August 2023

1. Governing Texts

Despite the fact that Costa Rica's data protection law was enacted in 2011 and there is a Costa Rican data protection authority ('PRODHAB'), the enforcement by PRODHAB and compliance by the Republic of Costa Rica and private companies is very low. At this time, two different bills are being discussed in the Legislative Assembly, but it is unclear what the outcome of these projects will be.

1.1. Key acts, regulations, directives, bills

Data protection in Costa Rica is regulated by the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available in Spanish here) ('the Law') and Executive Decree No. 37554-JP of October 30, 2012, Regulating Law No. 8968 (only available in Spanish here) ('the Executive Decree'), as amended by Decree No. 40008-JP (only available in Spanish here) ('the Decree').

However, the right to data protection has been recognized and protected in Costa Rica by the Constitutional Court since the 1990s, on the basis of Article 24 of the Political Constitution of Costa Rica ('the Constitution'), which specifically recognizes the right to intimacy, as well as the freedom and secrecy of communications.

1.2. Guidelines

PRODHAB has issued the following unofficial guidelines:

• frequently asked questions on the Law (only available in Spanish here); and
• guidelines on the registration of databases (only available in Spanish here).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law will not be applicable to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes (Article 2 of the Law, and Article 3 of the Executive Decree). Furthermore, the provisions within the Executive Decree will not apply to data referring to the credit behavior that will be governed by the special regulations of the national financial system.

2.2. Territorial scope

The Law and the Executive Decree apply to personal data held in automated or manual databases of public or private organizations, and any form of subsequent use of such data, which has effect within the territory of Costa Rica, or where Costa Rican legislation applies by virtue of the conclusion of a contract or international law (Article 2 of the Law, and Article 3 of the Executive Decree).

2.3. Material scope

The Law applies to personal data contained in automated or manual databases, public or private organizations, and any form of subsequent use of such data within the territory of Costa Rica, or where applicable to Costa Rican legislation by virtue of the conclusion of a contract or international law (Article 2 of the Law, and Article 3 of the Executive Decree).

Technically, the Law does not apply to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes. However, PRODHAB can apply the Law to any database, even if it has not been used for internal, personal, or domestic purposes.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator in Costa Rica is PRODHAB.

3.2. Main powers, duties and responsibilities

PRODHAB's main duties and responsibilities, among others, are (Article 16 of the Law):

• processing any claim related to a data protection matter;
• administrating the registration procedure of the databases that must comply with such requirements;
• requesting any information regarding the data processing made by any entity;
• creating awareness regarding data protection aspects;
• elaborating guidelines for any aspect regarding data protection; and
• if needed, issuing mandatory orders to the data controllers in order to comply with the data subjects' rights.

4. Key Definitions

Data controller: The 'person responsible for the database' is the individual or legal entity that administers, manages, or is responsible for the database, whether it is a public or private entity, competent to do so, in accordance with the Law, and it decides on the purpose of the database, which categories of personal data will be processed, and the type of processing that will be undertaken (Article 3(h) of the Law, and Article 2(s) of the Executive Decree).

Data processor: Any individual or legal entity, public or private, or any other body that may process the personal data on behalf of the responsible party (Article 2(k) of the Executive Decree).

Personal data: Any information that relates to an identified or identifiable living individual (Article 3(b) of the Law).

Sensitive data: Information concerning sensitive information of a person, that may not be stored except in very specific circumstances. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, spiritual convictions, socioeconomic condition, biomedical or genetic information, health, sex life, and sexual orientation (Article 3(e) of the Law).

Health data: There is no definition of 'health data' in the applicable law.

Biometric data: There is no definition of 'biometric data' in the applicable law.

Pseudonymization: There is no definition of 'pseudonymization' in the applicable law.

Consent: An express, freely given, unequivocal, informed, and specific manifestation from the data subject, granted in writing or in digital form, for a specific purpose, by which the data subject, or their representative, consents to the processing of their personal data. If the consent is granted in the framework of a contract for other purposes, the contract must have a specific and independent clause on consent to the processing of personal data (Article 2(f) of the Executive Decree, and Article 1 of the Decree).

Data subject: Person who owns the personal data protected by the Law, or their representative.

Data breach: Any irregularity that may occur while handling personal data, such as the loss, destruction, and any other consequence that may result while the personal data was under the responsibility of the data controller (Article 38 of the Executive Decree).

Restricted access to personal data: Data that may be accessed and stored only with authorization, as it is of interest only to the data subject (Article 3(d) of the Law).

Unrestricted Access to Personal Data: Data contained in public and open databases with general public access, the use of which is governed by specific laws and subject to the purpose for which such data is collected. This data type falls outside of the scope of the transfer restrictions (Article 3(c) of the Law).

5. Legal Bases

5.1. Consent

The Law states that it is mandatory to obtain informed and express consent from individuals in order to process their information. No other bases for processing are included. The consent must be unequivocal, freely given, specific, and delivered by written or digital means.

Processing may take place without consent where any of the following exceptions are met:

• there is a reasoned order issued by a competent judicial authority (including, in our opinion, foreign judicial authorities), or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office;
• the personal data is unrestricted access personal data, and will not be processed for purposes other than those for which they were originally collected; or
• the data must be provided by the individual or by the data controller as a result of a Constitutional or legal provision. Although there is no case law or guidance on this, we would expect that requirements under foreign law would suffice.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Please see the section on consent above.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Please see the section on consent above.

