Previously, the data protection and privacy landscape in Cuba was primarily sustained by Article 97 of the Constitution of the Republic of Cuba and a network of sectoral laws with relevance to telecommunications, information systems, and security. There was no general data protection or privacy law.

On 25 August 2022, the Law and the Regulation for Safety and Protection of Personal Data in an Electronic Format ('the Regulation') were published in the Official Gazette of the Republic of Cuba², triggering a 180-day timeline before both enter into force on 21 February 2023.

Scope and definitions

Generally, the Law applies to natural persons insofar as it protects their personal data, and legal and natural persons when they are carrying out processing activities. It addresses the protection of personal data belonging to deceased persons, persons with disabilities, and minors under specific circumstances. To supplement this, the Regulation applies to public telecommunications and ICT service providers and operators.

Materially, the Law establishes principles and procedures to ensure that natural persons may enjoy the protection of their personal data contained in records, files, archives, databases, or any other technical means of data processing, either by private or public bodies, and whether in physical or digital form (Article 1(a) of the Law).

Crucially, the Law includes a comprehensive definition for 'personal data', including examples which may be considered sensitive in other global jurisdictions. Personal data is defined as relating to sex, age, image, voice, gender, identity, gender identity, sexual orientation, skin colour, ethnic, national and territorial origin, migratory status and classification, status of disability, religious beliefs, political affiliation, marital status, address, medical or health, economic-financial, academic and training, professional and employment, judicial and administrative data, and any information related to these data that may lead to the identification of a certain person, compiled from records, files, archives, and databases (Article 4 of the Law). Additionally, sensitive data is considered as including data which may reveal sex, gender, identity, gender identity, sexual orientation, ethnic origin and skin colour, present or future health status, disability status, genetic information, or obtained from diagnostic tests carried out in health institutions or linked to assisted reproduction techniques, religious beliefs, political affiliation, police, and criminal records.

Furthermore, the Law defines 'processing of personal data' as 'the operations and systematic procedures, electronic or not, that allow the collection, conservation, ordering, storage, modification, relationship, evaluation, blocking, destruction and, in general, the processing of data. personal data, as well as their transfer to third parties through communications, consultations, interconnections and transfers' (Article 6 of the Law).

Comparable to the European concepts of data controller and processor, the 'responsible person' is the natural or legal person who determines the purpose, content, and use of the processing of personal data, while the 'designated person' processes personal data at the request of the responsible person. The designated person may act individually or jointly (Article 7 of the Law). Data owners, holders, or individuals are some terminology used to the concept of those to whom the personal data refers or belongs.

Personal data protection principles

Organisations will need to ensure all processing of personal data complies with the personal data protection principles laid out under Section 2 of the Law. The following 12 principles are provided:

• collection limitation;
• data quality;
• purpose specification;
• use limitation;
• legitimacy, whereby personal data may only be collected, stored, or processed when authorised to do create files in accordance with their business activities;
• security safeguards;
• transparency;
• individual participation, whereby personal data can only be collected with the participation of its owner;
• responsibility/accountability;
• legality;
• confidentiality; and
• consent.

The key legal basis for processing

The Law provides that organisations must obtain the consent of data owners for the processing of their personal data, as well as provides individuals with disabilities with the ability to designate powers of representation in order to provide valid consent. Furthermore, the Law conditions that the consent must be freely-given, unequivocal, specific, and informed. As part of these information provision obligations, the Law specifies that organisations need to specify the purpose for which the consent is granted, the recipients or class of recipients of said data, whether the processing is optional, where and how the data will be stored, the nature of the processing, and any consequences should the data not be provided (Article 12 of the Law).

Although consent may be provided in writing or equivalent, it may also be expressed verbally. The Law does not clarify conditions for verbal consent. Additional protections are provided for sensitive data insofar as individuals cannot be forced to provide such data (Article 16.1. of the Law).

Exceptions to the requirement to obtain consent prior to commencing any data processing activities include (Article 17 of the Law):

• before an event that could potentially harm an individual person or their estate;
• where necessary to carry out treatment for prevention, diagnosis, or urgent healthcare;
• where the data can be found in publicly accessible sources;
• where a data dissociation (deidentification) procedure has taken place prior to processing to the extent that it can no longer be associated with a specific or determinable person;
• if the owner of the personal data is reported missing; and/or
• reasons of general welfare, public order, and national security.

