Privacy Questionnaire

The document discusses Peru's data privacy regulations. It notes that Peru has a Personal Data Protection Law from 2011 and its Regulations from 2013 which established the National Authority for the Protection of Personal Data. The law covers data processed in Peru or about Peruvian residents and sets principles like consent, purpose limitation, data quality and security. It classifies personal data and sensitive personal data which requires special treatment. Companies have responsibilities like registering databases, obtaining consent, and protecting data. Digital consent is allowed if it is express, free, prior and informed. All purposes require individual consent from data subjects.

QUESTIONNAIRE ON PERUVIAN PRIVACY REGULATION

1. Are there local regulations or laws regarding Data Privacy that would be applicable?
Yes:

- Law N° 29733 – Personal Data Protection Law (henceforth, the Law),
- Supreme Decree N° 003-2013-JUS (henceforth, the Regulations), and
- Directorial Resolution N° 019-2013-JUS/DGPDP (Information Security Guidelines), which is a non-binding document regarding security measures to be arranged in order to prevent alteration, loss and unauthorized access to personal data.
a. If so, when did it enter into force?
The Law was enacted in 2011 and its Regulations in 2013. They entered into full force in May 2015.
b. What would be the regulatory framework we should be looking into and how does it
work in each country? (e.g. who is the Data Privacy Authority)
The Law and its Regulations provide for the constitutional protection of the right to privacy and set forth obligations applicable to public and private entities. The Peruvian National Authority for the Protection of Personal Data is the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (henceforth, the Authority).
The provisions of the Law and its Regulations are applicable to the processing of personal data when:

- It is carried out by a data controller, or whoever is responsible for the processing, in an establishment located within Peruvian territory.
- It is carried out by a data processor, regardless of its location, in the name of a data controller, or whoever is responsible for the processing, established within Peruvian territory.
- The data controller, or whoever is responsible for the processing, is not established in Peruvian territory, but Peruvian law is applicable to it by a contractual provision or by international law; and/or
- The data controller, or whoever is responsible for the processing, is not established within Peruvian territory, but uses means located in that territory, unless such means are used only for transit purposes that do not imply processing.

When the data controller, or whoever is responsible for the data processing, is not established within Peruvian territory but the data processor is, the latter will be subject to the provisions related to the security measures contained in the Law and its Regulations.
c. Do those local regulations mention basic principles that should be complied with
when collecting and managing data? (e.g. lawfulness, transparency, accuracy,
minimization, storage, purpose, retention periods, accountability, etc.)
Yes, the Law and its Regulations set forth several basic principles to be complied with:

- Principle of legality: The processing of personal data shall be done in accordance with the provisions of the Law. The collection of personal data by fraudulent, unfair or illegal means is prohibited.
- Principle of consent: The processing of personal data is lawful when the data subject has given their free, prior, express, informed and unambiguous consent.
- Principle of purpose: A purpose is determined when it has been clearly expressed, without confusion, objectively specifying the purpose of the processing of personal data.
- Principle of proportionality: All processing of personal data must be adequate, relevant and not excessive in relation to the purpose for which the data were collected.
- Principle of quality: The data contained in a personal database must accurately reflect reality. Personal data collected directly from data subjects are presumed to be accurate.
- Principle of security: The processing of personal data must adopt the security measures (legal, technical and organizational) that are necessary in order to avoid any unlawful data processing.
- Principle of resource disposition: Every data subject must have the administrative or jurisdictional means necessary to claim and enforce their rights when these are violated by the processing of their personal data.
- Principle of adequate level of protection: For cross-border flows of personal data, an adequate level of protection in the recipient country must be guaranteed by the issuer.
d. What would be PepsiCo's main responsibilities pursuant to these regulations?
Depending on the type of operation, PepsiCo can be deemed a Data Controller or a Data Processor. As a Data Controller, PepsiCo would be obliged to:

