OMG
What law(s) specifically govern personal data / information?
Law 172-13 of December 15, 2013 (“Law 172-13”).
Additionally, the right to intimacy and personal honor is duly recognized by the Dominican Constitution of October 2024.
Law 53-07 on Hi-Tech Crimes and Offences (Ley 53-07 sobre Crímenes y Delitos de Alta Tecnología) of 23 April 2007, on the other hand, protects, among other things, the integrity of information systems and their components, commercial transactions, and information or data archived or transferred through them.
Law No. 4-23 Organic Law of Civil Status Act, enacted on January 18, 2023, provides that no private entity may collect, capture, process and use the biometric data of a person or a client, unless the following conditions are met:
- Inform the person, in writing or by electronic means, that their biometric data is being collected or stored.
- Inform the person, in writing or by other means, of the specific purpose and length of the term for which their biometric data is collected, stored, and used.
- The person grants their explicit, free, specific, informed, and unequivocal consent for the processing of said biometric data.
Furthermore, there are additional rules that have an impact on the collection/access, treatment, and transference of personal data, such as:
- Law 192-19 for the Protection of the Image, Honor and Family Intimacy related to Deceased or Injured Persons.
- Law 1-24, that creates the National Intelligence Directorate (DNI for its acronym in Spanish).
- Law 97-25, that establishes the Penal Procedural Code of the Dominican Republic.
- Resolution No. 126-2021, issued by the Board of Directors of the Dominican Telecommunications Institute (Instituto Dominicano de las Telecomunicaciones INDOTEL), for Cybersecurity for Access to Internet Services.
One important instrument to consider, which will come into effect in August 2026, is the new Penal Code for the Dominican Republic. This code establishes offenses against the private information of individuals registered in catalogs, files, or automated data systems. The penalties for violating these provisions will also extend to legal entities/corporations that collect or use personal data without express prior consent.
What are the key data protection principles in this jurisdiction?
Legality of the archives and personal data: consists of the fact that the processing of the data must have purposes attached to the law and public order.
Quality of the data: this provides the obligation that the data be certain, exact, and complete, and that these be kept updated if necessary.
Right to information: when personal data is collected that requires the consent of the owner of the data, so that they can be given the treatment of data or be transferred the data after obtaining said consent, the owner or owners of the data must be previously informed, expressly and clearly, explaining:
The purpose for which the data will be used and who may be the recipients, or class of recipients, of the data.
The existence of the file, registry, data bank, or any other type of data storage in question, and the identity and address of the person in charge.
The possibility of the interested party to exercise the rights of access, rectification, and deletion of data.
Consent of the interested party. The processing and transfer of personal data is unlawful when the owner of the data has not given his free, express, and conscious consent, which must be recorded in writing or by other means that allow that it be equated, according to the circumstances. The aforementioned consent, provided with other declarations, must appear expressly and prominently. Prior notification must be provided to the requisite owner of the data described in numeral 3 of the present article.
Security of the data: The person responsible for the archive of personal data and in this case, the person in charge of the treatment, must adopt and implement the measures of technical, organizational and security nature necessary to safeguard the data of a personal nature and avoid its alteration, loss, treatment, consultation or non-authorized access.
Duty of secrecy: The person responsible for the personal data file and those who intervene in any phase of the processing of personal data are bound by professional secrecy with respect to them and the duty to store them. These obligations subsist even after ending their relations with the owner of the personal data file or, where appropriate, with the person responsible for it, unless relieved of the duty of secrecy by a judicial resolution and when there are well-founded reasons related to public security, national defense or public health.
Loyalty: collecting data by fraudulent, unfair or illegal means is prohibited.
Purpose of the data: The data will only be collected for processing, when they are adequate, pertinent, explicit, not excessive in relation to the scope and specific, and legitimate goals for which they were obtained.
What is the supervisory authority / regulator in charge of data protection?
There is no supervisory authority / regulator in charge of data protection for the Dominican Republic.
However, the Bank Superintendency is the entity responsible for punishing personal data infringements by Credit Bureaus (Sociedades de Información Crediticia), according to Law 172-13, (please refer to Question 4 below).
Therefore, archives, registries, or public and private data banks aimed to provide credit reports are subject to the inspection and surveillance of the Bank Superintendency.
Is there a requirement to register with a supervisory authority / regulator?
There is no registration requirement before a supervisory authority / regulator, in the Dominican Republic.
However, after obtaining the corresponding operations permit, Credit Bureaus (Sociedades de Información Crediticia) must register at the Bank Superintendency, which is the local authority that regulates and supervises credit bureaus in the Dominican Republic. Therefore, archives, registries, or public and private data banks aimed to provide credit reports are subject to the inspection and surveillance of the Bank Superintendency.
Is there a requirement to notify the supervisory authority / regulator?
N/A
Is it possible to register with / notify the supervisory authority / regulator online?
N/A
In the case of Credit Bureaus (Sociedades de Información Crediticia), registration must be performed physically/in person at the Bank Superintendency, following the requirements set by said entity.
What are the key data subject rights under the data protection laws of this jurisdiction?
The personal data subject has the following rights, at any time and upon request:
- Confirmation of the existence of the processing data.
- Right of access to the data.
- Correction of incomplete, inaccurate or out-of-date data.
- The right to request rectification, erasure or update of the personal data.
- Deletion/removal of personal data processed with the consent of the data subject except in the situations provided for in Law 172-13.
- Right to compensation for breach of the provisions of Law 172-13.
However, Section 27 of Law 172-13 sets forth the exception to the consent requirement for the treatments and assignment of personal data when:
- It is obtained from publicly accessible sources.
- It is collected for the exercise of functions proper to State/governmental official attribution/powers or under a legal obligation.
- In case of lists for marketing purposes, whose data is limited to name, identity document number, tax identification and other biographical information.
- Derived from a commercial, labor or contractual, scientific or professional relationship with the natural person, and are necessary for their development or compliance.
- In the case of personal data that it is received from its clients in relation to the operations carried out by financial intermediation entities regulated by the Monetary and Financial Law, of the Credit Bureaus (Sociedades de Información Crediticia), that develop tools for credit scores for risk evaluations of debtors of the national financial and commercial system, according to the conditions set forth in Section 5 numeral 4 of Law 172-13.
- It is provided by law.
- It is carried out directly between dependencies of governmental bodies, in the measure of compliance with their respective powers.
- In the case of personal data related to health, and that it is necessary for public health reasons, emergency, or for conducting epidemiological studies, and as long as the secrecy of the identity of the owners of the data is preserved through adequate dissociation mechanisms.
- An information dissociation procedure has been applied, so that the owners of the data are not identifiable.
Is there a requirement to appoint a data protection officer (or equivalent)?
Law 172-13 does not appoint a data protection officer; however, the files, records, or public and private data banks intended to provide credit reports will be subject to the inspection and surveillance of the Bank Superintendency as a control officer.
In accordance with Section 29 of Law 172-13, the Bank Superintendency will be responsible for:
- Assisting and advising individuals who require it regarding the scope and legal means at their disposal for the defense of the rights guaranteed in Law 172-13;
- Imposing administrative sanctions that correspond to the breach of the rules set forth in Law 172-13.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Law 172-13 does not set forth data protection/privacy impact assessments to be carried out in certain circumstances. However, the financial intermediation entities, economic agents and other entities that engage services with Credit Bureaus (Sociedades de Información Crediticia) must obtain written and express consent for the data that is to be collected/treated. These entities are responsible for the accuracy of the data in their files for a period of six (6) months from the moment in which said permission was duly granted by the owner of the data, as set forth in Section 4 of Law 172-13.
Does this jurisdiction have any specific data breach notification requirements?
N/A
However, Section 29 of Law 172-13 points out that the Bank Superintendency, as the local authority regulating and supervising Credit Bureaus in the Dominican Republic, has the obligation to impose the corresponding administrative sanctions for violation of the rules set forth in Law 172-13.
It is important to note that the owner of personal data has the right to access such information and demand its rectification, erasure or update through the “Habeas Data” procedure set forth in the Dominican Constitution, as well as by Section 17 of Law 172-13.
What restrictions apply to the international transfer of personal data / information?
International transfers of personal data of any type, among countries and international organizations that require the data owner’s consent are only permitted in specific situations, set forth in Section 80 of Law 172-13, such as:
- The owner freely and consciously decides to authorize, of his own free will, the transfer of data, or when the law allows it.
- In case of data exchange of a medical nature, when so required by the treatment of the affected person or an epidemiological investigation, or for hygiene or public health reasons.
- In case of bank or stock transfers, in relation to the respective transactions and in accordance with the legislation that is applicable to them.
- The data transfer has been agreed or contemplated within the framework of international treaties or conventions, and in the free trade agreements to which the Dominican Republic is a party.
- The data transfer is for the purpose of international cooperation between intelligence agencies for the fight against organized crime, terrorism, human trafficking, drug trafficking, and other crimes and offences.
- The data transfer is necessary for the performance of a contract between the owner of the data and the person in charge of the treatment, or for the execution of pre-contractual measures.
- The legally required transfer of data is to safeguard the public interest or for the recognition, exercise or defense of a right in a court process, or requested by a tax or customs administration for the fulfillment of its powers/duties.
- The transfer of data is carried out to provide or request international legal assistance; and
- The transfer of data is carried out at the request of an international organization with legitimate interest from a public record.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, it does not. As set forth in Section 3 of Law 172-13, the data protection laws derived from Law 172-13 are of public order and apply to all the personal data that is processed and collected within the Dominican Republic territory.
What rules specifically deal with marketing?
Law 172-13 sets forth the obligations of the privately owned registries. Specifically, Section 71 of Law 172-13 sets forth the obligations for the owners of the privately owned registries for advertising and commercial purposes as well as the rights for such personal data owners.
In the Dominican Republic there is no particular or specific law covering or regulating marketing, advertising or promotions. However, the following laws set forth provisions related to advertising, promotions and marketing across different areas and industries:
The Constitution of the Dominican Republic;
Law No. 424-06 Free Trade Agreement among Dominican Republic, Central America and the United States of America, dated 20 November 2006;
Competition Defense Law No. 42-08, dated 16 January 2008;
Law No. 358-05, Consumer’s Rights Protection Law, dated 14 September 2005;
Law No. 6132 of Expression and Diffusion of Thought, dated 15 December 1962;
Law No. 136-03, which creates the Regulation for the Protection System for the Fundamental Rights of Girls, Boys and Adolescents, dated 17 October 2003;
Law No. 01-02 of Unfair Trade Practices and Safeguard Measures dated 22 January 2002;
Copyright Law No. 65-00, dated 24 August 2000;
Industrial Property Law No. 20-00, dated 10 May 2000;
Telecommunications Law No. 153-98, dated 28 May 1998;
Law No 48-00, which prohibits smoking within indoor spaces, dated 27 July 2000;
General Health Law No. 42-01, dated 10 March 2001;
Law 249-17 which modifies Law No. 19-00 of the Dominican Securities Market, dated 21 December 2017;
Law No. 10-91 which creates the Dominican Journalists Association, dated 15 May 1991;
Law No. 287-04 about Prevention, Suppression and Limitation of Harmful and Annoying Noises that produce noise pollution, dated 27 August 2004;
Law No. 126-02 about E-Commerce, Documents and Digital Signatures, dated 29 September 2002;
Law No. 47-25 of Public Contracts, dated 28 July 2025;
Law No. 134-03, which creates the State Corporation of Radio and Television dated 15 August 2003;
Tourism Organic Law No. 541, dated 29 December 1979;
Law No. 50-88 of Drugs and Controlled Substances of the Dominican Republic, dated 30 May 1988 and its modifications;
Dominican Disability Law No. 5-13, dated 13 January 2013;
Law No. 310-14 dated 11 August 2014, which regulates the exchange of unsolicited commercial electronic mails (SPAM);
Technical Regulation No. 0000033, dated 21 December 2015 of the Social Assistance and Public Health Ministry, which regulates the publicity and promotions of medicine, cosmetics, sanitary, personal and household hygiene products; and
Resolution No. 016-2014 of the Directive Board of the National Institute for the Protection of Consumer Rights, which regulates Misleading Advertising in the Dominican Republic, dated 14 August 2014.
