DLA Piper Intelligence

Data Protection
Laws of the World

Law

Bolivia
Bolivia
  •  Bill of Personal Data Protection;
  • The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.

Any individual or collective person who believes to be unduly or illegally prevented from knowing, objecting or obtaining the deletion or rectification of the data registered by any physical, electronic means, magnetic or computer, in public or private files or databases, or that affect their fundamental right to personal or family privacy, or in their own image, honor and reputation, may file a Private Protection Action.

Last modified 28 Jan 2020
Law
Bolivia
  •  Bill of Personal Data Protection;
  • The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.

Any individual or collective person who believes to be unduly or illegally prevented from knowing, objecting or obtaining the deletion or rectification of the data registered by any physical, electronic means, magnetic or computer, in public or private files or databases, or that affect their fundamental right to personal or family privacy, or in their own image, honor and reputation, may file a Private Protection Action.

Last modified 28 Jan 2020
Definitions

Definition of personal data 

Any information about a natural person identified or identifiable, expressed by numbers, alphabetic letters, graphics, photographs, alphanumeric symbols, acoustic forms or any other type of data. It is considered that a person is identified when his identity can be determined directly or indirectly as long as this do not require terms or disproportionate activities. 

Definition of sensitive personal data 

Data that refers to the intimate sphere of the individual, or whose inappropriate use can cause discrimination of any type or high risk to the particular individual.

Last modified 28 Jan 2020
Authority

The Personal Data Authority, is the Agency of the electronic government and information technologies and communication (AGETIC).

Last modified 28 Jan 2020
Registration

It is not established in the Bill of Personal Data Protection, in a prescriptive manner, however, it establishes that personal data can only be processed with the consent of its owner, unless it is by court order issued for reasons of public interest. It is not yet established whether entities or persons interested in the personal data of a third party must request authorization from the Personal Data Protection Authority.

Last modified 28 Jan 2020
Data Protection Officers

The President of the Personal Data Authority is the principal officer and has an Executive Council with three members:

  • the general Director of the electronic government and information technologies and communication Agency; and
  • two designated members from the Ejecutive Council.  

The Ejecutive Council of the Personal Data Protection Authority will be assisted by a Consultive Council integrated by six members:

  • a person with human rights experience;
  • a judicial organ representative;
  • an electoral organ representative;
  • a Public Ministry representative;
  • an academic area representative; and
  • a private sector representative.
Last modified 28 Jan 2020
Collection & Processing

Under the legitimation principle, the person responsible within the Personal Data Protection Authority may only process personal data when the owner  grants his consent for one or more specific purposes, when necessary for the fulfilment of a court order, for the defence or recognition of the rights of the holder/owner before a public authority, to protect the vital interests of the holder/owner or of another natural person; among other legitimate and informed reasons.

Last modified 28 Jan 2020
Transfer

Nothing in the Bill of Personal Data Protection is established concerning transfer.

Last modified 28 Jan 2020
Security

The person responsible for the personal data bank must adopt technical, organizational and legal measures that guarantee its security and prevents its alteration, loss, treatment or unauthorized access. 

The requirements and conditions that personal data banks must meet regarding security are established by the National Authority for the Protection of Personal Data, except for the existence of special provisions contained in other laws. 

The processing of personal data in data banks that do not meet the requirements and security conditions is prohibited.

Last modified 28 Jan 2020
Breach Notification

When the person in charge is aware of a breach of security of personal data that occurs at any stage of the treatment, understood as any damage, loss, alteration, destruction, access, and in general, any illegal or unauthorized use of personal data even when it occurs accidentally, it will notify the control authority and the affected owners of such suffering immediately. 

The foregoing will not be applicable when the person in charge can prove, according to the principle of proactive responsibility, the impossibility of the security breach that has occurred, or, which does not represent a risk to the rights and freedoms of the owners involved. 

The notification made by the person responsible to the affected owners will be written in a clear and simple language. 

The notification should contain at least the following information:

  • the nature of the incident;
  • the Personal data compromised;
  • coercive actions carried out immediately;
  • recommendations to the holder about the measures that can help protect their interests; and
  • the means available to the holder to obtain more information. 

The person responsible shall document any breach of the security of the data that occurred at any stage of the treatment, identifying, but not limited to, the date on which they discovered the reason for the breach, the related facts, their effects and the corrective measures implemented immediately and definitively, which will be available to the supervisory authority. 

The Regulation on the Right to Protection of Personal Data contemplates the effects of the notifications of security breaches made by the person in charge of the Control Authority in regard to the procedures, form and conditions of its intervention in order to safeguard the interests, rights and freedoms of the affected owners.

There is no mandatory breach notification requirement under the Data Protection Law.

Last modified 28 Jan 2020
Enforcement

The competent authority for the enforcement of Data Protection Law is the Personal Data Authority, the Agency of the electronic government and information technologies and communication (AGETIC). However, considering that Authority is not yet created, the level of enforcement may be distributed to other legislative organs in the future.  

Last modified 28 Jan 2020
Electronic Marketing

There is nothing legally established in Bolivia concerning electronic marketing.

Last modified 28 Jan 2020
Online Privacy

There is nothing established about online privacy, or cookies, or location data.

Last modified 28 Jan 2020
Contacts
Marcos Mercado Delgadillo
Marcos Mercado Delgadillo
Jorge Luis Inchauste Comboni
Jorge Luis Inchauste Comboni
Last modified 28 Jan 2020