Page 1

Sumilla: Law that regulates private information centers of
risks and protection of the information owner
LAW No. 27489
THE PRESIDENT OF THE REPUBLIC
HOW MUCH:
The Congress of the Republic has issued the following Law:
THE CONGRESS OF THE REPUBLIC;
He has given the following Law:
LAW REGULATING THE PRIVATE INFORMATION CENTERS OF
RISKS AND PROTECTION OF THE INFORMATION HOLDER
TITLE ONE
GENERAL DISPOSITION
Article 1.- Object of the law
The purpose of this Law is to regulate the supply of information from
risks in the market, guaranteeing respect for the rights of the holders
of the same, recognized by the Political Constitution of Peru and the legislation
current, promoting the veracity, confidentiality and appropriate use of said
information.
Article 2.- Definitions
For the purposes of this Law, it is understood by:
a) Private risk information centers (CEPIRS) .- The companies that
in places open to the public and on a regular basis collect and treat
risk information related to natural or legal persons, with the
purpose of spreading by any mechanical or electronic means, in a
free or onerous, credit reports about these. Are not considered
CEPIRS, for the purposes of this Law, to the administration entities
that are in charge of records or data banks that store
information for the purpose of giving you general publicity, without
import the way such information is made public.
b) Risk information.- Information related to obligations or
financial, commercial, tax, labor, insurance background
a natural or legal person that allows evaluating their financial solvency
mainly related to its capacity and debt trajectory and
pay.
c) Sensitive information.- Information referring to the physical characteristics,
moral or emotional nature of a natural person, or facts or circumstances of
their emotional or family life, such as personal habits, ideologies and
political opinions, religious beliefs or convictions, health conditions
physical or mental and sexual life or other similar that affect their privacy and
everything referred to in the Political Constitution of Peru in its Article 2, paragraph 6).
d) Owner of the information.- The natural or legal person to whom the
risk information.
e) Credit report.- All written communication or contained in any medium

Page 2

provided by a CEPIR with risk information referring to a
natural or legal person, identified.
f) Data bank.- Set of risk information managed by the
CEPIRS, whatever the form or modality of its creation, organization,
storage, systematization and access, which allows to relate the
information between themselves, as well as process it for the purpose of transmitting it to
third parties.
g) Collection of information.- Any operation or set of operations or
technical procedure that allow the CEPIRS to obtain information.
h) Public access sources.- Information that is available to the
general public or unrestricted access, not impeded by any
limiting norm, which is collected in media such as censuses, yearbooks,
databases or public registers, jurisprudence repertories, archives of
press, telephone directories or other similar means; as well as the lists of
persons belonging to professional groups that contain only the
names, titles, profession, activity, academic degrees, address and
indication of their membership in the group.
i) Information processing.- Any operation or set of operations or
technical procedure, automated or not, that allow
CEPIRS collect, store, update, record, organize, systematize,
elaborate, select, confront, interconnect, dissociate, cancel and, in
In general, use risk information to be disseminated in a report of
credit.
j) Information dissemination.- Any operation or group of operations or
technical procedures, automated or not, that allow companies to
CEPIRS communicate, assign, transmit, give access or make known to
third parties the risk information contained in their databases. The
source information Public Registries must necessarily indicate the
date and time of obtaining the information and if it is only informative.
Article 3.- scope of application
All CEPIRS that carry out activities or
provide services in the national territory.
SECOND TITLE
OF THE PRIVATE RISK INFORMATION CENTERS
Article 4.- Organization
The CEPIRS may be constituted in any of the forms permitted by the
General Law of Companies.
Article 5.- Characteristics
The CEPIRS must have, as a minimum, the following characteristics of
organization and operation:
a) Adequate computer infrastructure for the proper treatment of the
information collected;
b) Internal procedures for efficient, effective and timely attention to
inquiries, complaints and claims, when applicable; Y,

