIVE POWER
LAW N ° 29733
THE PRESIDENT OF THE REPUBLIC
HOW MUCH:
The Congress of the Republic
has given the following Law:
THE CONGRESS OF THE REPUBLIC;
He has given the following Law:
LAW OF PROTECTION OF
PERSONAL INFORMATION
Preliminary Title: General provisions.
Title |: Guiding principles.
Title II: Processing of personal data.
Title II; Rights of the owner of personal data.
Title IV: Obligations of the owner and the person in charge of the
personal data bank.
Title V: Personal data banks.
Title VI: National Data Protection Authority
Personal.
Title VII: Infractions and administrative sanctions.
Final complementary provisions
PRELIMINARY TITLE
GENERAL DISPOSITION
Article 1. Purpose of the Law
The purpose of this Law is to guarantee the right
fundamental to the protection of personal data,
provided for in article 2 numeral 6 of the Constitution
Politica del Peru, through its proper treatment,
within a framework of respect for other rights
fundamental that are recognized in it.
Article 2. Definitions
For all purposes of this Law, it is understood
for:
1. Personal data bank. Set
organized personal data, automated
or not, regardless of the support, be it
physical, magnetic, digital, optical or others that are
believe, whatever the form or modality
of its creation, formation, storage,
organization and access.
2. Administration personal data bank
private. Personal data bank whose title
corresponds to a natural person or a person
Legal of private law, as the bank na
is strictly linked to the exercise of
powers of public law.
3. Administration personal data bank
publishes. Personal data bank whose
ownership corresponds to a public entity.

4. Personal data. All information about
a natural person who identifies or makes it
identifiable through means that can be
reasonably used.
5. Sensitive data. Personal data constituted
by biometric data that by themselves
they can identify the owner; data referring to
racial and ethnic origin; you enter economic,
opinions or political, religious,
philosophical or moral; union membership; and
information related to health or life
sexual.
6. Manager of the personal data bank.
Any natural person, legal person
private or public entity that alone or acting
together with another performs the treatment of
personal data commissioned by the owner of the
personal data bank.
7. Public entity. Entity included in the
article | of the Preliminary Title of Law 27444,
General Administrative Procedure Law, or
the one that takes its place.
8. Cross-border flow of personal data.
International transfer of personal data to
a recipient located in a country other than the country
source of personal data, regardless of the
support in which they are, the media
for which the transfer was made nor the
treatment they receive.
9. Sources accessible to the public. Banks
of personal data of public administration or
private, which can be consulted by any
person, prior payment of the consideration
corresponding, if applicable. The sources
accessible to the public are determined in
the rules.
10. Sufficient level of protection for data
personal. Protection level covered
at least the consignment and respect for
the guiding principles of this Law, as well as
technical security and confidentiality measures,
appropriate according to the category of data that
is concerned.
11. Legal person of private law. In order to
effects of this Law, the legal person shall not
included in the scope of the article |
of the Preliminary Title of Law 27444, Law of the
General Administrative Procedure.
12. Anonymization procedure. Treatment
of personal data that prevents the identification
or that does not make the owner of these identifiable. The
procedure is irreversible.
13. Dissociation procedure. Treatment of
personal data that prevents the identification or
that does not make the owner of these identifiable. The
procedure is reversible.
14. Holder of personal data. Natural person to
who corresponds the personal data.
15. Holder of the personal data bank. Person
natural, legal person of private law
or public entity that determines the purpose and
content of the personal data bank, the
treatment of these and security measures.
16. Transfer of personal data. mud
transmission, supply or manifestation of data
personal, national or international,
to a legal person under private law, to a

A Peruvian man
Lima, Sunday July 3, 2011
@ LAWS
445747

public entity or a different natural person
of the owner of personal data.
17. Processing of personal data. Any
technical, automated operation or procedure
or not, which allows the collection, registration,
organization, storage, conservation,
elaboration, modification, extraction, consultation,
use, blocking, deletion, communication
by transfer or by broadcast or any
another form of processing that facilitates
access, correlation or interconnection of data
personal.
The regulations of this Law may carry out a greater
development of existing definitions.
Article 3. Scope of application
This Law is applicable to data
personal content or intended to be contained in
public administration personal data banks and
of private administration, whose treatment is carried out in
the national territory. Are objects of special protection
sensitive data_
The provisions of this Law do not apply to
the following personal data:
1. To the contents or intended to be contained
in personal data banks created by
natural persons for purposes exclusively
related to your private or family life.
2. To the contents or intended to be contained
in public administration databases,
only as long as your treatment is necessary
for the strict fulfillment of the competences
assigned by law to the respective entities
public, for national defense, security
public, and for the development of activities in
criminal matter for investigation and repression
of the crime.
TITLE |
GUIDING PRINCIPLES
Article 4. Principle of legality
The processing of personal data is done in accordance with
to what is established in the law. The collection of
personal data by fraudulent, unfair means
0 illicit.
Article 5. Principle of consent
For the processing of personal data you must
mediate the consent of its owner.
Article 6. Principle of purpose
Personal data should be collected for a
purpose determined, explicit and licit. The tratment of
personal data should not be extended to another purpose
that has not been unequivocally established
as such at the time of collection, excluding
cases of activities of historical, statistical or
scientist when using a dissociation procedure
0 anonymization.
Article 7. Principle of proportionality
All processing of personal data must be
adequate, relevant and not excessive to the purpose for the
that these had been compiled.
Article 8. Principle of quality
The personal data that will be processed
must be truthful, accurate and, to the extent possible,
updated, necessary, relevant and adequate
regarding the purpose for which they were collected.
They must be kept in such a way as to guarantee their
security and only for the time necessary to comply with
the purpose of the treatment.
Article 9. Safety principle
The owner of the personal data bank and the person in charge
of their treatment must adopt technical measures,
organizational and legal necessary to guarantee
the security of personal data. Measures
security should be appropriate and consistent with the

