DLA Piper Intelligence

Data Protection
Laws of the World

Law

Dominican Republic
Dominican Republic

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

  • Reliability
  • Legality
  • Integrity
  • Security, and
  • Purpose of the information

 The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the constitution and operation of credit bureaus.

For the purposes of the DPL, the term 'credit bureau' refers to companies dedicated to collecting, organizing, storing, conserving, providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any other information provided by the Superintendent of Banks.

Last modified 28 Jan 2019
Law
Dominican Republic

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

  • Reliability
  • Legality
  • Integrity
  • Security, and
  • Purpose of the information

 The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the constitution and operation of credit bureaus.

For the purposes of the DPL, the term 'credit bureau' refers to companies dedicated to collecting, organizing, storing, conserving, providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any other information provided by the Superintendent of Banks.

Last modified 28 Jan 2019
Definitions

Definition of personal data

Personal data consists of any information, whether numerical, alphabetical, graphic, photographic, or acoustic, or any other type of data which concerns individuals that are identified or identifiable.

Definition of sensitive personal data

The term 'sensitive data' refers to personal data that reveals its subject´s:

  • Political opinions
  • Religious, philosophical or moral convictions
  • Affiliation to labor unions, and
  • Information concerning health or sex life

Personal data concerning the health of an individual encompasses any information concerning their past, present or future physical or mental health.

Last modified 28 Jan 2019
Authority

The Dominican Republic does not have a national data protection authority.

Section 29 of the DPL establishes that databases and registries, whether public or private, intended to provide credit reports (ie credit bureaus) are subject to the inspection and supervision of the Superintendent of Banks.

Last modified 28 Jan 2019
Registration

Except for credit bureaus, the Dominican Republic does not maintain a registration of personal data controllers or databases, nor of companies that carry out the processing of personal data.

Last modified 28 Jan 2019
Data Protection Officers

There is no requirement to appoint a data protection officer under the DPL.

Last modified 28 Jan 2019
Collection & Processing

The general rule for the treatment of personal data under the DPL is the consent requirement. Consent is valid when there is a manifestation of free will, in an unequivocal, specific and informed manner, whereby the data subject consents to the treatment of personal data concerning him or her.

The DPL provides that the treatment and transfer of personal data is illegal when the data has not consented to such usage, unless an exception is provided by law.

For purposes of the foregoing, the DPL defines treatment as operations and procedures (electronic or otherwise), that allow for the:

  • Collection
  • Storage
  • Organization
  • Modification
  • Evaluation
  • Destruction
  • In general, the processing of personal data, or
  • Its transfer to third parties via communications, interconnections or transfers

Exceptions to the consent requirement include, among others:

  • When the data is obtained from a public source
  • When the data is obtained for the exercise of public duties or pursuant to a legal obligation to do so
  • When the data is obtained for marketing purposes and is limited to certain basic information (eg, name, ID, passport, tax ID)
  • The data derives from a commercial, employment or contractual relationship, or from a professional or scientific relationship with the data subject, and is necessary for its development or compliance
Last modified 28 Jan 2019
Transfer

Transfer is considered a form of 'treatment' of personal data under the DPL; hence, the rules apply, including consent requirements. Additional restrictions are provided under the DPL for international data transfers.

Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for the treatment of the personal data.

Last modified 28 Jan 2019
Security

The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and security measures to safeguard personal data and avoid its:

  • Alteration
  • Loss
  • Treatment
  • Consultation, or
  • Unauthorized access

The DPL prohibits the storage of personal data in files, records or databases that do not meet the necessary technical conditions for guaranteeing their integrity and security. Additionally, credit bureaus and users or subscribers shall take the necessary measures to prevent the alteration, loss or unauthorized access to personal data.

Last modified 28 Jan 2019
Breach Notification

There is no obligation to notify a breach.

Last modified 28 Jan 2019
Enforcement

Data subjects have the right to institute habeas data proceedings to obtain information about the data held that refers to the relevant data subject.

The DPL expressly recognizes the right of data subjects to recover damages for violations of their right to privacy and the integrity of their personal data. Additionally, the DPL provides criminal sanctions (including fines and imprisonment ranging from six months to two years) which may result from violating the DPL.

Law No. 310-14 Which Prohibits the Sending of Commercial Unsolicited Messages (SPAM), enacted on August 8, 2014 ('SPAM Law No. 310- 14',) also provides criminal sanctions for fraudulently obtaining personal data from public websites for commercial purposes (including imprisonment ranging from six months to five years, and fines from 1 to 200 times the minimum wage).

Last modified 28 Jan 2019
Electronic Marketing

Sending commercial or promotional communications via electronic mail is regulated by SPAM Law 310-14. Law 310-14 requires the consent of the recipient in order to deliver commercial communications, unless an exception to said consent requirement is expressly provided by law.

Law 310-14 provides that:

  • The word 'Publicity' (Publicidad) must be included in the subject field of the email
  • Commercial communications must include an email address or other similar mechanism which allows the recipient to send a message indicating their desire to stop receiving such communications (opt-out)
Last modified 28 Jan 2019
Online Privacy

The Dominican Republic has not enacted specific legislation governing online privacy or the use of ‘cookies’, although the provisions of the DPL concerning data protection would apply.

Additionally, the unauthorized use of ‘cookies’ could implicate computer misuse laws prohibiting unauthorized access to computers and information therein, particularly those contained in Law No. 53-07 on high-tech crimes and felonies.

Last modified 28 Jan 2019
Contacts
Mary Fernandez
Mary Fernandez
Partner
Headrick
T +809 473 4500
Last modified 28 Jan 2019