Request A Demo Login Now Sign up to DataGuidance Alerts DataGuidance DataPrivacy Index Cookie Consent Guide Data Protection Law & Policy Download a DataGuidance Brochure DataGuidance Videos


The transverse study performed by DataGuidance is particularly interesting and innovative as it enables one, at a glance, to obtain information on the obligations that lie with companies in terms of data breach in a large number of countries. Yet, very often, companies which are victims of a data breach are not subject to the breach in only one of the countries where they are set up, but in several countries. In such case, they must react extremely quickly notably in terms of informing control authorities if applicable. Having this transverse study, they will necessarily save precious time.
Florence Chafiol-Chaumont, Partner at August & Debouzy
RSS feed of this page Updated: 21/03/2013 
Sharing disabled by cookie consent preference.
Privacy This Week powered by DataGuidance

back to Privacy This Week

Costa Rica: Regulations introduce mandatory breach notification

Costa Rica gazetted - on 5 March 2013 - Regulations of the Law for the Protection of the Individual against the Processing of their Personal Data (the Regulations). The Regulations, which entered into force on the same day, establish the Costa Rican data protection authority (Prodhab), a five-day data breach notification period, and a maximum data retention period of 10 years.

Following enactment of Law 8968 in 7 July 2011, the Regulations were published to establish the scope of the Law and applicable penalties and fees in case of violation of the protected rights.

Ignacio Esquivel, Partner at Sfera Legal, told DataGuidance: "The Law introduces the concept of informational self-determination, understood as the fundamental right to control the flow of personal information, and the right to revoke such consent at any point in time". In particular, the Regulations require that express written consent be obtained for data processing, except for data processing required under law.

Alejandra Castro, Junior Partner at Arias & Muñoz said: "There are many doubts about how consent can be given. Legislation requires it to be given in writing, but businesses are trying to make sure it will be possible to give it electronically."

Castro also notes that the scope of the law still remains unclear. "The Bar Association and the Chamber of Information Technologies had filled a request for professional data to be left out, as well as internal databases", said Castro. "It remains unclear how cloud services will be affected [as well], given that the rule includes a definition of 'technology intermediary'. The original wording for this figure is that it creates uncertainty for contracting cloud services."

The Regulations further introduce a data breach period of five days for notifying affected data subjects, and to conduct an exhaustive investigation to determine the extent of the breach and implement the corresponding corrective and preventive measures. Data controllers are also obliged to notify Prodhab.

"The Bylaws only establish that such investigation must initiate within said timeframe, but does not specifically imply that the investigation must be conducted and completed within such term", said Esquivel. "Therefore, as long as the Company takes the proper steps to protect and mitigate the damages, it will be in compliance with the Bylaws. Without a doubt, the Law and the Regulations set a new milestone for Costa Rican protection standards and set a precedent for the rest of Central America."

© 2014 Cecile Park Publishing Ltd. All rights reserved

Sharing disabled by cookie consent preference.

Other News

©2014 Cecile Park Publishing Ltd. | Privacy Policy | Terms and Conditions | Sitemap
Address: 17 The Timber Yard, Drysdale Street, London, N1 6ND, UK | Phone: +44 (0)20 7012 1380 | Email: