May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)
Yes.
Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)
Yes. The data not necessary for the execution of the contract must be provided with the prior consent of the workers. Similarly, the data required for purposes other than the execution of the contract.
There are court rulings that establish that the employer may only check the worker’s email if a judge orders it or the worker himself consents.
Are there exceptions that will allow employers to collect and treat workers data without consent? (Y/N – if Y, list the exceptions)
Yes. According to article 14 of Law N° 29,733, Personal Data Protection Law, employers may treat employees’ data without employees’ consent when it is personal data necessary to execute the contractual relationship.
Is the company required to provide a privacy notice to workers? (Y/N)
Yes.
Does the worker privacy notice need to address security measures?
Not necessarily. Security measures are mandatory but there is no legal obligation to include them in the privacy notice to workers.
Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Employees should be informed about who is the controller of their data; the purposes for which your data will be used; and their rights with respect to said data (“ARCO”). Employees must also be informed about the employer’s video surveillance policy.
Are there data subject rights for workers? (Y/N – if Y, please list)
Yes. Workers have the same rights as any data subject (i.e. to be informed, to access, to rectification, to erasure, to object/opt-out, etc.). In addition, workers have rights that derive from the general rule of the Civil Code.
What is the timeframe to respond to data subject requests from workers?
In case of worker’s request to access the timeframe is 20 business days and worker’s request for rectification, cancellation or opposition the timeframe is 10 business days.
Are there exceptions to responding to data subject requests from workers?
Yes. Requests may be denied when protecting the rights and interests of third parties or when this may hinder ongoing legal or administrative actions related to the investigation on compliance with tax or social security obligations, to criminal investigations into the commission of misdemeanors or crimes, to the development of health and environmental control functions, to the verification of administrative infractions, or when so provided the law.
Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
There are no specific employment rules about privacy related discrimination.
Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Yes. Generic rules about transfer of personal data to third parties are also applicable to employee information.
Are there rules about automated decision making involving workers (e.g., hiring decisions)?
No.
Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Sensitive data require consent for the purposes of its treatment and it must be made in writing.
Are there specific security requirements for storing and processing worker information?
No. The general regime is also applicable for worker information.
Are there rules about using worker information for marketing?
Yes. Generic rules about use of personal data for marketing is applicable also to worker information for marketing. Therefore, the employer must obtain the consent of the workers.
Are there rules about surveillance of workers?
Yes. It is regulated by Directive 01-2020-JUS / DGTAIPD.
Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
No. However, case law require the consent of the worker for the employer to access his email, telephone or other device.
Is there a legislative body or government entity that regulates employment-related privacy matters?
No.
In the event of a violation, is the recourse regulatory, a private right of action, or other?
Both.
Expected Changes to Worker Privacy Laws:
No.
Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).
No.
Av. República de Panamá
3461 Piso 9
San Isidro – 15036
Call: +51 (1) 202 8000
Los Tamarindos 274
Urb. 4 de Enero
Piura – Piura
Call: +51 (73) 32 6994
Call: +51 (73) 31 3192
We work together to deliver local business intelligence and value with global depth and reach.