DLA Piper Intelligence

Data Protection Laws of the World

Law

Costa Rica

The development of data privacy regulation in Costa Rica is divided between two laws (the "Laws"). The first law is Law No. 7975, Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization. The second law, Law No. 8968, Protection in the Handling of the Personal Data of Individuals, and its by-laws were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, its scope is limited.

Last modified 24 Jan 2017
Definitions

Definition of personal data

Personal information contained in public or private registries (e.g. medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons/entities with a ‘need to know’ such information.

Definition of sensitive personal data

Personal information relating to ideological orientation, creed, sexual preferences. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

Authority

Pursuant to Law No. 8968, the Agency for the Protection of Individual's Data, hereinafter "PRODHAB", is the entity charged with enforcing compliance with the applicable regulation.

Pursuant to the abovementioned by-laws, each data holder must grant PRODHAB, for control purposes, unrestricted and permanent access to each database through a “Superuser”. This requirement has been very controversial in Costa Rica.

The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.

Registration

Under Law 8968, companies that manage databases containing personal information and that distribute, disclose or commercialize in any manner such personal information must register before the Agency.

In-house databases are outside the scope of enforcement of the Laws.

Data Protection Officers

There is no requirement for a data protection officer.

Collection & Processing

Any company may store and manage a database containing personal information if the following rules are respected:

  • When accumulating personal information, private companies and/or the government must respect the 'sphere of privacy' to which all individuals are entitled.
  • Such companies must obtain prior, express and valid consent from the owner of the personal information or its representative. Such consent must be written (either handwritten or electronic).
  • Companies that maintain personal information about others in their databases must ensure that such information is:
    • materially truthful;
    • complete; and
    • accurate.
  • Individuals must have access to their personal data and must be entitled to dispute any erroneous or misleading information about them at any time.
  • Companies that manage databases containing personal information and that commercialize such personal information in any manner must comply with Law 8968. In particular, they must:
    • Report and register the company and the database before PRODHAB;
    • Report the technical issues related to the security of the database;
    • Protect and respect confidentiality issues;
    • Secure the information contained in the databases; and
    • Establish a procedure to review requests filed by individuals for the amendment of any errors or mistakes in the database.

Transfer

Transfer of personal information is authorized by the Laws if the data subject provides prior, express and valid written consent to the company that manages the database. Such transfer cannot violate the principles and rights granted in the Laws.

The transfer of public information (which is generally accessible) does not require authorization from the data subject.

Security

Any company or individual using and/or managing this type of information must take all necessary steps (technical and organisational) to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

Breach Notification

There is no mandatory requirement. Nonetheless, if there is a breach, the entity that manages the database might be liable.

Enforcement

PRODHAB recently announced that it will begin to enforce the obligations established under the Laws. Therefore, individuals may file their claims directly with PRODHAB so that an administrative procedure may be initiated against the database manager.

Electronic Marketing

General rules of data protection will apply. There is little to no regulation of electronic marketing.

Notwithstanding the above, the Telecommunications Act sets the scope and the mechanisms of regulation for telecommunications (including e-marketing) by describing the data subject’s rights, interests and privacy protection policy. Pursuant to that Act, marketing companies may not advertise via phone or email unless they obtain prior and express written consent from the data subject. Companies that do not comply with this condition might be sanctioned with a fine of between 0,025% and 0,5% of the company's income for the last fiscal year.

Online Privacy

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.

Contacts
Carlos J. Oreamuno
Partner
T +(506) 2233 9202
Sergio A. Solera
Partner