treatment to be carried out and with the category of
personal data in question.
Article 10. Principle of disposition of appeal
Any holder of personal data must have the
administrative or jurisdictional channels necessary to
claim and enforce their rights, when these are
violated by the processing of your personal data.
Article 11. Principle of level of protection
suitable
For the cross-border flow of personal data,
must guarantee a sufficient level of protection for
personal data to be processed or, at least,
comparable to the provisions of this Law or the standards
international in the matter.
Article 12. Value of the principles
The actions of the owners and managers of the
banks of personal data and, in general, of all
that intervene in relation to personal data, you must
conform to the guiding principles referred to in this
Title. This list of guiding principles is illustrative.
The outlined guiding principles also serve as
interpretive criteria to resolve the issues that
may arise in the application of this Law and its
regulation, as well as a parameter for the elaboration of
other provisions and to fill gaps in the legislation
on matter.
TITLE II
PROCESSING OF PERSONAL DATA
Article 13. Scope of data processing
personal
13.1 The processing of personal data must
be done with full respect for rights
fundamentals of their holders and
rights that this Law confers on them. Same rule
governs its use by third parties.
13.2 Limitations on the exercise of the right
fundamental to data protection
personal can only be established
by law, respecting its essential content
and be justified by reason of respect
of other fundamental rights or property
constitutionally protected.
13.3. By regulation measures are dictated
special for data processing
personal information of children and adolescents,
as well as for the protection and guarantee of your
Rights. For the exercise of the rights that
this Law recognizes, children and adolescents
act through their representatives
legal, being able the regulation to determine
the applicable exceptions, if applicable,
taking into account the best interests
of the child and the adolescent_
13.4 Communications, - telecommunications,
computer systems or their instruments, when
are of a private nature or private use, only
can be opened, seized, intercepted or
intervened by reasoned order of the judge
or with the authorization of its owner, with the guarantees
provided by law. It is kept secret from
matters unrelated to the fact that motivates your examination.
Personal data obtained in violation of
This precept has no legal effect.
13.5 Personal data can only be subject to
treatment with the consent of your
holder, except authoritative law in this regard. The
consent must be prior, informed,
express and unequivocal.
13.6 In the case of sensitive data, the consent
For the purposes of your treatment, in addition, you must
be in writing. Even if it did not mediate
the consent of the owner, the treatment of
sensitive data can be made when
the law authorizes it, provided that it attends to
important reasons of public interest.
13.7 The owner of personal data can revoke
your consent at any time,

445748
® @ LEGAL RULES
A Peruvian man
Lima, Sunday July 3, 2011

observing the same requirements
than on the occasion of its granting.
13.8 The processing of relative personal data
to the commission of criminal offenses or
administrative can only be done by
the competent public entities, except
management order agreement in accordance with
to Law 27444, Law of Procedure
General Administrative, or whatever
its times. When the
cancellation of criminal records,
judicial, police and administrative, these
data cannot be supplied unless
are required by the Judicial Power or the
Public Ministry, according to law.
13.9 The commercialization of personal data
content or intended to be contained in
personal data banks are subject to the
principles provided for in this Law.
Article 14. Limitations on consent for the
processing of personal data
The consent of the data subject is not required
personal, for the purposes of their treatment, in the
following cases:
1. When personal data is collected or
transfer for the exercise of functions
of public entities in the scope of their
competencies.
2. When it comes to personal data
content or intended to be contained in
sources accessible to the public.
3. In the case of personal data relating to
financial and credit solvency, in accordance with
to law.
4. When there is no mediation for the promotion of
competition in regulated markets
issued in exercise of the normative function by
the regulatory bodies to which it refers
Law 27332, Framework Law of Organisms
Regulators of Private Investment in
Public Services, or the one that takes its place,
provided that the information provided is not
used to the detriment of user privacy_
5. When personal data is necessary
for the execution of a contractual relationship in
the one to which the owner of personal data is a party,
or when it comes to personal data that
derive from a scientific or professional relationship
of the holder and are necessary for its development
or compliance.
6. When it comes to relative personal data
to health and is necessary, in circumstances
risk, for prevention, diagnosis and
medical or surgical treatment of the holder,
provided that said treatment is carried out in
health establishments or professionals
in health sciences, observing the secret
professional; or when there are reasons for
public interest provided by law or when they must
be treated for public health reasons, both
reasons should be qualified as such by
the Ministry of Health; or for the realization of
epidemiological or analogous studies, as long as
dissociation procedures are applied
suitable.
T. When the treatment is carried out by
non-profit organizations whose purpose
be political, religious or union and refers
to the personal data collected from your
respective members, who must keep
relationship with the purpose to which they are circumscribed
their activities, not being able to be transferred
without their consent.
8. When a procedure had been applied
of anonymization or dissociation.
9. When e! processing of personal data
necessary to safeguard interests
legitimate rights of the owner of personal data by
part of the owner of personal data or by the
person in charge of personal data.