Data owner rights

Individuals holding or owning personal data are gifted a range of rights and the Law further provides for conditions as to how organisations must facilitate the exercise of these rights. The rights are subject to certain exemptions, such as where responding may impact the rights of a third party.

Importantly, the Law grants individuals in Cuba with the following rights in relation to their personal data (Articles 19 to 23 of the Law):

• right of access;
• right to rectification;
• right to deletion, when they consider that the purpose for which they were obtained has been fulfilled or that an inadequate processing has taken place, which may affect their rights and interests;
• right to oppose to processing of personal data when it likewise may cause such harm; and
• right to oppose to automated decision-making.

Upon verifying the origins of the request, responsible persons must respond within 10 business days following from the date that the request was submitted. The response period may be extended once by 10 days, where supported by reasonable justification.

Data transfers

The transfer of personal data is included as part of the definition for processing personal data, and as such the restrictions applicable to processing may be presumed to apply to data transfers. Fortunately, Article 63 of the Law permits responsible and designated persons to transfer personal data internationally or domestically in the following cases:

• for the exchange of data of a medical, health, or investigative nature when required for treating the data owner or for an alternative collective interest;
• for general welfare, public order, national defense, and security;
• for bank transfers; and
• for facilitating the right to vote.

Interestingly, a fifth open exemption signifies that any other reasons may be used where it significantly warrants a transfer of personal data (Article 63(e) of the Law).

International data transfers may also be authorised by the Council of Ministers, the President of the People's Supreme Court, the Attorney General, the Minister-President of the Central Bank of Cuba, the Minister of Foreign Affairs, the Minister of the Interior, the Minister of Justice, and/or the Minister of Public Health (Article 66 and the Second Final Provision of the Law).

Accountability and recordkeeping

Organisations in charge of records, files, archives, and databases are responsible for their lawful use in accordance with the purposes informed to the data owner and in guaranteeing the security of the data. The Law explicitly outlines the responsibility/accountability of natural and legal persons under the aptly named personal data protection principle.

As part of this, any register, file, archive, or database must be registered with the national register and notify it of any changes to the contained information (Articles 40 to 43 of the Law). The Ministry of Justice must establish the national register within one year of the entry into force of the Law and subsequently supervise compliance with the register. Once the national register is established, organisations will have one year to ensure any records, files, archives, or databases have been declared.

Articles 44 to 48 of the Law highlight data processing obligations to which both responsible persons and designated persons are held, including data security, responses to data owner requests to exercise rights, and the deletion of any personal data accordingly.

Data security

Not only must organisations ensure the security of data under the principles relating to security safeguards, legality, and confidentiality, the Law expressly requires the appropriate technological, administrative, material, or physical measures to be implemented and that only the relevant persons or authorised personnel may access or carry out processing via established procedures (Article 10(f) of the Law). Article 44(1) of the Law also repeats that the responsible person and the designated person must adopt security measures to prevent any data security incident (i.e. alteration, loss, processing, or unauthorised access).

Data retention regimes

Organisations must establish a data retention regime, which considers any applicable legal requirements and the requirement that personal data may not be stored for longer than for which it is required for the specifically stated purposes of processing (Article 39 of the Law).

Generally, the Law provides a statutory retention period of up to five years, if it is not otherwise stated by law for that record or consented to by the data owner (Article 39).

Supervision and enforcement

Finally, the Ministry of Justice is tasked with enforcing the Law and a dedicated supervisory authority is not provided for. The Law provides for enforcement actions, including warnings, suspension of a database for up to five days, and subsequent, or separately, closure of any such register, file, archive, or database. Moreover, organisations found to be in violation with the Law may receive a fine of up to CUP 20,000 (approx. €830) (Articles 56 and 57 of the Law).

Additionally, civil action is provided for by the Law, and individuals may launch action against a responsible party where data protection requests are not completed as required by the Law (Articles 29 to 38 of the Law).

Amelia Williams Senior Privacy Analyst
[email protected]

1. See: https://www.gacetaoficial.gob.cu/sites/default/files/goc-2022-o90_0.pdf
2. See: https://www.minjus.gob.cu/es/noticias/publica-gaceta-oficial-de-la-republica-de-cuba-ley-de-proteccion-de-datos-personales