October 2023 

1. Governing Texts

In 2013, a citizens law initiative was presented to the National Congress of Honduras ('the Honduran Congress') regarding the Draft Law on the Protection of Personal Data (only available in Spanish here) ('the Draft Law'), which recognized rights of access, rectification, correction, and erasure in Honduran legislation as well as several procedures to certify public and private databases and adequate regulatory norms for personal data processing. In 2018, 29 of the 74 Articles of the Draft Law were approved by the Honduran Congress, but since then no further discussion or debate has been held to finish approving or disproving the Draft Law.

1.1. Key acts, regulations, directives, bills

The first data protection laws that were applied in Honduras came from international treaties approved by the State of Honduras, among them the American Convention of Human Rights 1969 (Article 11), the American Declaration of Rights and Duties of Man (Article 5), and the International Covenant of Civil and Political Rights (Article 17) which recognize familiar individual rights such as the rights to honor, intimacy, privacy, self-image, and reputation. Subsequently, the Constitution of Honduras, 1982 (only available in Spanish here) ('the Constitution') recognized individuals' right to self-image, honor, and personal and familiar intimacy. The provisions of the Constitution in relation to privacy were augmented with the introduction of the Law of Constitutional Justice (only available in Spanish here) ('the Constitutional Justice Law') approved in 2003, which created the habeas data action in order to grant access for an individual's personal information withheld in public or private databases.

In 2006, the Honduran authorities took great steps towards recognizing and assuring data protection and transparency laws, with the Transparency and Access to Public Information Law (Decree 170-2006) (only available in Spanish here) ('the Transparency Law'). The Transparency Law created the Institute for Access to Public Information ('IAIP') and was the first legal document that classified data types, defined confidential personal data, and introduced some accountability for those public entities who mishandled such information.

Nevertheless, Honduras still has a long way to go in order to ensure the protection of privacy rights and individual data, as well as the enforcement of harsher penalties on those who infringe data protection laws, given that in the past some public entities have been accused of the misuse of confidential personal information databases.

Constitution

Articles 76 and 182 of the Constitution, recognize an individual's privacy rights and the habeas data constitutional guarantee respectively.

Special Law for the Intervention of Private Communications

Honduras does not have many laws in place that protect privacy or guarantee data protection. On the contrary, Honduran laws largely focus on establishing the means by which said protection can be evaded, as is the case with the Special Law for the Intervention of Private Communications (only available in Spanish here), which grants the crime investigating entities the faculty to listen, capture, record, and store private communications without the consent of the communication participants.

Penal Code

Honduras' new Penal Code (only available in Spanish here), codifies cybercrimes, including hacking, phishing, identity theft, pornography (child and adult), and sexual provocation, defined as selling, exhibiting, distributing, or showing pornography to underage individuals as well as individuals with special needs, so as to gravely affect their sexual development.

1.2. Guidelines

Not applicable.

1.3. Case law

Data protection judicial processes are very rarely seen in the Honduran legal system, given the lack of proper data protection legislation, the excessive amount of time trials take in most instances, and the general lack of trust in the judicial system. Regardless, there is a ruling issued by the Supreme Court of Justice ('the Supreme Court') in favor of a habeas data guarantee, file HD-721-15, where an individual issued a habeas data action against the Ministry of Security due to him being absolved of crimes, despite the fact of there still being capture orders in place for those very crimes.

Another Supreme Court ruling (only available in Spanish here) was issued rejecting an appeal against a resolution issued by the IAIP that ordered that a list of people who were registered beneficiaries of a land assignment program be handed to those who requested it through a request for public information. The appeal was presented on the basis that these people were extremely poor and that making said records public would harm their honor. The appeal was rejected and the resolution to make the information public was withheld.

Public sector

The main law that regulates public sector data protection and access to public information is the Transparency Law.

In addition, in 2013 the Honduran Congress approved the Law for the Classification of Public Records regarding Security and National Defence (Decree No. 418-2013) (only available in Spanish here) ('the Law on Classification') that establishes restrictions for the access of certain documents for security reasons. This law is strongly criticized by many private and public organizations, including the IAIP which in 2015 issued a resolution ordering the Honduran Congress to reform 15 of the 17 Articles of the Law on Classification, and the derogations of the other two, for going against constitutional principles as well as human rights.

