Generally, entities must obtain prior express consent from data subjects and provide prior notice to the Ministry of Communications to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by Cuba rules.
Cuba does not have its own data protection law.
Cuba regulates data privacy and protection issues, in general, under the following normative:
- Constitution of the Republic of Cuba (2019) .- article 97
- Decree-Law 35/2021 “On Telecommunications, Information and Communication Technologies and the use of the Radioelectric Spectrum”.
- Decree-Law No. 370/2018 “On the Computerization of the Society in Cuba”.
- Decree 360/2019 "On the Security of Information and Communication Technologies and the Defence of National Cyberspace".
- Resolution No. 99/2019 "Regulation for private data networks".
- Others rules:
- Regulation for the production of computer programs and applications and the evaluation of their quality (2019).
- System for registration of computer programs and applications (2019).
- Regulation with the control measures and the types of security tools that are implemented in private data networks (2019).
- Regulation with the control measures and the types of security tools that are implemented in private data networks (2019).
- Regulation of the provider of public accommodation and hosting services in the internet environment (2019).
- Regulation of the provider of public accommodation and hosting services in the internet environment (2019).
- Information and communication technology security regulation (2019).
- Methodology for Information Security Management (2019).
Definition of Personal Data
In the regulatory order, the information is approached in a general sense oriented to the preservation of the confidentiality, integrity and availability of the same, and focuses on establishing rules that regulate the management and treatment of information in general, especially related to cybersecurity issues.
Definition of Sensitive Personal Data
Cuban rules do not provide for an express definition of sensitive personal data.
Ministry of Communications.
No requirements.
There is no general requirement under binding Cuban rules for organisations to appoint a data protection officer.
Generally, entities must obtain prior express consent from data subjects and provide prior notice to the Ministry of Communications to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by Cuba rules.
Nothing in the Cuba rules is established concerning transfer.
Organisations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.
The Ministry of Communications, in coordination with other authorities, establishes the Program for Strengthening Cybersecurity and coordinates participation in activities required for this purpose and implements its control and inspection.
The Cuba rules introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organisations must promptly take relevant measures to mitigate any damage and notify the relevant data subjects and report to the relevant government agencies in a timely manner in accordance with relevant provisions.
Mandatory breach notification
All breaches must be reported according to a four-level security scheme.
The competent authority for the enforcement of Data Protection rules is the Ministry of Communications, in coordination with the Ministry of Interior, Cuban Central Bank, and other authorities.
Natural and legal persons that provide goods and services for digital media are obliged to develop a technically safe environment for commercial transactions in which they operate, in accordance with current legislation.
There is nothing established about online privacy, or cookies, or location data.