
www.Nymity.com

Privacy Interviews with Experts


June 2016

Oscar Montezuma Panez


Partner
Montezuma & Porto
Peru

Data Privacy in Peru within employment relations.


Professional profile:
Lawyer from Universidad Católica del Perú holding an LLM from the George Washington University. With more than ten
years of experience in the telecommunications and information technologies sector Oscar has worked for important law
firms and transnational technology companies. Oscar has served as consultant to the Ministry of Information
Technologies and Communications of the Colombian Government, and as member of the Copyright Commission of
INDECOPI in Peru. Currently Oscar is partner at Montezuma & Porto, boutique law firm with a leading and highly ranked
practice in telecommunications, technology and data protection law.
Nymity: What is the history and background of data protection in Peru in impacting employment relations?
Montezuma: Before the Data Protection Act (2011) and its Regulations (2013) (collectively Data Protection Act)
employment relations were governed by generic privacy protection provisions contained within the Constitution
(including the constitutional writ of Habeas Data) and sectoral regulation on intimacy rights. The Data Protection Act and
its Regulations are not restricted to a legal remedy, instead it offers a comprehensive set of rules and principles that
govern: (i) collection and use of personal information, (ii) quality and security of information and (iii) rights of individuals
with respect to information about themselves.
Nymity: What are the data collection and processing requirements in the employment context?
Montezuma: Data collection and processing in the employment context is regularly referred to two processes: (i) staff
recruitment and selection, and (ii) staff hiring. The general rule set by the Peruvian Data Protection Act is that use and
treatment of personal data requires previous, informed, express, unequivocal and free consent. In the first case such
consent is required if the employer plans to store resumes, tests or similar information for other selection processes.
However, once the employer hires the candidate the Data Protection Act provides an exemption by which consent is not
necessary for the execution or performance of a contract (in this case the employment contract). This means that
ordinary activities such as use of employees' personal data for salary payment or compliance with labour regulation
activities are covered under the exemption. However the employee must be aware that the Data Protection Act is
governed by principles such as proportionality. Therefore employer must store only the information needed for the
establishment and maintenance of the employment relation. For any other use or treatment, mandatory consent may be
required.
Nymity: Are there information collection restrictions of employee information?
Montezuma: There are no restrictions to the collection of employee information including sensitive information other
than obtaining consent where applicable and as required by law. However while processing personal data the employer
must comply with principles of proportionality, legality and purpose provided by the Data Protection Act. Additionally
according to general employment law regulation, employer is not allowed to use personal data in any activity that may
involve any type of discrimination against the employee.
Nymity: How is the access and correction of information treated within employment relations?
Montezuma: Access and correction rights (also known as ARCO rights) are those provided by the Data Protection Act and
must be responded to by the employer on the terms set by law. If the employer does not respect ARCO rights the
employee may file an administrative remedy before the Data Protection Authority (DPA) against the employer; that may
imply fines of up to 100 UIT (approximately US$119,700).
Nymity: Is employee monitoring and surveillance allowed?
Montezuma: The general rule set by the Peruvian Data Protection Act is that use and treatment of personal data requires
previous, informed, express, unequivocal and free consent. Therefore, the access, use and transfer of employees'
information for monitoring and surveillance purposes can only be performed after obtaining consent.
On the other hand, Peruvian Constitutional Court relying on the constitutional right to the secrecy of communications and
general employment regulation has issued diverse decisions on the legality of employees' email monitoring and
surveillance practices. Below you may find a list of the most relevant decisions:
Cases before the Peruvian Constitutional Court | Year
Exp. 1058-2004-AA/TC (the Serpost case) | 2004
Exp. 04224-2009-PA/TC (the CMAC-Tacna Case) | 2011
Exp. 03599-2010-PA/TC and 00114-2011-PA/TC (the Telefonica cases) | 2012

All of them agree on the fact that employee's information is protected under the above-mentioned constitutional
safeguards; however, those decisions contain diverse dissenting opinions that show this matter would remain under
permanent and further discussion.
Nymity: Are data transfers allowed by the employer?
Montezuma: Yes, upon obtaining consent for such transfer. However, cross-border flows of personal data should be
performed only if the country of destination maintains the same level of protection as the Data Protection Act.
Nymity: What are the security and breach notification standards applicable for data controllers/ employers?
Montezuma: There is no mandatory breach notification under the Data Protection Act. Even though there is no
mandatory security and breach notification, the Security Directive, a non-mandatory document issued by the DPA
suggests that data controllers shall implement a notification procedure to the data subject in the event of any security
incident regarding his/her personal data. We consider the latter a reasonable recommendation that companies should
follow proactively.
Nymity: How long should the employer retain the personal data of former employees?
Montezuma: Employment law lays down mandatory time limits for which certain types of employee records must be
kept. According to Supreme Decree No. 001-98-TR, payroll, workers' payment receipt and related records must be stored
for 5 years since last payment. However in the case of trial it is common that judges request the employer to display
documents such as payroll, payment records, social benefit and other similar documentation even though such
documents are more than 5 years old. Moreover, judges tend to prefer the term applicable for the expiration of the
employment legal actions, which is 4 years since the termination of the employment relationship.
Nymity: What are the main concerns of data controllers/ employers under the current legislation?
Montezuma: The main concerns for data controllers/employers under the current legislation are focused in
implementing the Data Protection Act within all the human resources processes that involve use and access to personal
data, from recruitment through the termination of the employment relationship. This also includes drafting data
protection clauses within the contracts they enter into with third parties such as payroll outsourcing services, recruiting
services and physical security services (data processors). There is a common confusion between confidentiality or non-disclosure clauses and data protection clauses that needs to be clarified, especially when dealing with data processors that
have access to sensitive employee information. Finally implementation of security measures should not be left aside.
Nymity: Are there any proposed amendments to the current set of rules?
Montezuma: No, there are not any proposed amendments to the current set of rules.
Nymity: What are five key recommendations for effective employees' data protection compliance in organizations in
Peru?
Montezuma:
1. Data Protection Act implementation should be viewed as 360-degree process that crosses the whole organization
and should not be restricted to the Human Resources area. CEOs should be involved from the beginning.
2. Data Protection Act implementation should be envisioned as a turnkey solution that brings assembled technical
and legal answers to organizations. This implies lawyers and technical experts working together as a task force. In
our professional experience, have given us the best achievements and results in the services we provide to our
clients.
3. Prioritization is the key for implementing data protection solutions within any organization. Diagnosis and
implementation phases tend to be very useful especially in the case of large corporations.
4. Data Protection Act must move beyond mere implementation to become an asset that adds value to the
organization and lives through its culture.
5. Organizations must be aware that any initiative within the Human Resources area such as BYOD and/or telework
policies as well as any outsourcing project must undergo compliance with the Data Protection Act as well as the
sectorial employment regulation.

These interviews are provided by Nymity as a resource to benefit the broader privacy community. The interviews represent the points of view of the interview subjects and Nymity makes no guarantee as to the
accuracy of the information. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. None of the foregoing is legal advice. If you suspect a serious error, please contact
research@nymity.com.

Copyright 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated.
Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to
research@nymity.com.

Nymity Inc. All Rights Reserved.
