Last modified 28 January 2025

Data Protection in the Dominican Republic

Security in the Dominican Republic

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in the Dominican Republic

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

Reliability
Legality
Integrity
Security, and
Purpose of the information

The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the constitution and operation of credit bureaus.

For the purposes of the DPL, the term 'credit bureau' refers to companies dedicated to collecting, organizing, storing, conserving, providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any other information provided by the Superintendent of Banks.

Law No. 53-07 on High Technology Crimes and Offenses does not specifically refer to personal data but ensures the protection of information systems and their components, as well as the information or data that are stored or transmitted through them, and it also establishes the penalties for crimes committed against them or any of their components or those committed using such technologies to the detriment of individuals or legal entities.

Related resources

Definitions

Definitions in the Dominican Republic

Definition of personal data

Personal data consists of any information, whether numerical, alphabetical, graphic, photographic, or acoustic, or any other type of data which concerns individuals that are identified or identifiable.

Definition of sensitive personal data

The term 'sensitive data' refers to personal data that reveals its subject´s:

Political opinions
Religious, philosophical or moral convictions
Racial or ethnic origin
Affiliation to labor unions or trade union membership, and
Information concerning health or sex life

Personal data concerning the health of an individual encompasses any information concerning their past, present or future physical or mental health.

Affected or interested party

Any natural person whose information is the object of data processing, as well as any creditor, whether a natural or legal person, who has or has had a commercial or contractual relationship with a natural person for the exchange of goods and services, where the natural person is the creditor's debtor. As well as any natural or legal person who has had, has or requests to have a good or service of an economic, financial, banking, commercial, industrial, or any other nature, with a financial intermediation institution or with an economic agent.

Data processing

Systematic operations and procedures that allow the collection, conservation, ordering, storage, modification, relation, evaluation, blocking, destruction and, in general, the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections or transfers.

Data Processor

The natural or legal person, public or private, who carries out the processing of personal data on behalf of the controller.

Authority

National data protection authority in the Dominican Republic

The Dominican Republic does not have a national data protection authority dedicated to overseeing matters related to data protection concerning processing activities performed by private persons or entities.

However, Section 29 of the DPL establishes that databases and registries, whether public or private, intended to provide credit reports (ie credit bureaus) are subject to the inspection and supervision of the Superintendent of Banks.

Additionally, the General Law for the Protection of Consumer or User Rights No. 358-05 determines that the National Institute for the Protection of Consumer Rights, "Pro Consumidor" is the competent authority for monitoring compliance in data protection in consumer matters. The "Pro-Consumidor" cannot impose fines or administrative sanctions but users, consumers and suppliers can initiate conciliation and arbitration processes before them.

Registration

Registration in the Dominican Republic

Except for credit bureaus, the Dominican Republic does not maintain a registration of personal data controllers or databases, nor of companies that carry out the processing of personal data.

Data protection officers

Data protection officers in the Dominican Republic

There is no requirement to appoint a data protection officer under the DPL.

Collection and processing

Collection and processing in the Dominican Republic

The general rule for the treatment of personal data under the DPL is that consent to process is a requirement. Consent is valid when there is a manifestation of free will, in an unequivocal, specific and informed manner, whereby the data subject consents to the treatment of personal data concerning him or her.

The DPL provides that the treatment and transfer of personal data is illegal when the data has not consented to such usage, unless an exception is provided by law.

For purposes of the foregoing, the DPL defines treatment as operations and procedures (electronic or otherwise), that allow for the:

Collection
Storage
Organization
Modification
Evaluation
Destruction
In general, the processing of personal data, or
Its transfer to third parties via communications, interconnections or transfers

Exceptions to the requirement to obtain consent include, among others:

When the data is obtained from a public source
When the data is obtained for the exercise of public duties or pursuant to a legal obligation to do so
When the data is obtained for marketing purposes and is limited to certain basic information (eg, name, ID, passport, tax ID)
The data derives from a commercial, employment or contractual relationship, or from a professional or scientific relationship with the data subject, and is necessary for its development or compliance

Related resources

Transfer

Transfer in the Dominican Republic

Transfer is considered a form of 'treatment' of personal data under the DPL; hence, the rules apply, including consent requirements. Additional restrictions are provided under the DPL for international data transfers.

Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for the treatment of the personal data.

Related resources

Security

Security in the Dominican Republic

The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and security measures to safeguard personal data and avoid its:

Alteration
Loss
Treatment
Consultation, or
Unauthorized access

The DPL prohibits the storage of personal data in files, records or databases that do not meet the necessary technical conditions for guaranteeing their integrity and security. Additionally, credit bureaus and users or subscribers shall take the necessary measures to prevent the alteration, loss or unauthorized access to personal data.

Related resources

Breach notification

Breach notification in the Dominican Republic

There is no obligation to provide notice of a breach.

Related resources

Enforcement

Enforcement in the Dominican Republic

Since there is no special data protection authority in the Dominican Republic, data subjects have the right to institute habeas data proceedings to obtain information about the data held that refers to the relevant data subject.

The DPL expressly recognizes the right of data subjects to recover damages for violations of their right to privacy and the integrity of their personal data. Additionally, the DPL provides criminal sanctions (including fines and imprisonment ranging from six months to two years) which may result from violating the DPL.

Law No. 310-14 Which Prohibits the Sending of Commercial Unsolicited Messages (SPAM), enacted on August 8, 2014 ('SPAM Law No. 310- 14',) also provides criminal sanctions for fraudulently obtaining personal data from public websites for commercial purposes (including imprisonment ranging from six months to five years, and fines from 1 to 200 times the minimum wage).

Although the National Institute for the Protection of Consumer Rights, "Pro Consumidor" cannot impose fines or administrative sanctions but conciliation and arbitration processes between users, consumers and suppliers can be initiated before them.

Electronic marketing

Electronic marketing in the Dominican Republic

Sending commercial or promotional communications via electronic mail is regulated by SPAM Law 310-14. Law 310-14 requires the consent of the recipient in order to deliver commercial communications, unless an exception to said consent requirement is expressly provided by law.

Law 310-14 provides that:

The word 'Publicity' (Publicidad) must be included in the subject field of the email
Commercial communications must include an email address or other similar mechanism which allows the recipient to send a message indicating their desire to stop receiving such communications (opt-out)

Online privacy

Online privacy in the Dominican Republic

The Dominican Republic has not enacted specific legislation governing online privacy or the use of ‘cookies’, although the provisions of the DPL concerning data protection would apply.

Additionally, the unauthorized use of ‘cookies’ could implicate computer misuse laws prohibiting unauthorized access to computers and information therein, particularly those contained in Law No. 53-07 on high-tech crimes and felonies.

Related resources

Key contacts

Data protection lawyers in the Dominican Republic

Mary Fernández

Founding Partner

Headrick

Santo Domingo

Email Full bio

Fernando J. Marranzini

Partner

Headrick

Santo Domingo

Email Full bio

The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and security measures to safeguard personal data and avoid its:

Alteration
Loss
Treatment
Consultation, or
Unauthorized access

Quick links

Data Protection in the Dominican Republic

Security in the Dominican Republic

Continue reading