This article is co-authored by Cecilia Kahn and Ana Lucía Taboada.
It is not strange that we have heard from several people who in recent years have exercised some of the famous ARCO rights (Access, Rectification, Cancellation and Opposition) contained in Law No. 29733, Law on Protection of Personal Data (hereinafter, the "LPDP”), Being the cancellation of personal data (also known as deletion or deletion) one of the most frequently exercised. Before the legitimate exercise of the right of cancellation by the holders of personal data (the "Data Holders”), The following question arises: Is it possible that the holder of the personal data bank (the "Data Bank Holder”) Can you refuse to delete the personal data of people who have exercised their right to cancel?
In the first place, it is important to specify that, as indicated in article 13.5 of the LPDP, personal data can only be processed (collection, registration, use, consultation and / or storage) provided that there is prior, informed, express and unequivocal consent of the Data Holders, except authoritative law in this regard. Thus, in principle, each Data Bank Holder must take the necessary care to only carry out the processing of personal data whose consents have been granted by the Data Holders. In addition, the quality principle set forth in Article 8 of the LPDP provides that the Data Bank Holder may keep the personal data of the Data Holders only for the time necessary to fulfill the purpose of their processing, that is, once the purpose that gave rise to the collection of personal data has been fulfilled, they must be deleted.
It is in this line that, the LPDP provides the following assumptions for the cancellation of personal data: (i) when the purpose that gave rise to the processing of personal data was fulfilled, (ii) when the deadline established for its processing has expired and , (iii) before the exercise of the right of cancellation by the Data Holders, in which case, according to article 67 of Supreme Decree No. 003-2013-JUS, Regulation of the Law on Protection of Personal Data (the "Regulation”), The Data Bank Holder must cease to process the data from a block of the data and its subsequent elimination.
In the case of the exercise of the right of cancellation, Article 69 of the Regulation provides that, in the following cases, the exercise of this right will be declared inadmissible: a) in cases where personal data must be kept by reason historical, statistical or scientific according to the applicable legislation or, b) where appropriate, in the contractual relations between the person in charge and the Data Holder, that justify the treatment of the same.
Likewise, we consider that although there is no express legal provision in the LPDP or its Regulation on the declaration of inadmissibility to exercise the right of cancellation in cases in which the Data Bank Holder is obliged to keep the personal data of the Data Holders for a certain period of time, we consider that such inadmissibility would be based on specific legal frameworks, such as labor, telecommunications, financial and other regulations, as appropriate. As an example, here are some of these assumptions:
- In labor matters, article 3 of Legislative Decree No. 1310, Legislative Decree that approves additional administrative simplification measures, provides that employers must keep all documents and proof of payment of economic labor obligations only up to five years after the payment, that is, if the payment of the salary was made in May 2015, said payment slip must be kept until May 2020. In this case, it is important to emphasize that this obligation to keep documentation of the workers is only referred to ballots of payment.
- On the other hand, the employer must keep records related to occupational diseases for a period of 20 years, while the record of accidents at work and dangerous incidents for a period of 10 years after the event and, the other records for a period of 5 years after the event in accordance with the provisions of article 28 of Law No. 29783, Law on Occupational Health and Safety and article 34 of Supreme Decree No. 005-2012-TR.
- There are also other cases in which it is necessary that the employer, who has the burden of proof, keep documentation of the worker until the statute of limitations expires for the worker to claim their work benefits, AFP contributions or disciplinary sanctions imposed, as stated in the applicable legislation. In any case, the type of documentation must be evaluated, as well as the conservation time of the same for the purpose that meets the intended purposes.
- In the case of medical records, subsection 4.3.2 of Ministerial Resolution 214-2018 / MINSA, which approves NTS No. 139-MINSA / 2018 / DGAIN, Technical Health Standard for the Management of Clinical History, indicates that The Institutions Providers of Health Services -IPRESS- must keep the medical records for a period of 5 years from the date of the last patient care within the active file, and another 15 years within the passive file according to article 4.3.2.
- According to article 16 of Law No. 27336, Law for the Development of Functions and Powers of the Supervisory Body for Private Investment in Telecommunications - OSIPTEL, telecommunications operating companies are obliged to keep information for a period of at least 3 years after its origin, together with the appraisal, the source records of the call details and billing of the services it operates.
- Article 183 of Law No. 26702, General Law of the Financial System and of the Insurance and Organic System of the Superintendence of Banking and Insurance, establishes that the companies of the financial system are obliged to keep their books and documents, including forms and contracts with clients, for a period of not less than 10 years and, if a legal action is promoted against him, this obligation will persist as long as the process lasts, it is convenient to specify that the extension of said term is applicable only to the documentation that keeps relationship with the controversy
In that sense, if a worker or financial client exercises his right of cancellation with respect to the processing of his personal data, the employer or financial entity in his capacity as Data Bank Holders may deny the request for cancellation of the treatment in accordance with the established in the special rules that impose conservation obligations if applicable.
Without prejudice to the foregoing, we consider it appropriate to mention that it would be convenient to include as grounds for impropriety in the Regulation the cases of obligation to keep personal data or to perform some other treatment thereof provided for in special rules so that they do not exist legal gaps, the legislation is uniform and, therefore, it is interpreted properly guaranteeing in this way the rights of the Data Holders and the fulfillment of obligations by the Data Bank Holders.
 Article 2 of the LPDP
16. Holder of personal data. Natural person to whom the personal data corresponds.
 Article 2 of the LPDP
17. Holder of the personal data bank. Natural person, private legal entity or public entity that determines the purpose and content of the personal data bank, their treatment and security measures.
 According to article 4.1. of the NTS No. 139-MINSA / 2018 / DGAIN, the active file is the physical repository that allows to store the medical records that are frequently required by patients, and that is kept there for up to 5 years after the last care received by the patient
 The passive file is the physical repository that allows you to store medical records that have not been required for more than 5 years by patients since their last care. This file also includes the partially deleted medical records, which contain the non-deleted formats (for example: informed consent format, anesthesia format, epicrisis, discharge reports and others according to relevance).