DLA Piper Intelligence

Data Protection
Laws of the World

Law

Costa Rica

Data privacy regulation in Costa Rica is contained in two laws, the "Laws": Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization; and Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Personal information contained in public or private registries (eg, medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons or entities with a need to know such information.

Definition of sensitive personal data

Personal information related to the personal sphere of an individual, including racial origin, political opinion, religious or spiritual convictions, socioeconomic condition, biomedical or genetic information, sex life and sexual orientation, among others. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

Authority

Pursuant to Law No. 8968, the Agency for the Protection of Individual's Data (PRODHAB) is the entity charged with enforcing compliance with the Laws.

The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.

Registration

Under Law 8968, companies that manage databases containing personal information and that distribute, disclose or commercialize such personal information in any manner must register with the Agency.

Entities that manage databases containing personal information for internal purposes do not need to be registered with PRODHAB.

Databases managed by financial institutions subject to control and regulation from the Superintendent of Financial Entities of Costa Rica do not need to be registered with the Agency.

In-house databases are outside the scope of enforcement of the Laws.

Data Protection Officers

There is no requirement for a data protection officer.

Collection & Processing

Any company may store personal information and manage a database containing it if the following rules are respected:

  • When collecting personal information, private companies and/or the government must respect the “sphere of privacy” to which all individuals are entitled
  • Such companies must obtain prior, unequivocal, express and valid consent from the owner of the personal information or his or her representative. Such consent must be written (either handwritten or electronic)
  • Companies that maintain personal information about others in their databases must ensure that such information is:
    • Materially truthful
    • Complete and
    • Accurate
  • Data subjects must be given access to their personal information and are entitled to dispute any erroneous or misleading information about them at any time
  • Companies that manage databases containing personal information and that distribute, commercialize or disseminate such personal information in any manner must comply with Law 8968. In particular, they must comply with the following:
    • Report and register the company and the database with PRODHAB
    • Report the technical measures to secure the database
    • Protect and respect confidentiality of personal information
    • Secure the information contained in the databases
    • Establish a procedure to review requests filed by data subjects for the amendment of any errors or mistakes in the database
Transfer

The transfer of personal information is authorized by the Laws if the data subject provides prior, unequivocal, express and valid written consent to the company that manages the database. Such transfers cannot violate the principles and rights granted in the Laws. Also, there are specific limitations regarding cross-border transfers of personal information.

The transfer of personal information from the person responsible for a database to a service supplier, technological intermediary, or entities in the same economic interest group is not considered a transfer of personal information and thus does not need authorization from the data subject. Also, the transfer of public information (which can be generally accessed) does not need authorization from the data subject.

Security

Any company or individual using and/or managing personal information must take all necessary steps (technical and organizational) to guarantee that the information is kept in a secure environment, and must issue an internal protocol indicating all the procedures that shall be followed during the collection, storage and use of such information.

If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

Breach Notification

Any entity managing personal data must inform PRODHAB and the data subject about any breach of personal information within five business days after the time of the breach.

In the notification, the entity must provide to PRODHAB and the data subject the following information:

  • Nature of the breach
  • Personal data compromised by the breach
  • Immediate corrective actions taken
  • Other preventive and corrective actions that will be taken
  • Contact information to obtain further information
Enforcement

PRODHAB has begun to enforce the obligations established under the Laws. Individuals may file their claims directly with PRODHAB, which may initiate an administrative procedure against the database manager.

Electronic Marketing

General rules of data protection will apply. There is little to no regulation of electronic marketing.

Notwithstanding the above, the Telecommunications Act set the scope and the mechanisms of regulation for telecommunications (including e-marketing), by describing the data subject’s rights, interests and privacy protection policy. Therefore, pursuant to that Act, marketing companies may not advertise by phone or email unless they obtain prior and express written consent from the data subject. Companies that do not comply with this condition might be sanctioned with a fine of between 0.025% and 0.5% of the company's income for the last fiscal year.

Online Privacy

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, apply.

Contacts
Carlos J. Oreamuno
Partner
T +(506) 2233 9202
Sergio A. Solera
Partner