Bolivia - Data Protection Overview

August 2024

1. Governing Texts

Bolivia currently does not have a general data protection law. However, Bolivian law provides a broad constitutional right to privacy. Moreover, there are several provisions on data privacy scattered across the Bolivian legal system, applicable to specific sectors and activities.

1.1. Key acts, regulations, directives, bills

The Bolivian Political Constitution of 2009 (only available in Spanish here) (the Constitution) establishes the rights to inviolability of private communications, as well as the right to know, object to, eliminate, or rectify registered data.

Private communications are generally considered those that concern information regarding an individual's body and health, religious, philosophical, or political ideas and beliefs, a person's family and sex life, as well as personal finances.

There is currently one draft law on data protection pending consideration by the Legislative Assembly:

  • Draft law No. 349/2020-2021 (only available in Spanish here) (the 2021 Draft Law), presented by the organization Internet Bolivia, on October 19, 2021 before the Legislative Assembly.

The Electronic Government, Information and Communication Technologies Agency (AGETIC) is working on a new draft law (only available in Spanish here), which has not yet been formally presented to the Legislative Assembly. At this time, no specific date has been established for the submission of the draft.

For the purpose of this document, we used Draft Law No. 349/2020-2021 because it is the official draft law submitted to the Legislative Assembly.

Telecommunications

The Telecommunications Law No. 164 of 8 August 2011 (available only in Spanish here) (the Telecommunications Law), and its regulation, the Supreme Decree No. 1793 of 13 November 2013 (only available in Spanish here) (the Decree) and Supreme Decree No. 1391 General Regulation to the Telecommunications Law (only available in Spanish here) (the Telecommunications Decree) establish a general regulatory framework for personal data. The Telecommunications Law also establishes that a personal email, including its creation, transmission, reception, and storage, is a private communication.

Consumer protection

The General Consumer Rights Law 2013 (only available in Spanish here) (the Consumer Law) establishes that product and service vendors must adopt appropriate mechanisms to guarantee the confidentiality of their clients' data.

Banking

The Financial Services Law 2013 (only available in Spanish here) establishes that financial institutions must maintain the secrecy of their customers' information. Moreover, the transfer of data is prohibited unless the information's owner has consented to the transfer.

Medical Professional Practice

The Law of Medical Professional Practice (only available in Spanish here) (Law of 8 August 2005) establishes that a medical secret is all information identified during the medical act regarding the patient's health or illness, their treatment, and all other personal information, and that it must be kept secret, even after death, to safeguard the dignity of the patient. It further regulates, as an exemption to this secrecy, where the health of the family and the community are at imminent risk.

Public sector

Supreme Decree No. 28168/2005 (only available in Spanish here) establishes that any person may request the updating, supplementation, elimination, or rectification of their registered data regarding their fundamental rights to identity, image, and privacy.

Digital Citizenship Law

The Digital Citizenship Law (only available in Spanish here) provides that public officials should use personal data and information generated on the digital citizenship platform only for the purposes established by this law.

1.2. Guidelines

Not applicable.

1.3. Case law

Constitutional Decision No. 0965/2004-R (only available in Spanish here) defines 'sensitive data' as personal data regarding an individual's body and health; religious, philosophical, or political ideas and beliefs; a person's family life and sex life; and personal finances.

It also creates the right to 'informational self-determination', which is the ability to verify, correct, and prevent the dissemination of inaccurate or sensitive information that violates the individual's right to privacy and reputation. This right allows every person to verify:

  • what information or data was obtained and stored about them;
  • what data from them is disseminated; and
  • what is the purpose of storage and dissemination of the information collected.

This right also allows the data owner to correct or clarify inaccurate information, and prevent its dissemination, or request the elimination of the information if it is sensitive data or information that infringes the right to private or intimate life or the 'honor, good image or good name' of the data owner.

Constitutional Decision SCP 0819/2015-S3 (only available in Spanish here), with regard to 'informational self-determination', states that it is 'the prerogative that every person has against any public or private entity, by which no one may enter, without express authorization (from himself or mandate of the law), into aspects that are not public and that relate to his personal and family life, in order to process and/or disseminate them as he sees fit, regardless of the existence or not of any damage.'