2. Scope of Application

2.1. Personal scope

There is no specific Draft Law in Honduras, but the Habeas Data guarantee applies to natural persons, living or deceased as well as to public/private entities with legal existence.

2.2. Territorial scope

The data protection provisions apply within all sovereign territories of the Republic of Honduras, including but not limited to its airspace, underground, islands, seas, and embassies. The extraterritorial scope of the protections includes but is not limited to radio frequencies, broadband, social networks, published works, private communications, public discourse, and any verifiable means of communication.

2.3. Material scope

There are no data processing provisions in Honduran law, only the collection of confidential or reserved data is regulated, as well as the rights to access, rectify, and suppress records.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

There is no specific data protection authority except the Supreme Court when reviewing the Habeas Data guarantee or the Penal Courts and Tribunals when judging alleged data breaches.

3.2. Main powers, duties and responsibilities

Since there is no specific data protection authority or regulator, the judicial processes must be instigated by the affected parties; the powers and responsibilities are those granted to the judicial system by the Constitution, which in a general sense is to applies, upholds, and enforces the law (Article 304 of the Constitution).

The IAIP is another public institution that may receive complaints against a natural or legal person when abuses are committed while gathering personal or confidential data, but this has yet to be enforced for two main reasons, first the general population's lack of knowledge of the protection that their personal information, and second the lack of faith in public institutions, as well as the amount of time and possible costs of undertaking any legal action against data privacy breachers.

4. Key Definitions

Data controller: There is no definition of 'data controller' in Honduran law.

Data processor: There is no definition of 'data processor' in Honduran law.

Personal data: The Transparency Law defines 'confidential personal data' as those relating to ethnic or racial origin, physical, moral or emotional characteristics, personal address, personal phone number, personal email address, participation or affiliation to a political organization, political ideology, religious or philosophical beliefs, physical or mental health status, personal or family patrimony and any other related to honor, personal or family intimacy or self-image.

Sensitive data: There is no definition of 'sensitive data' in Honduran law.

Health data: There is no definition of 'health data' in Honduran law.

Biometric data: There is no definition of 'biometric data' in Honduran law.

Pseudonymisation: There is no definition of 'pseudonymisation' in Honduran law.

5. Legal Bases

5.1. Consent

Legal consent is required for those entities who because of their purpose must collect and store personal data and confidential data; said entities will not be able to use the data collected without the consent of the information holder (Article 42 of the Transparency Law). Also, distribution for commercial purposes on this database is strictly prohibited, unless authorized with written authenticated consent by the persons whom the information refers to.

5.2. Contract with the data subject

There is no legal stipulation regarding a contract for processing information from or with data subjects.

5.3. Legal obligations

Not applicable. 

5.4. Interests of the data subject

There are no specific regulations or policies regarding the interest of data subjects.

5.5. Public interest

There is no public interest policy regarding data protection stipulations, the only policies refer to transparency and access to public information in classification as reserved or confidential procedures.

5.6. Legitimate interests of the data controller

There are no policies regarding the legitimate interest of the data controller, as the figure does not exist in the Honduran legal framework.

5.7. Legal bases in other instances

There are no legal bases regarding direct marketing of databases or processing of employee data, apart from the consent requirement.

6. Principles

Since there is no data protection law in Honduras, specific data protection principles cannot be found in our legal system, so we must consider the principles established in the Transparency Law and the Regulation. Article 5 of the Regulation states the following applicable principles:

• maximum disclosure, relating to the extent of public disclosure of an obliged entity's records and its duty to inform the regulating authority of transparency whichever personal or confidential databases it keeps and collects;
• social audit;
• accountability; and
• access to information without any form of discrimination (which in the case of personal or confidential data works in the negative sense of only allowing access to the data subjects or legitimately interested third-party entities).

7. Controller and Processor Obligations

7.1. Data processing notification

There are no policies or regulations regarding data processing notifications.

