Questions and answers on data protection in Central America

Is there general legislation related to the right to privacy and/or informational self-determination?

In Central America, the Political Constitution of each country regulates the right to privacy and/or informational self-determination.

In the case of Guatemala, the Constitutional Court, with respect to the recognition and protection of the rights to intimacy and privacy, has indicated that they are contained in the following constitutional articles: a) Article 23: Inviolability of the home; b) Article 24: Inviolability of correspondence, documents and books; and c) Article 25: Registration of persons and vehicles. In relation to the content and scope of article 31 of the Constitution, referring to access to state files and records, it can be established that it contains a “partial” recognition of the right to protection of personal data or informational self-determination, since its scope of protection is limited only to personal data appearing in “public” files and records, and not to those contained in private records. This article establishes that every person has the right to know what is contained in files, records or any other form of state records, and the purpose for which this information is used, as well as the right to correction, rectification and updating.

In El Salvador, the rulings of amparo proceedings 934-2007 and 142-2012 (hereinafter the “Jurisprudence”) have developed the right to informational self-determination as a manifestation of the free development of personality and dignity, inasmuch as from such notion derives the capacity of individuals to decide when and within what limits the matters of their personal life are public; if the development of personality is projected as a relational concept, it also implies the self-determination and autonomy of the person within a democratic society. This concept, derived from the fundamental right to privacy, was expanded by the Court itself to a double meaning of freedom and control over the data, without limitation on the type of data processed, developing two facets: (i) a material (preventive) facet, related to the freedom and autonomy of the individual in relation to his personal data; and (ii) an instrumental (protection and repair) facet, referring to the control that safeguards and restores it in the face of arbitrary restrictions.

In view of said jurisprudence, in its instrumental facet, it has been determined that individuals must have the right to exercise control over the personal information systematized or contained in data banks or files, providing the individual with certain rights over the information:

    • The right to know, at the specific moment of data collection, the type of personal information that is going to be stored, the purpose for which it is obtained and processed, to whom the data will be delivered and, finally, who is responsible for the file where they are stored, in order to be able to object to, modify or alter them in any way.
    • The right to know the existence of automated data banks, by virtue of which every person has the right to know if the data concerning him/her are subject to use or processing by third parties.
    • The freedom of access to information, which implies the possibility to check whether information about oneself is available and to know its origin and purpose.
    • The power of rectification, integration and cancellation, to ensure the quality of the data and access to them. This requires, on the one hand, the modification of data that appear erroneously recorded and the integration of those that are incomplete; and, on the other hand, the power to cancel the data due to the lack of relevance and timeliness of the information for the purposes of the database or, simply, for the purpose of allowing the owner to recover the availability of any facet of his personality and of his intimate or strictly private data contained in the computer memory or in the respective file.
    • The power to know the transmission of personal data to third parties. It is not only a matter of knowing, in advance, the purpose pursued by the database and that this implies the possibility of circulating the personal information; above all, it consists of obtaining from those responsible for the database full notice of to whom it has been provided and with what extent, use and purpose.

Additionally, the Jurisprudence develops the principles that must be followed to inform the collection and safeguarding of personal data, which are:

    • Principle of Purpose in the collection of information.
    • Principle of relevance of the information.
    • Principle of Transparency on the type, dimension, use and purpose of the processing.
    • Principle of Subjection to the purpose of processing.
    • Principle of prohibition of data processing and profiling without authorization.
    • Principle of Oblivion (right to be forgotten).

Given that the obiter dicta of a judgment of the Constitutional Chamber are mandatory, the foregoing must be observed by any person who processes personal data, to avoid possible repercussions against third parties.

Is there a special law to regulate the protection of personal data?

In the case of Guatemala, there is no body of law within the Guatemalan legal system that specifically regulates the issue of personal data protection. The Law on Access to Public Information, Decree number 57-2008 of the Congress of the Republic, contains and establishes certain important parameters related to the subject (personal data, habeas data, confidential information, treatment and access to personal data, among others) but it does so essentially from the perspective of the handling of personal data by public or state registries (registries controlled by entities that manage resources or assets of the State or carry out public functions). This implies the existence of a “legal vacuum” in Guatemala in terms of regulation on the handling of personal data by private parties and, therefore, in terms of the right to data protection or the right to informational self-determination in all its facets, manifestations and scope.