Constitutional Decision 1738/2010-R (only available in Spanish here) established that both intimacy and privacy are the basis of the action for the protection of privacy. However, it distinguishes both concepts. Regarding intimacy, the Decision states that intimacy is 'the set of feelings, thoughts, and innermost inclinations, such as ideology, religion or beliefs, personal tendencies that affect sexual life, health problems that we wish to keep secret, and other inclinations,' while privacy refers to 'the sphere of the person formed by his family life, hobbies, certain goods, and personal activities.'

Constitutional Decision 0524/2018-S2 (only available in Spanish here) consolidates the criterion established by the Constitutional Decision 1738/2010, and it also refers to the right to 'informative self-determination', which is different from informational self-determination. It states that 'the informative self-determination is the power or ability that every person has to dispose of the information or personal data concerning his or her personality, to preserve his or her own computer identity, or, in other words, to consent to, control, and, if necessary, correct the computer data concerning his or her personality.'

On these matters, we note that 'sensitive data' was defined by constitutional jurisprudence as personal data regarding an individual's body and health; religious, philosophical, or political ideas and beliefs; a person's family life and sex life; and personal finances.

2. Scope of Application

2.1. Personal scope

The Telecommunications Law generally applies to all persons in the Bolivian territory, whether natural or legal, and/or Bolivian or foreign, that carry out activities and provide telecommunications services and ICT, originated, in transit, or terminated in Bolivian territory. The Telecommunications Law also applies to all natural or legal persons who provide services or offer goods. Specific regulations, such as financial or health-related, apply to those sectors specifically.

The 2021 Draft Law applies to all individuals or legal entities that process the personal data of individuals who are in Bolivian territory, regardless of whether the treatment is given in Bolivia or not.

2.2. Territorial scope

The Telecommunications Law applies to all individuals or legal entities that carry out activities and provide telecommunications and ICT services, originated, in transit, or completed in Bolivian territory, as well as the postal service, and to regulated financial services entities. In general, current legislation applies only to Bolivian territory; there is no extraterritorial principle available.

The 2021 Draft Law applies to national or international natural and/or legal persons regardless of whether the treatment took place in the national territory or not, as well as regardless of the form of its treatment or method of creation.

2.3. Material scope

The Telecommunications Law regulates all acts concerning the processing of personal data. These acts include any operation or set of operations involving personal data, such as:

  • collection;
  • storage;
  • use;
  • movement; and
  • deletion.

Constitutional Decision 0965/2004-R established jurisprudence regarding the right to informational self-determination, giving the individual the ability to:

  • access personal data and purpose;
  • update the information;
  • correct inaccurate information;
  • preserve the confidentiality of the information; and/or
  • exclude sensitive data.

The 2021 Draft Law covers the processing of personal data including any use of personal data. These acts include any operation or set of operations involving personal data, including but not limited to:

  • collection;
  • access;
  • registration;
  • organization;
  • adaptation;
  • modification;
  • storage;
  • conservation;
  • processing;
  • transfer;
  • dissemination; and/or
  • deletion.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Telecommunications and Transport Regulation and Supervision Authority (ATT) is the telecommunications regulatory authority; however, it is not an active regulator on this matter.

The 2021 Draft Law determines the creation of the Authority for the Protection of Personal Data (APDP), and the Plurinational Council for the Protection of Personal Data (CPPDP). The APDP will be responsible for exercising regulatory functions, supervision, and control of natural and legal persons and will be the technical arm of the CPPDP.

3.2. Main powers, duties and responsibilities

The general mission of the ATT is to promote the right to equitable, universal, and quality access to telecommunications, ICT, transportation, and postal service for Bolivians.

Among the legal responsibilities of the authority is the planning and establishment of general guidelines, and at a legal level granting of licenses, implementing regulations, determining sanctioning processes, attention to administrative claims, notification acts, and internal administrative and judicial processes.

