Data protection laws in Venezuela
There is no specific legislation about data privacy or data protection in Venezuela, however, there are isolated provisions in some existing laws that regulate certain aspects related to data protection (e.g., Law on Privacy Protection of Communications, the Special Law against Computer Crimes, the Organic Law on Prevention, Conditions, and the Working Environment, and the Civil Code, Communications from the National Superintendency of Banks).
Likewise, the Constitution of the Bolivarian Republic of Venezuela (the "Constitution") establishes general principles that serve as a framework for the protection of information. These principles were developed by decision No. 1318 of the Supreme Court of Justice ("TSJ" for its Spanish acronyms) of August 2011, guarding the honour, privacy, intimacy, self-image, confidentiality, and reputation of individuals. The principles are:
- Principle of free will, which implies the need of a prior, free, informed, unequivocal and revocable consent for the use, and collection of personal data.
- Principle of legality, according to which the collection of personal data entails that the limitation to information self-determination is a result of a legal provision.
- Principle of purpose and quality, which means that the collection of personal data must respond to predetermined purposes, motives, or causes that are not contrary to constitutional and legal provisions, also a prerequisite to obtain valid consent. Data can only be extracted and treated for the fulfilment of specific, explicit, and legitimate purposes related to the activity of those who get them. This principle entails the necessary proportionality in the collection of data, which must be adequate, relevant, and not excessive.
- Principle of temporality or conservation, under which the data should be preserved until the purposes or objectives that its collection are achieved.
- Principle of accuracy and self-determination, which means that the data must be complete, accurate and up to date, in response to the real situation of the person as the data may be subject to control by the individuals whose data is collected. The interested party must have clear and expeditious procedures to obtain from the person responsible for the use or receipt of the information: the confirmation of the use of data; the purposes of such registers and its recipients; the rectification or cancellation of inaccurate, inadequate, or excessive data, and; the knowledge of such modifications by those whose wrong information has been communicated.
- Principle of foreseeability and integrity: Although the rights relating to the collection of information should be initially aimed at protecting the rights of the individuals whose information is collected, the analysis of the impact that the collection of data has on such rights cannot be isolated and without reference to data that may be collected in other registries.
- Principle of security and confidentiality, which implies the guarantee of confidentiality, of no alteration of data by third parties, and of access to such data by the competent authorities in accordance with the law. The data must be protected from alteration, loss, accidental destruction, unauthorised access, or fraudulent use. This protection goes as far as preventing international data transfers to States whose legislation does not guarantee a level of protection similar to the one described.
- Principle of guardianship, which means that in addition to having judicial protection to enforce the right to access the information and obtain knowledge of the use of the personal data, there should be public entities that ensure the right to the protection of personal data with powers to create or implement simplified models and based on technical standards to measure the level of efficiency of the structures and procedures in place and the level of protection of the personal data.
- Principle of liability, under which a violation of the right to the protection of personal data gives rise to liability and the imposition of civil, criminal, and administrative penalties, as the case may be.
Also, Article 28 CRBV sets the right for individuals to access their personal information stored in public or private records, to know for what use such information will be recorded, and, rectify or destroy it when incorrect or when it unlawfully affects their rights. Although there is no legal regulation in this regard, the TSJ has agreed to the possibility of maintaining this information and personal data in systems or records, stored in a way that a profile of them can be done with the purpose of using the information for personal gain or for third parties, as long as the rights set in Article 28 CRBV are respected. According to this Article, a double right is guaranteed: (i) to collect information about people and their goods, and (ii) access to such information that has been collected and is reflected in the records. However, whoever collects the information or data of the individuals or their goods, shall respect the right of the people to protect their honour, privacy, intimacy, self-image, confidentiality, and reputation, all of this provided in Article 60 CRBV.
Additionally, the decision also stipulates that the particular data that someone keeps for study purposes, or for personal use or to fulfill professional objectives, which do not form a system capable of designing a total or partial profile of individuals are not subject to these principles, since they lack a general projection. However, records that, when cross-referenced with others, make it possible to outline a profile of the private life of individuals, or of their economic situation, political tendencies, etc., could be part of the records protected by the Constitution. The mere potential of intersecting and complementing the data of a registry, with the information stored in others that complete it, makes the set of records susceptible to the rights referred to in article 28 of the Constitution.