10. Others established by law, or by regulation
granted in accordance with this Law.
Article 15.
personal
The owner and manager of the personal data bank
must carry out the cross-border flow of personal data
only if the recipient country maintains levels of protection
adequate according to this Law.
In case the recipient country does not have
an adequate level of protection, the emitter of the flow
cross-border personal data should ensure that the
processing of personal data is carried out in accordance with
to the provisions of this Law.
The provisions of the second paragraph in the
following cases:
Cross-border data flow
1. Agreements within the framework of treaties
international studies on the subject in which
the Republic of Peru is a party.
2. International judicial cooperation.
3. International cooperation between
intelligence for the fight against terrorism,
illicit drug trafficking, money laundering,
corruption, human trafficking and other forms
organized crime_
4. When personal data is necessary
for the execution of a contractual relationship in
the one to which the owner of personal data is a party,
including what is necessary for activities such as
user authentication, improvement and support
of the service, monitoring of the quality of the service,
support for maintenance and billing of the
account and those activities that the management of
the contractual relationship requires.
5. When it comes to bank transfers
or securities, in relation to transactions
respective and in accordance with the applicable law.
6. When the cross-border flow of data
personnel is carried out for protection,
prevention, diagnosis or medical treatment or
quinirgico of its holder; or when necessary
for conducting epidemiological studies
oanalogos, as long as procedures are applied
appropriate dissociation measures.
T. When the owner of the personal data has
given your prior informed consent,
express and unequivocal.
8. Others established by the regulations of the
present Law, subject to the provisions of the
Article 12.
Article 16. Data processing security
personal
For the purposes of processing personal data,
the owner of the personal data bank must adopt
technical, organizational and legal measures that guarantee
their safety and avoid their alteration, loss, treatment or
Unauthorized access.
The requirements and conditions that must be met by
personal data banks in security matters are
established by the National Authority for the Protection of
Personal Data, except for the existence of provisions
special laws contained in other laws_
The processing of personal data is prohibited
in databases that do not meet the requirements and the
security conditions referred to in this article.
Article 17. Confidentiality of personal data
The owner of the personal data bank, the person in charge
and those who intervene in any part of your treatment
They are obliged to keep confidentiality regarding the
themselves and their background. This obligation subsists
even after the relationship with the owner of the
personal data bank.
The obligee may be relieved of the obligation to
confidentiality when there is prior consent,
informed, express and unequivocal of the owner of the data
personal, consented or enforceable judicial resolution,
or when there are well-founded reasons related to the defense
national, public security or public health, without
penalty of the right to keep professional secrecy.

A Peruvian man
Lima, Sunday July 3, 2011
@ LAWS
445749

TITLE III
RIGHTS OF THE HOLDER OF
PERSONAL INFORMATION
Article 18. Right to information of the owner of
personal information
The owner of personal data has the right to
be informed in a detailed, simple, express way,
unequivocally and prior to its compilation, on the
purpose for which your personal data will be processed;
who are or could be its recipients, the existence
of the database in which they will be stored, as well as the
identity and address of its owner and, if applicable, of the
in charge of the processing of your personal data; the
mandatory or optional nature of your responses to the
questionnaire that is proposed to you, especially as regards
to sensitive data; data transfer
personal; the consequences of providing your data
personal and their refusal to do so; the time during
which your personal data is kept; and the possibility
to exercise the rights granted by law and the means
planned for it.
If personal data is collected online at
through electronic communications networks,
Obligations of this article can be satisfied
by publishing privacy policies, which
they must be easily accessible and identifiable.
Article 19. Right of access of the data holder
personal
The owner of personal data has the right to obtain the
information that about itself is object of treatment
in data banks of public or private administration,
the way your data was collected, the reasons
that motivated its collection and at whose request
the collection was carried out, as well as the transfers
carried out or planned to be made of them.
Article 20. Right to update, inclusion,
rectification and deletion
The owner of personal data has the right to
updating, inclusion, rectification and deletion of
your personal data subject to treatment, when
these are partially or totally inaccurate, incomplete,
when omission, error or falsehood has been noticed,
when they are no longer necessary or relevant to
the purpose for which they were collected or when
the term established for their treatment had expired.
If your personal data had been transferred
previously, the person in charge of the personal data bank
must communicate the update, inclusion, rectification or
deletion of those who have been transferred, in the event that
treatment is maintained by the latter, who should
also proceed to update, inclusion, rectification
or deletion, as appropriate.
During the process of updating, inclusion,
rectification or deletion of personal data, the
person in charge of the personal data bank has your
blocking, being prevented from allowing third parties
access them. Such blocking is not applicable to
public entities that require such information
for the proper exercise of their powers, according to
law, which must inform that it is in process
any of the aforementioned processes.
The deletion of personal data contained in
public administration personal data banks
is subject to the provisions of article 21 of the Sole Text
Ordered by Law 2/806, Law of Transparency and Access
to the Public Information, or the one that takes its place.
Article 21. Right to prevent supply
E | owner of personal data has the right to prevent
that these are supplied, especially when it
affect their fundamental rights. The right to prevent
The supply does not apply to the relationship between the owner of the
personal data bank and the bank manager
of personal data for the purposes of processing
these.
Article 22. Right of opposition
Provided that the law does not provide otherwise and
when he had not given consent, the owner