Under the 2021 Draft Law, the APDP will be able to:

  • register, regulate, supervise, and sanction individuals, as well as entities that have public and/or private databases that store and process personal information. Specifically, sanctions will include:
    • sanctions for claims regarding the right of access, rectification, cancellation, and opposition by giving priority to the data owner over the data processor; and
    • sanctions in the event of non-compliance with its resolutions, the 2021 Draft Law, and related regulations;
  • issue specific regulations and monitor their compliance in the framework of the applicable regulations;
  • impose penalties for the violation of legal and regulatory provisions;
  • approve and register contracts and legal documents for the transfer of personal data;
  • resolve claims filed against entities that process personal data;
  • conduct audits on entities that process personal data; and
  • intervene when there is a breach of the applicable regulatory framework.

Sanctions will be defined by the APDP through regulatory provisions.

4. Key Definitions

Data controller: The 2021 Draft Law outlines that the 'responsible person' is a natural person or legal entity who is in charge of obtaining the consent of the data owners, directly or indirectly, and is in charge of the collection, application of security means, and processing of personal data.

Data processor: Bolivian legislation does not define 'data processor' but defines 'data processing' as 'any operation or combination of operations involving personal data, such as collection, storage, use, circulation, or suppression' (Article 3 part IV of the Decree).

Moreover, Article 5 of the 2021 Draft Law outlines a responsible person who is a natural person or legal entity, private, public, or mixed, that by itself or in conjunction with others, defines the purposes and means of, and performs, the processing of personal data for its own, directly or through hired third parties.

Personal data: All information concerning a natural or legal person that identifies it or makes it identifiable (Article 3 part IV of the Decree). In addition, Article 5 of the 2021 Draft Law defines 'personal data' as information (data and metadata) of any type, that permits identifying, locating, or contacting natural persons or legal entities.

Sensitive data: As established by constitutional jurisprudence, 'sensitive personal data' includes information regarding an individual's body and health, religious, philosophical, or political ideas and beliefs, a person's family life and sex life, and personal finances. In addition, Article 5 of the 2021 Draft Law defines 'sensitive data' as information that refers to the intimate sphere of a natural person; personal data can be considered sensitive if it can reveal aspects such as racial or ethnic origin, beliefs or religion, philosophical and moral convictions, union membership, political opinions, data related to health, life, preference, or sexual orientation, genetic information, or biometric data aimed to unmistakably identify a natural person.

Health data: This concept is included in the definition of 'sensitive data.'

Biometric data: The 2021 Draft Law defines biometric data as personal information that refers to the physical, physiological, or behavioral characteristics of a person that allow their identification, including but not limited to fingerprints, facial recognition, iris recognition, hand geometry recognition, retina recognition, voice recognition, and genetic data.

Pseudonymization: The reversible process of disassociation of the owner's personal data, replacing them with codes, words, or other similar symbols, in order to protect personal and/or sensitive data (Article 5 of the 2021 Draft Law).

5. Legal Bases

5.1. Consent

The Telecommunications Law provides that the technical treatment of personal data in the public and private sector in all their modalities, including data collection activities, storage, processing, blocking, cancellation, transfers, and interconnections, will require prior knowledge and the express consent of the data owner, which must be provided in writing or another comparable means according to the circumstances. This consent may be revoked when there is a justified cause for it, but such revocation will not have a retroactive effect (Article 56 of the Decree).

The 2021 Draft Law establishes that the data processor, prior to the processing of personal data, must obtain the explicit, written consent of the data subject (Article 11 of the 2021 Draft Law).

5.2. Contract with the data subject

Data processing on the basis of a contract is not specifically regulated.

However, the Telecommunications Law establishes that the contract made with the user must guarantee the rights of the user (including personal data rights) within the general conditions of the agreement. The 2021 Draft Law considers that the processing of data will be legitimate and legal when it is conducted for the fulfilment of contractual obligations executed by the controller, or by an authorized third party (Article 10 of the 2021 Draft Law).

5.3. Legal obligations

It is possible to process personal data to comply with legal obligations, such as labor or fulfilment of a contract.

