PARAGUAY
Since July 2018, entry into force in February 2019
Pillar Online sales and transactions | Indicator Ratification of the UN Convention on the Use of Electronic Communications in International Contracts
UN Convention on the Use of Electronic Communications in International Contracts
Paraguay has signed and ratified the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.
Coverage Horizontal
PARAGUAY
Since December 2021, entry into force in May 2022
Pillar Online sales and transactions | Indicator UNCITRAL Model Law on Electronic Commerce
Law No. 6822/2021 on Trust Services for Electronic Transactions, Electronic Documents, and Electronically Transmissible Documents (Law No. 6822/2021 de los Servicios de Confianza para las Transacciones Electrónicas, del Documento Electrónico y los Documentos Transmisibles Electrónicos)
Paraguay enacted Law No. 6822/2021, drawing upon the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.
Coverage Horizontal
PARAGUAY
Since December 2021, entry into force in May 2022
Pillar Online sales and transactions | Indicator UNCITRAL Model Law on Electronic Signatures
Law No. 6822/2021 on Trust Services for Electronic Transactions, Electronic Documents, and Electronically Transmissible Documents (Law No. 6822/2021 de los Servicios de Confianza para las Transacciones Electrónicas, del Documento Electrónico y los Documentos Transmisibles Electrónicos)
Paraguay enacted Law No. 6822/2021, drawing upon the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.
Coverage Horizontal
PARAGUAY
Since November 2025, entry into force in November 2027
Pillar Domestic data policies | Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 7593 on the Protection of Personal Data in the Republic of Paraguay (Ley No. 7593 de Protección de Datos Personales en la República del Paraguay)
According to Arts. 14 and 15 of Law No. 7593/25 on Personal Data Protection in the Republic of Paraguay, the controller must carry out a data protection impact assessment (DPIA) before any processing operation that, by its nature, scope, context or purposes, is likely to pose significant risks to data subjects’ rights. A DPIA is mandatory where:
(a) there is a systematic and comprehensive evaluation of personal aspects based on automated processing, including profiling, underpinning decisions with legal or similarly significant effects;
(b) large-scale processing of sensitive data or data on criminal convictions and offences is undertaken; or
(c) large-scale, systematic monitoring of publicly accessible areas takes place.
The supervisory authority must publish a list of operations requiring a DPIA and may also issue a list of operations exempt from this requirement.
Where a DPIA shows that the envisaged processing would still involve high risk in the absence of mitigation measures, the controller must engage in prior consultation with the supervisory authority and may not commence processing until the authority has issued its opinion.
Moreover, according to Art. 4(h), the controller or processor, where applicable, shall designate a data protection officer. Art. 18 regulates the role of the data protection officer, who is responsible for supporting and supervising compliance with data protection rules.
Coverage Horizontal
PARAGUAY
Since March 2013
Pillar Intermediary liability | Indicator Safe harbour for intermediaries for copyright infringement
Law No. 4868 on Electronic Commerce (Ley No. 4868 de Comercio Electrónico)
Law No. 4868 on Electronic Commerce establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 11 of Law No. 4868, if the service receiver provides the data, the intermediary service provider shall not be responsible for the information transmitted under several circumstances, including when providers do not initiate the transmission or the data is not changed by providers. Art. 16 requests all providers to establish a mechanism to remove content that violates copyright and related rights and industrial property laws from the network. This mechanism must be public and accessible to any user.
Coverage Internet intermediaries
PARAGUAY
Since March 2013
Pillar Intermediary liability | Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Law No. 4868 on Electronic Commerce (Ley No. 4868 de Comercio Electrónico)
Law No. 4868 on Electronic Commerce establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 11 of Law No. 4868, if the service receiver provides the data, the intermediary service provider shall not be responsible for the information transmitted under several circumstances, including when providers do not initiate the transmission or the data is not changed by providers. Art. 16 requests all providers to establish a mechanism to remove content that violates copyright and related rights and industrial property laws from the network. This mechanism must be public and accessible to any user.