Do different rules apply to business-to-business and business-to-consumer marketing?
In the Dominican Republic, business and commercial agreements are primarily based on and governed by the principle of freedom of contract and, as such, parties are free to establish the provisions that will regulate their relationship, as long as such contractual relationship does not infringe public order.
As previously indicated, in the Dominican Republic there is no particular or specific law that regulates marketing and advertising. However, there are laws that set forth provisions related to advertising, promotions, and marketing across different areas and industries. For instance, and from a consumer protection perspective, Law No. 358-05 on Consumer’s Rights Protection, dated 14 September 2005, presents specific provisions in order to avoid unlawful competition, willful intent and misleading conduct. It also relates to business-to-consumer marketing and the protection of end users/consumers from misleading advertising, comparative advertising and lure advertising.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Law No. 126-02 about E-Commerce, Documents and Digital Signatures, dated 29 September 2002;
Law No. 358-05, Consumer’s Rights Protection Law, dated 14 September 2005; and
Law No. 310-14 dated 11 August 2014, which regulates the exchange of unsolicited commercial electronic mails (SPAM). It also recognizes the collection of personal data from publicly accessible websites as illegal and subject to sanctions.
What rules specifically deal with cookies?
In principle, Law No. 126-02 about E-Commerce, Documents and Digital Signatures, dated 29 September 2002.
However, even though the term “cookies” is not literally defined under Dominican Law, cookies that allow the identification of a person are considered personal data, and therefore the provisions of Law 172-13 must be considered.
These provide that the expressed consent of the individual whose data is being collected must be obtained, as well as the provision of clear and comprehensive information to said individual about the collection, use, storage, processing and protection of their personal data. This includes information collected through cookies, and other tracking and/or storing technologies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Non-compliance with data protection laws (including other laws relating to data protection and personal data privacy) shall be subject to fines and pecuniary penalties, as well as precautionary measures and sanctions, in the penal, administrative and civil fields.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
In principle, data protection laws apply to/within the territory of the Dominican Republic; however, multinational organisations should take all measures needed to comply with key factors and local legal requirements for the proper use of the information related to personal data/data privacy.
This is especially true when said information will be subject to be transferred or used outside the territory, or by entities related to said multinational organizations or will be used for different purposes or by third parties other than the entity that obtained the data.
Under some conditions the international transfer of personal data conducted by multinational organisations could be subject to EU General Data Protection Regulation (GDPR). In this case, multinational organisations should comply with the conditions established in chapter V of the GDPR called "transfers of personal data to third countries or international organizations".
What upcoming data protection developments should multinational organisations be aware of?
The review and discussions of draft bills (projects of legislation) seeking an amendment and/or update of Law 172-13 on the protection of personal data in the Dominican Republic, including standardization of provisions with other international instruments, such as the EU General Data Protection Regulation (GDPR), as well as the need for a supervisory/regulatory entity, among other proposals.
The entry into force in August 2026 of the new Penal Code for the Dominican Republic, which establishes offenses against the private information of individuals registered in catalogs, files, or automated data systems; particularly the establishment of criminal liability for legal entities/corporations.