- Register the characteristics of all databases before the National Registry.
- Carry out the processing of personal data only if informed, express and unequivocal consent has been collected from data subjects, unless exceptions stated in the Law apply.
- Collect personal data that are proportional to the specific, explicit and lawful purposes for which they were obtained.
- Refrain from using personal data for purposes other than those consented to, unless anonymization or dissociation procedures are used.
- Arrange all security measures (legal, organizational and technical) set forth in the Law and its Regulations.
- Implement a communication channel so data subjects may exercise their privacy rights.
2. How is “personal data” segregated or classified locally?
According to the Law and its Regulations, personal data can be classified into general personal data and sensitive personal data.
a. What would be the local classifications?
Personal data is any information on an individual which identifies them or makes them identifiable through reasonable means. This information could be numerical, alphabetical, graphic, photographic, acoustic, personal habits, or any other information concerning an individual.
Sensitive personal data is information related to the physical, moral or emotional characteristics of the individual; facts or circumstances of their affective or family life; personal habits that correspond to the most intimate sphere; information related to physical or mental health; or other analogous information that affects their privacy. Sensitive personal data can include biometric data that can identify the data subject; data referring to racial and ethnic origin; economic income; opinions or political, religious, philosophical or moral convictions; union membership; and information related to health or sexual life.
b. Do any of them imply special treatment?
In the case of sensitive personal data, the informed consent must be made in writing.
Security measures to be adopted must be of a higher degree.
c. Are “e-mail”, “mobile phone”, “address”, “date of birth” and “ID information”
considered sensitive data in these countries?
No, they are not considered sensitive personal data.
3. Are retention periods applicable to this data within these countries?
Unless there is a legal obligation in place, the period of retention of personal data
depends on the purposes for which they were collected.
a. If so, what are the criteria for setting those periods? Is it related to the classification
of the data?
Not applicable
4. Is digital/online consent legally admissible?
Yes, digital/online consent is legally admissible as express consent.
In the digital environment, a manifestation consisting of a "click", "click-wrap", "touch", "pad" or similar is also considered express consent.
In this context, written consent may be granted by electronic signature, by written signature (so that it can be read and printed), or by any other mechanism or procedure established to identify the data subject and obtain their consent through written text. It can also be granted by a pre-established text that is easily visible, legible and in plain language.
a. Is consent required, or does the regulatory framework support an opt-out approach?
As a general rule, explicit consent from the data subject is required. Nevertheless,
according to the Law, certain exceptions apply; for example: (i) when personal data are
collected or transferred for the exercise of the functions of public entities within the
scope of their powers; or (ii) when the personal data are necessary for the preparation,
conclusion and execution of a contractual relationship in which the data subject is a
party, among others.
An opt-out approach is not valid according to the Law, its Regulations, and the
Authority criteria.
b. If required, what are the specific consent standards?
The Law and its Regulations establish that a data subject's consent must be free, prior, express, unequivocal and informed.
5. How should we store or document the obtained consents?
The Law and its Regulations don't require the company to meet specific standards for storing consents. Nevertheless, the burden of proof (related to the collection of informed consent) is allocated to the company.
6. Should each purpose for which the information will be used require consent (e.g.
sharing the data with other affiliates, contacting the consumer directly, storing their
data, etc.)?
Yes, every purpose requires consent from the data subject.
a. Do we have to list all the potential purposes or intended uses for the data and then
request consent on all of them at once?
Yes, according to the Authority's recent criteria, all actual and potential purposes must be communicated to the data subject prior to the collection and processing of their personal data.
b. Or, should we request consent on each of them individually?
That is a possibility; nevertheless, it is not mandatory. We recommend requesting
consent for all the purposes or intended uses at once.
c. Are pre-checked boxes allowed?
According to the Authority's recent criteria, pre-checked boxes may interfere with the data subject's consent. Thus, we do not recommend their use.
7. What are the minimum requirements for storing/managing this data?
Given that the Law and its Regulations are applicable to personal data processing, all obligations stated above are minimum requirements.
We refer now to the adoption of technical, organizational and legal measures in order
to guarantee personal data are safe.
a. Are there technical aspects that we should comply with?
Yes. The minimum technical measures to be adopted are related to: (1) protocols and controls over the creation of profiles, access and privileges; (2) protocols and effective periodic verification and supervision of privileges; (3) active traceability of user interaction (what users do in terms of personal data processing); (4) backup and recovery protocols; and (5) security mechanisms for logical transfers of data. Besides, there must be internal policies on printing and copying.
All of these security protocols must be documented (approved under a formal document).
b. Are there specific technical requirements or security controls set forth in the laws (e.g. levels of required encryption, etc.)?
No. The recommended technical measures are those complying with the best practices contained in ISO 27001, which is the model standard in the data security context. Nevertheless, neither the Law nor its Regulations impose a specific technology to be used. For instance, the Law states that the exchange of personal data from processing or storage environments to any destination outside the physical facilities of the data controller requires the adoption of "necessary measures", and it immediately gives examples such as encryption, digital signatures and checksum verification, among others. But it leaves other technical possibilities open.
8. Pursuant to the regulatory framework, should someone from PepsiCo be appointed
as responsible for managing the data?
There is no legal obligation to appoint a person responsible for managing the data. Nevertheless, we recommend the appointment of someone within PepsiCo as a general compliance officer, as an organizational security measure. Besides, there should be specific officers responsible for the processing of data for each identified database.
a. If so, does the applicable regulatory framework restrict who should have access to
this data or provide further guidance?
No. Access to data within the company shall comply with a need-to-know principle. Each user with access to personal data or a personal database must be clearly identified and use an access validation mechanism (e.g. a password).
9. What would be the consequences of breaching the applicable regulatory framework
or managing data improperly?
The Authority could initiate a sanctioning proceeding.
a. What would be the applicable fines or penalties?
Depending on the seriousness of the infringement, the following fines may be imposed:

