DLA Piper Intelligence

Data Protection
Laws of the World

Security

Organisations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Last modified 16 Feb 2022
Law
Cuba

Cuba does not have its own data protection law. 

Cuba regulates data privacy and protection issues, in general, under the following normative: 

  • Constitution of the Republic of Cuba (2019) .- article 97
  • Decree-Law 35/2021 “On Telecommunications, Information and Communication Technologies and the use of the Radioelectric Spectrum”.
  • Decree-Law No. 370/2018 “On the Computerization of the Society in Cuba”.
  • Decree 360/2019 "On the Security of Information and Communication Technologies and the Defence of National Cyberspace".
  • Resolution No. 99/2019 "Regulation for private data networks".
  • Others rules:
    • Regulation for the production of computer programs and applications and the evaluation of their quality (2019).
    • System for registration of computer programs and applications (2019).
    • Regulation with the control measures and the types of security tools that are implemented in private data networks (2019).
    • Regulation with the control measures and the types of security tools that are implemented in private data networks (2019).
    • Regulation of the provider of public accommodation and hosting services in the internet environment (2019).
    • Regulation of the provider of public accommodation and hosting services in the internet environment (2019).
    • Information and communication technology security regulation (2019).
    • Methodology for Information Security Management (2019).
Last modified 16 Feb 2022
Definitions

Definition of Personal Data

In the regulatory order, the information is approached in a general sense oriented to the preservation of the confidentiality, integrity and availability of the same, and focuses on establishing rules that regulate the management and treatment of information in general, especially related to cybersecurity issues.

Definition of Sensitive Personal Data

Cuban rules do not provide for an express definition of sensitive personal data.

Last modified 16 Feb 2022
Authority

Ministry of Communications.

Last modified 16 Feb 2022
Registration

No requirements.

Last modified 16 Feb 2022
Data Protection Officers

There is no general requirement under binding Cuban rules for organisations to appoint a data protection officer.

Last modified 16 Feb 2022
Collection & Processing

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the Ministry of Communications to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by Cuba rules.

Last modified 16 Feb 2022
Transfer

Nothing in the Cuba rules is established concerning transfer.

Last modified 16 Feb 2022
Security

Organisations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Last modified 16 Feb 2022
Breach Notification

The Ministry of Communications, in coordination with other authorities, establishes the Program for Strengthening Cybersecurity and coordinates participation in activities required for this purpose and implements its control and inspection. 

The Cuba rules introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organisations must promptly take relevant measures to mitigate any damage and notify the relevant data subjects and report to the relevant government agencies in a timely manner in accordance with relevant provisions.

Mandatory breach notification

All breaches must be reported according to a four-level security scheme.

Last modified 16 Feb 2022
Enforcement

The competent authority for the enforcement of Data Protection rules is the Ministry of Communications, in coordination with the Ministry of Interior, Cuban Central Bank, and other authorities.

Last modified 16 Feb 2022
Electronic Marketing

Natural and legal persons that provide goods and services for digital media are obliged to develop a technically safe environment for commercial transactions in which they operate, in accordance with current legislation.

Last modified 16 Feb 2022
Online Privacy

There is nothing established about online privacy, or cookies, or location data.

Last modified 16 Feb 2022
Contacts
Aldo Alvarez
Aldo Alvarez
Director
Mercatoria
T +53 58050722
Last modified 16 Feb 2022