Lexincorp Central American Law Firm
What law(s) specifically govern personal data / information?
Law number 8968, Law on the Protection of Personal Data
What are the key data protection principles in this jurisdiction?:
- Informative self-determination.
- Informed consent.
- Quality of the information.
- Goal adequateness.
What is the supervisory authority / regulator in charge of data protection?
Data Protection Agency (Agencia de Protección de Datos de los Habitantes, also called PRODHAB for its acronym in Spanish). PRODHAB has a National Director as the person in charge of the Agency.
Is there a requirement to register with a supervisory authority / regulator?
Yes, there is a registration process, but only for individuals or corporations that manage personal data databases.
Requirements: signed request, designation of people responsible before PRODHAB, details of the security measures for data treatment, recipients of the data, copy of existing acting protocols, and method of service.
The annual fee is USD 200.
Is there a requirement to notify the supervisory authority / regulator?
Yes, there should be an express approval by PRODHAB for people or corporations to manage data (the registry process described above).
Is it possible to register with / notify the supervisory authority / regulator online?
PRODHAB website, with respective forms to be completed.
What are the key data subject rights under the data protection laws of this jurisdiction?
- Access to the information.
- Right to rectification.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No; nevertheless, the requirements established by PRODHAB must still be complied with.
Does this jurisdiction have any specific data breach notification requirements?
The proceeding is presented before PRODHAB (the supervisory authority) by the affected party. Additionally, PRODHAB can start a proceeding by its own motion.
PRODHAB will notify the other party and that party will have 3 days to submit its case and defence report.
What restrictions apply to the international transfer of personal data / information?
Art. 31, Law 8968 - Very serious offences.
Subparagraph f) Transferring, to databases of third countries, personal information of Costa Ricans or foreigners residing in the country, without the consent of their owners.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
What rules specifically deal with marketing?
Costa Rica does not have any legislation specifically for marketing; however, there is directly related legislation that specifically covers labelling and advertising.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes, and it will depend on the business. The relationship should be analysed on a case-by-case basis in order to identify the applicable legislation.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
What rules specifically deal with cookies?
What are the consequences of non-compliance with data protection laws (including marketing laws)?
After the proceeding is presented before PRODHAB (the supervisory authority) by the affected party, and PRODHAB rules that there was indeed a data breach, PRODHAB may impose economic sanctions calculated in base salaries, ranging from one to thirty base salaries.
In addition, there could also be judicial proceedings before national courts.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
The multinational must comply with the rules on registration with PRODHAB if it manages personal information databases for marketing purposes.
If the multinational only handles the personal information of its personnel and employees, the labour / employment contract must include the employee's release of the multinational from responsibility for the use of the employee's personal information.
What upcoming data protection developments should multinational organisations be aware of?
No current ones.