Coverage Internet intermediaries
PARAGUAY
Since July 2008
Pillar Intermediary liability | Indicator User identity requirement
Resolution No. 656/2008 amending Art. 11 of the Regulation on the identification of mobile telephone users and prevention of the use of stolen or lost terminals (Resolución No. 656/2008 por la cual se modifica el Art. 11 del Reglamento de Identificación de usuarios de telefonía móvil y Prevención de utilización de terminales Sustraídos o Extraviados)
According to Art. 4 of the National Telecommunications Commission's (CONATEL) Resolution No. 656/2008, the activation of a Mobile Telephony Service line requires the Sales Agent to implement procedures for identifying and registering the User. For natural persons, this involves presenting a copy of their identity document. Users who fail to provide the necessary documentation or meet the requirements specified in Art. 5 will be unable to activate a Mobile Telephony Service line. According to Art. 5, a Mobile Telecommunications Service Provider must maintain a record of its activated lines, which includes information such as an ID Document, the electronic serial number of the terminal (ESN) and/or the SIM card, if applicable, among others.
Coverage Telecommunications sector
PARAGUAY
Since August 2016
Pillar Intermediary liability | Indicator Monitoring requirement
Law No. 5653 on the protection of children and adolescents against harmful content on the Internet (Ley No. 5653, de protección de niños, niñas y adolescentes contra contenidos nocivos de internet)
According to Art. 3 of Law No. 5653, all Internet service providers shall develop and offer free software to detect, filter, classify, delete and block harmful information, and they shall provide clients with such software and a user manual explaining how to install and use it.
Coverage Internet intermediaries
PARAGUAY
Since February 2017, last amended in February 2023
Pillar Quantitative trade restrictions for ICT goods and online services | Indicator Other import restrictions, including non-transparent/discriminatory import procedures
Decree No. 6832/2017 (Decreto No. 6832/2017)
According to Arts. 3-7 of Decree No. 6832/2017, a prior import licence is required for the importation of mobile telephone devices, including mobile phones (other than satellite phones), laptops, parts and accessories for mobile phones, and mobile phone motherboards.
Coverage Telecommunication equipment and ICT goods
Sources
- https://web.archive.org/web/20260115124328/https://233773342789-lic.s3.eu-central-1.amazonaws.com/attachments/legislation/paraguay/Decreto%20No.6.832_17%20-%20Telecomunicaciones_28.02.2017.pdf
- https://web.archive.org/web/20251012040724/https://www.mic.gov.py/licencias-previas-para-importacion-celulares-placas-y-partes-destino-regimen-de-turismo/
PARAGUAY
Since November 2025, entry into force in November 2027
Pillar Cross-border data policies | Indicator Conditional flow regime
Law No. 7593 on the Protection of Personal Data in the Republic of Paraguay (Ley No. 7593 de Protección de Datos Personales en la República del Paraguay)
Art. 19 of the Law on the Protection of Personal Data establishes Paraguay’s rules on international transfers of personal data, permitting transfers (including onward transfers) only if the destination country, territory, sector or international organisation provides an adequate level of protection as determined by the National Data Protection Agency. Alternatively, transfers are permitted when controllers and processors implement appropriate safeguards, such as contractual clauses, binding corporate rules, codes of conduct or certification mechanisms, in accordance with the regulations to be adopted under the law. It also provides derogations, including transfers grounded in international treaties, judicial or intelligence cooperation to combat serious crime, contractual necessity (including authentication, service improvement, support, maintenance and billing), banking or securities transfers, health-related purposes, epidemiological studies with adequate anonymisation, and the data subject’s prior explicit consent. Although the Agency has been established, it is not yet operational, and no regulations have yet been issued.
