Peru: Data Protection in the Automotive Sector


1. Governing Texts

In Peru, Law No. 29733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law') and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Regulation') constitute the personal data protection regime. This regime imposes obligations on individuals and companies who, in the development of their activities, access and administer personal data of current or potential customers, employees, or other individuals. Such obligations require, in some cases, adapting the terms and conditions of contracts pursuant to which personal data is accessed, adopting internal security measures to ensure confidentiality and security of the personal information, implementing channels to allow data subjects to access their personal information, and registering before the competent national authorities the databases that a company may be managing, among other aspects. Additionally, as many market activities involve personal data processing, it is important that stakeholders introduce a data protection policy throughout their activities.

In this regard, despite the fact that Peru does not have specific regulations on personal data and cybersecurity in the automotive sector, the data processing involved in this sector must be carried out in compliance with the Peruvian data protection regime. As an example, geolocation data collected by connected vehicles would be considered, under certain circumstances, as personal data protected by the Law.

1.1. Legislation

In Peru, the Ministry of Transportation and Communications ('MTC') is the government entity in charge of regulating the requirements and conditions for the entry, registration, transit, operation, and removal of the vehicles from the national transportation system. The main provisions are established by Supreme Decree No. 58-2003-MTC which Approves the National Vehicle Regulation and its amendments (only available in Spanish here) ('the National Vehicle Regulation').

The National Vehicle Regulation establishes the minimum conditions that vehicles must have for their operation in the territory of the Republic of Peru. Furthermore, the National Vehicle Regulation establishes that certain types of vehicles must have a tachograph (registration instrument that stores information on driving a vehicle, mainly information on times, speed, and displacement). In the case of M1 and N1 category vehicles such as sedans, the use of tachographs is optional. In vehicles of category M2, N2, M3, and N3, such as vans, buses, and trucks, the use of tachographs is mandatory.

However, the National Vehicle Regulation does not develop any requirements or characteristics related to the protection of personal data and cybersecurity of vehicles. Despite that, the government has issued regulations and directives related to the geolocation of vehicles, if the vehicles are intended for the land transport service of people or goods (based on Articles 20.1.10 and 21.3 of Supreme Decree No. 017-2009-MTC which Approves the National Transport Administration Regulation (only available in Spanish here)).

Furthermore, the MTC has issued additional measures to regulate the control system of the vehicles. For the transport service, the MTC has issued Directorial Resolution No. 1947-2009-MTC-15 (only available in Spanish here) and Directorial Resolution No. 1811-2014-MTC-15 (only available in Spanish here) (through which Directive No. 001-2014-MTC/15 (only available in Spanish here) was approved). Among other technical aspects, the aforementioned resolutions establish the characteristics of vehicle location systems and the corresponding connectivity conditions.

With regards to data privacy, there is no specific regulation on the protection of personal data and cybersecurity for connected vehicles, autonomous driving, telematics, and manufacturing, and as such, the general Peruvian data protection regime would apply.

The Peruvian data protection regime establishes obligations, including the following, with which companies in the automotive sector must comply.

Consent

Generally, for the processing of personal data, the controller, i.e. an individual, company, private legal entity, or public entity that determines the purpose and contents of the database, the processing thereof, and its security measures, must obtain the consent of the data subject, i.e. the natural person whom the data enables to be identified, unless an exception provided by the Law could be applied. The most important exceptions are the following:

  • The personal data is collected or transferred in response to a public entity acting within the scope of its powers (for example, when the consumer protection agency requests a business client list).
  • The personal data is contained or intended to be contained in sources accessible to the public (for example, information contained in the phone book, newspapers, magazines, etc.).
  • The personal data is necessary for the execution of a contractual relationship to which the personal data owner is a party (for example, when you use the email address, mailing address, or phone number of a customer to comply with certain purposes of the contract, and send monthly billing statements).
  • When an anonymisation or dissociation procedure has been applied. An anonymisation procedure is a process by which the personal data is irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly. On the other hand, the dissociation is reversible. For the definitions of 'anonymisation' and 'dissociation', see 'Key Definitions' below.

