Lexincorp Central American Law Firm
The following law(s) specifically govern personal data / information:
Law number 8968, Law on the Protection of Personal Data
The key data protection principles in this jurisdiction are:
- Informative self-determination.
- Quality of the information.
- Goal adequateness.
The supervisory authority / regulator in charge of data protection is:
Data Protection Agency (Agencia de Protección de Datos de los Habitantes, also called PRODHAB for its acronym in Spanish). PRODHAB is headed by a National Director, who is the top person in charge of the Agency.
Is there a requirement to register with a supervisory authority / regulator?
Yes, there is a registration process, which applies only to individuals or corporations who manage personal data databases.
Requirements: signed request, designation of people responsible before PRODHAB, details of the security measures for data treatment, recipients of the data, copy of existing acting protocols, and method of service.
The annual fee is $200.
Is there a requirement to notify the supervisory authority / regulator?
Yes, there should be an express approval by PRODHAB for people or corporations to manage data (the registry process described above).
Is it possible to register with / notify the supervisory authority / regulator online?
Via the PRODHAB website, with the respective forms to be completed.
The key data subject rights under the data protection laws of this jurisdiction are:
- Access to the information.
- Right to rectification.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
No; nevertheless, the requirements established by PRODHAB must be complied with.
Does this jurisdiction have any specific data breach notification requirements?
The proceeding is presented before PRODHAB (the supervisory authority) by the affected party. Additionally, PRODHAB can start a proceeding by its own motion.
PRODHAB will notify the other party and that party will have 3 days to submit its case and defense report.
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The following rules specifically deal with marketing:
Do different rules apply to business-to-business and business-to-consumer marketing?
Costa Rica does not have any legislation specifically for marketing; however, there is directly related legislation specifically for labelling and advertising.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The following rules specifically deal with cookies:
The consequences of non-compliance with data protection laws (including marketing laws) are:
After the process is presented before PRODHAB (the supervisory authority) by the affected party, and PRODHAB rules that there was indeed a data breach, PRODHAB may impose economic sanctions calculated on base salaries, ranging from one to thirty base salaries.
Apart from that, there could always be a judicial proceeding before national courts.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
The multinational must comply with the ruling regarding registration with PRODHAB if it manages personal information databases for marketing purposes.
If the multinational only handles personal information of personnel and employees, the labour / employment contract must state that the employee releases the multinational from responsibility for the use of the employee's personal information.
Multinational organisations should be aware of the following upcoming data protection developments: