Data Privacy Regulations and Compliance in Costa Rica
Data privacy regulations play a vital role in safeguarding individuals' personal information and ensuring responsible handling of data by companies. In Costa Rica, data privacy is governed by two key laws: Law No. 7975 (Undisclosed Information Law) and Law No. 8968 (Protection in the Handling of Personal Data of Individuals). While these laws provide a foundation for data protection, there is an ongoing discussion in the Costa Rican Congress to amend and update the existing legislation.
Scope of Data Privacy Laws:
Law No. 7975 focuses on the disclosure of confidential and personal information without proper authorization, imposing penalties for such actions. On the other hand, Law No. 8968, along with its by-laws, primarily regulates the activities of companies managing databases containing personal information. It is important to note that the scope of the second law is currently limited.
The Costa Rican Congress is considering a bill that seeks to fully amend the existing laws and align them with the principles outlined in the EU General Data Protection Regulation (GDPR). Introduced in January 2021, the bill aims to modernize the legislation and enhance data privacy standards. However, the enactment of the proposed bill and its timeline remain uncertain at this point.
To better understand the legal framework, it is essential to clarify certain key definitions. "Personal data" refers to information contained in public or private registries that identifies or could be used to identify a natural person. Such data should only be disclosed to authorized persons or entities with a genuine need-to-know basis. "Sensitive personal data" encompasses information related to an individual's personal space or sphere, including racial origin, political opinions, religious beliefs, socioeconomic condition, biomedical or genetic information, and more. The disclosure of sensitive personal data requires explicit prior authorization from the data subject.
Data Protection Authority and Jurisdiction:
Under Law No. 8968, the Agency for the Protection of Individuals' Data (PRODHAB) is responsible for enforcing compliance with the data privacy laws. Additionally, the Constitutional Court and local civil courts hold jurisdiction to address claims alleging violations of these laws.
Companies managing databases containing personal information and engaging in the distribution, disclosure, or commercialization of such data must register with PRODHAB, as mandated by Law No. 8968.
However, entities managing databases for internal purposes are exempt from this registration requirement. Financial institutions subject to the control and regulation of the Superintendent of Financial Entities of Costa Rica are also not required to register their databases with the Agency. In-house databases are currently outside the scope of enforcement of the existing laws. Unlike some jurisdictions, Costa Rica does not impose a requirement for companies to appoint a dedicated data protection officer.
Companies are permitted to store personal information and manage databases containing such data as long as certain rules are followed. When collecting personal information, both private companies and the government must respect individuals' right to privacy and obtain prior, express, and valid consent from the data owner or their representative. Such consent must be obtained in written form, either handwritten or electronic (only electronic signatures that are valid in Costa Rica are accepted). Companies must ensure that the personal information maintained in their databases is materially truthful, complete, and accurate. Data subjects have the right to access their personal information and to dispute any erroneous or misleading data at any time. Companies that manage databases and engage in the distribution and commercialization of personal information must comply with various obligations, including 1) reporting and registering the company and the database with PRODHAB, 2) implementing technical measures to secure the database and protect the confidentiality of the information, and 3) establishing a procedure to address data subjects' requests for amendments.
The transfer of personal information is authorized if the data subject provides prior, express, and valid written consent to the company managing the database. Such transfers must comply with the principles and rights granted by the above-mentioned data privacy laws. The transfer of public information, which is generally accessible, does not require data subject authorization.
Companies and individuals handling personal information must take all necessary technical and organizational measures to keep the information secure. They should develop an internal protocol outlining procedures for data collection, storage, and use. In the event of a security breach, entities managing personal data must inform PRODHAB and the affected data subjects within five business days. The breach notification must include details about the nature of the breach, the personal data compromised, the immediate corrective actions taken, additional preventive and corrective measures, and contact information for further inquiries. Failure to provide timely notice may lead to fines imposed by PRODHAB. PRODHAB enforces the obligations outlined in the data privacy laws, and individuals can file claims directly with PRODHAB, triggering an administrative procedure against the responsible database manager.
Data privacy is a critical aspect of today's digital age, and it is essential for companies operating in Costa Rica to understand and comply with the existing data privacy laws. Although the laws are subject to potential amendments, organizations should prioritize implementing appropriate measures to protect personal information and ensure compliance with the current legal framework. Staying informed about regulatory updates and proactively addressing data privacy concerns will enable businesses to maintain trust with their customers, employers and partners and uphold the principles of responsible data handling.
#DataPrivacy #CostaRica #DataProtection #GDPR #Compliance #DataPrivacyLaws #PRODHAB #PersonalData #SensitiveData #BreachNotification #DataSecurity #PrivacyRegulations #LegalCompliance #DataPrivacyUpdate #DigitalAge #DataHandling #PersonalInformation #PrivacyRights #DataTransfer #DataBreach #Cybersecurity