Clym Logo
PY flag

PY

Law No. 7.593 Paraguay

Overview

Law No. 7.593 establishes Paraguay’s national framework for the protection of personal data. It regulates the processing of personal data by public and private entities and creates the Agencia Nacional de Protección de Datos Personales as the supervisory authority.

The law introduces core data protection principles, lawful bases for processing, security obligations, breach notification requirements, impact assessments, international transfer safeguards, and enforceable individual rights.

The law was officially published in the Official Gazette Nº 287 on 11/27/2025 and entered into force on 11/28/2025.

Regulation Summary

  • 11/13/2025 – Law approved by Congress.
  • 11/27/2025 – Published in Official Gazette Nº 287.
  • 11/28/2025 – Law partially enters into force.
  • 11/27/2027 – End of two-year transition period for full implementation.

  • All public and private entities processing personal data in Paraguay.
  • Entities established in Paraguay, even if processing occurs abroad.
  • Foreign companies offering goods or services to individuals located in Paraguay.
  • Entities monitoring behavior within Paraguayan territory.
  • Public institutions and government bodies.

  • Personal or household activities without commercial purpose.
  • National defense, security, migration, and criminal investigations.
  • Specific sectoral laws governing credit data and criminal records.
  • Activities subject to constitutional protections such as freedom of expression, subject to proportionality.

  • Identify and document a lawful basis for processing.
  • Apply principles such as lawfulness, purpose limitation, proportionality, transparency, security, and confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Conduct data protection impact assessments for high-risk processing.
  • Appoint a data protection officer when required by regulation.
  • Notify the authority and affected individuals of security incidents within 72 hours.
  • Maintain internal documentation and accountability records.

  • Provide clear and accessible privacy notices.
  • Implement valid consent mechanisms when required.
  • Provide accessible tools for exercising data subject rights.
  • Apply safeguards to online forms and digital collection mechanisms.
  • Disclose profiling and automated decision-making practices where applicable.

  • International transfers permitted only to countries with adequate protection or with appropriate safeguards such as contractual clauses or binding corporate rules.
  • Enhanced protection for sensitive data, including biometric, genetic, health, political, and religious data.
  • Parental consent required for children under 16.
  • Mandatory prior consultation with the authority when a data protection impact assessment identifies high risk.
  • Creation of an autonomous national data protection agency with regulatory and sanctioning powers.

  • Right to information.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to opposition.
  • Right to portability.
  • Right to review automated decisions.
  • Right to lodge complaints with the supervisory authority

  • Authority: National Data Protection Agency
  • The authority has investigative, supervisory, regulatory, and sanctioning powers.
  • Sanctions are administrative and determined based on severity, proportionality, and regulatory criteria.
Book a demo