In the latest installment of our series on Fintech regulation in Paraguay, we review the current legislation, as well as new regulatory efforts, focusing on tools closely linked to the Fintech world: credit and personal data, and trust services.
- Data Protection
Credit information and its processing are regulated through Law No. 6,534/20. However, the treatment and use of personal data are not within the scope of this law, prompting current efforts to regulate them.
- 1. Applicable Laws
Law No. 6,534/20, "Protection of Personal Credit Data," establishes the regime for the protection of data and personal information. It regulates the collection of and access to credit information, establishing provisions for companies engaged in obtaining and providing credit information.
This law defines personal data as any information of any kind, referring to specific or determinable legal or natural persons. It also defines credit information as positive and negative information related to the credit history of individuals and legal entities, regarding credit and commercial activities that serve, among other things, to determine their level of indebtedness, fulfillment of obligations, and, in general, credit risks at a given moment.
This law seeks to preserve fundamental rights, such as privacy, informational self-determination, freedom, security, and fair treatment of individuals. It prohibits the dissemination of intimate data of the owner, or any misuse that may lead to discrimination or pose a serious risk to them.
The authorities designated by the law for data protection matters are the Central Bank of Paraguay ("BCP") and the Consumer Protection Secretariat ("SEDECO"). These authorities act as supervisors of the data protection system established by the law and can impose sanctions on those who violate its provisions.
Furthermore, this law guarantees all individuals access to personal data about themselves and about those under their legal authority, guardianship, or curatorship, held in records maintained by individuals or legal entities, public or private.
According to this law, individuals must expressly and unequivocally consent to the collection and use of their personal data. This consent can be in written, electronic, or digital form and can be expressly revoked under the same conditions, free of charge and without retroactive effect. The processing and transfer of this data without the consent of the owner constitute an unlawful act.
Individuals also have the right to know the general and specific conditions of the processing of their personal data, and the purpose for which the data will be used must be explicitly and clearly disclosed to them. In this context, they can request the updating, rectification, deletion, opposition, and portability of this data from the entity responsible for its management. Unless otherwise provided by law, credit information in a registry can be retained for up to five years from the date of the recorded events.
The law establishes a duty of secrecy for individuals responsible for and in charge of processing third-party credit information, as well as those involved in any phase of its collection, processing, storage, use, or circulation. This duty of secrecy only gives way when the information is required by the Central Bank, its supervisory bodies, the National Directorate of Tax Revenues ("DNIT"), the Secretariat for the Prevention of Money Laundering or Assets ("SEPRELAD"), the General Comptroller of the Republic, and, naturally, the Public Prosecutor's Office and competent judicial authorities.
Credit information services can only be provided by Credit Information Bureaus previously authorized by the BCP. These bureaus can only provide credit reference services to certain users, including banks and financial institutions, cooperatives, credit houses, individuals or companies providing credit, mutual funds, and pawn shops, as well as individuals or companies dedicated to selling products on credit or installment plans and those functioning as a channel or means to facilitate financial intermediation or credit granting.
These bureaus can only process credit information related to the economic solvency and credit of the owner, obtained from public sources or provided by the owner with their consent. They cannot disclose credit information about (i) overdue debts not judicially claimed that have exceeded three years of registration, (ii) canceled debts, and (iii) creditor meeting lawsuits after five years from their admission.
Users of credit information services must provide Credit Information Bureaus with positive and negative credit information about their clients. Additionally, they can only use credit information obtained through bureaus confidentially and for the assessment of credit risks.
A key obligation established for users of these services is to inform the owner of credit information about the denial of a contract, job application, service, commercial or financial credit based on a credit report, providing a copy of this report.
Regarding violations of the law, both individuals and legal entities that commit offenses may be held responsible, as well as all members of the administrative bodies of the entity in question and those who perform functions similar to those positions, with the exceptions and according to the circumstances established in the law.
Sanctions that may be imposed on violators by the BCP and SEDECO range from warnings, temporary and permanent closure of operations, disqualification from holding positions within the financial, credit, and Credit Information Bureaus systems, to fines that could amount to nearly one million dollars.
- 2. Proposed bill
Upon the enactment of Law No. 6,534/20, sectors of the population expressed concerns about its scope, claiming this law primarily regulates the treatment of credit information of individuals, without focusing much on protecting personal data in general.
Therefore, a bill that aims to rectify this situation and include personal data is now under discussion in the committees of the House of Representatives.