of personal data you can oppose to its treatment
when there are well-founded and legitimate reasons related to
a concrete personal situation. In case of opposition
justified, the owner or the person in charge of the data bank
According to Cormesponda, you should proceed with your
suppression, according to law.
is. Right to objective treatment
The owner of personal data has the right not to see each other
submitted to a decision with legal effects on him or that
affect you in a significant way, supported only
in a processing of personal data aimed at evaluating
certain aspects of your personality or behavior,
Unless this occurs within the framework of the negotiation,
conclusion or execution of a contract or in the cases
evaluation for purposes of incorporation into an entity
publishes, according to law, without prejudice to the possibility of
defend your point of view, to safeguard your legitimate
interest.
Article 24. Right to guardianship
In the event that the owner or manager of the bank
personal data denies the owner of personal data,
totally or partially, the exercise of rights
established in this Law, he may appeal to the
National Authority for the Protection of Personal Data in
via of claim or to the Judicial Power for the purposes of
the corresponding habeas data action.
The procedure to be followed before the National Authority of
Protection of Personal Data is subject to the provisions
in articles 219 and following of Law 27444, Law of the
General Administrative Procedure, or the one that makes its
times.
The resolution of the National Protection Authority
of Personal Data exhausts the administrative route and enables
the imposition of the administrative sanctions provided
in article 39. The regulation determines the instances
corresponding.
Against the resolutions of the National Authority
Protection of Personal Data proceeds the action
contentious-administrative.
is. Right to be compensated
The owner of personal data that is affected by
consequence of the breach of this Law by
the owner or the person in charge of the personal data bank
or by third parties, you have the right to obtain compensation
corresponding, according to law.
is. Consideration
The consideration to be paid by the data holder
personal rights for the exercise of the rights contemplated
in articles 19, 20, 21, 22 and 23 before the banks of
personal data of public administration is subject
to the provisions of Law 27444, Law of the
General Administrative Procedure.
Before the administration personal data banks
private, the exercise of the aforementioned rights is
subject to the provisions of the special rules on the
matter.
Article 27. Limitations
The owners and managers of the data banks
public administration personnel may deny
the exercise of the rights of access, deletion and
opposition for reasons founded on the protection of
rights and interests of third parties or when this may
hinder judicial or administrative actions in
course related to the compliance investigation
of financial or pension obligations, to the
criminal investigations into the commission of misconduct or
crimes, to the development of health control functions
and the environment, to the verification of infractions
administrative, or when so provided by law.
TITLE IV
OBLIGATIONS OF THE OWNER AND THE MANAGER
OF THE PERSONAL DATA BANK
i. Obligations
The owner and manager of the personal data bank,
as the case may be, they have the following obligations:

A Peruvian man

445750 ® & LEGAL NORMS Lima, Sunday, July 3, 2011
1. Carry out the processing of personal data, TITLE VI.
only with prior informed consent, express NATIONAL PROTECTION AUTHORITY
and unequivocal of the owner of the personal data, OF PERSONAL DATA
except authoritative law, with the exception of the
assumptions set forth in article 14 of the
present Law.
2. Do not collect personal data by means
fraudulent, unfair or illegal.
3. Collect personal data that are
updated, necessary, pertinent and
adequate, in relation to __ purposes
determined, explicit and legal for which
have obtained.
4. Not to use the personal data object of
treatment for purposes other than those
that motivated its compilation, unless it mediates
anonymization or dissociation procedure.
5. Store personal data in such a way that
the exercise of the rights of your
headline.
6. Delete and replace or, where appropriate, complete the
personal data object of treatment when
have knowledge of its inaccurate character or
incomplete, without prejudice to the rights of the
holder about it.
T. Delete the personal data object of
treatment when they are no longer
necessary or relevant to the purpose for
which would have been collected or had
expired the term for its treatment, except
that mediate anonymization procedure or
dissociation.
8. Provide the National Authority of
Protection of Personal Data information
relative to the processing of personal data that
this requires you and allow you access to the
personal data banks that it manages,
for the exercise of their functions, within the framework
of an administrative procedure in progress
requested by the affected party.
9g. Others established in this Law and in its
regulation.
TITLE V
PERSONAL DATA BANKS
Article 29. Creation, modification or cancellation
of personal data banks
The creation, modification or cancellation of banks
of personal data of public administration and
private administration are subject to what is established
the regulation, except for the existence of provisions
special provisions contained in other laws. In any case,
guarantees publicity about its existence, purpose,
identity and address of its owner and, if applicable, of
your manager.
Article 30. Provision of treatment services
of personal data
When, on behalf of third parties, services are provided
processing of personal data, these cannot
be applied or used for a purpose other than that stated in the
contract or agreement entered into or be transferred to other
people, not even for their conservation.
Once the performance of the contract or
of the agreement, depending on the case, the personal data processed
must be deleted, unless authorized
express of the one on whose behalf such
services when the possibility is reasonably presumed
of subsequent orders, in which case they can be kept
with the proper security conditions, up to the
term determined by the regulations of this Law.
Article 31. Codes of conduct
The representative entities of the holders
Oo managers of personal data banks of
private administration can elaborate codes of
conduct that establish standards for the treatment of
personal data that tend to ensure and improve the
information systems operating conditions
based on the guiding principles established in this
Law.

