The competent authority for the enforcement of Data Protection Law is the Personal Data Authority, the Agency of the electronic government and information technologies and communication (AGETIC). However, considering that Authority is not yet created, the level of enforcement may be distributed to other legislative organs in the future.
- Bill of Personal Data Protection;
- The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.
Any individual or collective person who believes to be unduly or illegally prevented from knowing, objecting or obtaining the deletion or rectification of the data registered by any physical, electronic means, magnetic or computer, in public or private files or databases, or that affect their fundamental right to personal or family privacy, or in their own image, honor and reputation, may file a Private Protection Action.
Definition of personal data
Any information about a natural person identified or identifiable, expressed by numbers, alphabetic letters, graphics, photographs, alphanumeric symbols, acoustic forms or any other type of data. It is considered that a person is identified when his identity can be determined directly or indirectly as long as this do not require terms or disproportionate activities.
Definition of sensitive personal data
Data that refers to the intimate sphere of the individual, or whose inappropriate use can cause discrimination of any type or high risk to the particular individual.
The Personal Data Authority, is the Agency of the electronic government and information technologies and communication (AGETIC).
It is not established in the Bill of Personal Data Protection, in a prescriptive manner, however, it establishes that personal data can only be processed with the consent of its owner, unless it is by court order issued for reasons of public interest. It is not yet established whether entities or persons interested in the personal data of a third party must request authorization from the Personal Data Protection Authority.
The President of the Personal Data Authority is the principal officer and has an Executive Council with three members:
- the general Director of the electronic government and information technologies and communication Agency; and
- two designated members from the Ejecutive Council.
The Ejecutive Council of the Personal Data Protection Authority will be assisted by a Consultive Council integrated by six members:
- a person with human rights experience;
- a judicial organ representative;
- an electoral organ representative;
- a Public Ministry representative;
- an academic area representative; and
- a private sector representative.
Under the legitimation principle, the person responsible within the Personal Data Protection Authority may only process personal data when the owner grants his consent for one or more specific purposes, when necessary for the fulfilment of a court order, for the defence or recognition of the rights of the holder/owner before a public authority, to protect the vital interests of the holder/owner or of another natural person; among other legitimate and informed reasons.
Nothing in the Bill of Personal Data Protection is established concerning transfer.
The person responsible for the personal data bank must adopt technical, organizational and legal measures that guarantee its security and prevents its alteration, loss, treatment or unauthorized access.
The requirements and conditions that personal data banks must meet regarding security are established by the National Authority for the Protection of Personal Data, except for the existence of special provisions contained in other laws.
The processing of personal data in data banks that do not meet the requirements and security conditions is prohibited.
When the person in charge is aware of a breach of security of personal data that occurs at any stage of the treatment, understood as any damage, loss, alteration, destruction, access, and in general, any illegal or unauthorized use of personal data even when it occurs accidentally, it will notify the control authority and the affected owners of such suffering immediately.
The foregoing will not be applicable when the person in charge can prove, according to the principle of proactive responsibility, the impossibility of the security breach that has occurred, or, which does not represent a risk to the rights and freedoms of the owners involved.
The notification made by the person responsible to the affected owners will be written in a clear and simple language.
The notification should contain at least the following information:
- the nature of the incident;
- the Personal data compromised;
- coercive actions carried out immediately;
- recommendations to the holder about the measures that can help protect their interests; and
- the means available to the holder to obtain more information.
The person responsible shall document any breach of the security of the data that occurred at any stage of the treatment, identifying, but not limited to, the date on which they discovered the reason for the breach, the related facts, their effects and the corrective measures implemented immediately and definitively, which will be available to the supervisory authority.
The Regulation on the Right to Protection of Personal Data contemplates the effects of the notifications of security breaches made by the person in charge of the Control Authority in regard to the procedures, form and conditions of its intervention in order to safeguard the interests, rights and freedoms of the affected owners.
There is no mandatory breach notification requirement under the Data Protection Law.
The competent authority for the enforcement of Data Protection Law is the Personal Data Authority, the Agency of the electronic government and information technologies and communication (AGETIC). However, considering that Authority is not yet created, the level of enforcement may be distributed to other legislative organs in the future.
There is nothing legally established in Bolivia concerning electronic marketing.
There is nothing established about online privacy, or cookies, or location data.