No specific regulation is in place regarding online privacy in El Salvador.
N/A.
El Salvador’s Congress approved a Personal Data Protection Act on Apr. 22, 2021. As part of the process of creation of a Law in El Salvador, all Acts approved by Congress are later referred to the President of the Republic for his review/veto/approval. In this case, the Act was vetoed and sent back to Congress for review but no further action has been taken in order to review the causes for the veto and/or make any amendments for its further approval.
Hence, data protection regulation in El Salvador remains disseminated in many other Acts that briefly regulate the confidentiality of a person’s information but no specific regulation is in place.
Definition of Personal Data
“Information concerning a natural/moral person who is identified or identifiable.”
Definition as contained Personal Data Protection Act on Apr. 22, 2021
Definition of Sensitive Personal Data
“Personal data that affects the most intimate sphere of its owner and whose misuse may give rise to discrimination, seriously affect the right to honour, personal and family privacy and self-image. They are generally those that reveal aspects such as creed, religion, ethnic origin, political affiliation or ideologies, union membership, sexual preferences, physical and mental health, biometric information, genetics, moral and family situation, and other intimate information of a similar nature.”
Definition as contained Personal Data Protection Act on Apr. 22, 2021
The Personal Data Protection Act on Apr. 22, 2021 created the National Authority for the Protection of Personal Data; however, said institution is not in force given that the Act was not finally approved.
Some protection of data is handled by the Institution of Access to Public Information but in regards specifically to data of persons who have had a direct relationship with the Government, such as current or former public employees, contractors, etc.
Registration is not regulated.
To this date, only Public Offices/Institutions are required to appoint a Public Information Access Officer, but no Data Protection Officer regulation is in place.
Collecting and Processing is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act, in regards to the information of the owners of an E-Signature.
Transfer is not specifically regulated. However, disperse regulation generally establishes that the owner of personal information must authorise in written the transfer of their data.
Security is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act, in regards to the information of the owners of an E-Signature.
Breach notification is not regulated.
No specific Enforcement Authority has been created. However to the extent of its capabilities and within the legal framework of our criminal jurisdiction, the General Attorney’s Office can prosecute any crime related with the use of personal data as regulated in the laws of the matter.
Electronic Marketing is not specifically regulated; however, false/misleading advertisement is punishable as stated in El Salvador’s Consumer Protection Act.
No specific regulation is in place regarding online privacy in El Salvador.