Article 32. Competent body and regime
legal
The Ministry of Justice, through the Directorate
National Justice, is the National Protection Authority
of Personal Data. For the adequate performance of
its functions, it can create offices throughout the country.
The National Data Protection Authority
Personal is governed by the provisions of this Law, in its
regulation and in the pertinent articles of the regulation
Organization and Functions of the Ministry of Justice.
Corresponds to the National Authority for the Protection of
Personal Data perform all necessary actions
for the fulfillment of the object and other provisions of
this Law and its regulations. For this purpose, enjoy
of sanctioning power, in accordance with the Law
27444, Law of General Administrative Procedure, or
the one that takes its place, as well as of coercive power, of
in accordance with Law 26979, Law of Procedure of
Coercive Execution, or the one that takes its place.
The National Data Protection Authority
Personnel must periodically submit a report
about his activities to the Minister of Justice.
For the fulfillment of its functions, the Authority
National Protection of Personal Data has
support and technical advice from the National Office
de Gobiemo Electronico e Informatica (ONGEI) de la
Presidencia del Consejo de Ministros, o la que haga sus
veces.
Articulo 33. Funciones de la Autoridad Nacional de
Proteccion de Datos Personales
La Autoridad Nacional de Proteccién de Datos
Personales ejerce las funciones administrativas,
orientadoras, normativas, resolutivas, fiscalizadoras y
sancionadoras siguientes:
1. Representar al pais ante las _ instancias
Intemacionales en materia de proteccién de
datos personales.
2. Cooperar con las autoridades extranjeras
de proteccian de datos personales para el
cumplimiento de sus competencias y generar
mecanismos de cooperacién bilateral y
multilateral para asistirse entre si y prestarse
debido auxilio mutuo cuando se requiera_
3. Administrar y mantener actualizado el Registro
Nacional de Proteccion de Datos Personales.
4. Publicitar, a través del portal institucional,
la relacién actualizada de bancos de datos
personales de administracion publica y privada.
5. Promover campafias de difusidn y promocion
sobre la proteccién de datos personales.
6. Promover y fortalecer una cultura de proteccion
de los datos personales de los nifios y de los
adolescentes.
T. Coordinar la inclusi6n de informacion sobre la
importancia de la vida privada y de la proteccién
de datos personales en los planes de estudios
de todos los niveles educativos y fomentar,
asimismo, la capacitacién de los docentes en
estos temas.
8. Supervisar el cumplimiento de las exigencias

previstas en esta Ley, para el flujo transfronterizo
de datos personales.
9. Emitir autorizaciones, cuando corresponda,
conforme al reglamento de esta Ley.
10. Absolver consultas sobre proteccién de datos
personales y el sentido de las normas vigentes
en la materia, particularmente sobre las que ella
hubiera emitido.
11. Emitir opinion técnica respecto de los proyectos
de normas que se refieran total o parcialmente
a los datos personales, la que es vinculante.
12. Enmitir las directivas que correspondan para
la mejor aplicacién de lo previsto en esta
Ley y en su reglamento, especialmente
en materia de seguridad de los bancas
de datos personales, asi como supervisar

El Peruano
Lima, domingo 3 de julio de 2011
@ NORMAS LEGALES
445751

su cumplimiento, en coordinacién con los
sectores involucrados.
13. Promover el uso de mecanismos_ de
autorregulacion como instrumento
complementario de proteccién de datos
personales.
14. Celebrar convenios de cooperacién
interinstitucional o internacional con la finalidad
de velar por los derechos de las personas en
materia de proteccién de datos personales
que son tratados dentro y fuera del territorio
nacional.
15. Atender solicitudes de interés particular del
administrado o general de la colectividad, asi
como solicitudes de informacion.
16. Conocer, instruir y resolver las reclamaciones
formuladas por los titulares de datos personales
por la vulneracion de los derechos que les
conciernen y dictar las medidas cautelares o
correctivas que establezca el reglamento-_
17. Velar por el cumplimiento de la legislacién
vinculada con la proteccién de datos personales
y por el respeto de sus principios rectores.
18. Enel marco de un procedimiento administrativo
en curso, solicitado por la parte afectada,
obtener de los titulares de los bancos de datos
personales la informacién que estime necesana
para el cumplimiento de las normas sobre
proteccion de datos personales y el desempefio
de sus funciones.
19. Supervisar la sujecién del tratamiento de los
datos personales que efectuen el titular y el
encargado del banco de datos personales a las
disposiciones técnicas que ella emita y, en caso
de contravencién, disponer las acciones que
correspondan conforme a ley.
20. Iniciar fiscalizaciones de oficio o por denuncia de
parte por presuntas actos contranios alo establecido
en la presente Ley y en su reglamento y aplicar las
sanciones administrativas correspondientes, sin
peruicio de las medidas cautelares o correctivas
que establezca el reglamento_
21. Las demas funciones que le asignen esta Ley y
su reglamento.
Articulo 34. Registro Nacional de Proteccién de
Datos Personales
Créase el Registro Nacional de Proteccién de Datos
Personales como registro de caracter administrativo
a cargo de la Autoridad Nacional de Protecciédn de
Datos Personales, con la finalidad de inscribir en forma
diferenciada, a nivel nacional, lo siguiente:
1. Los bancos de datos personales de
administracién publica o privada, asi como los
datos relativos a estos que sean necesaros para
el ejercicio de los derechos que corresponden a
los titulares de datas personales, conforme a lo
dispuesto en esta Ley y en su reglamento_
El ejercicio de esta funcién no posibilita el
conocimiento del contenido de los bancos de
datos personales por parte de la Autoridad
Nacional de Proteccién de Datos Personales,
salvo procedimiento administrativo en curso.
2. Las autorizaciones emitidas conforme al
reglamento de la presente Ley.
3. Las sanciones, medidas cautelares o
correctivas impuestas por la Autoridad Nacional
de Proteccion de Datos Personales conforme a
esta Ley y a su reglamento.
4. Los cédigos de conducta de las entidades
representativas de los titulares o encargados de
bancos de datos personales de administracion
privada.
5. Otros actos materia de inscripcién conforme al
reglamento.
Cualquier persona puede consultar en el Registro
Nacional de Protecci6n de Datos Personales la existencia
de bancos de datos personales, sus finalidades, asi como
la identidad y domicilio de sus titulares y, de ser el caso,
de sus encargados.