In its current wording, the bill does not seek to repeal Law No. 6,534/20 but aims to regulate, in a supplementary manner, those issues of credit information not covered by Law No. 6,534/20. Therefore, the bill does not address the treatment and use of already regulated credit information but aims for the comprehensive protection of personal data of individuals to ensure the full exercise of their rights and regulate the free circulation of this data.
To this end, the bill seeks to regulate issues related to biometric, genetic, sensitive, and personal data. It also aims to regulate the processing of this data and its automated use, as well as profiling based on it.
- Trust Services
The Paraguayan State, through the Ministry of Information and Communication Technologies, has developed strategies for the digitization of services, transactions, and interactions in the country, both in the public and private spheres. This project, known as the Digital Agenda, among other things, seeks to promote access to secure and fast digital interactions and, in this context, has regulated the provision of so-called "trust services."
Trust services, defined as those involving the creation, verification, validation, or preservation of electronic signatures, electronic seals, electronic time stamps, electronic delivery, website authentication, and means of identification through electronic identification systems, are regulated as such in Paraguay by Law No. 6,822/21, "On Trust Services for Electronic Transactions, Electronic Documents, and Electronic Transmissible Documents" (the "Trust Services Law"), and its regulatory decree, No. 7,576/22.
These services aim to generate trust and security in electronic transactions and interactions between public bodies, citizens, and businesses, and their regulation is necessary to foster a secure electronic money ecosystem for the population. Among those frequently used are electronic signatures for validating legal acts such as contracts, electronic billing processes, electronic transmission of data or documents, and an increasingly wide range of government procedures.
- 1. Applicable Laws
Law No. 6,822/21 is primarily influenced by European Regulation No. 910/2014, which regulates electronic identification and trust services for electronic transactions in the member states of the European Union.
The state entity responsible for supervising and issuing the necessary resolutions for the implementation of the provisions of the Trust Services Law is the Ministry of Industry and Commerce, as stipulated by its regulatory decree.
To precisely determine what trust services are, the Trust Services Law establishes four pillars to define them, namely:
- The creation, verification, and validation of electronic signatures, electronic seals, electronic time stamps, certified electronic delivery services, and certificates related to these services;
- The creation, verification, and validation of certificates for website authentication;
- The preservation of electronic signatures, seals, or certificates related to these services;
- The issuance service of means of identification through electronic identification systems.
The main services within these pillars are electronic signatures, electronic seals, electronic time stamps, certified electronic delivery services, and certificates for website authentication.
The law establishes that the electronic identification of an individual or legal entity (through its representative) will not be denied legal effects or admissibility in private, judicial, and administrative proceedings, as long as the identification is carried out through an electronic identification system that complies with the requirements outlined in the Trust Services Law.
Likewise, the law establishes a distinction between the provision of these services and their qualified provision, which constitutes a more reliable version of these services and can only be provided by qualified providers according to the parameters established in the law, with implications explained later. The Ministry of Industry and Commerce maintains the list of qualified providers.
To become a qualified provider of these services, providers must be established in the country, either (i) by establishing domicile in Paraguayan territory; (ii) by having facilities or workplaces in Paraguayan territory, where they carry out all or part of their activity; or (iii) by registering their company or branch with the General Directorate of Public Records. In addition, the provision of the service must be included in the corporate bylaws of the providing entity.
These qualified providers must be audited at least every two years by independent auditors. In addition, they can be audited at any time by the Ministry of Industry and Commerce, and they must adjust their operations to the observations made by it. Additionally, trust services provided by service providers established outside the country will be recognized as equivalent to those provided by service providers established in Paraguay, as long as there are mutual recognition agreements between national authorities or corresponding international organizations.
The Trust Services Law reiterates what was established by its predecessor, Law No. 4,017/10, by stating that a qualified electronic signature has the same legal effect as a handwritten signature. However, it eliminates the distinction between digital and electronic signatures that Law No. 4,017/10 had stipulated, causing confusion in the everyday use of these services.
The electronic reproduction of documents in paper format, through scans and similar processes, receives explicit legal recognition through the Trust Services Law. This recognition will be valid as long as there is some reliable guarantee that the integrity of the information contained in the document has been preserved.
Finally, the Trust Services Law also recognizes the legal value of acknowledgments of receipt of electronic documents through any act by the recipient that is sufficient to indicate to the sender the receipt of the document. This is especially important for everyday interactions through emails or messaging applications.