Request A Demo Login Now Sign up to DataGuidance Alerts DataGuidance DataPrivacy Index Cookie Consent Guide Data Protection Law & Policy Download a DataGuidance Brochure DataGuidance Videos


I find DataGuidance to be intuitive and easy to use. It is by far one of the best "one-stop" sites for fast and easy access to an extensive library of data protection and privacy sources globally. It enables me to research and obtain regulatory updates with confidence.

Given that more and more countries in the Asia Pacific region are implementing data protection laws, keeping abreast with such newly implemented laws and ensuring compliance in these jurisdictions can be extremely challenging. DataGuidance is definitely the resource tool that one can safely turn to for access to the latest legal and regulatory information making compliance a much simpler and less daunting process.
Tepee Phuah, Partner, Tay & Partners
RSS feed of this page Updated: 21/03/2013 
Sharing disabled by cookie consent preference.
Privacy This Week powered by DataGuidance

back to Privacy This Week

Costa Rica: Regulations introduce mandatory breach notification

Costa Rica gazetted - on 5 March 2013 - Regulations of the Law for the Protection of the Individual against the Processing of their Personal Data (the Regulations). The Regulations, which entered into force on the same day, establish the Costa Rican data protection authority (Prodhab), a five-day data breach notification period, and a maximum data retention period of 10 years.

Following enactment of Law 8968 in 7 July 2011, the Regulations were published to establish the scope of the Law and applicable penalties and fees in case of violation of the protected rights.

Ignacio Esquivel, Partner at Sfera Legal, told DataGuidance: "The Law introduces the concept of informational self-determination, understood as the fundamental right to control the flow of personal information, and the right to revoke such consent at any point in time". In particular, the Regulations require that express written consent be obtained for data processing, except for data processing required under law.

Alejandra Castro, Junior Partner at Arias & Muñoz said: "There are many doubts about how consent can be given. Legislation requires it to be given in writing, but businesses are trying to make sure it will be possible to give it electronically."

Castro also notes that the scope of the law still remains unclear. "The Bar Association and the Chamber of Information Technologies had filled a request for professional data to be left out, as well as internal databases", said Castro. "It remains unclear how cloud services will be affected [as well], given that the rule includes a definition of 'technology intermediary'. The original wording for this figure is that it creates uncertainty for contracting cloud services."

The Regulations further introduce a data breach period of five days for notifying affected data subjects, and to conduct an exhaustive investigation to determine the extent of the breach and implement the corresponding corrective and preventive measures. Data controllers are also obliged to notify Prodhab.

"The Bylaws only establish that such investigation must initiate within said timeframe, but does not specifically imply that the investigation must be conducted and completed within such term", said Esquivel. "Therefore, as long as the Company takes the proper steps to protect and mitigate the damages, it will be in compliance with the Bylaws. Without a doubt, the Law and the Regulations set a new milestone for Costa Rican protection standards and set a precedent for the rest of Central America."

© 2015 Cecile Park Publishing Ltd. All rights reserved

Sharing disabled by cookie consent preference.

Other News

© 2016 Cecile Park Publishing Ltd. Privacy Policy | Terms and Conditions | Sitemap
Address: 17 The Timber Yard, Drysdale Street, London, N1 6ND, UK | Phone: +44 (0)20 7012 1380 | Email: