DLA Piper Intelligence

Data Protection
Laws of the World

Transfer

Transfer is considered a form of 'treatment' of personal data under the DPL; hence, the rules apply, including consent requirements. Additional restrictions are provided under the DPL for international data transfers.

Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for the treatment of the personal data.

Last modified 28 Jan 2024
Law
Dominican Republic

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

  • Reliability
  • Legality
  • Integrity
  • Security, and
  • Purpose of the information

 The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the constitution and operation of credit bureaus.

For the purposes of the DPL, the term 'credit bureau' refers to companies dedicated to collecting, organizing, storing, conserving, providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any other information provided by the Superintendent of Banks.

Law No. 53-07 on High Technology Crimes and Offenses does not specifically refer to personal data but ensures the protection of information systems and their components, as well as the information or data that are stored or transmitted through them, and it also establishes the penalties for crimes committed against them or any of their components or those committed using such technologies to the detriment of individuals or legal entities.

Last modified 28 Jan 2024
Definitions

Definition of personal data

Personal data consists of any information, whether numerical, alphabetical, graphic, photographic, or acoustic, or any other type of data which concerns individuals that are identified or identifiable.

Definition of sensitive personal data

The term 'sensitive data' refers to personal data that reveals its subject´s:

  • Political opinions
  • Religious, philosophical or moral convictions
  • Racial or ethnic origin
  • Affiliation to labor unions or trade union membership, and
  • Information concerning health or sex life

Personal data concerning the health of an individual encompasses any information concerning their past, present or future physical or mental health.

Affected or interested party

Any natural person whose information is the object of data processing, as well as any creditor, whether a natural or legal person, who has or has had a commercial or contractual relationship with a natural person for the exchange of goods and services, where the natural person is the creditor's debtor. As well as any natural or legal person who has had, has or requests to have a good or service of an economic, financial, banking, commercial, industrial, or any other nature, with a financial intermediation institution or with an economic agent.

Data processing

Systematic operations and procedures that allow the collection, conservation, ordering, storage, modification, relation, evaluation, blocking, destruction and, in general, the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections or transfers.

Data Processor

The natural or legal person, public or private, who carries out the processing of personal data on behalf of the controller.

Last modified 28 Jan 2024
Authority

The Dominican Republic does not have a national data protection authority dedicated to overseeing matters related to data protection concerning processing activities performed by private persons or entities.

However, Section 29 of the DPL establishes that databases and registries, whether public or private, intended to provide credit reports (ie credit bureaus) are subject to the inspection and supervision of the Superintendent of Banks.

Additionally, the General Law for the Protection of Consumer or User Rights No. 358-05 determines that the National Institute for the Protection of Consumer Rights, "Pro Consumidor" is the competent authority for monitoring compliance in data protection in consumer matters. The "Pro-Consumidor" cannot impose fines or administrative sanctions but users, consumers and suppliers can initiate conciliation and arbitration processes before them.

Last modified 28 Jan 2024
Registration

Except for credit bureaus, the Dominican Republic does not maintain a registration of personal data controllers or databases, nor of companies that carry out the processing of personal data.

Last modified 28 Jan 2024
Data Protection Officers

There is no requirement to appoint a data protection officer under the DPL.

Last modified 28 Jan 2024
Collection & Processing

The general rule for the treatment of personal data under the DPL is that consent to process is a requirement. Consent is valid when there is a manifestation of free will, in an unequivocal, specific and informed manner, whereby the data subject consents to the treatment of personal data concerning him or her.

The DPL provides that the treatment and transfer of personal data is illegal when the data has not consented to such usage, unless an exception is provided by law.

For purposes of the foregoing, the DPL defines treatment as operations and procedures (electronic or otherwise), that allow for the:

  • Collection
  • Storage
  • Organization
  • Modification
  • Evaluation
  • Destruction
  • In general, the processing of personal data, or
  • Its transfer to third parties via communications, interconnections or transfers

Exceptions to the requirement to obtain consent include, among others:

  • When the data is obtained from a public source
  • When the data is obtained for the exercise of public duties or pursuant to a legal obligation to do so
  • When the data is obtained for marketing purposes and is limited to certain basic information (eg, name, ID, passport, tax ID)
  • The data derives from a commercial, employment or contractual relationship, or from a professional or scientific relationship with the data subject, and is necessary for its development or compliance
Last modified 28 Jan 2024
Transfer

Transfer is considered a form of 'treatment' of personal data under the DPL; hence, the rules apply, including consent requirements. Additional restrictions are provided under the DPL for international data transfers.

Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for the treatment of the personal data.

Last modified 28 Jan 2024
Security

The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and security measures to safeguard personal data and avoid its:

  • Alteration
  • Loss
  • Treatment
  • Consultation, or
  • Unauthorized access

The DPL prohibits the storage of personal data in files, records or databases that do not meet the necessary technical conditions for guaranteeing their integrity and security. Additionally, credit bureaus and users or subscribers shall take the necessary measures to prevent the alteration, loss or unauthorized access to personal data.

Last modified 28 Jan 2024
Breach Notification

There is no obligation to provide notice of a breach.

Last modified 28 Jan 2024
Enforcement

Since there is no special data protection authority in the Dominican Republic, data subjects have the right to institute habeas data proceedings to obtain information about the data held that refers to the relevant data subject.

The DPL expressly recognizes the right of data subjects to recover damages for violations of their right to privacy and the integrity of their personal data. Additionally, the DPL provides criminal sanctions (including fines and imprisonment ranging from six months to two years) which may result from violating the DPL.

Law No. 310-14 Which Prohibits the Sending of Commercial Unsolicited Messages (SPAM), enacted on August 8, 2014 ('SPAM Law No. 310- 14',) also provides criminal sanctions for fraudulently obtaining personal data from public websites for commercial purposes (including imprisonment ranging from six months to five years, and fines from 1 to 200 times the minimum wage).

Although the National Institute for the Protection of Consumer Rights, "Pro Consumidor" cannot impose fines or administrative sanctions but conciliation and arbitration processes between users, consumers and suppliers can be initiated before them.

Last modified 28 Jan 2024
Electronic Marketing

Sending commercial or promotional communications via electronic mail is regulated by SPAM Law 310-14. Law 310-14 requires the consent of the recipient in order to deliver commercial communications, unless an exception to said consent requirement is expressly provided by law.

Law 310-14 provides that:

  • The word 'Publicity' (Publicidad) must be included in the subject field of the email
  • Commercial communications must include an email address or other similar mechanism which allows the recipient to send a message indicating their desire to stop receiving such communications (opt-out)
Last modified 28 Jan 2024
Online Privacy

The Dominican Republic has not enacted specific legislation governing online privacy or the use of ‘cookies’, although the provisions of the DPL concerning data protection would apply.

Additionally, the unauthorized use of ‘cookies’ could implicate computer misuse laws prohibiting unauthorized access to computers and information therein, particularly those contained in Law No. 53-07 on high-tech crimes and felonies.

Last modified 28 Jan 2024
Contacts
Mary Fernandez
Mary Fernandez
Founding Partner
Headrick
T +809 473 4500
Fernando J. Marranzini
Fernando J. Marranzini
Partner
Headrick
T +809 473 4500
Last modified 28 Jan 2024