In El Salvador there is no specific legislation on the protection of personal data; however, the jurisprudence of the Constitutional Chamber, specifically the aforementioned judgments 934-2007 and 142-2012, regulates this issue. Likewise, there are isolated regulations that provide general protection on this subject.

In Honduras there is the Law of Transparency and Access to Public Information, Art. 3 numeral 7), 24 and 25. In Nicaragua the subject of data protection is regulated in Law No. 787, the Personal Data Protection Law, and its Regulations, which date from 2012. The law establishes the creation of the Directorate for the Protection of Personal Data, which is in charge of the control, supervision and protection of the processing of personal data contained in data files of public and private nature; however, although several years have passed since the law and its regulations were published, as of today such Directorate has not been created and therefore in practice it is not possible to apply the entirety of the law.

In Costa Rica, the subject is mainly regulated in the Law for the Protection of the Person against the Processing of Personal Data, No. 8968 of 2011 and its Regulation, Decree No. 37554, of 2012. In these rules we can find the basic concepts about personal data, databases, categories of data, rights of the holders and duties of the collectors, sanctions, and the creation of the Agency for the Protection of Personal Data (PRODHAB). In addition, there are some articles scattered in specific regulations: in Chapter 10 of the Regulation to the Consumer Law, related to the protection of personal data in electronic commerce, and in articles 22 to 25 of the Regulation of Credit and Debit Cards No. 35867 of 2010.

Does the law require the informed consent of the owner of the data before it is collected?

In Guatemala, although there are no data protection regulations, the Constitutional Court has issued legal doctrine establishing that the consent of the person concerned is required for the use of data.

For El Salvador it is contemplated in the Constitution of the Republic and the Law Regulating the Information Services on the Credit History of Individuals, and in the rulings of the aforementioned amparo proceedings 934-2007 and 142-2012.

In Honduras it is important to note that article 41 numeral 3 of the Regulation of the Law requires the obliged institutions to make available to the public the document in which the purposes for the treatment of personal data are established.

In Nicaragua and Costa Rica it is an obligation. For Nicaragua, the Personal Data Protection Law and its Regulations establish that the owner of the data must give his consent prior to the processing of his data, except in those cases where the law expressly establishes that consent is not required. This consent must be free, specific and informed, according to article 4 of the Regulation of Law No. 787. In the case of Costa Rica, as a general rule, all collection of personal data requires the express and unequivocal consent of the owner. Article 5 of the Law for the Protection of the Person with Respect to the Processing of Personal Data and article 5 of its Regulation establish not only this obligation for those who collect personal data but also its formalities, which we will discuss later on. Of course this has exceptions that will also be discussed below.

Is there legally any specific content or form that the informed consent must contain?

For El Salvador, Nicaragua and Costa Rica, the answer is yes. In El Salvador, it is set out in the Constitution of the Republic and the Law Regulating the Information Services on the Credit History of Individuals (judgments of amparo proceedings 934-2007 and 142-2012).

In Nicaragua, Article 4 of the Regulations of Law No. 787 establishes that consent must be: free, i.e. there must be no error, bad faith, violence or fraud affecting the will of the owner; specific, only for the determined purpose or purposes; and informed, i.e. the owner must be clearly informed of the informative notice prior to the processing of his/her data, and must be informed of the consequences of giving or withholding consent. It is also established that consent may be given in writing or by other suitable means, physical or electronic, or verbally. Article 5 of the Regulation of Law 787 establishes that tacit consent will be valid as a general rule, except in cases where express consent is expressly required; but in accordance with article 11 of the same regulation, it is the responsibility of the data controller to prove in all cases of claims that he had the consent of the data subject, for which reason it is advisable to keep evidence of the consent given.