However, public entities or entities bound by the Transparency Law are legally obliged to inform the IAIP that they are collecting and creating personal or confidential information databases as per Article 42 of the Regulation, but this stipulation is seldomly abided by or enforced. The IAIP maintains an updated list of said systems or databases, the National Registry of Data Protection ('the Registry') (Articles 42 and 66 of the Transparency Law). 

Article 61 of the Draft Law stipulates that all persons who proceed to create, modify, or delete personal databases, not for any personal or domestic use, must register the same before the IAIP. The notification for registration must include information about:

• the person or entity responsible for the treatment of the database;
• the purpose of the database;
• the persons whose data is being processed;
• the procedures in place for processing personal data with;
• a clear determination of the fields where the personal data will be processed and the types of personal data included;
• the guarantee that security, organizational, and confidentiality measures have been adopted;
• in the case of data transfers, the natural or legal persons to whom the data is being transferred;
• the estimated time of retention of personal data;
• the conditions in which the data subject can exercise their rights stated in the Draft Law; and
• in the event of international data transfers, the countries or international organizations to which the transfer is made. 

7.2. Data transfers

There are no policies regarding data transfers.

Health

Patients' medical histories and charts can be shared but only with the patient's consent. Non-consensual data transfers are not permitted.

Financial Sector

Only data regarding due diligence, Know Your Client ('KYC'), and credit scoring information can be transferred or shared.

7.3. Data processing records

There is no obligation for data controllers and/or processors to maintain data processing records.

7.4. Data protection impact assessment

There are no requirements or recommendations for data controllers and/or processors to carry out a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

There are no requirements for data controllers and/or processors to appoint a data protection officer.

7.6. Data breach notification

There is no legal requirement to notify a data breach, except when said data breach is of information that violates the secrecy or intimacy of individuals or it violates industrial or commercial secret, in which case it constitutes a crime, therefore it must be reported as soon as possible for purpose of the criminal investigation.

7.7. Data retention

The general provision for the keeping of records is five years, as stated in Article 73 of the Regulation, but this is oriented to documental archives, not for digital databases.

7.8. Children's data

There are no specific provisions regulating the processing of children's data.

7.9. Special categories of personal data

There are no specific provisions regarding the processing of data by special categories.

7.10. Controller and processor contracts

There are no specific provisions of such nature in the Honduran legal framework.

8. Data Subject Rights

8.1. Right to be informed

In the Honduran legal framework, the right to be informed is recognized but only to the extent that the population has the right to be informed about the actions of public entities or entities bound by the Transparency Law; the right to be informed about data transfers or data processing has yet to be recognized.

8.2. Right to access

The right to access is recognized in Article 13(2) of the Constitutional Justice Law.

8.3. Right to rectification

The right to rectification is recognized in Article 13(2) of the Constitutional Justice Law.

8.4. Right to erasure

There is no right to erasure in Honduras unless the information stored is wrong or inaccurate.

8.5. Right to object/opt-out

The right to object data collection exists only in regards to personal confidential data, there is public personal data that is not protected by this right.

8.6. Right to data portability

The right to portability is limited to a person's mobile number from one mobile service provider to another; since the data is not stored by any of the service providers if a person switches from one to another the data remains with the third party entity.

Telecommunications

In, 2013 the Numerical Portability Law (only available in Spanish here) was approved, which granted mobile users the ability to keep their phone number while changing from one company to the other. The databases are administered by a third-party entity (Systor Trondheim AS, Norway), so local service providers are not in charge of client information but access this third-party database. Even if the scope of this law is limited to mobile phone services, it's a significant advance in regard to data protection regulations, because it recognizes individual's right to portability.

8.7. Right not to be subject to automated decision-making

The state of Honduras has yet to recognize the right not to be subjected to automated decision-making.

8.8. Other rights

There are no other data protection-specific rights recognized in the Honduran legal system.

9. Penalties

The penalties derived from wrongful data management vary from termination of employment to a fine up to 40 minimum wages (approx. $16,687). If the wrongful data processing constitutes 'Disclosure of Secrets' the offender faces one to three years in prison with a monetary fine.

9.1 Enforcement decisions

There are no notable data enforcement decisions to date.