According to the Law and the Regulation, the consent obtained by the data controller must be:

  • Free – obtained without the mediation of error, bad faith, violence, or deception that may affect the data subject's will (including the possibility for the data subject to accept or deny the different purposes in processing their personal data).
  • Prior – obtained before the collection of data, or where the personal data is being used for different purposes other than those for which the consent was given.
  • Express and unequivocal – the collection of the consent must occur in conditions that do not allow doubts about its granting. The consent may be oral, written, or behavioural (through a conduct that unequivocally evidences that consent has been granted). However, in the case of sensitive data, consent must be written.
  • Informed – the controller must disclose all aspects of the processing in a clear, express, and unambiguous manner, as well as in a simple language.

Security measures

Controllers should adopt legal and technical measures to ensure the security of personal data and avoid its alteration, loss, processing, or unauthorised access. The security measures should be appropriate and consistent with the processing to be carried out.

In addition to this, the National Authority for the Protection of Personal Data ('ANPD') has published the Information Security Directive (only available in Spanish here) ('the Security Directive'), providing guidelines for determining the security conditions in the processing of personal data to be observed by the database controller.

Confidentiality

In the absence of specific regulatory exceptions, controllers and those who intervene at any stage in the personal data processing, are required to maintain the confidentiality of the handled information.

Data subject rights

The controller must allow the exercise of the following rights granted to data subjects:

Right to information and right of access

Individuals have the right to receive certain information prior to the collection of their personal data. Moreover, individuals have the right to request information from the controllers regarding how their personal data is being/will be processed.

Right to update, include, rectify, and delete data

The Law recognises that data subjects could request the following actions to be implemented by the controllers: (i) update to their personal data; (ii) inclusion of information to complete the data being processed; (iii) rectification of inaccurate, incorrect, or false data; and (iv) suppression of information contained in a database.

Right to prevent the supply and right of opposition

Individuals are entitled to impede their data from being shared with third parties when it affects their fundamental rights and to oppose its processing when there are reasonable grounds.

Data transfers

The transfer of personal data implies the transmission or supply of personal data to third parties (e.g. a private legal person, a public entity, or an individual other than the data subject), inside or outside the country. For example, the exchange of customers' databases between related companies for commercial purposes constitutes an act of transfer. Similarly, the acquisition of a database of potential customers from a third party for marketing activities constitutes an act of transfer.

Any transfer of personal data must comply with the following obligations:

  • the controllers must obtain the free, prior, expressed, informed, and unequivocal consent of the data subject to transfer their data, unless they are acting under the exceptions established in the Law to which we have referred previously in 'Legislation, Consent' above;
  • if the controllers transfer or receive personal data, companies must comply with the following obligations:
    • obligations of the entity that transfers personal data (the 'issuer' or 'exporter'): the issuer or exporter of the personal data must prove that the transfer has been performed in accordance with the obligations established by the Law;
    • obligations of the entity that receives the personal data (the 'recipient' or 'importer'): the recipient or importer of personal data has the same obligations as a controller and must process the personal data in accordance with the information provided by the issuer or exporter to the data subject; and
    • obligations of the exporter in case of international transfer of personal data: the exporter will be obliged to ensure that the importer will assume the same obligations of a controller, and to comply with such obligation, the exporter may enter into contracts or other instruments authorised under Peruvian legislation with the importer to establish the obligations of the importer.

In any case of cross-border flow of personal data, the controller must notify the ANPD about such transfer.

1.2. Regulatory authority guidance

As described in the 'Legislation' section, there is no specific regulation for the automotive sector; however, the following laws are relevant for the data processing:

