C.R. & F. Rojas Abogados
What law(s) specifically govern personal data / information?
Constitution; Procedural Constitutional Code No. 254; Civil Code; Telecommunications Law No. 164; Regulations to the Telecommunications Law No. 1391 and 1793; Financial Services Law No. 393; Criminal Code.
What are the key data protection principles in this jurisdiction?
Privacy
Intimacy
Honor
Dignity
What is the supervisory authority / regulator in charge of data protection?
There is no supervisory authority, nor an organic Data Protection Law.
Is there a requirement to register with a supervisory authority / regulator?
N/A
Is there a requirement to notify the supervisory authority / regulator?
N/A
Is it possible to register with / notify the supervisory authority / regulator online?
N/A
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to Information
Right to Privacy
Right to Exercise a Privacy Protection Action
Right to the Inviolability and Secrecy of Communications
Right to Access
Right to Rectification of Errors
Right to Updating
Right to Cancellation
Right to Object and Revoke
Is there a requirement to appoint a data protection officer (or equivalent)?
N/A. There is no supervisory authority.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
The personnel of operators and providers of telecommunications services and information and communication technologies are obligated to keep the existence and content of the communications confidential and to protect the personal data and privacy of the users, adopting the most suitable measures to guarantee, preserve and maintain the confidentiality and protection of users’ personal data.
To guarantee the security of this personal data, the following provisions need to be adopted:
- The use of personal data will respect the fundamental rights and guarantees established in the Constitution;
- The processing of data requires the prior and express consent of the owner, which can be revoked without retroactive effects;
- Data owners must be informed about the processing of their data, including its purpose, potential recipients, and the rights they have the ability to exercise;
- Data can only be used or transferred to third parties with the consent of the owner or through a court order;
- The person responsible for the processing of personal data must adopt the necessary technical and organizational measures to ensure data protection and prevent its alteration and unauthorized access, while adjusting to existing technology and risks.
Does this jurisdiction have any specific data breach notification requirements?
The following cases apply:
- If there is a specific court order;
- With the prior, express, and written consent of the owner/user;
- In cases where the information is necessary for the issuance of telephone directories, invoices, call details, handling of claims, or providing information and assistance services as established by regulation.
The operator or service provider must assist in identifying those allegedly responsible for violations of the inviolability and secrecy of communications, as well as the protection of personal data and the privacy of users, that may be committed by their staff at the operator’s or provider’s facilities.
It is prohibited for operators and service providers to allow access to their users' records or databases, whether individually or through lists of users or numbers, for commercial or advertising purposes, except with prior express and written authorization of the user who wishes to receive such advertising.
What restrictions apply to the international transfer of personal data / information?
N/A. There is no supervisory authority, nor an organic Data Protection Law.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, Bolivian Law does not include provisions related to “extra-territorial effect” on organizations outside of its jurisdiction.
What rules specifically deal with marketing?
It is prohibited for operators and service providers to allow access to their users' records or databases, whether individually or through lists of users or numbers, for commercial or advertising purposes, except with prior express and written authorization of the user who wishes to receive such advertising.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, Bolivian Law does not include rules that apply to business-to-business and business-to-consumer marketing.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The personnel of operators and providers of telecommunications services and information and communication technologies are obligated to:
- Keep the existence or content of the communications confidential and protect the personal data and privacy of users.
- Adopt the most suitable measures to guarantee, preserve, and maintain the confidentiality and protection of users’ personal data.
- Assist in identifying those allegedly responsible for violations of the inviolability and secrecy of communications, as well as the protection of personal data and the privacy of users, that may be committed by their staff at the facilities of the operator or provider.
What rules specifically deal with cookies?
No, Bolivian Law does not have rules specifically dealing with cookies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
There is no supervisory authority, nor an organic Data Protection Law that imposes fines.
However, the Criminal Code provides the following provisions:
a. Anyone who, with the intent to obtain an undue benefit for themselves or a third party, manipulates the processing or transfer of computer data, leading to an incorrect result or preventing a process from yielding a correct result, thereby causing a transfer of assets to the detriment of a third party, shall be punished with imprisonment for one (1) to five (5) years and a fine ranging from sixty (60) to two hundred (200) days.
b. Anyone who, without authorization, appropriates, accesses, uses, modifies, deletes, or disables data stored in a computer or any digital medium, causing harm to the data owner, shall be punished with community service for up to one (1) year or a fine of up to two hundred (200) days.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Given that there is no organic Data Protection Law, nor a supervisory authority, the following regulations should be taken into consideration:
- Constitution articles 21, 130 and 131.
- Law No. 254 Constitutional Procedural Code articles 58 to 63.
- Supreme Decree No. 28168, article 19.
- Financial Services Law No. 393, article 477.
- Supreme Decree No. 1391, article 176.
- Supreme Decree No. 1793, article 56.
- Criminal Code, articles 363 Bis and 363 Ter.
What upcoming data protection developments should multinational organisations be aware of?
A Data Protection Law Project is currently being analyzed by Congress.