Privacy is protected in the National Constitution of Paraguay (the Constitution) and specifically, credit data and its processing are regulated in the recent Law 6534/2020 (Personal Credit Data Protection Law). 

The right to the protection of intimacy, dignity and the private image of people is guaranteed in Article 33 of the Constitution. This article also states that personal and family intimacy, as well as respect for private life, is inviolable. The conduct or behaviour of people, so long as it does not affect the public order established by the law or the rights of third parties, is exempted from public authority.

The Constitution also recognises the habeas data action, which is the main way data protection rights may be exercised. It is contemplated in Article 135 as a constitutional guarantee and allows an individual to access information or data about themselves or their assets that is held in social or private registers of a public nature. Furthermore, it provides the right to know how the information is used, including its purposes, and the possibility to ask for it to be updated, rectified, or destroyed when it is erroneous or illegitimately affects personal rights.

Regarding specific legislation regarding data protection, the above-mentioned new Personal Credit Data Protection Law was enacted at the end of 2020. This law has repealed previous laws which regulated private information. Besides the fact that it establishes new definitions of personal data, including sensitive personal data and credit information data, it also creates new data security obligations for companies that process personal credit data and enlarges the data subject rights of access, rectification and objection, as well as the right to be forgotten.

There is no specific data protection authority in Paraguay.

Nonetheless, the Central Bank and the Secretary of Consumer Defence are the competent authorities established in the Personal Credit Data Protection Law. Both authorities have the power to initiate investigations and issue sanctions to companies who process personal credit information.

As Personal Credit Data Protection Law is very recent, we have not yet seen any enforcement action nor sanctions from the credit data authorities. 

Taking into consideration the scope of contemporary data protection legislation all over the world, especially the EU's General Data Protection Regulation (GDPR), there are many provisions that are not present in the Paraguayan law.

As a result of this situation, and in view of the necessity of a comprehensive data protection law, a civil society group called the Personal Data Coalition has started working on a draft bill with a plan to present a final draft to Congress as soon as possible.

TEDIC and ISOC (Paraguayan chapter) are both NGOs advocating for a comprehensive data protection law in the country.

The draft bill for a comprehensive data protection law mentioned in 1.4 Multilateral and Subnational Issues is based on the EU model; therefore, it has incorporated well-known international data protection standards.

The most important recent development in Paraguayan law is the new Personal Credit Data Protection Law, enacted and approved in the past year. In addition, a draft bill for a comprehensive data protection law is being elaborated for an eventual submission and thorough study in Congress.

In the next 12 months, the official entrance of a comprehensive data protection law for its discussion in Congress is expected.

Within the current framework of data protection, there is no requirement for the appointment of data protection officers.

The legal criteria for data processing are the express consent of the data subject and authorisation by law.

Neither privacy by design or by default nor privacy impact analyses and adoption of internal or external privacy policies are contemplated.

There are rights for credit data subjects, such as access, erasure, correction, portability and objection to collection and use. A data subject may exercise their rights anytime and their request should be directed to the controller. Proceedings must be simple, efficient, and accessible without any costs for the data subject.

There is no indication of the use of data pursuant to anonymisation, de-identification and pseudonymisation. Neither are there restrictions on or allowances for profiling, automated decision-making, online monitoring or tracking, big data analysis, artificial intelligence, and algorithms.

Concepts of injury or harm in relation to breaches of data subject rights have not yet been developed in Paraguayan law.

It is worth noting that most of these issues are considered in the draft bill for a comprehensive data protection framework.

The definition of sensitive data is stated as all information regarding race or ethnic origin, political preferences, health conditions, religious or philosophical or moral beliefs, sexual orientation, and, in general, all data which could cause any discrimination, or affect the dignity, privacy, and the private image of persons or families.

It is strictly prohibited to publish or disclose this special category of data relating to an individualised or identifiable person without the authorisation of the data subject.

There is not yet any specific regulation regarding internet data or streaming and video issues.

Regarding data subject rights in general, the current framework allows the exercise of the traditional rights to access, rectification, and erasure through the habeas data action. This action is brought before civil courts. Furthermore, the right of portability is only mentioned in the Personal Credit Data Protection Law. There is no mention of the possibility of objecting to the use of data for its sale and/or tracking. 