And for Costa Rica, the informed consent must have a specific content: existence of the database, purposes to be pursued, recipients of the information and those who may consult it, the mandatory or optional nature, type of treatment to be given, consequences of refusal, rights, identity and address of the data controller. In addition, it must be prior, free, specific, informed, unequivocal, individualized and in writing (physical or digital).

Does the existing legislation contemplate categories of personal data, for example, sensitive data, restricted access data, unrestricted access data?

For El Salvador, categories are established in the Constitution of the Republic, the Law of Duties and Rights of Patients and Health Service Providers, the Law Regulating Information Services on the Credit History of Individuals and the Special Law against Computer and Related Crimes. In Honduras only confidential personal data is regulated.

For Nicaragua, the legislation establishes categories:

    • Sensitive data,
    • Personal data related to health,
    • Personal computer data, which are those processed through electronic or automated means.
    • Commercial personal data, which is the sensitive data of companies, their databases of customers, suppliers, human resources, etc.

And in Costa Rica, the existence and definition of sensitive data, restricted access data, unrestricted access data and credit data is contemplated.

Is there a specific regulation for sensitive data?

In Guatemala, the law of access to public information defines sensitive data or sensitive personal data as those personal data that refer to the physical or moral characteristics of persons or to facts or circumstances of their private life or activity, such as personal habits, racial origin, ethnic origin, political ideologies and opinions, religious beliefs or convictions, physical or psychological health, sexual preference or life, moral and family situation or other intimate matters of similar nature.

In El Salvador, this is specified in the rulings of amparo proceedings 934-2007 and 142-2012. Likewise, there are special laws that classify certain categories of data as sensitive, such as the Law of Duties and Rights of Patients and Health Service Providers, the Law Regulating Information Services on the Credit History of Individuals and the Special Law against Computer and Related Crimes. “In Nicaragua, the law prohibits the creation of information on a person’s credit history, which is not only confidential, but also includes information about the person’s creed, religion, ethnic origin, political affiliation or ideology, union membership, sexual preferences, physical and mental health, moral and family situation and other intimate information of a similar nature or that could affect the right to honor, self-image, personal and family privacy”.

In Nicaragua, the creation of personal data files that store sensitive data is prohibited; such data may only be obtained and processed for reasons of general interest of the law or with the consent of the owner or court order. They may be processed for statistical or scientific purposes when the owners cannot be identified.

In Costa Rica, no person is obliged to provide sensitive data; the processing of personal data revealing racial or ethnic origin, political opinions, religious, spiritual or philosophical convictions, as well as data related to health, life and sexual orientation is prohibited. There are certain exceptions.

For Honduras, although there is no specific regulation for sensitive data, Article 3 paragraph 7) of the Law on Transparency and Access to Public Information applies, which regulates confidential personal data, among others: ethnic or racial origin, beliefs, ideology.

Are there legal exceptions to obtaining informed consent or collecting personal data without the consent of the owner?

Yes, in Guatemala, the Constitutional Court has already established in its jurisprudence that, like any right, the right to informational self-determination is not absolute. This right must yield to actions that seek to guarantee the supreme values and purposes of the State (life, liberty, justice, security, peace and the integral development of the person) on the understanding that these values constitute a collective or general interest, whose fulfillment or realization exceeds the relevance for society of keeping certain personal data in reserve (the case of a criminal investigation, for example).

In El Salvador, the constitutional court is consistent with its jurisprudential line and affirms that there are no absolute rights; therefore, the right to informational self-determination has limits in its application due to the general interest, among which are mentioned the proper functioning of economic traffic and the security of the financial system. The latter allows, in certain specific cases such as compliance with contractual obligations (sending account statements, transmitting payment data in payment ecosystems, among others) or compliance with legal obligations (sending reports to state institutions, safeguarding information by legal provisions, among others), data to be treated or shared without authorization, strictly for the fulfillment of the contractual purpose or legal obligation. The same applies to matters regulated by the Special Law Regulating Credit Information Services for Natural Persons.

In Honduras, Art. 44 of the Regulation of the Law of Transparency and Access to Public Information specifies the exceptions: when the data are necessary for statistical, scientific or general interest reasons; by court order.

