Under the current legal regime, it is prohibited to publicize or diffuse sensitive data of people that are explicitly identified or identifiable (Art. 4 of Personal Credit Data Protection Law).

The current regulatory regime allows for private use the collection, storage and processing of personal information when it is lawful, exact, complete, true and updated for the specific purpose for which the data was collected (Art. 7 of the Law).  However, the data subject has to give consent to the collection and use of their personal information, to that effect, the data subject has to be informed, clearly and expressly, about the purposes their collected personal data will be processed for. The data subject’s consent may be revoked at any time under the same conditions as it was granted (Art. 6 of the Personal Credit Data Protection Law).

The Personal Credit Data Protection Law specifically regulates personal credit data collection and processing by Credit Data Bureaus. Such bureaus have to be fully authorized and registered by the Central Bank in order to be able render credit reference services (ie, provision of data related to personal credit information of persons or entities) and may only provide services to specific users (eg, financial entities, banks, credit agencies, etc.) (Arts. 3, 12, 13 and 14 of the Law).

Furthermore, the Personal Credit Data Protection Law establishes that a Credit Data Bureau may process personal data related to financial solvency and credit of persons or entities provided that:

• the data was provided by the data subject; or
• the data subject provided express and written consent; or
• the information is related to information that private or governmental entities have the duty to publish; or
• the information is public (Art. 13 of the Law).

The Personal Credit Data Protection Law also establishes a duty to the person/entity responsible for collecting and/or storing the data, to permanently update (when necessary) any personal information regarding the financial situation, solvency and/or the fulfilment of commercial and financial obligations (Arts. 9 and 11 of the Law). It also provides that the users of Credit Data Bureaus have the obligation to regularly provide to them, updated data on their credit portfolio clients, especially information related to the compliance with credit obligations, which must be notified within twenty four (24) hours of its cancellation (Art. 14 of the Law).

In addition, the Law establishes that Personal Credit Data which may affect a data subject cannot be stored (and/or publicized) for more than five (5) years from the date of the recorded event (Art. 9 of the Law).

A data subject has the right to:

• access the information and data about themselves, their dependents and/or property;
• know the use and purpose of such data; and 
• where data is incorrect, inexact or misleading, request access, prompt correction, rectification, to withdraw consent and object to the processing (Art. 5 of Personal Credit Data Protection Law). 

In addition, the Regulatory Decree of the Electronic Commerce Law establishes that the data subject’s express consent is required in order to obtain any personal information (Art. 13).  Accordingly, electronic collection, storage and processing data companies (and other companies that render services via electronic means who collect personal data), have the duty to inform to the data subject about:

• the purposes for which the personal data are collected; and
• how the personal data colelcted will be processed.