
Costa Rica

Last Verified on Thursday 3rd January 2019

    • Costa Rica

      Yes. Article 24 of the Constitution protects the rights to intimacy, liberty and secrecy of communications. Based on this article, the Constitutional Court has protected the right to informational self-determination. Additionally, article 4 of Law No. 8968 on the Protection of the Person Concerning the Treatment of Personal Data indicates that the right to informational self-determination is recognised as a fundamental right that allows individuals to control the flow of information about themselves and arises from the right to privacy.


    • Costa Rica

      Yes. The collection and use of personal data are regulated by Law No. 8968 on the Protection of the Person Concerning the Treatment of Personal Data and its Regulations, Executive Decrees Nos. 37554-JP/40008-JP (the Regulations). This law applies to personal data contained in automated or manual databases, whether public or private, and to any subsequent use of these data. The law does not apply to databases maintained for internal, personal or domestic purposes only, as long as they are not put up for sale or commercialised in any other manner.


    • Costa Rica

      Costa Rica has not adopted a general legal framework on cybersecurity matters. However, rules applicable to this matter can be found in different regulations, for instance Law No. 8968 or the Criminal Code. The banking sector supervisor, the General Superintendency of Financial Institutions (SUGEF), has implemented regulation SUGEF 18-16 on Operational Risk and issued, in March 2017, regulation SUGEF 14-17 on the General Management of Information Technology.

      Regarding the commercial sector, on 25 October 2017, the Law to Promote Competition and Effective Consumer Protection No. 7472 was amended to introduce Chapter X regulating e-commerce whereby merchants have the obligation to protect customer personal data as well as establish adequate security systems for payment of goods and services sold online.

      The Criminal Code establishes certain crimes related to cybersecurity such as IT fraud, IT damage, IT sabotage, phishing, pharming, cyber espionage, setup or spread of malicious software, among others.


    • Costa Rica

      Personal data is defined by Law No. 8968 as “any information relating to an identified or identifiable individual”. The definition cannot be extended to data relating to businesses. 


    • Costa Rica

      Yes. Article 3 of Law No. 8968 defines sensitive data as “information related to intimate aspects of the person, such as, information that reveals racial origin, political opinions, religion or spiritual views, socio-economic condition, biomedical or genetic information, life and sexual orientation, among others”. Said law also establishes other categories such as restricted access personal data, unrestricted access personal data and data regarding credit behaviour. 


    • Costa Rica

      Law No. 8968 establishes some basic principles such as informed consent and quality of the information. The quality of the information consists of four sub-principles: current character, truthfulness, accuracy and suitability for the purpose. In addition, other principles can be inferred from the law, such as the principle of security.

      There are some general limitations for the processing of personal data. One of those restrictions sets forth that personal data cannot be processed without the proper informed consent. Also, notwithstanding some allowed exceptions, sensitive data cannot be processed. 


    • Costa Rica

      There are some data protection rules that apply only to certain industries. According to article 9 of Law No. 8968, data regarding credit behaviour shall be governed by the rules of the National Financial System. The 2016 amendment of the Regulations (Decree No. 40008-JP) establishes that financial entities subject to SUGEF are exempt from registering their databases. Nevertheless, the Regulations point out that the Agency for the Protection of the Data of the Inhabitants (PRODHAB) is competent to regulate and supervise the rights and guarantees protected by law on such databases. Regulations issued by SUGEF govern certain aspects specific to financial entities, such as cloud computing and business continuity.

      Regarding healthcare, as explained before, the law classifies some data as sensitive data that cannot be processed. However, as an exception, processing of sensitive data is allowed if it is necessary for prevention purposes or medical diagnosis, delivery of healthcare or medical treatment, or management of healthcare services. This processing must be carried out only by a healthcare clerk or medical professional who is subject to professional secrecy, or by another person who is subject to an equivalent secrecy obligation.

      The telecommunications industry is regulated by the General Law of Telecommunications, which stipulates that public network operators and telecommunications services providers shall ensure the confidentiality of communications, the right to privacy and the protection of personal data of subscribers and end users. They must also take the necessary measures to ensure the safety of networks and their services. Likewise, they must guarantee that the communications and traffic data will not be listened to, recorded, stored, intervened or monitored by third parties without the corresponding consent, unless authorised by a judicial order. However, this does not mean that such operators and providers are not regulated by Law No. 8968, notwithstanding specific applicable rules.

      The processing of personal data on the internet is not specifically contemplated. However, Law No. 8968 is still applicable to the processing.


