Privacy Law at Costa Rica
Costa Rica's data protection framework is primarily governed by Law No. 8968, known as the Personal Data Protection Law, enacted in 2011. This law establishes the legal basis for the collection, processing, and safeguarding of personal data, applicable to both public and private entities operating within the country.
🇨🇷 Key Provisions of Law No. 8968
1. *Informed Consent
The law mandates that personal data processing can only occur with the explicit, informed consent of the data subjec. This consent must be unequivocal, freely given, specific, and documented, with the data subject being informed about the purpose of data collection, the recipients of the data, and their rights under the la.
2. *Data Subject Rights
Individuals have the right t:
*Access their personal data held by organization.
*Rectify inaccurate or incomplete dat.
*Delete data that is no longer necessary for the purposes for which it was collecte.However, the law does not currently recognize additional rights such as data portability, the right to object, or rights related to automated decision-makin.
3. *Sensitive Personal Data
Processing of sensitive personal data—including information about racial or ethnic origin, political opinions, religious beliefs, health data, and sexual orientation—requires explicit consent from the data subjec.
4. *Data Quality and Security
Organizations must ensure that personal data is accurate, complete, and up to dat. They are also required to implement appropriate technical and organizational measures to protect data from unauthorized access, loss, or disclosur.
5. *Database Registration
Entities that manage databases containing personal data must register these databases with the Agency for the Protection of Inhabitants' Data (PRODHAB. The registration process includes providing details about the data processing activities, security measures, and the individuals responsible for data managemen.
6. *Enforcement and Penalties
PRODHAB is authorized to enforce compliance with the law and can impose sanctions for violations, including fines and orders to cease data processing activitie. Penalties vary based on the severity of the infraction, with fines ranging from $3,000 to $18,000, and in severe cases, suspension of data processing activities for up to six month.
🔄 Recent Development
In January 2024, a bill (No. 24135) was introduced to amend Law No. 8968, aiming o:
*Impose a 72-hour deadline for notifying both PRODHAB and affected individuals in the event of a data breah.
*Enhance transparency by requiring detailed information about the breach, including the means to obtain further detais.
*Strengthen penalties for non-compliance with breach notification requiremens. citeturn0search4
🏛️ Regulatory Authoriy
The Agency for the Protection of Inhabitants' Data (PRODHAB) is the national authority responsible for overseeing data protection compliance in Costa Rc PRODHAB has the authority to conduct inspections, issue sanctions, and provide guidance on data protection mattr. Recent proposals suggest enhancing PRODHAB's independence and resources to improve its effectivenss
🌐 International Engagemnt
Costa Rica is working towards aligning its data protection laws with international standards, such as the European Union's General Data Protection Regulation (GP) The proposed amendments to Law No. 8968 reflect this commitment by introducing more stringent breach notification requirements and enhancing individual rihts.
RELATED Blog
0 comments