- Minor infringement: from 0.5 to 5 Peruvian Tax Units (approximately USD 635 to USD 6,365)
- Serious infringement: from 5 to 50 Peruvian Tax Units (approximately USD 6,365 to USD 63,635)
- Very serious infringement: from 50 to 100 Peruvian Tax Units (approximately USD 63,635 to USD 127,275)
b. Would PepsiCo be responsible as a company?
Yes, in case of compliance failure of PepsiCo (i.e. if PepsiCo was found to be the Data
Controller), it could be held responsible as a company.
c. Is this responsibility joint or individual?
It is individual. Fines may apply to data controllers and data processors, though, if they
both failed to comply with the Law and its Regulations.
10. When requested by the consumers, what are the local processes and guidelines
that we should comply with regarding access, rectification or deletion of their data?
There are no specific binding guidelines regarding the handling of data subjects' privacy rights requests.
According to the Law and its Regulations, a data subject can exercise their privacy rights (information, access, rectification, cancellation, and objection) at any time. The company shall have an established procedure to guarantee these claims are reviewed and responded to within the following periods:

- Right to information: eight (8) business days.
- Right of access: twenty (20) business days.
- Right of opposition: ten (10) business days.
- Right of rectification: ten (10) business days.
- Right of cancellation: ten (10) business days.
- Full withdrawal of consent: ten (10) business days.
- Partial withdrawal of consent: five (5) business days.
11. Are there agency/third-party contractual requirements within local regulations and laws?
Even though the Law and its Regulations don't provide standard data protection clauses, the data controller must sign compliance agreements with its third-party suppliers (as long as they process data too) so that they comply with the minimum security measures set forth in the Law and its Regulations. Furthermore, third-party suppliers and their workers must sign confidentiality agreements when they process personal data.
12. Beyond the consumer context, are there regulations that apply to other types of personal information collected by PEP (and is it an area ripe for enforcement/litigation), such as employee data?
The Law and its Regulations apply to every type of personal information managed by the company; thus they apply transversally to all areas, including employee data.