The 2021 Draft Law allows the processing of personal data when the processing is conducted by the controller in compliance with a legal obligation or the mandate of public institutions (Article 10 of the 2021 Draft Law).

5.4. Interests of the data subject

The 2021 Draft Law allows the processing of personal data when the processing is necessary to defend the rights of the data owner (Article 10 of the 2021 Draft Law).

5.5. Public interest

Doctors are exempt from medical secrecy when the health of the family and the community are at imminent risk (Article 17 of the Law of Medical Professional Practice).

The 2021 Draft Law allows the processing of personal data when the processing is conducted by the controller in compliance with a legal obligation or by mandate of public institutions (Article 10 of the 2021 Draft Law).

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

In principle, the use of personal data for marketing purposes can only be made with data subject authorization.

In addition, the Telecommunications Law establishes that employer-provided email accounts are considered the property of the employer.

6. Principles

The Telecommunications Law establishes the following principles:

Purpose: The use and processing of personal data by the authorized entities must follow a legitimate purpose, which requires the owner's prior knowledge.

Veracity: The personal data that will be subject to treatment must be truthful, complete, accurate, updated, verifiable, and intelligible, and the treatment of personal data that is incomplete or that can induce errors is prohibited.

Transparency: The right of the data subject to obtain information related to the existence of data that concerns them.

Security: The technical and administrative controls that are required to preserve the confidentiality, integrity, availability, authenticity, non-repudiation, and reliability of the information must be implemented, providing security to the records, avoiding their falsification, loss, use, and unauthorized or fraudulent access.

Confidentiality: All the individuals involved and those who intervene in the processing of personal data, are required to guarantee the reservation of the information collected, even after the end of the link with any of the activities that include data treatment. The supply or communication of personal data can only be done when it corresponds to the development of the data treatment activities.

Inviolability: The conversations or private communications made through the use of telecommunications, information, and communication technology services, as well as the postal service, are inviolable and secret; they cannot be intercepted, interfered with, obstructed, altered, diverted, used, published, or disclosed, except in the cases determined by law.

The 2021 Draft Law determines the following principles:

Confidentiality: Confidentiality must be maintained with regard to the processing of personal data.

Responsibility: The data processor will implement the necessary mechanisms to certify compliance with the principles and obligations established by law, and will also allow the person in charge of the APDP to perform institutional inspections and verifications.

Purpose: Personal data shall not be processed for purposes other than those instructed by the data controller.

Pro Homine Principle: Establishes that the norm or the most favorable interpretation must be applied to the person or owner of the personal data, considering the protection and prohibition of the limitation of human rights, applying the norm, interpretation, or situations less restrictive and more favorable to the data holder.

Limited conservation: Personal data will be kept only for the time necessary to fulfill the purpose of its treatment.

7. Controller and Processor Obligations

7.1. Data processing notification

The Telecommunications Law does not require organizations to notify a regulator before collecting or processing personal data. However, data owners must be informed:

  • that their information will be subject to processing;
  • of the purpose of the collection and registry of the data;
  • of the potential recipients of the information;
  • of the identity and domicile of the party responsible for the processing or its representative; and
  • of the possibility of exercising its rights of access, rectification, updating, cancellation, objection, or revocation to/of the data collected.

The 2021 Draft Law determines that the data processors must be registered with the APDP. In addition, the data owner must be informed that their information will be processed, as well as the purpose of the processing.

7.2. Data transfers

The prior knowledge and the express consent of the data owner are necessary for any data transfer, which must be provided in writing or another comparable means according to the circumstances (Article 56(b) of the Decree).

The consent for the transfer of personal data does not give third parties the right to process personal data. If a third party processes data on behalf of the data controller, the data subject must be:

  • informed that the third party will process the data; and
  • provided with the third party's identity and domicile.

Also, financial entities must take security measures that guarantee the integrity, confidentiality, authentication, and non-repudiation in the operations carried out by financial entities, including data transfers (Section 1, Article 3(bb) and (ff) of the Regulation for the Security Management of the Information (only available in Spanish here) (the Financial Regulation)).

