Paraguay passes comprehensive data protection law as regulatory landscape evolves

Paraguay's legislative process reached a significant milestone when the Chamber of Deputies approved the Personal Data Protection Bill on May 27, 2025, just 12 days ago. According to Luis Alberto Montezuma, an International Data Spaces Facilitator, "On June 5, the President signed and forwarded it to the Senate for consideration and approval."

The timing of Paraguay's data protection legislation demonstrates the country's commitment to modernizing its regulatory framework. The bill, which originated in 2021, underwent extensive committee review and modification before receiving approval from the Chamber of Deputies. This legislative journey spans four years, reflecting the careful consideration given to establishing comprehensive privacy protections.

The law establishes fundamental principles for personal data processing that align with international standards. According to the legislation, data processing must adhere to principles of accuracy, lawfulness, purpose limitation, proportionality, loyalty, transparency, and due diligence. These principles create a framework ensuring that personal data receives appropriate protection while enabling legitimate business operations.

Technical definitions within the law provide clarity for implementation. The legislation defines personal data as "information of any type referring to determined or determinable natural persons," while sensitive personal data includes information about racial or ethnic origin, religious beliefs, political affiliation, health data, sexual orientation, genetic data, and biometric data. These definitions establish clear boundaries for different categories of information requiring varying levels of protection.

The law establishes specific conditions under which personal data processing becomes lawful. Data subjects must provide consent for processing, except in cases involving legal obligations, legitimate interests, public functions, contract execution, vital interests protection, or judicial proceedings. The legislation requires that consent be "prior, free, informed and unequivocal," ensuring individuals understand how their data will be used.

International data transfers receive particular attention in the legislation. According to the law, personal data transfers outside Paraguay's territory can only occur when the destination country maintains adequate protection levels. The legislation includes exceptions for international treaties, judicial cooperation, intelligence cooperation for combating terrorism and organized crime, and contractual relationships where data subjects have provided prior consent.

The law creates the National Agency for Personal Data Protection as the primary supervisory authority. This agency operates within the Ministry of Information and Communication Technology with the rank of General Directorate. The agency possesses extensive powers including supervision, control, evaluation of data processing activities, assistance to individuals regarding their rights, and establishment of binding regulations.

Yield: How Google Bought, Built, and Bullied Its Way to Advertising Dominance

A deeply researched insider’s account of Google’s epic two-decade campaign to dominate online advertising by any means necessary.

Order Now

Rights granted to data subjects under the new law include access to their personal information, rectification of inaccurate data, opposition to processing, suppression of data under specific circumstances, and portability when processing occurs through electronic means. The legislation establishes a 30-day response period for data controllers to address individual requests, ensuring timely resolution of privacy concerns.

Enforcement mechanisms include administrative sanctions ranging from warnings to monetary fines. The law establishes penalty structures with fines ranging from 20 to 2,500 minimum daily wages for general violations, with enhanced penalties for sensitive data processing violations reaching up to 5,000 minimum daily wages. The legislation also allows for suspension of data processing activities when violations occur.

The law includes provisions for video surveillance processing, stating that "natural or legal persons, public or private, may carry out image processing through camera or video camera systems for the purpose of preserving the security of persons and property." However, the legislation restricts public road surveillance except when necessary for strategic infrastructure security or transportation safety.

Special protections apply to children's data processing. The law requires that "in the processing of personal data of a child, girl or adolescent, the protection of their superior interest must be privileged." Adolescents who have reached 14 years of age may provide valid consent for their personal data processing, except for sensitive data requiring legal guardian intervention.

The legislation addresses automated decision-making by granting individuals the right to request human review of decisions based on automated or semi-automated personal data processing. Data controllers must provide clear information about the criteria and procedures used in automated decision-making processes while respecting commercial and industrial confidentiality requirements.

Public sector data processing receives dedicated attention through specific provisions allowing information exchange between public institutions under defined circumstances. The law requires that such exchanges occur only when the receiving institution obtained data through legitimate exercise of its functions and when the data remains adequate and proportional to the intended purpose.

The enforcement provisions establish a two-tiered violation system distinguishing between minor and serious infractions. Minor violations, subject to one-year prescription periods, include collecting personal data without providing adequate information to data subjects, failing to attend to access rights, or non-compliance by data processors with contractual stipulations. Serious violations, carrying two-year prescription periods, encompass transferring personal data in contravention of established rules and treating personal data of minors without proper consent or guardian authorization.

Timeline

May 27, 2025: Paraguay's Chamber of Deputies approves the Personal Data Protection Bill following committee modifications of the original 2021 proposal

June 5, 2025: President signs and forwards the legislation to the Senate for final consideration and approval

Implementation period: Law enters into force 24 months after official publication, providing organizations time to establish compliance frameworks

Next steps: Senate review and potential enactment, followed by Executive Branch regulatory development

Why This Matters

Paraguay's data protection law represents a significant shift in South America's privacy landscape that marketing professionals cannot ignore. The legislation introduces consent requirements that will fundamentally change how companies collect and process customer data for marketing purposes. Organizations operating in Paraguay must now implement transparent consent mechanisms, providing clear information about data collection purposes and obtaining explicit authorization for marketing communications.

The law's international transfer restrictions create particular challenges for global marketing operations. Companies transferring Paraguayan customer data to other countries for analytics, customer segmentation, or campaign management must ensure destination countries provide adequate protection levels or implement appropriate safeguards. This requirement may necessitate restructuring data flows and reassessing vendor relationships.

Marketing automation and profiling activities face new constraints under the automated decision-making provisions. The legislation grants individuals rights to human review of automated marketing decisions, potentially affecting algorithmic targeting, customer scoring, and recommendation systems. Marketing teams must prepare for increased transparency requirements about their decision-making processes while maintaining competitive advantages.

The establishment of the National Agency for Personal Data Protection introduces a new enforcement authority that marketing professionals must monitor. The agency's broad powers include conducting audits, imposing substantial fines, and requiring changes to data processing practices. Marketing compliance programs must incorporate procedures for responding to agency inquiries and implementing corrective measures when required.

This development occurs as European data protection enforcement faces challenges with regulatory complexity and coordination difficulties between authorities. Paraguay's approach provides an opportunity for clearer, more streamlined privacy regulation that could influence regional privacy standards. Marketing teams operating across Latin America should monitor Paraguay's implementation as a potential model for neighboring countries' privacy legislation development.