Article 23 of Law 4868/2013 (Electric Commerce Law) contains stipulations regarding unsolicited commercial communications through email. It establishes that providers of goods and services can only send commercial communications when they fulfil the following requirements:

• they indicate in an express way that it is an unsolicited commercial communication;
• they include in the message a simple mechanism for the request of exclusion from the list;
• the recipient’s data must be obtained without any infraction of their privacy rights; and
• the commercial communication should not exceed the size determined by the authority.

A subsequent law was enacted, Law 5830/2017, which prohibits unauthorised advertising to mobile phone users. It refers specifically to telemarketing calls and text messages. This law creates a registry to which cell phone owners request the addition of their numbers to avoid future unsolicited communications. Goods and services providers must check the list before sending commercial communications to potential clients. 

There are no constrains on behavioural and targeted advertising so far.

There is no special law regulating privacy in the workplace. Nonetheless, last year a law regarding teleworking was enacted, Law 6738/2021.

In Article 8 of Law 6738/2021, dealing with privacy, obliges employers respect the private lives of their teleworkers. A right to digital disconnection of workers is guaranteed, which allows employees to not answer work communications, calls, emails, messages, Whatsapp, etc, outside their working hours.

Furthermore, Article 18 of Law 6738/2021 establishes that systems of control which are designed to protect the employers’ goods and information will also have to safeguard the right to privacy of teleworkers and the privacy of their homes.

As of now (February 2021), there are no legal standards established for violation of general privacy or data protection laws.

Concerning the Personal Credit Data Protection Law, it provides a vast list of infractions and the maximum stipulated sanction is high. Specifically, it mandates fines of up to 15,000 times the minimum wage for first time offences (approximately USD180,000). If further offences occur, fines will increase to 50,000 times the minimum wage (approximately USD600,000) for natural or legal persons with turnovers of more than PYG6 billion.

No penalties have yet been imposed by the new competent authorities.

Class actions are not allowed in Paraguay.

A judicial authorisation is required to access data in cases of investigation of possible crimes.

Government could access personal data for intelligence purposes upon judicial authorisation, according to law 5241/2014. A proportionality criterion must be considered and a balance between the pursued objectives and the subject's privacy rights struck.

There are no specifications with respect to what constitutes a legitimate basis when foreign governments request access to collect and transfer data. 

Paraguay does not participate in a Cloud Act agreement with the USA.

There is some debate about biometric data and the use of surveillance cameras in some areas of the capital city by the Home Affairs Ministry and the National Police. NGOs have requested access to more detailed information regarding the information and images collected, what data processing is being carried out and the given use. This judicial action will be attended to by the Supreme Court.

The data protection framework in force does not refer to data transfers of personal information. However, there is a mention of international data transfer in the Personal Credit Data Protection Law. The international transfer of personal data to a recipient located in a third country or to an international organisation, when the guarantees, requirements or exceptions established in this law are not met, is included in the list of infractions. Neither requirements nor exceptions are mentioned in the law.

As detailed in 4.1 Restrictions on International Data Issues, there are no specific provisions regarding data transfer in Paraguay.

There are no government notifications or approvals required to transfer data internationally.

Currently there are no data localisation requirements.

No software code, algorithms or similar technical details are required to be shared with the Paraguayan government.

There are no specific limitations or considerations applied to the collection or transfer of data in connection with foreign government requests. 

Currently, there are no blocking statutes in Paraguay.

None of the key data protection issues raised by emerging technologies (eg, big data analytics, AI and machine learning, facial recognition and the spread of online disinformation) are yet regulated yet in Paraguayan legislation. However, the concept of automated decision-making is incorporated in the draft bill mentioned in 1.4 Multilateral and Subnational Issues. It is anticipated that it will be a data subject right to request a review of decisions taken solely based on the automated processing of personal data.

Furthermore, biometric data is properly defined and included as personal data.

It is not common in Paraguay for organisations to establish protocols for digital governance, or fair data practice review boards or committees.

So far there have not been any significant audits, investigations or penalties imposed on companies for privacy violations in Paraguay.

Neither class actions, collective redress nor representative actions are permitted in Paraguay.

During due diligence proceedings, if and when processing personal data, general protection rules must remain.

There is no other specific law that mandates disclosure of an organisation’s cybersecurity risk profile or experience.

There are no further significant issues in Paraguayan data privacy and protection not already discussed in this chapter.