Page 3

c) Internal controls that provide security in the development of their
activities, as well as procedures for the validity of the processed information.
Article 6.- Impediments
They are prevented from being directors, managers or officers who have
decision-making capacity within the CEPIRS:
a) Those prevented from being directors and managers in accordance with the Law
General of Companies;
b) Those convicted of malicious crimes;
c) Those declared in insolvency process, while it lasts;
d) Those who register document protests in the last five years;
e) Those who, directly or indirectly, have overdue credits for more than 120
(one hundred and twenty) days, or that have entered judicial collection; Y,
f) Those who are owners, partners or shareholders of related companies, to the
referred to in literal b) of Article 54 of the General Tax Law on
Sales and Selective Consumption Tax, which have overdue credits for
more than 120 (one hundred and twenty) days, or that have entered judicial collection.
TITLE THREE
OF THE COLLECTION, TREATMENT, DISSEMINATION AND SECURITY OF THE
RISK INFORMATION
Article 7.- Sources of information
7.1 CEPIRS may collect risk information for their credit banks.
data from both public and private sources, without the need for
have the authorization of the owner of the information, understanding that the
Database will be satisfied with all risk information.
7.2 The CEPIRS may acquire information from the sources mentioned in the
preceding paragraph by entering into private contracts directly
with the natural or legal person who has or has had civil relations,
commercial, administrative, banking, labor or of a similar nature with the
owner of the information, as long as it refers to the acts,
situations, facts, rights and obligations that are the subject of such relationships or
derived from these and that do not constitute a violation of professional secrecy.
7.3 They may also enter into private contracts directly with the
public administration entities that collect or use information from
risks in the exercise of their functions and powers legally
established, unless such information has been declared or constitutes a
trade or industrial secret.
Article 8.- Information supplied by the holders
The CEPIRS may collect risk information directly from the
holders, having to previously inform them expressly, precisely
and unequivocally the following:
a) The existence of the data bank, the purpose of collecting the
information and its potential recipients;

Page 4

b) The identity and address of the CEPIR that collects the information;
c) The optional nature of your answers to the questions that may be
raised;
d) The possible consequences of obtaining the information; Y,
e) The scope of the rights developed in the Fourth Title of the present
Law, as well as the procedures to enforce them.
When questionnaires or any other questionnaire are used to collect information
other printed medium, a copy must be delivered to the owner of the information
of these in which the indications must be clearly legible
indicated in the preceding paragraphs. The burden of proof of having provided the
Information detailed above corresponds to the CEPIRS.
Article 9.- General guidelines for the collection and treatment of
information
For the collection and treatment of risk information in charge of the
CEPIRS must observe the following general guidelines:
a) The collection of information may not be carried out by fraudulent means
or illegal;
b) The information collected may only be used for the stated purposes
in this Law;
c) The information will be lawful, exact and truthful, in such a way that it responds to the
real situation of the owner of the information at a certain time. If the
Information turns out to be illegal, inaccurate or erroneous, in whole or in part, they must
corrective measures be adopted, as the case may be, by the CEPIRS,
without prejudice to the rights that correspond to the holders of said
information.
In order to determine the moment, each report must indicate the
report date; Y,
d) The information will be kept for the established legal term or, in its
defect, for the time necessary for the purposes for which it was
collected.
Article 10.- Excluded information
The CEPIRS may not contain in their databases or disseminate in their
credit reports the following information:
a) Sensitive information;
b) Information that violates bank secrecy or the tax reserve;
c) Inaccurate or erroneous information;
d) Information regarding the breach of obligations of a civil nature,
commercial or tax, when (i) 5 (five) years have elapsed since
the obligation was paid or extinguished in full or (ii) has prescribed the
legal term to demand compliance, whichever comes first;
e) Information regarding enforceable penalties of a tax nature,
administrative or other analogous, of economic content, when (i) they have

Page 5

5 (five) years have elapsed since the sanction imposed on the
infringer or was terminated by any other legal means, or (ii) has prescribed the
legal term to demand its execution, whichever comes first;
f) Information referring to the insolvency or bankruptcy of the owner of the information,
when 5 (five) years have elapsed since the status of
insolvency or since bankruptcy was declared; or,
g) Any other information excluded by law.
Article 11.- Dissemination of risk information
The CEPIRS may disclose to third parties, onerous or under the title
free, risk information contained in their databases. In order to
such effects, the CEPIRS may implement in the way they deem
convenient automated procedures for transmission, communication
or data access to third parties, as well as the mandatory registration of these under
responsibility, having to protect the rights of the holders of the
information.
The CEPIRS disseminate risk information, after identifying with means
appropriate to the requestor of the information.

