DLA Piper Intelligence

Data Protection
Laws of the World

Security

Security is not regulated. However, as referred above, according to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.

Last modified 21 Dec 2021
Law
Guatemala

Guatemala does not have a personal data protection law, however the Law on Access to Public Information (Ley de Acceso a la Información Pública – Decree 57-2008 of the Congress of the Republic), even if it pertains to information in public files and records, does address the matter in certain provisions which can be applicable to private parties.

Last modified 21 Dec 2021
Definitions

Definition of Personal Data

Article 9, number 1 of the Law on Access to Public Information defines Personal Data as “relative to any information pertaining to natural persons identified or identifiable.”

Definition of Sensitive Personal Data

Article 9, number 2 of the Law on Access to Public Information defines Sensitive Personal Data as “such personal data referring to physical or moral characteristic of the persons or to facts or circumstances of its private life or activity, such as personal habits, racial origins, ethnic origin, ideology or political opinions, religious beliefs or convictions, physical or psychologic health status, sexual preference or sex life, moral and familiar situation or other intimate matters similar in nature.”

Last modified 21 Dec 2021
Authority

According to Art. 46 of the Law on Access to Public Information the competence as National Data Protection Authority is the Ombudsman (Procurador de los Derechos Humanos).

Last modified 21 Dec 2021
Registration

Registration of Personal Data is not regulated, yet if personal data of an individual is gathered by any public office or obliged subject, even private parties (under the premise that they receive public funds or grants from the State of Guatemala), Article 30 of the Law on Access to Public Information grants the right to Habeas Data. 

Last modified 21 Dec 2021
Data Protection Officers

Public offices and private parties defined in Art. 6 of the Law on Access to Public Information must implement Public Information Units, pursuant to Art. 19 of the law.

Last modified 21 Dec 2021
Collection & Processing

Collection and Processing of personal data is not regulated, however Art. 33 of the Law on Access to Public Information refers files and information systems and Art. 39 refers to electronic or digital records.  According to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.  Art. 32 of the Law prohibits the creation of data banks or files containing sensitive data and sensitive personal data, unless such information is for the service and attention of the public institution creating the data bank.

Last modified 21 Dec 2021
Transfer

Transfer of Personal Data is not regulated, however, Art. 31 of the Law on Access to Public Information establishes that written consent is necessary for any type of information transfer and bans expressly the commercialisation of sensitive data and sensitive personal data.

Last modified 21 Dec 2021
Security

Security is not regulated. However, as referred above, according to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.

Last modified 21 Dec 2021
Breach Notification

Breach Notification is not regulated, however, Art. 17 of the Law on Access to Public Information stipulates that the person consulting public information must give notice to the relevant authority of the destruction or misuse of public information.

Mandatory breach notification

Mandatory Breach Notification is not regulated.

Last modified 21 Dec 2021
Enforcement

According to Arts. 61, 62 and 63 of the Law on Access to Public Information, enforcement corresponds to the Superior Authorities of the relevant public offices and in the event the infraction entails criminal responsibility it corresponds to the Prosecutor General’s Office.  Arts. 64 to 67 of the Law specifically create criminal figures related to the abuse and misuse of information contained in public records, including Personal Data. 

Specifically, Art. 64 of the Law establishes a prohibition to private parties to commercialise personal data without consent.  Violation to this provision results in jail from 5 – 8 years and a fine ranging from Q.50,000.00 to Q.100,000.00 and the confiscation of any element employed to execute the crime.

Last modified 21 Dec 2021
Electronic Marketing

According to the Law of Acknowledgment of Electronic Communications and Signatures, Decree 47-2008 of the Congress of the Republic, electronic marketing is not considered E-Commerce, yet it is considered a communication and an electronic communication as it contains an exposition, statement, claim, advice, request, or offer and the acceptance of an offer, in relation to the construing or execution of a contract. 

If any such communication is not addressed to a particular person but it is a general communication, according to Art. 25 of the aforementioned law, it shall be deemed an offer. 

Protection to the consumer in E-Commerce and E-Marketing or E-Advertisement is addressed in Art. 51 of the aforementioned law, compelling the originators of such communications to act in an equitable manner and to fully comply with the offered matters and not to engage into false, deceitful, fraudulent or disloyal business practices.

Last modified 21 Dec 2021
Online Privacy

Online privacy is not regulated.

Last modified 21 Dec 2021
Contacts
Carlos Cabrera
Carlos Cabrera
Associate
Central Law
T +502 23836000
Last modified 21 Dec 2021