Data Privacy Tool
You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.
Guatemala does not have a personal data protection law, however the Law on Access to Public Information (Ley de Acceso a la Información Pública – Decree 57-2008 of the Congress of the Republic), even if it pertains to information in public files and records, does address the matter in certain provisions which can be applicable to private parties.
Definition of Personal Data
Article 9, number 1 of the Law on Access to Public Information defines Personal Data as “relative to any information pertaining to natural persons identified or identifiable.”
Definition of Sensitive Personal Data
Article 9, number 2 of the Law on Access to Public Information defines Sensitive Personal Data as “such personal data referring to physical or moral characteristic of the persons or to facts or circumstances of its private life or activity, such as personal habits, racial origins, ethnic origin, ideology or political opinions, religious beliefs or convictions, physical or psychologic health status, sexual preference or sex life, moral and familiar situation or other intimate matters similar in nature.”
According to Art. 46 of the Law on Access to Public Information the competence as National Data Protection Authority is the Ombudsman (Procurador de los Derechos Humanos).
Registration of Personal Data is not regulated, yet if personal data of an individual is gathered by any public office or obliged subject, even private parties (under the premise that they receive public funds or grants from the State of Guatemala), Article 30 of the Law on Access to Public Information grants the right to Habeas Data.
Public offices and private parties defined in Art. 6 of the Law on Access to Public Information must implement Public Information Units, pursuant to Art. 19 of the law.
Collection and Processing of personal data is not regulated, however Art. 33 of the Law on Access to Public Information refers files and information systems and Art. 39 refers to electronic or digital records. According to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed. Art. 32 of the Law prohibits the creation of data banks or files containing sensitive data and sensitive personal data, unless such information is for the service and attention of the public institution creating the data bank.
Transfer of Personal Data is not regulated, however, Art. 31 of the Law on Access to Public Information establishes that written consent is necessary for any type of information transfer and bans expressly the commercialisation of sensitive data and sensitive personal data.
Security is not regulated. However, as referred above, according to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.
Breach Notification is not regulated, however, Art. 17 of the Law on Access to Public Information stipulates that the person consulting public information must give notice to the relevant authority of the destruction or misuse of public information.
Mandatory breach notification
Mandatory Breach Notification is not regulated.
According to Arts. 61, 62 and 63 of the Law on Access to Public Information, enforcement corresponds to the Superior Authorities of the relevant public offices and in the event the infraction entails criminal responsibility it corresponds to the Prosecutor General’s Office. Arts. 64 to 67 of the Law specifically create criminal figures related to the abuse and misuse of information contained in public records, including Personal Data.
Specifically, Art. 64 of the Law establishes a prohibition to private parties to commercialise personal data without consent. Violation to this provision results in jail from 5 – 8 years and a fine ranging from Q.50,000.00 to Q.100,000.00 and the confiscation of any element employed to execute the crime.
According to the Law of Acknowledgment of Electronic Communications and Signatures, Decree 47-2008 of the Congress of the Republic, electronic marketing is not considered E-Commerce, yet it is considered a communication and an electronic communication as it contains an exposition, statement, claim, advice, request, or offer and the acceptance of an offer, in relation to the construing or execution of a contract.
If any such communication is not addressed to a particular person but it is a general communication, according to Art. 25 of the aforementioned law, it shall be deemed an offer.
Protection to the consumer in E-Commerce and E-Marketing or E-Advertisement is addressed in Art. 51 of the aforementioned law, compelling the originators of such communications to act in an equitable manner and to fully comply with the offered matters and not to engage into false, deceitful, fraudulent or disloyal business practices.
Online privacy is not regulated.