Article 12.- Duty of security
The CEPIRS must adopt technical and administrative measures
designed to guarantee the security of the information they handle, in order to
prevent its alteration, loss, treatment or unauthorized access.
TITLE FOUR
OF THE DEFENSE OF THE HOLDERS
OF THE INFORMATION IN GENERAL
SUBTITLE ONE
OF THE RIGHTS OF THE HOLDERS
OF THE INFORMATION
Article 13.- Rights of the holders
By way of example, but not limited to, the holders of the information
registered in the data banks administered by CEPIRS have the
following rights:
a) The right of access to information relating to oneself registered in
such banks;
b) The right to modify and the right to cancel information
referred to oneself registered in such banks that could be illegal,
inaccurate, erroneous or expires; Y,
c) The right of rectification of the information referred to oneself that has
been disseminated by the CEPIRS and that turns out to be illegal, inaccurate, erroneous or
expires.

Page 6

Article 14.- Right of access
The holders will be able to access, once a year or when the information contained
in the databases has been subject to rectification, to the information
credit that concerns them that was registered in the data banks
administered by CEPIRS. This information will be accompanied by a
Explanatory review of the rights developed in this Title, as well as
of the procedures to enforce them. The information may be obtained
by the owner of the information:
a) Free of charge, by viewing the data on the screen or;
b) By paying a sum of money, which will not exceed the costs
necessary for the issuance of the corresponding document, by means of a
written, copied or photocopied, in legible and intelligible form, without using keys or
codes that require mechanical devices for their proper
understanding.
The information referred to in this article will include, at the request of the owner, the
identity of the sources of information registered in the databases, with
exception of publicly accessible sources and the identity of all persons
who obtained a credit report on the holder in the last twelve
months, as well as the date such reports were issued.
Article 15.- Right of modification and right of cancellation
15.1 If it is considered that the information contained in the banks of
data is illegal, inaccurate, erroneous or expires, the owner of said information
may request that it be reviewed at the expense and expense of the CEPIRS and,
be the case, that it proceeds to its modification or cancellation.
15.2 The request to review the information must be filed by
writing, accompanying the evidential means that prove that the applicant
is the owner of the information. In this request the data will be specified
that you want to review, accompanying the documentation that justifies
the request.
15.3 The CEPIRS will establish the internal procedures necessary to
provide efficient, effective and timely attention to requests for review
presented, as well as the communication and coordination mechanisms
appropriate to the sources from which you collect the information.
15.4 Within a period of 7 (seven) calendar days from the presentation of the
request, the CEPIRS will obligatorily inform in writing the holder of the
information if your request is valid or if it has been denied.
Alternatively, within the same period, the CEPIRS may extend, up to
for 5 (five) additional calendar days, the term to issue a decision
definitively, having to do so, until the end of the term, disseminate that said
information is subject to review.
15.5 Once the terms mentioned in this paragraph have expired, the owner of the
information should receive the written communication that responds to
your request definitively.

Article 16.- Right of rectification
In case it is verified that the information contained in the databases
is illegal, inaccurate, erroneous or expires, CEPIR, at its expense and expense, will send
corrective communications, to those who would have provided said

Page 7

information in the twelve months prior to the date on which the
trouble.
Article 17.- Jurisdictional protection
17.1 The holders of the information who are not considered consumers
for purposes of Legislative Decree No. 716, Consumer Protection Law,
may judicially request the protection of the rights set forth in this
Subtitle on the route of the summary process.
17.2 To be able to file a claim in order to modify it,
cancel or rectify risk information that is considered illegal,
inaccurate, erroneous or expires, the owner of said information must previously
obtain a pronouncement, express or implied, denying a request for
revision or rectification, processed in accordance with the provisions of Articles
15th and 16th of this Law.
SECOND SUBTITLE
OF CIVIL AND CRIMINAL LIABILITY
Article 18.- Civil and criminal liability
18.1 The civil liability of the CEPIRS for damages caused to the holder
For the purpose of processing or disseminating information, it will be objective. The CEPIRS
may repeat against the sources providing information when the damage
is caused as a result of the information processing carried out
For these.
18.2 There is also responsibility on the part of the users or recipients.
of risk information provided by the CEPIRS, in case of use
undue, fraudulent or in a way that causes damage to the owner of the information,
the same that will be determined in accordance with the rules of civil liability and
criminal to which there was place. Notwithstanding the foregoing, the CEPIRS may
repeat against users or recipients of information in case of having
assumed responsibility towards the owner of the information or third parties, in the
aforementioned assumptions in which the responsibility of the
users or recipients of information.

