Ley No. 787 Ley de Protección de Datos Personales (Law No. 787, Personal Data Protection Law), in effect since 29 March 2012 and published in Official Gazette No. 61 on the same day.
Definition of Personal Data
Personal data: all information about a natural or legal person that identifies that person or makes them identifiable.
Definition of Sensitive Personal Data
Sensitive personal data: any information that reveals racial or ethnic origin, political affiliation, religious, philosophical or moral beliefs, union membership, health or sexual life, criminal record or administrative, economic and financial misconduct; as well as credit and financial information and any other information that could be grounds for discrimination.
Personal Data Protection Directorate (it has not been formally incorporated).
Each organisation that collects personal data will have the obligation to register in the Data File Registry.
However, since the Personal Data Protection Directorate has not yet been incorporated, this Registry does not yet exist in practice. Organisations are therefore unable to materially comply with the registration requirement.
Any officer responsible for the Data File of each organisation must register in the Data Files Registry that the Personal Data Protection Directorate enables for this purpose.
We must reiterate that this obligation cannot be materially fulfilled, as the Personal Data Protection Directorate has not been formally incorporated.
The law defines data processing as those systematic operations and procedures, automated or not, that allow the collection, registration, recording, conservation, ordering, storage, modification, updating, evaluation, blocking, destruction, deletion, use and cancellation, as well as the transfer of personal data resulting from communications, consultations, interconnections and transfers.
Personal data may only be processed when they are adequate, proportional and necessary in relation to the scope and the specific, explicit and legitimate purposes for which they have been requested.
The purpose of processing the personal data of the user should be to facilitate the improvement, expansion, sale, billing, management, provision of services and acquisition of goods.
Personal data may be assigned and transferred when the purposes are directly related to the legitimate interest of the assignor and the assignee and with the prior consent of the owner of the data, who must be informed about the purpose of the assignment and identify the assignee.
Consent to the transfer is revocable by written notification, or by any other means that is equivalent depending on the circumstances, addressed to the person responsible for the data file.
The necessary technical and organisational measures must be adopted to guarantee the integrity, confidentiality and security of personal data, to avoid its adulteration, loss, consultation, treatment, disclosure, transfer or unauthorised disclosure, and to allow the detection of deviations of private information, intentional or not, whether the risks come from human action or from the technical means used.
The legislation does not expressly contemplate a duty to notify data breaches.
Mandatory breach notification
The legislation only contemplates mandatory notification of a data breach in the case of Army and Police personnel, in which case the relevant institutions must be informed immediately.
Because the institution that supervises the application of the law (the Personal Data Protection Directorate) has not been formally incorporated, the government is not duly enforcing its provisions.
Data files intended for sending advertising, promotions and offers, for the direct sale of products, goods and services, or for other analogous activities can only incorporate personal data with the consent of the owner, or when the data appears in publicly accessible sources.
Advertising and promotions sent through electronic means must offer the recipient the possibility to express their refusal to continue receiving advertising and promotional content for goods and services or, where appropriate, to revoke their consent in a clear and free manner.
Companies or institutions that engage in electronic marketing, advertising and promotional content must be protected by means of a contract that establishes that the personal data contained in a data file has been obtained with the unequivocal and informed consent of the owners or that it has been obtained from publicly accessible sources.
The law states that when the officer responsible for the data file uses mechanisms in remote or local means of electronic, optical or other communication technology (cookies) that allow personal data to be collected automatically and simultaneously while the data owner is in contact with them, the owner must be informed at that time about the use of these technologies, that personal data is obtained through them, and the way in which they can be disabled.
Location data is not regulated.