Articulo 35. Confidencialidad
El personal de la Autoridad Nacional de Proteccién de
Datos Personales esta sujeto a la obligaci6n de guardar
confidencialidad sobre los datos personales que conozca
con motivo de sus funciones. Esta obligacién subsiste aun
después de finalizada toda relacion con dicha autondad
nacional, bajo responsabilidad.
Articulo 36. Recursos de la Autoridad Nacional de
Proteccion de Datos Personales
Son recursos de la Autoridad Nacional de Proteccion
de Datos Personales los siguientes:
1. Las tasas por concepto de derecho de tramite
de los procedimientos administrativos y servicios
de su competencia.
Los montos que recaude por concepto de
multas.
Los recursos provenientes de la cooperacion
técnica intemacional no reembolsable.
Los legados y donaciones que reciba.
Los recursos qué se le transfieran conforme a
ley.
ane woN
Los recursos de la Autoridad Nacional de Proteccién
de Datos Personales son destinados a financiar los gastos
necesarios para el desarrollo de sus operaciones y para
su funcionamiento.
TITULO VII
INFRACCIONES Y SANCIONES
ADMINISTRATIVAS
Articulo 37. Procedimiento sancionador
El procedimiento sancionador se inicia de oficio, por
la Autoridad Nacional de Proteccién de Datos Personales
o por denuncia de parte, ante la presunta comision de
actos contrarios a lo dispuesto en la presente Ley o en su
reglamento, sin perjuicio del procedimiento seguido en el
marco de lo dispuesto en el articulo 24.
Lasresoluciones de laAutoridad Nacional de Proteccion
de Datos Personales agotan la via administrativa.
Contra las resoluciones de la Autoridad Nacional
de Proteccidn de Datos Personales procede la accién
contenciose-administrativa.
Articulo 38. Infracciones
Constituye infraccion sancionable toda accién uomision
que contravenga o incumpla alguna de las disposiciones
contenidas en esta Ley o en su reglamento.
Las infracciones se califican como leves, graves y muy
graves.
1. Son infracciones leves:
to. Dar tratamiento a datos personales sin recabar
el consentimiento de sus titulares, cuando el
mismo sea necesario conforme a lo dispuesto
en esta Ley.
b. No atender, impedir u obstaculizar el ejercicio
de los derechos del titular de datas personales
reconocidos en el titulo III, cuando legalmente
proceda.
c. Obstruir el ejercicio de la funcién fiscalizadora
de la Autoridad Nacional de Proteccién de Datos
Personales.
2. Son infracciones graves:
to. Dar tratamiento a los datos personales
contraviniendo los principios establecidos en
la presente Ley o incumpliendo sus demas
disposiciones o las de su Reglamento.
b. Incumplir la obligacién de confidencialidad
establecida en el articulo 17.
c. No atender, impedir u obstaculizar, en forma
sistematica, el ejercicia de los derechos del
titular de datos personales reconocidos en el
titulo Ill, cuando legalmente proceda.
d. Obsiruir, en forma sistematica, el ejercicio de la
funcién fiscalizadora de la Autoridad Nacional
de Proteccién de Datos Personales.