    • Costa Rica

      The Childhood and Adolescence Code (Law No. 7739) sets forth specific rules for processing personal data of minors. Article 25 establishes non-interference in private and family life, home and correspondence of minors, notwithstanding the rights and inherent duties of parental authority. Likewise, article 27 prohibits publishing, reproducing, displaying, selling or using images or photographs of minors to illustrate information regarding criminal actions, infractions or omissions either attributed to them or against good morals and manners. It also applies if their dignity is affected, or when the minor has in some way participated, has acted as witness or has been victim of such acts. The publication of the name or any personal data that identifies a minor who is a perpetrator or victim of a criminal act is prohibited, except for judicial authorisation based on reasons of public safety.

      In addition, Law No. 8934 on Protection of Children and Adolescents Against Harmful Content of the Internet and Other Electronic Means, compels cybercafés (premises intended for the public use of computers connected to the internet or other forms of network communication), to place visible signs warning minors of the dangers to which they are exposed when giving private and personal information online.


    • Costa Rica

      A fine may be imposed in case of non-compliance with the data protection law. The amount will be determined based on the type of fault. In this sense, the faults are classified as mild, serious and very serious. Mild offences carry a fine of up to five base salaries of the position of “judicial assistant I”. Serious offences range from five to 20 base salaries. The most serious offences carry a fine of 15 to 30 base salaries. In the case of very serious offences, the operation of the database may even be suspended for one to six months. For 2019 the base salary of a “judicial assistant I” is around 446,200.00 colones.

      Moreover, the Criminal Code establishes imprisonment from one to three years for individuals who, without the authorisation of the data subject, seize, modify, interfere with, access, copy, transmit, publish, diffuse, compile, render useless, intercept, retain, sell, buy, divert towards an end different from that for which it was collected, or give an unauthorised use to the image or personal data stored in computer or telematic systems or networks, or in electronic, optical or magnetic containers.

      Furthermore, the punishment will be from two to four years of imprisonment when the conduct is performed by the person in charge of administering or supporting the computer or telematic system or network. The same punishment applies to an individual who, in the exercise of his or her duties, has accessed such a system or network, or the electronic, optical or magnetic containers, when the information belongs to a minor or a person with disabilities, or when the conduct affects sensitive data (ideology, religion, beliefs, health, racial origin, sex life or preferences).

      There are several other offences in the Criminal Code related to cybersecurity, specifically, the crimes mentioned in question 3.


    • Costa Rica

      The Agency for the Protection of the Data of the Inhabitants (PRODHAB) is the authority, with independent judgement, in charge of matters related to the protection of personal data. It is a fully decentralised entity under the auspices of the Ministry of Justice and Peace.

      PRODHAB is located in the Administrative Building of the Costa Rican National Registry. Queries or information can be addressed through the website www.prodhab.go.cr// or by email prodhab@rnp.go.cr.

      The main responsibilities of PRODHAB are the following:

      • ensuring compliance with the regulations in matters of data protection;
      • recording of databases;
      • resolution of complaints for violations of the rules on the protection of personal data;
      • ordering the elimination, rectification, addition or restriction in the circulation of the information contained in databases when the rules on personal data protection are violated;
      • imposing the sanctions deriving from transgression of personal data protection rules; and
      • filing with the Prosecutor’s Office those cases that may constitute a crime.

      PRODHAB can also access the databases when a complaint is filed and, exceptionally, when there is evidence of generalised misuse of the database or information system.

      There is no independent authority on cybersecurity matters. Those matters fall within PRODHAB’s competence when they represent a risk to the protection of personal data, and within SUGEF’s competence when they represent a risk to the protection of personal financial information.


    • Costa Rica

      Article 21 of Law No. 8968 sets forth that all databases, public or private, managed with purposes of distribution, diffusion, or commercialisation must be registered at PRODHAB.

      However, the Regulations define what is to be understood by these terms, extending the scope of application and the situations in which registration may be required. These concepts are defined in article 2 of the Regulations as follows:

      Commercialisation: one or more times sell, transfer, exchange, or in any other manner assign or pledge to a third party, for profit, the personal data that exists in databases...

      Distribution, dissemination: Any form in which personal data is distributed or published, to a third party, by any means provided that it is intended to commercialise the data or media to obtain profit with the database.

      The owners of the databases must provide – among others – the following information for registration: 

      • name of the data controller, indicating the means and place of contact and a letter of acceptance of the position and the responsibilities;
      • name of the processors, including their contact details, as well as letter of acceptance of the position and the responsibilities;
      • names of databases and their physical location;
      • intended purposes and uses of the databases;
      • categories of personal data processed in such databases;
      • procedures for obtaining, according to informed consent, personal data;
      • technical description of the security measures used in the processing of personal data;
      • recipients of transfers of personal data;
      • copy of the minimum action protocols; and
      • if applicable, a listing of global contracts and sales of files, as well as indication of the economic estimate of each of these contracts.