  • The National Vehicle Regulation.
  • The Law.
  • The Regulation.
  • The Security Directive.
  • Guidelines on Observing the 'Duty to Inform' (only accessible in Spanish here). This guide provides guidance on how to comply with the duty of information established in Article 18 of the Law. Regarding the recipients of personal data, providing a general classification of recipients (e.g., banking institutions, franchisees) is allowed whenever: (i) the detail is reported in a complementary way (such as a link); and (ii) when it is not possible to determine in advance or exhaustively the recipients of the data or if the relationship is very extensive.
  • Opinions, legal reports, and decisions of the ANPD (only accessible in Spanish here).
    • Legal Report No. 9-2020-JUS/DGTAIPD (only accessible in Spanish here): The ANPD provided their technical opinion on a draft law related to the use of data derived from telecommunications for the identification, location and geolocation of communication equipment. The ANPD indicated that geolocation will be considered as personal data if such equipment (e.g. connected vehicles) is associated with and identifies its owner.
    • Opinion No. 35-2020-JUS/DGTAIPD (only accessible in Spanish here): The ANPD established that certain information, under certain circumstances, would not be protected by the Law. One such circumstance is the contact information (contact or corporate data) of a person acting on behalf of a legal entity. If the contact information is used within the scope of the activity or in the course of business of the legal entity and is strictly limited information pertaining to the legal entity (e.g. names, surnames, e-mails of the representatives that are provided by the legal entity to send business information), this information is not protected by the Law.
    • Opinion No. 041-2021-JUS/DGTAIPD (only accessible in Spanish here): The ANPD has defined 'metadata' as any descriptive information about the context, quality, condition, or characteristics of a resource, data, or object that has the purpose of enabling its retrieval, authentication, assessment, preservation, and/or interoperability. For example, traffic data and localisation data. This is considered personal data protected by the Law only if the metadata discloses information about an identified or reasonably identifiable person.
    • Opinion No. 01-2022-DGTAIPD (only accessible in Spanish here): As a general rule, consent is required for the treatment of personal data, unless the treatment is under the exceptions established in the Law to which we have referred previously in 'Legislation, Consent' above. Additionally, the ANPD has established another exception to consent, known as 'first contact'. This exception is oriented to the use of personal data to contact a data subject and obtain their consent for commercial purposes. If consent is not obtained, companies shall not contact the data subject again. However, through this opinion, the ANPD has limited the scope of 'first contact', stating that the exception can only be used once, regardless of the product and/or service to be advertised by the same company.
    • Decision No. 655-2022-JUS/DGTAIPD-DPDP (only accessible in Spanish here): The ANPD indicated that biometric data is sensitive data obtained from technical processing related to the physical, physiological or behavioural characteristics of a person, which allows or confirms the unique identification of that person.

Also, the ANPD defined privacy by design as the proactive responsibility by those who process personal data with the implementation of preventive measures to ensure compliance with regulatory obligations and privacy by default as the measures implemented to limit access to personal data, preventing access from unauthorized individuals or those who do not need to know the personal data to perform their functions as well as imposing limits to the criteria to minimize data processing.

2. Key Definitions

Vehicle Identification Number (sole or in combination with further identifiers): A Vehicle Identification Number ('VIN') consists of 17 characters, assigned and recorded by the manufacturer in accordance with the provisions of the Technical Standard ITINTEC 383.030 [1] or the ISO 3779 standard 'Road vehicles — Vehicle identification number (VIN) — Content and structure'. The rules for the VIN are the following:

The tenth character corresponds to the model year determined by the manufacturer which, in some cases, coincides with the calendar year in which the vehicle was produced.

Geolocation data: The National Vehicle Regulation does not define geolocation data. However, the Directorial Resolution No. 1947-2009-MTC-15 establishes some related definitions such as 'Automatic Vehicle Location' (equipment that includes remote location systems in real time, based on the use of a GPS integrated into a wireless transmission system) and the 'Global Positioning System' (that allows obtaining the position of an object, person, or vehicle with a specific precision).

On the other hand, according to the Legal Report No. 9-2020-JUS/DGTAIPD, geolocation is a tool used to determine the geographic location of a device in space and will be considered as personal data protected by the general regulation whenever the location of a device (e.g. connected vehicles) identifies a natural person allowing their identification [3].

Telematic data: The National Vehicle Regulation and the Law do not define 'telematic data'.

Biometric data: According to Decision No. 655-2022-JUS/DGTAIPD-DPDP, 'biometric data' is personal data obtained from a specific technical treatment, related to the physical, physiological, or behavioural characteristics of a natural person that allow or confirm the unique identification of such person. This is considered sensitive personal data protected by the Law (Article 2(5) of the Law) [4].

Metadata: Opinion No. 041-2021-JUS/DGTAIPD defined 'metadata' as any descriptive information about the context, quality, condition, or characteristics of a resource, data, or object that has the purpose of enabling its retrieval, authentication, assessment, preservation, and/or interoperability. For example, traffic data and localisation data. This is considered personal data protected by the Law only if the metadata discloses information about an identified or reasonably identifiable person [5].

Voice data: There is no definition for 'voice data' under the Law. However, data collected through voice recording systems is considered personal data, in accordance with the Peruvian data protection regime.

Video data (inside/outside the vehicle): There is no specific definition under the Law, however it could be construed that video data is all data collected from a video system and it is considered personal data, in accordance with the Peruvian data protection regime.

Anonymisation: According to the Law, 'anonymisation' is a procedure that prevents the identification of the owner of the personal data or makes it unidentifiable. This procedure is irreversible (Article 2(14) of the Law).

Pseudonymisation: There is no specific definition for 'pseudonymisation' under the Law. However, there is a reference to the 'dissociation procedure', which is a reversible procedure that prevents identification or does not make any data subject identifiable, and is similar to the procedure of pseudonymisation (Article 2(15) of the Law).

Data processing: Under the Law, 'data processing' consists of any operation or technical procedure (automated or not) that allows for the collection, registration, organisation, storage, conservation, preparation, modification, extraction, consultation, use, blockage, suppression, communication by transfer, dissemination or any other form of processing that facilitates the access, correlation, or interconnection of personal data (Article 2(19) of the Law). For example, when a company compiles, in a database, the names and surnames of its clients and their contact information, they are processing personal data.

Data controller: Under the Law, the data controller (referred to as the 'owner of the personal database') could be the individual, company, private legal entity, or public entity that determines the purpose and contents of the database, the processing thereof, and its security measures (Article 2(17) of the Law). Usually, a company, regardless of its economic activities, will be the controller of the database that contains information about its employees and clients that are individuals. Similarly, a hotel will be the owner of the database that contains information about its previous guests, a sports club will be the owner of the database that contains information about its associates, and an education centre will be the owner of the database that contains information on its students.

Data processor: Under the Law, the data processor (referred to as the 'person in charge of the database') is any individual, company, private legal entity, or public entity that individually or jointly with another entity processes personal data at the request of the data controller (Article 2(7) of the Law and Article 2(10) of the Regulation). Examples of database processors would include car dealers that collect information on the instruction of the automotive company for car warranties, telecommunication companies that provide internet connection to the cars and use the data of the clients for the services, IT services providers that perform software or hardware maintenance, a company that provides postal mailing services, or a call centre that promotes or sells products of another organisation, among others.

Manufacturer: The transportation sector regulations, including the National Vehicle Regulation and the complementary regulations, do not establish a definition of a 'manufacturer'. Currently, the National Vehicle Regulation describes their activities and obligations (for example, determining the original and main characteristics of the vehicles such as load capacities, towing, and weights, among others).

Nonetheless, the production sector does provide a definition. According to the Regulation for the Assignment of the World Manufacturer Identification Code (WMI) of Land Transportation Vehicles, a manufacturer is defined as a natural or legal person, with its own or a third party's plant located in national territory authorized by the DIRE [6], who carries out the activity of manufacturing fully finished land transportation vehicles ready to operate, under compliance with standards that provide safety conditions to such process. A manufacturer must have the WMI Code assigned by the DIRE and is responsible for the codification of the VIN.

The National Vehicle Regulation provides that the manufacturer must have an authorised representative in Peru, which is a natural or legal person who has signed a contract with the manufacturer of certain vehicle brands that proves commercial representation in Peru. This is mandatory if the manufacturer is not a Peruvian entity.

Furthermore, according to Article 56 of Annex II of the National Vehicle Regulation, the authorised representative is entitled to issue authorisations for vehicle assembly, modifications, and presenting the affidavit of compliance with the technical requirements and other requirements established by the National Vehicle Regulation.

3. Supervisory Authority

3.1. Who is the relevant supervisory authority overseeing compliance applicable to the automotive sector?

The MTC is the entity in charge of supervising compliance with the provisions of the National Vehicle Regulation. Specifically, the Regulation of Organisation and Functions of this Ministry establishes that the Road Traffic Directorate conducts the vehicle identification system and homologation, certification, and technical reviews.