445752
®@ NORMAS LEGALES
El Peruano
Lima, domingo 3 de julio de 2011

e. No inscnbir el banco de datos personales en
el Registro Nacional de Proteccién de Datos
Personales.
3.Son infracciones muy graves:
to. Dar tratamiento a los datos personales
contraviniendo los principios establecidos en
la presente Ley o incumpliendo sus demas
disposiciones o las de su Reglamento, cuando
con ello se impida 0 se atente contra el ejercicio
de los derechos fundamentales.
b. Crear, modificar, cancelar o mantener bancos de
datos personales sin cumplir con lo establecido
por la presente Ley o su reglamento.
c. Suministrar documentos o informacién falsa
o incompleta a la Autoridad Nacional de
Proteccion de Datos Personales.
d. No cesar en el tratamiento ilicito de datos
personales, cuando existiese un previo
requerimiento de la Autoridad Nacional de
Proteccién de Datos Personales para ello
e. No inscnbir el banco de datos personales en
el Registro Nacional de Proteccién de Datos
Personales, no obstante haber sido requerido
para ello porla Autoridad Nacional de Proteccion
de Datos Personales.
La calificacion, la graduacion del monto de las multas,
el procedimiento para su aplicacion y otras tipificaciones
se efectuan en el reglamento de la presente Ley.
Articulo 39. Sanciones administrativas
En caso de violacién de las normas de esta Ley o de
su reglamento, la Autoridad Nacional de Proteccién de
Datos Personales puede aplicar las siguientes multas:
1. Las infracciones leves son sancionadas con
una multa minima desde cero coma cinco de
una unidad impositiva tnbutaria (UIT) hasta
cinco unidades impositivas tributarias (UIT).
2. Las infracciones graves son sancionadas con
multa desde mas de cinco unidades impositivas
tributanas (UIT) hasta cincuenta unidades
impositivas tributarias (UIT).
3. Las infracciones muy graves son sancionadas
con multa desde mas de cincuenta unidades
impositivas tributarias (UIT) hasta cien unidades
impositivas tributarias (UIT).
En ningun caso, la multa impuesta puede exceder
del diez por ciento de los ingresos brutos anuales que
hubiera percibido el presunto infractor durante el ejercicio
anterior.
La Autoridad Nacional de Proteccién de Datos
Personales determina la infraccion cometida y el monto
de la multa imponible mediante resolucion debidamente
motivada. Para la graduacion del monto de las multas, se
toman en cuenta los criterios establecidos en el articulo
230, numeral 3), de la Ley 27444, Ley del Procedimiento
Administrativo General, o la que haga sus veces.
La imposicion de la multa se efectua sin perjuicio
de las sanciones disciplinarias sobre el personal de las
entidades publicas en los casos de bancos de datos
personales de administracién publica, asi como de la
indemnizacion por dafios y peruicios y de las sanciones
penales a que hubiera lugar.
Articulo 40. Multas coercitivas
En aplicacién de lo dispuesto en el articulo 199 de
la Ley 27444, Ley del Procedimiento Administrativa
General, o la que haga sus veces, la Autoridad Nacional
de Proteccion de Datos Personales puede imponer multas
coercitivas por un monto que no supere las diez unidades
impositivas tributarias (UIT), frente al incumplimiento de
las obligaciones accesorias a la sancién, impuestas en
el procedimiento sancionador. Las multas coercitivas se
imponen una vez vencido el plazo de cumplimiento.
La imposicién de las multas coercitivas no impide el
ejercicio de otro medio de ejecucién forzosa, conforme a
lo dispuesto en el articulo 196 de la Ley 27444, Ley del
Procedimiento Administrativo General.

El reglamento de la presente Ley regula lo concemiente
a la aplicacion de las multas coercitivas.
DISPOSICIONES COMPLEMENTARIAS FINALES
FIRST. Reglamento de la Ley
Para la elaboracién del proyecto de reglamento, se
constituye una comisién multisectoral, la que es presidida por
la Autondad Nacional de Proteccién de Datos Personales.
El proyecto de reglamento es elaborado en un plazo
maximo de ciento veinte dias habiles, a partir de la instalacion
de la comisi6n multisectoral, la que debe ocumir en un plazo
no mayor de quince dias habiles, contado a partir del dia
siguiente de la publicacion de la presente Ley.
SECOND. Directiva de seguridad
La Autoridad Nacional de Proteccién de Datos
Personales elabora la directiva de segundad de la
informacién administrada por los bancos de datos
personales en un plazo no mayor de ciento veinte dias
habiles, contado a partir del dia siguiente de la publicacion
de la presente Ley.
En tanto se apruebe y rija la referida directiva, se
mantienen vigentes las disposiciones sectoriales sabre la
materia.
TERCERA. Adecuacion de documentos de gestion
y del Texto Unico de Procedimientos Administrativos
del Ministerio de Justicia
Estando a la creacion de la Autoridad Nacional de
Proteccién de Datos Personales, en un plazo maximo
de ciento veinte dias habiles, contado a partir del dia
siguiente de la publicacion de la presente Ley, el Ministerio
de Justicia elabora las modificaciones pertinentes en
sus documentos de gestion y en su Texto Unico de
Procedimientos Administrativos.
CUARTA. Adecuacién normativa
Dentro del plazo de sesenta dias habiles, el Poder
Ejecutivo remite al Congreso de la Republica un proyecto
de ley que contenga las modificaciones necesarias a las
leyes existentes a efectos de su adecuacion a la presente
Ley.
Para las normas de rango inferior, las entidades
publicas competentes revisan lanormativa correspondiente
y elaboran las propuestas necesarias para su adecuacion
a lo dispuesto en esta Ley.
En ambos casos se requiere la opinion técnica
favorable previa de la Autoridad Nacional de Proteccién
de Datos Personales, de conformidad con el! articulo 33
numeral 11.
QUINTA.
preexistentes
Los bancos de datos personales creados con
anterioridad a la presente Ley y sus respectivos
reglamentos deben adecuarse a esta norma dentro del
plazo que establezca el reglamento. Sin perjuicio de ello,
sus titulares deben declararlos ante la Autoridad Nacional
de Proteccién de Datos Personales, con sujecion a lo
dispuesto en el articulo 29.
Bancos de datos personales
SEXTA. Habeas data
Las normas establecidas en el Cédigo Procesal
Constitucional sobre el proceso de habeas data se
aplican en el ambito constitucional, independientemente
del ambito administrativo materia de la presente Ley. El
procedimiento administrativo establecido en la presente
Ley no constituye via previa para el ejercicio del derecho
via proceso constitucional.
SETIMA. Competencias del Instituto Nacional de
Defensa de la Competencia y de la Proteccion de la
Propiedad Intelectual (Indecopi)
La Autoridad Nacional de Proteccién de Datos
Personales es competente para salvaguardar los
derechos de los titulares de la informacion administrada
por las Centrales Privadas de Informaci6n de Riesgos
(Cepirs) o similares conforme a los términos establecidos
en la presente Ley
Sin peruicio de ello, en materia de infraccioén a los
derechos de los consumidores en general mediante la