In the 2021 Draft Law, the data controller or exporter is permitted to make international data transfers if (Article 38 of the 2021 Draft Law):

  • the country to where the data is being transferred meets the adequate level of protection required by the APDP;
  • the exporter offers sufficient guarantees on the treatment of the personal data in receipt and proves compliance under the minimum conditions established in the applicable legislation;
  • the exporter and recipient have clauses in their contract to provide sufficient guarantees on the treatment and the scope of processing of the personal data;
  • the APDP must be informed about the data transfers; and
  • when required, the APDP directly authorizes the transfer.

7.3. Data processing records

There is not an express obligation to maintain processing records, but the Telecommunications Law implicitly recognizes that data controllers should keep records of their users' data and include some of that information in the public guides they provide to their users free of charge.

Also, Article 218 of the Bolivian Criminal Code (only available in Spanish here) (the Criminal Code), provides that if there is a criminal process involving a user within the Bolivian jurisdiction, the competent authority may request the company to present the user's data through a judicial order, with the purpose of investigating the commission of a possible crime.

7.4. Data protection impact assessment

Not currently regulated; however, the 2021 Draft Law states that when a data controller intends to process sensitive personal data or other risky information that may affect the personal data, an evaluation of the impact on the protection of personal data must be done prior to the collecting and treating of the personal data. Furthermore, the data controller should stipulate in a report specific security measures that allow greater protection for data subjects. This report will be presented to the APDP for its corresponding approval (Article 43 of the 2021 Draft Law).

In addition, the APDP will carry out periodic audits in order to detect non-compliance with the legislative framework applicable to the matter and the violation of the rights of the data subjects (Article 53 of the 2021 Draft Law).

7.5. Data protection officer appointment

Not currently regulated; however, Article 40 of the 2021 Draft Law establishes an obligation to appoint a data protection officer (DPO) when:

  • the organization in question is a public entity;
  • the organization carries out the regular and systematic processing of personal data; or
  • the organization performs personal data processing in a manner that could give rise to the probability of a high risk of affecting the right of the owners to the protection of their personal data.

7.6. Data breach notification

There is no data breach notification requirement in Bolivia. However, entities processing personal data should take appropriate remedial measures following a security breach in the telecommunications and communication and information technologies sectors, as well as in the financial sector (Annex to the Telecommunications Decree).

Financial entities must have an information security policy that could prevent any possible data breach. This information security policy must be published and communicated to the different departments of the supervised entity, in an understandable and accessible manner. The supervised entity must review and update the policy at least once a year, ensuring the correct implementation of the security practices (Article 8 of the Financial Regulation).

Under the 2021 Draft Law, the data controller must notify the APDP of the personal data breach no later than ten days after becoming aware of it, unless the breach does not constitute a risk. In addition, the data controller must notify the owner of the data about the security breach (Articles 44 and 45 of the 2021 Draft Law).

Data subjects have the right to demand information regarding the security breach. A data controller must, when it learns of a breach of security of personal data, notify the APDP and the owner of the personal data without undue delay (Article 45 of the 2021 Draft Law).

7.7. Data retention

Telecommunications (specific to digital signature certifying agencies)

The ATT, through an administrative resolution, will determine the procedure and conditions that must be met by the certifying entities for the conservation of the physical and digitized documents, ensuring their storage in servers located in the territory and under the legislation of Bolivia.

Financial sector

Documents related to the operations, whether microfilmed or registered in magnetic and/or electronic media, must be kept and remain in custody for a period not less than ten years.

The documentation that constitutes evidence in an administrative, judicial, or other instance, that is pending resolution, should not be destroyed, in order to safeguard the rights of the parties of the proceedings.

7.8. Children's data

Persons under the age of 18 are unable to give consent, and organizations must protect their personal data, unless there is an express authorization from the competent authority (Code of the Boy, Girl and Adolescent (only available in Spanish here) (Law No. 548 of November 2018)).

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Data subjects must be informed of the following:

  • that their information will be subject to processing;
  • of the purpose of the collection and registry of the data;
  • of the potential recipients of the information;
  • of the identity and domicile of the party responsible for the processing or its representative; and
  • of the possibility of exercising their rights of access, rectification, updating, cancellation, objection, or revocation to/of the data collected.