In aspects related to the transportation of people and goods, the entity in charge of supervisory activities is the Superintendence of Land Transportation of People, Cargo, and Goods.

Regarding any data privacy matters, the ANPD is the relevant authority.

There is no specific government entity that regulates aspects of personal data in the automotive sector.

4. Connected Vehicles

4.1. What are the practical implications of the following principles for connected vehicles and how can organisations manage them in practice?

The National Vehicle Regulation has not regulated the principles related to data protection.

Additionally, there is no specific standard that regulates data protection in the automotive industry. However, like any other entity that processes personal data, entities in the industry are governed by the Law and the Regulation. In this sense, data controllers and/or processors in the automotive sector are subject to this legislation.

Transparency

Under Peruvian law, the principle of transparency is construed under the right of information, which states that the owner of personal data has the right to be informed in a detailed, simple, precise, and unequivocal manner, prior to its collection about the personal data processing (Article 18 of the Law).

Likewise, the data controller must obtain the consent of the data owner without the use of fraudulent, unfair, or unlawful means.

Choice and consent

The Law establishes that any processing of personal data requires the prior consent of the data subject (Article 5 of the Law). The consent of the data subject must be prior, freely given, informed, express, and unequivocal. In the case of sensitive data, such as biometric data, the consent must also be in writing.

The data subject must be informed about the following issues:

  • identity and address of the controller and its processor, if applicable;
  • all the purposes for which their personal data will be processed;
  • identity of the possible personal data recipients;
  • existence of the database in which the data will be stored;
  • mandatory or optional nature of providing its personal data;
  • consequences of providing, or not, their personal data; and
  • national and international transfers of data to be carried out.

Data security

According to the Law, the database controller must adopt technical, organisational, and legal measures that guarantee the security of the personal data and avoid its alteration, loss, or unauthorised access (Article 9 of the Law). For this purpose, the computer systems must adopt, among others, the following measures: (i) the control of the access to personal data information, and (ii) the generation and maintenance of records that provide evidence of interactions with the data.

Furthermore, according to the Security Directive, depending on how risky the processing of personal data is, the data controller must adopt additional measures such as restricting the use of photographic, video, audio, or other recording equipment in the area where personal data is processed.

Data retention

According to the Law, under the principle of quality, personal data should not be retained when the time necessary to fulfil the purpose of the processing has expired. Also, according to the principle of proportionality, any processing of personal data must be adequate, relevant, and not excessive to its purpose. Therefore, once the purpose has been fulfilled, the personal data must be destroyed.

Accountability and record of processing

Natural or legal persons of the private sector or public entities that create, modify, or cancel the personal database are under the obligation to register these acts in the ANPD, specifically under the National Registry for the Protection of Personal Data.

Data sharing and international transfers

International data transfers may only be made if a level of protection comparable to that provided by Peruvian law or at least by international standards on the subject is guaranteed. If this adequate level of protection is not achieved, the transfer may not be executed, unless there is an international treaty on the matter and Peru is a party, it is for international cooperation, or the owner has given their consent under the aforementioned standards, among other cases.

Data governance

Legislative Decree No. 1412, that Approves the Digital Government Law (only available in Spanish here) has been approved with the aim of establishing a digital government governance framework for the proper management of digital identity, digital services, digital architecture, interoperability, digital security, and data applicable to public administration entities.

Regarding the private sector, although the Legislative Decree is not mandatory in order to comply with any international requirement, it is advisable that the security standards adopted follow the provisions of the Peruvian Code of Good Practices for Information Security Management (only available in Spanish here).

Data portability

The Law does not regulate data portability. However, and implicitly through the right of access, the Regulation establishes the right of portability (Article 62 of the Regulation). It states that whatever format is used to provide the data subject with the requested information, it must be clear, legible and intelligible, without using passwords or codes that require other mechanisms to access the information. Also, the language must be simple.

Privacy/Security by Design and by Default

Recently, through the Decision No. 655-2022-JUS/DGTAIPD-DPDP (only accessible in Spanish here), the ANPD defined Privacy by Design as the proactive responsibility by those who process personal data with the implementation of preventive measures to ensure compliance with regulatory obligations and Privacy by Default as the measures implemented to limit access to personal data, preventing access from unauthorised individuals or those who do not need to know the personal data to perform their functions as well as imposing limits to the criteria to minimise data processing.

