On november 27th of 2025, the Reublic of Paraguay encacted “Law 7593/2025” Ley 7593/2025 on the Protection of Personal Data. Although this law is not yet in effect, it is subject to a 24 month regulatory period and it points out the beggining of a legal framework aimed at aligning with international standards.

Thie text implies that the mandatory parties include both individuals and legal entities, whereas the protected parties are specifically individuals.

The competent authority shall be the National Agancy for the Protetcion of the Personal Date, as stipulated in Tittle IV. This entity will assume the role currently held by the Secretariat for Consumer and User Defense (SEDECO) regarding Law No. 6534/2020 on the Protection of Credit Data. Said law will remain in effect, with the exception of specific articles clearly stated for repeal. Furthermore, it is clarified that this law will aply supplementally to matters not adressed by Law No. 6534/2020. The Institution shall posses functional authonomy, and its establishment will be overseen by the Ministry of Information and Communication Technologies (MITIC). It must also be included in the National General Budget.

Upon reviewing the content, it is more then clear that the objective is to ensure the responsible use od citizens' data. This is constitutionally mandated, as privacy is considered a protected legal interest (Article 33 of the National Constitution of the Republic of Paraguay). Under this law, personal data is recognized as an integral part of the rights to privacy, dingnity, and honor.

Particular emphasis is placed on the fact that no company or entity whether it is private or public, domestic or foreign, is authorized to process personal data without a legally established protocol. This applies to manual or automated storage, as well as public and private records located both within and outside the country. Theses protections are further strengthened when the date involves children or adoledcents.

According the text, both public and private entities must ensure that data is processed with transparency and legality, comply with regulations regarding data retention, transfer, and documentation, as well as it takes rigorous precautions to ensure confidentially and security during data handling.

Article 4 establishes the governing principles for the processing of personal data, including: data accuracy, lawfulness, purpose, minimization or proportionality, storage limitation, fairness and transparency, the balancing of public transparency and protection, due diligence, security, and confidentiality."

The text further stipulates the conditions regarding both the processing of data and the provision of consent to be granted by the natural person, as set forth in Articles 5 and 6.

The data is categorized in Chapter IV of Title I, setting forth prohibitions, special treatments, conditions, and other relevant provisions.

The law clearly shoes off that date subjects shall be provided with mechanisms to gurantee their rights of acces, rectification, objection, portability, and erasure. Furthermore, the retain the auhtority to take out or revoke consent at any time. These rights may be exercised by the individuals themselves or through an authorized representative.

Chapter V of Title I is of particular interest, as it addresses access to information held in public sources that may be denied or restricted. It provides for specific exceptions to the right of access to public information and exhaustively enumerates the instances in which such exceptions shall not apply. Furthermore, it outlines a brief procedure, including statutory deadlines, regarding the exercise of the data subject's rights.

The entities depemding on this law shall appoint a Data Protection Officer (DPO), in addition to observing all other required safeguards and aligning their practices accordingly. Chapter II of Title II establishes the obligations concerning to the data controller and the data processor.

Title V, Chapter I of the Law characterizes the described conducts as minor and serious infractions; it provides for sanctions ranging from a formal warning to fines (which are quantified according to their classification), as well as the suspension of activities related to the processing of personal data. The proceeds from these fines shall be allocated to the enforcement authority.

Finally, it is important to note that the objective is to bring the country into alignment with the legal standards of jurisdictions where personal data protection is legislated; however, this requires the adaptation of numerous practices and mechanisms to ensure that such intended protection is neither misrepresented nor manipulated.