      The registration procedure consists of submitting the application along with the other requirements. PRODHAB has 20 business days to verify the requirements. If the application does not meet the requirements, PRODHAB will ask the applicant to remedy the deficiencies within 10 business days. If the deficiencies are not remedied within that period, the request for registration will be rejected. Once the requirements have been met, the applicant will be granted a period of 10 business days to pay the annual fee (US$200). If payment of the fee is not made within this term, the submission will be rejected. Once the payment has been made, the Director of PRODHAB will issue the registration resolution for the database within a period of 10 business days following receipt of the payment.


    • Costa Rica

      The main obligations applicable to data controllers to process personal data are the following:

      • To obtain informed consent for the collection of personal data and limit the processing to such consent.
      • To eliminate data that is no longer pertinent or necessary, modify or eliminate the data that is not truthful and take the necessary measures to eliminate or correct the inexact or incomplete data.
      • To guarantee the rights of the data subjects to access their personal data, rectify or delete them and to consent to the transfer of their data. The controller must respond within five business days, free of charge.
      • To adopt the measures necessary to guarantee the security of the personal data and avoid the alteration, accidental or illegal destruction, loss, unauthorised processing or access as well as any other action contrary to the law.
      • To keep professional or functional secrecy even after the end of their relationship with the database. It also extends to those who intervene in any phase of personal data processing.
      • To transfer data contained in the databases only when the data subject has expressly and validly authorised such transfer. Transfers must be done without impairing the principles and rights recognised in the law.
      • To establish minimum action protocols and security measures in the processing of personal data.
      • In the case of hiring the services of a technology intermediary or service provider, the controller must verify the compliance with the minimum security measures that guarantee the integrity and security of the personal data.
      • In case of transfer, the data exporter must establish a contract with the data importer, which provides for at least the same obligations as those applicable to the data exporter.  
      • When applicable, register the database at PRODHAB.


    • Costa Rica

      The Regulations of Law No. 8968 state the obligations under which the processor must carry out the processing of personal data on behalf of the controller.

      The processor must limit the processing to the instructions and the purposes set forth by the controller. It must also implement the security measures and comply with the minimum action protocols. The processor has a confidentiality duty and cannot transfer or disclose personal data, unless there is a formal instruction from the controller. Once the legal relationship with the controller has been fulfilled, the processor must delete the processed personal data.


    • Costa Rica

      Yes, there must be an informed consent to process personal data. Nevertheless, Law No. 8968 establishes three situations where express consent is not required: (i) when there is a substantiated order, issued by a competent judicial authority or a decision made by a special investigation commission of the Legislative Assembly in the performance of its functions, (ii) when the data is of unrestricted access obtained from general public access sources or (iii) when the data must be delivered by constitutional or legal provision.


    • Costa Rica

      Article 7 of Law No. 8968 grants data subjects the rights to access their personal data, rectify or delete it and consent to its transfer. These rights are exercised free of charge and any request involving them must be resolved within five business days.

      Regarding the right of access to information, the data subject can obtain the confirmation whether the database contains his or her personal information or not. If it does, the data controller will notify the information the database has, the purposes for which it was compiled, and the use given. The data subject will have access to the entire personal record and will be notified of the system, program, method or process used in the processing.

      If the personal information from the data subject is incomplete or inaccurate or was compiled without authorisation, then it is possible to request the data controller to rectify, update or eliminate the data. 


    • Costa Rica

      Article 14 of Law No. 8968 establishes a general rule applicable to the transfer of personal data, regardless of whether it is transferred locally or internationally, and states that data may only be transferred when the data subject has expressly authorised it. Thus, in order to carry out a transfer, it is essential to have the informed consent of the data subject, both for the processing itself and for the transfer of the data. If the transfer has a profit purpose, the database must be registered at PRODHAB, but the transfer itself does not necessarily require notice to or approval from PRODHAB.

      The transfer of personal data by the person responsible for a database to another person responsible for a database, to a services provider or technology intermediary, or to companies from the same group of economic interest will not be considered a transfer.


    • Costa Rica

      Law No. 8968 forces the data controller to adopt the technical and organisational measures necessary to ensure the security of personal data and prevent its alteration, accidental or unlawful destruction, loss, unauthorised treatment or access, as well as any other action contrary to the law. These measures should include the most appropriate physical, logical and administrative security mechanisms in accordance with current technological development.

      The Regulations set forth the minimum actions to be implemented by the controller. These are:

      • a detailed description of the type of personal data processed or stored;
      • creating and maintaining an inventory of the technological infrastructure;
      • indicating the type of system, program, method or process used in the processing or storage of data;
      • having a risk analysis (identifying hazards and estimating risks that may affect personal data);
      • establishing security measures applicable to personal data, and identifying those effectively implemented;
      • calculating the existing residual risk based on the difference between the existing security measures and the missing ones that are necessary for the protection of personal data; and
      • elaborating a work plan for the implementation of the missing security measures, derived from the result of the residual risk calculation.


    • Costa Rica

      In case of a data security breach, the data controller must inform the affected individuals and PRODHAB within the first five business days. Per the Regulations, there must be a notification in case of any irregularity in the processing or storage of the data, such as loss or destruction. The notifications must contain at least the following information: the nature of the incident, the compromised personal data, the corrective actions taken immediately, and the ways in which or the place where more information can be obtained.


    • Costa Rica

      There is no regulation in Costa Rica on the use of cookies or tracking technologies. Although Law No. 8968 does not expressly refer to these uses, it should not be understood that they are not subject to the rights and principles of the Law.

      Nevertheless, the General Law of Telecommunications specifies that traffic and location data relating to end users that are processed and stored under the responsibility of an operator or provider should be removed or made anonymous when they are no longer necessary for the purposes of transmitting a communication or for the provision of a service. Location data may only be processed anonymously or with the prior consent of the subscribers or users, to the extent and for the time necessary for the provision of a service.


    • Costa Rica

      Costa Rica has not adopted a general legal framework on fintech and cybersecurity matters. SUGEF issued, in March 2017, regulation SUGEF 14-17 on the General Management of Information Technology. However, said regulation does not establish specific obligations that supervised financial entities have to comply with. The regulation is only guidance, as financial entities are free to determine their IT framework considering their nature, business model, complexity and transaction volume, among other factors, to establish a technological profile. Moreover, financial entities must inform SUGEF of their technological profile and have an obligation to keep it up to date and report any relevant changes. Financial sector entities must undergo an external IT audit regularly (every two or four years).


    • Costa Rica

      Law No. 8968 and its Regulations do not include any “privacy by design” or “privacy by default” requirements.

      However, article 36 of the Regulations establishes a series of actions to preserve data security. It includes performing a risk analysis to identify hazards and estimate the risks that could affect personal data. In addition, the existing residual risk must be calculated based on the difference between the existing security measures and the missing ones that are necessary for the protection of personal data. Finally, a work plan must be prepared for the implementation of the missing security measures, derived from the result of the residual risk calculation.


    • Costa Rica

      Sending unsolicited electronic commercial communications is prohibited in Costa Rica. The Criminal Code punishes with imprisonment of one to six years those who offer, contract or provide services of mass unsolicited communications.

      Also, the General Telecommunications Law prohibits the use of voice auto call systems, fax, electronic mail or any other device for the purpose of direct sales, except for subscribers who have previously given their consent. In addition, it prohibits the practice of sending electronic messages for direct sale purposes in which the identity of the sender is concealed or does not contain a valid address to which the recipient can send a request for such communications to be terminated.

      Although Law No. 8968 does not expressly refer to these kinds of communications, it should not be understood that they are not subject to its regulation.


    • Costa Rica

      The Regulations include within the concept of a database files that are stored in the cloud. In addition, data in the cloud has been defined as a “file, record or other structured set of data accessed by using the Internet” (article 2), and the concept of automated data processing includes the possibility that it occurs through the cloud.

      Finally, article 27 of the Regulations establishes that the controller must create and document procedures for data processing, whether on site or in the cloud.


    • Costa Rica

      Yes, the Law and its Regulations apply to personal data contained in automated or manual databases, whether public or private. However, not all obligations are equally applicable. For example, Law No. 8968, has specific provisions about informed consent when the processing involves State Agencies, as indicated in question 15.

      In addition, the Law indicates exceptions to the right to informational self-determination, in which the guarantees and rights covered by the Law can be limited by official authorities for the following purposes:

      • the security of the State;
      • the security and performance of public authority;
      • the prevention, persecution, investigation, detention and repression of criminal offences or professional ethics violations;
      • the operation of databases used for statistical, historical or scientific investigation purposes when there is no risk of the persons being identified; and
      • the adequate performance of public services and the efficient routine activity of the Administration.


    • Costa Rica

      In Costa Rica, the right of access to personal data also includes government agencies. In this sense, article 7 on the rights of data subjects is not limited to the private sector. In addition, the Public Administration has a constitutional obligation of providing access to information. However, there are important limitations such as the protection of personal data of other people or information considered a state secret.


    • Costa Rica

      There are few self-regulatory instruments in Costa Rica. Most of them have been approved by the Chamber of Banks and Financial Institutions of Costa Rica, a non-profit association specialised in the banking and financial sector.

      The most important one is the Manual of Good Practices for the Handling of the Personal Data of the Clients of the Financial Services, which aims to promote, advise and protect the informational self-determination of customers of financial institutions.

      There is also the Code of Good Banking Practices for the Protection of Electronic Services, which applies to the electronic services provided by banking and financial entities to consumers of financial services. This Code mainly covers general security measures and does not address data protection issues.