In Nicaragua, the law establishes as exceptions: when there is a reasoned order, issued by a competent judicial authority; when the personal data is subject to a prior dissociation procedure, which makes it impossible to associate the owner of the data with the information; when the purpose is to comply with obligations arising from a legal relationship between the owner and the responsible party; and in case the data is obtained from sources of unrestricted public access and the data is limited to name, national identity card and date of birth. In addition, the law establishes that consent will not be required for reasons of public health, social interest or national security.

In Costa Rica, there are exceptions to informed consent and exceptions to informational self-determination; they are different. Self-determination is a fundamental right to decide on the information and the amount of information contained in any database and what it is being used for, as well as to demand that it be rectified, updated, supplemented or deleted. When does the owner not have the right to decide? In matters of State security; prevention, investigation and prosecution of criminal offenses or professional infractions; databases used for statistical, historical or scientific research purposes, when there is no risk of individuals being identified; the adequate provision of public services; the efficient ordinary activity of the Administration, by official authorities; when there is an order from a judge; when it is data of unrestricted access; and when the data must be delivered by legal or constitutional provision. Exceptions to informed consent: a judge’s order; unrestricted access data obtained from general access sources; data that must be provided by law.

Are there sanctions applicable to individuals or legal entities for non-compliance with personal data protection issues?

In Guatemala there are no sanctions. However, in the rest of the region there are. These are the sanctions in each country.

El Salvador:

    • Serious infringements with a fine of up to two hundred minimum monthly salaries of the commerce and services sector and up to three hundred minimum monthly salaries of the commerce and services sector, if the affectation is to diffuse collective interests;
    • Very serious violations with a fine of up to four hundred minimum monthly salaries of the commerce and services sector, and up to five hundred minimum monthly salaries of the commerce and services sector, if the affectation is to collective or diffuse interests;
    • Suspension of operations in case of recidivism in very serious infractions, for a term not exceeding ninety days;
    • In case of recurrence in the suspension of operations, or if the reasons for which it was suspended are not remedied, the authority to operate will be cancelled.

The amount of the sanctions is measured under the following parameters:

    • Seriousness of the infraction, Damage or Amount of the Damages caused.
    • Duration of the infraction.
    • Economic benefit obtained by the infringer with the fact.
    • Size of the company.
    • The impact on consumer rights.
    • The nature of the damage caused or degree of affectation to the life, health, integrity or patrimony of consumers.
    • The degree of intentionality of the offender, the degree of participation in the action or omission, undue payment made and the circumstances in which it is committed.
    • Recidivism or repeated non-compliance

The procedure for the application of sanctions will be in accordance with the provisions of the consumer protection law and the law of supervision and regulation of the financial system, as appropriate, without prejudice to the provisions of the Credit History Law. The consumer ombudsman and/or the Superintendence are the sanctioning entities, which base and determine the sanctions in a sanctioning resolution.

Honduras:

    • Written warning,
    • Suspension in case of recidivism,
    • Fine up to 26 minimum wages,
    • In case of subsequent recidivism, dismissal; in case of not being a public servant, fine of 45 to 50 minimum wages.
    • In cases not foreseen in the law, if someone collects or captures personal data, or refuses to rectify it or remove false information, fine of 15 to 25 salaries.

Nicaragua:

Article 46 of Law 787 establishes the applicable sanctions for non-compliance with data protection obligations, without prejudice to the administrative responsibilities of those responsible for or users of public data files, liability for damages arising from non-compliance with the Law, and the applicable criminal sanctions.

The sanctions will be applied according to the type of infringement, and these are:

    • Warning;
    • Suspension of operations related to the processing of personal data; and
    • Temporary or definitive closure or cancellation of personal data files.

Costa Rica: There are minor, serious and very serious offenses (from 5 to 30 base salaries, i.e. from 2250 thousand to 13 million colones). Some offenses are: not informing sufficiently, not guaranteeing data security, not requesting informed consent, unauthorized data transfers, denying ARCO rights, collecting sensitive data, collecting by deception or threat, not registering the database, transferring data abroad. The crime of violation of personal data carries imprisonment from 1 to 4 years.