Coverage Horizontal
PARAGUAY
Signed in April 2021, entry into force in August 2023
Signed in December 2021, entry into force in February 2024
Pillar Cross-border data policies | Indicator Participation in trade agreements committing to open cross-border data flows
Mercosur Agreement on Electronic Commerce (Acuerdo sobre Comercio Electrónico del Mercosur)
Chile - Paraguay Free Trade Agreement (Acuerdo de Libre Comercio Chile - Paraguay)
Paraguay has joined agreements with binding commitments to open transfers of data across borders. According to Art. 7.2 of the Mercosur Agreement on E-Commerce signed by Paraguay, each Party shall permit the cross-border transfer of information when the purpose of such transfer is to realise the commercial activities of a person of a Party. Furthermore, according to Art. 7.11 of the Free Trade Agreement between Chile and Paraguay, each Party shall permit the cross-border transfer of information by electronic means, where such activity is for the conduct of the business of a person of a Party.
Coverage Horizontal
Sources
- https://web.archive.org/web/20240713184029/https://www.mercosur.int/documento/acuerdo-sobre-comercio-electronico-del-mercosur/
- https://web.archive.org/web/20250106220251/https://www.mre.gov.py/index.php/acuerdo-comercial-entre-chile-y-paraguay
- https://web.archive.org/web/20250106214922/https://www.mre.gov.py/index.php/noticias-de-embajadas-y-consulados/depositan-instrumentos-de-ratificacion-de-acuerdos-sobre-comercio-electronico-y-de-recono...
- https://web.archive.org/web/20241213123802/https://www.unilu.ch/fileadmin/fakultaeten/rf/burri/TAPED/TAPED_Burri_Vasquez_Kugler_November_2024.xlsx
PARAGUAY
Since November 2025, entry into force in November 2027
Pillar Domestic data policies | Indicator Framework for data protection
Law No. 7593 on the Protection of Personal Data in the Republic of Paraguay (Ley No. 7593 de Protección de Datos Personales en la República del Paraguay)
Law No. 7593/25 on the Protection of Personal Data in the Republic of Paraguay provides a comprehensive regime of data protection in the country.
Coverage Horizontal
PARAGUAY
Since March 2013
Pillar Domestic data policies | Indicator Minimum period for data retention
Law No. 4868 on Electronic Commerce (Ley No. 4868 de Comercio Electrónico)
According to Art. 10 of Law No. 4868, intermediary service providers and data service providers shall store the connection and traffic data generated during the established communication for at least six months.
Coverage Intermediary service providers and data service providers
PARAGUAY
Since November 2002
Pillar Domestic data policies | Indicator Minimum period for data retention
Resolution No. 1350, which Establishes the Mandatory Registration of Call Details for a Period of Six Months (Resolución No. 1350, por la cual se establece la obligatoriedad de registro de detalles de llamadas por el plazo de seis meses)
According to Art. 1 of Resolution No. 1350, telephone service providers shall store a detailed call log of all Paraguayan users for a period of six months.
Coverage Telecommunications sector
PARAGUAY
Since September 2024, last amended in March 2025
Pillar Domestic data policies | Indicator Minimum period for data retention
Resolution No. 2583/2024, establishing the obligation for all Internet access and data transmission service licensees to keep connection records (Resolución No. 2583/2024, por la cual se establece la obligatoriedad para todos los licenciatarios de servicios de acceso a Internet y transmisión de datos de conservar los registros de conexion)
In accordance with Arts. 1-3 of Resolution No. 2583/2024 of the National Telecommunications Commission (CONATEL), which establishes the obligation for all Internet Access and Data Transmission Service licensees to retain connection records, such licensees must keep connection logs for each subscriber for a minimum period of six months, including the data necessary to identify the subscriber. The Resolution further requires licensees to store records for a minimum period of six months for each connection made by the subscriber, including the assigned IP address and, where network address translation (NAT) is used, the TCP/UDP ports employed and the date and time of the IP communication, together with the identification of the subscriber to whom the service is contracted.
Coverage Internet access and data transmission services