Access

Under Article 19 of the Law and Article 61 of the Regulation, the data subject has the right to request information from the data controller regarding how their personal data is being/will be processed.

Additionally, the data subject may access the information in the following ways: (i) on-site viewing; (ii) written, copy or photocopy; (iii) electronic transmission; and (iv) any other form or means that is appropriate for the nature of the information processing.

Data ownership

There is no specific definition under the Law of 'data ownership'; however, there is a reference to the concepts 'data subject' and 'database controller'. The 'data subject' or owner is the natural person whom the data enables to be identified. For example, a person is the owner of the information related to their phone number, personal identification numbers, mailing address, etc.

Additionally, the Law defines the 'database' as any organised set of personal data, automated or not, regardless of the means employed (physical, magnetic, digital, optic, or others to be created) or the modality of their creation, formation, storage, organisation, and access. For example, the mailing list of clients is a personal data database. Furthermore, the 'database controller' is the owner or controller of a database. A controller could be the individual, company, private legal entity, or public entity that determines the purpose and contents of the database, the processing thereof and its security measures.

5. Autonomous Driving

5.1. What are the practical implications of the following principles for autonomous driving and how can organisations manage them in practice?

Autonomous driving is yet to be regulated in Peru. However, the same framework set forth in 'Connected Vehicles' above is applicable when handling personal data.

6. Telematics

6.1. What are the practical implications of the following principles for telematics and how can organisations manage them in practice?

There are no specific regulations for vehicle telematics from a data protection and cybersecurity standpoint. However, when third parties are collecting and monitoring personal data, the legal framework set forth under 'Connected Vehicles' above should be observed.

7. Vehicle Geolocation

7.1. What are the practical implications of the following principles for vehicle geolocation and how can organisations manage them in practice?

There are no specific regulations for vehicle geolocation from a data protection and cybersecurity standpoint. However, when third parties are collecting and monitoring personal data, the legal framework set forth under 'Connected Vehicles' above should be observed.

8. Manufacturing

8.1. What are the practical implications of the following principles for manufacturing and how can organisations manage them in practice?

There are no specific regulations for manufacturers from a data protection and cybersecurity standpoint. However, the legal framework set forth under 'Connected Vehicles' above should be observed by manufacturers when processing personal data.

9. Other

9.1. Please outline any other additional data protection and/or cybersecurity requirements for the automotive sector, including in relation to the following, if applicable:

Internet connectivity and eSIM management

Peruvian regulations do not provide specific provisions for vehicle internet connectivity. In general terms, the public mobile internet service could be contracted for vehicles with an operating company authorised by the General Directorate of Authorizations in Telecommunications of the MTC.

Carlos Patrón, Partner
Giancarlo Baella Prado, Principal Associate
Payet, Rey, Cauvi, Pérez Abogados, San Isidro


1. The Technical Standard ITINTEC 383.030 has been repealed and replaced by NTP-ISO 3779:2008, which has been also repealed and replaced by NTP-ISO 3779:2018 through Directorial Resolution No. 47-2018-INACAL-DN. There is not an available preview of the Technical Standard currently in force since it must be purchased, see: tiendavirtual.inacal.gob.pe/0/modulos/TIE/TIE_DetallarProducto.aspx?PRO=7295
2. The Technical Standard ITINTEC 383.031 has been repealed and replaced by NTP-ISO 3780:2008, which has been also repealed and replaced by NTP-ISO 3780:2018 through Directorial Resolution No. 47-2018-INACAL-DN. There is not an available preview of the Technical Standard currently in force since it must be purchased, see: tiendavirtual.inacal.gob.pe/0/modulos/TIE/TIE_DetallarProducto.aspx?PRO=7296
3. Legal Report No. 9-2020-JUS/DGTAIPD (only accessible in Spanish here).
4. Decision No. 655-2022-JUS/DGTAIPD-DPDP (only accessible in Spanish here).
5. Opinion No. 041-2021-JUS/DGTAIPD (only accessible in Spanish here).
6. Directorate of Regulation of the General Directorate of Policies and Regulation of the Vice-Ministry of MYPE and Industry of the Ministry of Production.