TITLE FIVE
DEFENSE OF CONSUMERS IN SPECIAL
Article 19.- Defense of consumers
The provisions contained in this Title are applicable to the
disputes that arise between the CEPIRS and the holders of the information, which are
considered consumers by mandate of this Law, for the purposes of the
application of the provisions of Legislative Decree No. 716, Protection Law
to the consumer.
Article 20.- Infractions
Administrative infractions of this Law are considered:
a) Refusing to provide a consumer's access to risk information
of which it is the owner;
b) Deny a request for review or a request for rectification of the
risk information owned by a consumer; or,

Page 8

c) Refuse to modify or cancel the information of a holder after
he has had a favorable ruling in a procedure followed
In accordance with the provisions of Article 15 of this Law.
The CEPIRS are objectively responsible for incurring the infractions
previously typified, without prejudice to the responsibility that may correspond to
the sources from which they have collected information, if applicable,
in accordance with the provisions contained in Legislative Decree No. 716, Law
Consumer Protection.
Article 21.- Competence of the Consumer Protection Commission
21.1 The Consumer Protection Commission of the National Institute of
Defense of Competition and Protection of Intellectual Property
(INDECOPI) is the competent administrative body to hear the
offenses typified in the preceding article and impose the sanctions
administrative and corrective measures that may take place. For such
effects, the Commission will apply the single procedure contemplated in Title V
of Legislative Decree No. 807, Powers, Norms and Organization of the
INDECOPI.
21.2 To file an administrative complaint for violation of Article 20
subsection b), the consumer who owns the information must previously obtain
an express or tacit pronouncement, denying a request for review or
rectification, processed in accordance with the provisions of Articles 15 and 16 of the
present Law.
Article 22.- Corrective measures
Without prejudice to any administrative penalties, the Commission
of Consumer Protection will impose on the CEPIRS that they incur in any
violation of this Law, the following corrective measures:
a) The modification or cancellation of the risk information registered in their
data banks; Y,
b) The rectification of the commercial risk information disseminated in the
market, at the expense and cost of the offender, in the manner determined by the
Commission.
In addition to the administrative sanctions that may arise regarding
CEPIRS, the Consumer Protection Commission will impose sanctions on the
sources providing the information that incur in any violation of the
this Law and in general to third parties who have provided
risk information to CEPIRS that is illegal, inaccurate, erroneous or
expires.
The modification, update, rectification or cancellation of the information of
aforementioned risks that are registered in their databases are
will update within the day following notification of the measure.
Article 23.- Execution of corrective measures in favor of the
consumers
23.1 Final resolutions ordering corrective measures constitute
Execution Titles in accordance with the provisions of Article 713º paragraph 3) of the
Civil Procedure Code, once they are consented to or cause status in the
Administrative route.
23.2 In case of final resolutions ordering corrective measures in favor of

Page 9

of consumers affected by the administrative offense, the legitimacy to
Acting in civil enforcement proceedings corresponds to such consumers.
In the remaining cases, the legitimacy corresponds to INDECOPI.

COMPLEMENTARY AND FINAL PROVISION
ONLY.- Entry into force
This Law shall enter into force 30 (thirty) days after its publication.
Contact the President of the Republic for its enactment.

In Lima, on the eleventh day of June, two thousand and one.
CARLOS FERRERO
President ai of the Congress of the Republic
HENRY PEASE GARCIA
Second Vice President of the Congress of the Republic
TO THE CONSTITUTIONAL PRESIDENT OF THE REPUBLIC
THEREFORE:
Command is published and fulfilled.
Given at the Government House, in Lima, on the twenty-seventh day of the month of June
of the year two thousand and one.
VALENTIN PANIAGUA CORAZAO
Constitutional President of the Republic
JUAN INCHAUSTEGUI VARGAS
Minister of Industry, Tourism, Integration and Trade Negotiations
International

