Add a bookmark to get started

Abstract view of building
30 May 20226 minute read

Peru: Antitrust, consumer protection and data protection challenges on the way

The coming months will likely see significant changes and challenges for companies operating in Peru. In this article, we take a concise look at recent developments in the legal frameworks affecting antitrust, consumer protection and data protection.

Antitrust: new rules for business concentrations

Peru’s Law No. 31112, establishing the regime of prior control of business concentration operations[1] in Peru, and its regulation, entered into force on June 14, 2021. This Law creates a prior control procedure to be overseen by the national consumer protection authority, Indecopi[2]regarding business control operations, in order to ensure competition and economic efficiency in the marketplace for the welfare of consumers.

To be subject to the prior control procedure, a business concentration operation must fall within both of the following thresholds:

  1. During the fiscal year prior to that in which the business concentration operation is notified, the total value of sales or annual gross income or value of assets in Peru of the companies involved has reached a value equal to or greater than 118,000 tax units[3] and

  2. During the fiscal year prior to the one in which the operation is notified, the value of sales or annual gross income or value of assets in Peru of at least two of the companies involved in the business concentration operation reached, a value equal to or greater than 18,000[4] tax units, for each of the companies.

In that regard, in 2022, companies which are involved in, or contemplating, a business concentration operation should make an exhaustive analysis of the gross incomes and value of assets of the companies involved, in order to determine if a notification to INDECOPI will be required.

Consumer protection and e-commerce

The fight against COVID-19 has changed consumer habits in a number of ways – notably, in the dramatic growth in ecommerce, which has come to be regarded as a way for consumers to acquire products and services that is not just fast but safe. This massive change in consumer behavior is prompting many companies to move away from traditional channels, such as bricks-and-mortar shops, and opt for this new and, from the consumer viewpoint, convenient option.

Companies that are offering and selling products and providing services through their webpages to Peruvian consumers should keep in mind the tenets of Peru’s Law No. 29571, the Consumer Protection and Defense Code.[5]

That Code requires that companies ensure strict respect for consumer rights; inform consumers about products and services though easily understandable terms and conditions; establish clear delivery times and then comply with those times; clearly describe any fees regarding delivery agreements; and implement a return policy.  As e-commerce continues its dramatic growth, companies doing business online in Peru are paying attention to this law’s requirements in 2022.

Protection of consumer data

The growth of e-commerce also has implications for the ways companies process and use consumers’ personal data.[6] In 2022, Peru’s Data Protection Authority is focusing on surveillance, paying special attention on how companies (website owners) who act as data controllers[7] comply with the provisions established by the Peruvian Data Protection Legislation.

Therefore, any company that commercializes or intends to commercialize its products and services through the Internet should take into consideration the following obligations:

  • Personal data must be processed in compliance with the consent principle. That is, personal data should not be processed without the data subject’s consent, unless one of the exceptions provided by the Data Protection Legislation is in place. It is important to highlight that, due to recent Data Protection Authority rulings, data subjects must consent to the use of cookies which are not strictly necessary for website functionality (ie, preference or marketing cookies). In that regard, it is seen as best practice to include a consent formula on the website to notify users about the use of cookies and obtain their assent such usage.
  • Databases and any transfer abroad of personal data must be registered with the Peruvian Data Protection Authority.
  • Data subjects must be properly informed about the conditions under which their personal data is being processed, in accordance with the Duty to Inform set out in the Personal Data Protection Law.[8] This is usually addressed through privacy policies.
  • Personal data must be processed in compliance with the security measures set out in the Data Protection Legislation.

Find out more about the implications of these changes for your business by contacting either of the authors.

[1] According to Law No. 31112, a Business Control Operation is “any act or operation that implies a transfer or change in the Control of Company, or a part of it.”

[2] INDECOPI is the multipurpose regulatory body in charge of the surveillance of, among other areas of law, antitrust and consumer protection matters.

[3] Approximately US$146,000,000.

[4] Approximately US$22,500,000.

[5] Consumer protection regulations are ruled by Law No. 29571, the Consumer Protection and Defense Code.

[6] Law No. 29733, the Peruvian Personal Data Protection Law, defines “personal data” as “any information about a natural person that identifies it or makes it identifiable through means that can be reasonably used.”

[7] According to Law No. 29733, Peruvian Personal Data Protection Law, a data controller is “the person who determines the purpose of the processing of personal data.”

[8] According to Law No. 29733, Peruvian Personal Data Protection Law, the data subject shall be informed in a simple, express, unequivocal manner, and prior to the collection of data, about the purpose for which his personal data will be processed; who are or may be its recipients, the existence of the data bank in which it will be stored, as well as the identity and address of its owner and, if applicable, of the person or persons in charge of the processing of his or their personal data; the mandatory or optional nature of your answers to the questionnaire proposed to you, especially regarding sensitive data; the transfer of personal data; the consequences of providing your personal data and of your refusal to do so; the time during which your personal data will be kept; and the possibility of exercising the rights granted to you by law and the means provided for this purpose.