Paraguay’s Personal Data Protection Law published

Dec 3, 2025 | Client Alert, Technology

On November 27, Paraguay published Law No. 7593/2025, the country’s first general personal data protection law. Until now, the matter was governed by sparse legislation, such as the Credit Data Protection Law (Law No. 6534/2020). With the new legislation, Paraguay adopts a regulatory model aligned with the European Union and other Latin American countries.

Key features of the law include:

  • General data protection principles, which include accuracy, lawfulness, purpose, minimization or proportionality, storage period limitation, fairness and transparency, reconciliation between public transparency and protection, due diligence, security, and confidentiality;
  • Legal bases for processing personal data, including legitimate interest;
  • Obligation to appoint a Controller (Responsable) Representative or Processor (Encargado) Representative, responsible for responding to the Authority and to requests from Data Subjects, in situations to be further regulated by the Authority;
  • Obligation to appoint a Data Protection Officer (DPO), who must support and oversee compliance with data protection rules;
  • Requirements to conduct Data Protection Impact Assessments (DPIA) for activities deemed higher risk;
  • Mandatory notification of security incidents to the Authority and Data Subjects within 72 hours of becoming aware of the incident, subject to further regulation by the Authority;
  • Establishment of frameworks for international data transfers; and
  • Data Subjects' rights, including the rights to access, rectify, delete, and port their personal data, to object to its processing, and to review automated or semi-automated individual decisions.

In addition, the Law creates the National Personal Data Protection Agency, which will have functional autonomy and independence for decision-making, action, regulation, supervision, control, sanctioning, and the application of fines.

The Law will come into force in 24 months. Once effective, companies will be required to comply if (i) they are present in Paraguay, even if the processing is carried out in another country; (ii) they process data of individuals located in Paraguayan territory; (iii) their data processing activities are related to the supply of goods or services in Paraguay; or (iv) their data processing relates to monitoring the behavior of individuals located in Paraguayan territory.

If you have any questions about the new personal data protection legislation in Paraguay or how to incorporate it into your Corporate Data Protection Governance, please contact our Technology, Privacy, and Data Protection Team: [email protected] .