El Peruano
Lima, domingo 3 de julio de 2011
@ NORMAS LEGALES
445753

prestacion de los servicios e informacion brindados por
las Cepirs o similares, en el marco de las relaciones de
consumo, son aplicables las normas sobre proteccién
al consumidor, siendo el ente competente de manera
exclusiva y excluyente para la supervisién de su
cumplimiento la Comision de Proteccién al Consumidor
del Instituto Nacional de Defensa de la Competencia y de
la Proteccién de la Propiedad Intelectual (Indecopi), la que
debe velar por la idoneidad de los bienes y servicios en
funcion de la informacion brindada a los consumidores.
OCTAVA. Informacion sensible
Para los efectos de lo dispuesto en la Ley 27489, Ley
que Regula las Centrales Prvadas de Informacién de
Riesgos y de Proteccion al Titular de la Informacion, se
entiende por informacion sensible la definida como dato
sensible por la presente Ley.
Igualmente, precisase que la informacion confidencial
a que se refiere el numeral 5) del articulo 1/7 del Texto
Unico Ordenado de la Ley 28706, Ley de Transparencia y
Acceso a la Informacion Publica, constituye dato sensible
conforme a los alcances de esta Ley.
NOVENA. Inafectaci6n de facultades de la
administraci6n tributaria
Lo dispuesto en la presente Ley no se debe interpretar en
detrimento de las facultades de la administracion tnbutana
respecto de la informacién que obre y requiera para sus
registros, o para el cumplimiento de sus funciones.
DECIMA. Financiamiento
La realizaci6n de las acciones necesarias para la
aplicaci6n de la presente Ley se ejecuta con cargo al
presupuesto institucional del pliego Ministerio de Justicia
y de los recursos a los que hace referencia el articulo 36,
sin demandar recursos adicionales al Tesoro Publico.
DUODECIMA. Vigencia de la Ley
La presente Ley entra en vigencia conforme a lo
siguiente:
1. _Las disposiciones previstas en el Titulo Il, en el
primer parrafo del articulo 32 y en las primera,
segunda, tercera, cuarta, novena y décima
disposiciones complementarias finales rigen a partir
de! dia siguiente de la publicacién de esta Ley.
2. Las demas disposiciones rigen en el plazo
de treinta dias habiles, contado a partir de la
publicacién del reglamento de la presente Ley.
Comuniquese al sefior Presidente de la Reptiblica
para su promulgacion.
En Lima, a los veintiun dias del mes de junio de dos
mil onceCESAR ZUMAETA FLORES
Presidente del Congreso de la Republica
ALDALAZO RIOS DE HORNUNG
Segunda Vicepresidenta del Congreso
de la Republica
AL SENOR PRESIDENTE CONSTITUCIONAL
DE LA REPUBLICA
POR TANTO:
Mando se publique y cumplaDado en la Casa de Gobierno, en Lima, a los dos dias
del mes de julio del afio dos mil once.
ALAN GARCIA PEREZ
Presidente Constitucional de la Republica
ROSARIO DEL PILAR FERNANDEZ FIGUEROA
Presidenta del Consejo de Ministros y
Ministra de Justicia
660457-1

LEY N* 29734
EL PRESIDENTE DE LA REPUBLICA
POR CUANTO:
El Congreso de la Republica
Ha dado la Ley siguiente:
EL CONGRESO DE LA REPUBLICA;
Ha dado la Ley siguiente:
LEY QUE EXIGE EL GRADO ACADEMICO
DE DOCTOR PARA EL EJERCICIO
DEL CARGO DE RECTOR
Articulo Unico. Modificacién del literal c) del
articulo 34 de la Ley 23733, Ley Universitaria
Modificase el literal c) del articulo 34 de la Ley 23733,
Ley Universitaria, en los siguientes términos:
“Articulo 34. (._.)
c) Tener el grado académico de doctor, no
necesariamente en su especialidad_
En ningun caso, se consideran para este requisito los
doctorados honorificos.”
Comuniquese al sefior Presidente de la Republica
para su promulgacion.
En Lima, a los catorce dias del mes de junio de dos
mil once.
CESAR ZUMAETA FLORES
Presidente del Congreso de la Republica
ALDALAZO RIOS DE HORNUNG
Segunda Vicepresidenta del Congreso de
la Republica
AL SENOR PRESIDENTE CONSTITUCIONAL DE
LA REPUBLICA
POR TANTO:
Mando se publique y cumpla.
Dado en la Casa de Gobierno, en Lima, a los dos dias
del mes de julio del afio dos mil once.
ALAN GARCIA PEREZ
Presidente Constitucional de la Republica
ROSARIO DEL PILAR FERNANDEZ FIGUEROA
Presidenta del Consejo de Ministros
y Ministra de Justicia
660457-2
PODER EJECUTIVO
Designan representante del Ministerio
ante la Comisién Multisectorial creada
por la R.S. N° 162-2011-PCM
RESOLUCION MINISTERIAL
N° 0256-2011-AG
Lima, 2 de julio de 2011
CONSIDERANDO:
Que, por Resolucién Suprema N°162-2011-PCM, se
constituyo una Comision Multisectorial a fin de estudiar

