DLA Piper Intelligence: Data Protection Laws of the World

Costa Rica

Law

Data privacy regulation in Costa Rica is contained in two laws (together, the "Laws"): Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization; and Law No. 8968, Protection in the Handling of the Personal Data of Individuals, together with its by-laws, which was enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.

The Costa Rican Congress is currently discussing a bill that would fully amend the Laws currently in effect. The bill was presented to Congress in January 2021 and is still under discussion.

The proposed bill aims to update the Laws and align their provisions with the principles contained in the EU General Data Protection Regulation (GDPR). It is still unclear whether and when the proposed bill will be enacted.

Last modified 28 Jan 2024
Definitions

Definition of personal data

Personal information contained in public or private registries (eg, medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons or entities with a need to know such information.

Definition of sensitive personal data

Personal information related to the personal sphere of an individual, including racial origin, political opinion, religious or spiritual convictions, socioeconomic condition, biomedical or genetic information, sex life and sexual orientation, among others. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

Authority

Pursuant to Law No. 8968, the Agency for the Protection of Individual's Data (PRODHAB) is the entity charged with enforcing compliance with the Laws.

The Constitutional Court and local civil courts also have jurisdiction to hear claims alleging violations of the Laws.

Registration

Under Law 8968, companies that manage databases containing personal information and that distribute, disclose or commercialize such personal information in any manner must register with the Agency.

Entities that manage databases containing personal information for internal purposes do not need to be registered with PRODHAB.

Databases managed by financial institutions subject to control and regulation from the Superintendent of Financial Entities of Costa Rica do not need to be registered with the Agency.

In-house databases are outside the scope of enforcement of the Laws.

Data Protection Officers

There is no requirement for a data protection officer.

Collection & Processing

Any company may store personal information and manage a database containing it if the following rules are respected:

  • When collecting personal information, private companies and/or the government must respect the “sphere of privacy” to which all individuals are entitled
  • Such companies must obtain prior, unequivocal, express and valid consent from the owner of the personal information or his or her representative. Such consent must be written (either handwritten or electronic)
  • Companies that maintain personal information about others in their databases must ensure that such information is:
    • Materially truthful
    • Complete and
    • Accurate
  • Data subjects must be given access to their personal information and are entitled to dispute any erroneous or misleading information about them at any time
  • Companies that manage databases containing personal information and that distribute, commercialize or otherwise disseminate such personal information in any manner must comply with Law 8968. In particular, they must:
    • Report and register the company and the database with PRODHAB
    • Report the technical measures used to secure the database
    • Protect and respect the confidentiality of personal information
    • Secure the information contained in the databases
    • Establish a procedure to review requests filed by data subjects for the correction of any errors or mistakes in the database

Transfer

The transfer of personal information is authorized by the Laws if the data subject provides prior, unequivocal, express and valid written consent to the company that manages the database. Such transfers cannot violate the principles and rights granted in the Laws. Also, there are specific limitations regarding cross-border transfers of personal information.

The transfer of personal information from the person responsible for a database to a service supplier, technological intermediary, or entities in the same economic interest group is not considered a transfer of personal information and thus does not need authorization from the data subject. Also, the transfer of public information (which can be generally accessed) does not need authorization from the data subject.

Security

Any company or individual using and/or managing personal information must take all necessary technical and organizational steps to guarantee that the information is kept in a secure environment, and must issue an internal protocol setting out all the procedures to be followed during the collection, storage and use of such information.

If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

Breach Notification

Any entity managing personal data must inform PRODHAB and affected data subjects about any breach of personal information (such as loss, destruction, or misplacement), within five business days after the time of the breach.

The notification to PRODHAB and data subjects must at least include the following information:

  • Nature of the breach;
  • Personal data compromised by the breach;
  • Immediate corrective actions taken by the entity;
  • Other preventive and corrective actions that will be taken;
  • Contact information to obtain further information.

Failure to provide notice within the required timeframe may result in a potential fine to be enforced by PRODHAB.

Enforcement

PRODHAB has begun to enforce the obligations established under the Laws. Individuals may file their claims directly with PRODHAB, which may initiate an administrative procedure against the database manager. 

In 20122, PRODHAB received more than 272 complaints (the second highest number in its history) regarding potential breaches of data protection regulations.

Electronic Marketing

General rules of data protection will apply. There is little to no regulation of electronic marketing.

Notwithstanding the above, the Telecommunications Act sets the scope and mechanisms of regulation for telecommunications (including e-marketing) by describing the data subject's rights, interests and privacy protection policy. Pursuant to that Act, marketing companies may not advertise by phone or email unless they obtain prior and express written consent from the data subject. Companies that do not comply with this condition may be sanctioned with a fine of between 0.025% and 0.5% of the company's income for the last fiscal year.

Online Privacy

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, apply.

Contacts

Carlos J. Oreamuno
Partner
Facio & Cañas
T +(506) 2233 9202

Sergio A. Solera
Partner
Facio & Cañas