8.2. Right to access

Data owners have the right to access, rectification, updating, cancellation, objection, or revocation to/of the data collected (Article 56 of the Decree).

The Constitution also grants citizens the privacy protection action for any individual or collective person who is believed to be unduly or illegally prevented from knowing, objecting to, or obtaining the elimination or rectification of the data registered by any physical, electronic, magnetic, or information technology, in public or private files or databases, or that affect their fundamental right to personal or family privacy, or their own image, honor, and reputation.

Article 17 of the 2021 Draft Law provides for the right to access. Data owners have the right to access the data collected.

8.3. Right to rectification

Article 18 of the 2021 Draft Law provides for the right to rectification. Data owners have the right to rectification, correction, or updating of their personal data.

8.4. Right to erasure

Article 19 of the 2021 Draft Law states that data owners have the right to request the cancellation or deletion of their personal data.

8.5. Right to object/opt-out

The Consumer Law and the Telecommunications Law state that users have control regarding the use of their data for marketing or advertising purposes, and the service providers must protect them from unauthorized advertisement. Said laws also establish that service providers should always give an option to opt-out of mailing lists.

Article 22(II)(d) of the Consumer Law establishes that silence cannot be interpreted as acceptance of additional non-required benefits, services, or other obligations not expressly stipulated.

8.6. Right to data portability

Article 21 of the 2021 Draft Law states that when personal data is processed electronically or by automated means, data owners have the right to obtain a copy of the personal data.

8.7. Right not to be subject to automated decision-making

Article 22 of the 2021 Draft Law establishes that the owner of the data will have the right not to be subject to decisions that produce legal effects or significantly affect them, or those that are based solely on automated processing.

8.8. Other rights

Right to limit the processing of personal data

The processing and storage of personal data will be limited to the time and purpose granted in the consent for it (Article 23 of the 2021 Draft Law).

Right to compensation

Data owners have the right to be compensated when they have suffered damages as a result of a violation of any of their rights in the processing of their data (Article 25 of the 2021 Draft Law).

Right to informational self-determination

It is the ability to verify, correct, and prevent the dissemination of inaccurate or sensitive information that violates the individual's right to privacy and reputation.

Right to informative self-determination

It is the power or ability that every person has to dispose of the information or personal data concerning his or her personality, to preserve his or her own computer identity, or, in other words, to consent to, control, and, if necessary, correct the computer data concerning their personality.

9. Penalties

The Constitution establishes the right to commence a privacy action against organizations that violate data subjects' rights of access, objection, deletion, or correction with respect to their personal data (Article 130 of the Constitution).

The Consumer Law establishes that in cases of infringement, users can present a complaint before the service provider. In case of non-response from the service provider, users may file the claim before the 'Users and Consumers Service Centers,' to repair the violated right and impose sanctions. In addition, users can formally present a claim for infringement before the local regulatory authority, that is, the ATT (Article 26 of the Consumer Law).

Additionally, the ATT may impose the following sanctions for violations of the Telecommunications Law:

  • administrative warnings;
  • seizure of equipment, components, parts, and materials;
  • monetary fines; and
  • disqualification from operating in the Bolivian telecommunications sector.

Data subjects may present a constitutional action for the protection of privacy (habeas data), or a civil claim for damages caused by violations of data privacy norms.

A data subject can present civil claims before civil courts for damages related to administrative or criminal violations of data privacy norms. Damages would be determined by a judge on a case-by-case basis.

Criminal action for tampering with correspondence and private papers is available under the Criminal Code, which provides for potential imprisonment of three months to a year, or a fine.

9.1. Enforcement decisions

Constitutional Decision SCP 0819/2015-S3 (only available in Spanish here) confirms the disposition that ordered ATT to withdraw, annul, and eliminate any publication that involves the owner of the personal data, including material from the offices of the Municipal Governments. Further, the decision urges the State Attorney General to manage and coordinate with the relevant government bodies the necessary measures for the implementation of protection programs for victims arising from virtual platforms and the internet.