6. Principles

The main right is the right to informational self-determination (i.e., the fundamental right of individuals to decide what information about themselves should be communicated to others and under what circumstances). It states that the principles and guarantees regarding the lawful processing of personal data set out in the Law form part of that fundamental right.

All processing of personal data should comply with the following principles:

• principle of informed consent: in the absence of an exemption, express, informed consent is required for all processing of personal data;
• principle of quality of information:
  • purpose limitation: Data controllers must only collect personal data for specific, explicit, and legitimate purposes, and must not subsequently process such data in a way that is incompatible with said purposes;
  • accuracy: Personal data must be accurate. The data controller must take the necessary measures so that inaccurate or incomplete data, with respect to the purposes for which they were collected or for which they were subsequently processed, are deleted or rectified;
  • up to date: Personal data must be current. The data controller must delete personal data that is no longer relevant or necessary for the purposes for which it was received and registered; and
  • truthfulness: The data controller is obliged to modify or delete the data that is incorrect. In the same way, it will ensure that the data is processed fairly and lawfully.

7. Controller and Processor Obligations

Data controller

The data controller has the responsibility of respecting all the rights of the data subjects (Article 10 of the Law). Additionally, all the personal data handled must be up to date, truthful, and in conformity with the purpose requested for collection (Article 6 of the Law). It is also mandatory to ensure that all the individuals included in all databases will have the right to access, rectify, revoke, or cancel their authorization to store and to make use of their personal data (Article 7 of the Law, and Articles 21, 23, and 25 of the Executive Decree).

In addition to these general regulations, one of the main aspects of the Law is that it is mandatory to obtain informed and express consent from data subjects in order to process their personal data. The consent must be unequivocal, freely given, specific, and delivered by written or digital means (Article 5 of the Law, and Article 4(c) of the Executive Decree). Moreover, and, in obtaining consent, the following information must be provided (Article 5(1) of the Law):

• the existence of a private database;
• the purposes for collecting the personal data;
• the final recipients of such information and who will have access to it;
• whether it is mandatory or not for the data subject to provide their personal data, and the consequences of not doing so;
• the type of data processing that will be carried out on the personal data;
• information for the data subjects of their rights; and
• the name and address of the company that will administer the database.

Informed consent must also be obtained for the authorization to transfer information to third parties (Article 14 of the Law, and Article 40 of the Executive Decree).

Additionally, there is a general confidentiality and security obligation for the processing of personal data. The security obligation provides that the data controller must conduct all technical and organizational safeguards in order to avoid loss, destruction, alteration, and/or unauthorized access to personal data (Article 10 of the Law). The duty of confidentiality provides that the data controller, and those involved in any phase of the processing of personal data, are bound by professional or functional secrecy, even after the end of their relationship with the database (Article 11 of the Law). The obliged person may be relieved of the duty of secrecy by a court decision if it were deemed strictly necessary.

Data processor

The Executive Decree includes some obligations for data processors and, in general, requires a guarantee on the integrity and security of the data. In particular, the data processor must comply with the following requirements (Article 31 of the Executive Decree):

• process personal data following the data controller's instructions;
• refrain from processing personal data for purposes other than those instructed by the data controller;
• implement security measures and comply with any minimum performance protocols;
• maintain the confidentiality of the data that was processed;
• avoid proceeding with a data transfer, unless it was duly instructed by the data controller; and
• delete personal data as soon as the relationship with the data controller has ended.

7.1. Data processing notification

In general, all databases, public, or private, which are managed for distribution, dissemination, or marketing purposes, must be registered with PRODHAB, registration forms (only available to access in Spanish here). In this sense, distribution, and dissemination is defined as any way in which personal data is distributed or published, to a third party, by any means, provided that the aim is to market the data or to obtain a profit from the database (Article 2(j) of the Executive Decree, and Article 1(j) of the Decree).

Such 'commercialization' is defined as the sale, trade, exchange, or in any way the transfer or pledge to obtain a profit in favor of a third party, one or more times, of the personal data contained in databases (Article 2(e) of the Executive Decree).

If an entity would like to proceed with the registration of the database, it must (under Article 44 of the Executive Decree, and Article 9 of the Decree):

• provide the request of the individual or legal owner, authenticated with a signature or through a notary;
• appoint a person responsible for the database before PRODHAB, indicating the means and place of contact, and a letter of acceptance of the position;
• identify the data processors, including their contact information and the location of the data, and submit a copy of the contract that they have with the owner of the database;
• provide the name of the database and its location;
• specify its purposes and foreseen uses;
• specify the type of data to be stored;
• provide information on the data collection procedures;
• provide a technical description of the measures used to safeguard the data, as well as risk assessments;
• provide information on the recipients of transfers of data;
• provide a certified copy of the minimum security protocols (this document must include all processes followed by the company for the management of its data); and
• provide an indication of fax or email in order to receive notifications from PRODHAB.

In line with the above, controllers must ensure the database is always up to date and must pay an annual registration fee of $200 to PRODHAB (Article 33 of the Law, and Article 78 of the Executive Decree).

Exemptions

Financial institutions subject to the control and regulation of the General Superintendence of Financial Entities ('SUGEF') are not required to register their databases with PRODHAB (Article 2 of the Decree).

In addition, personal, internal, and domestic databases do not have to be registered with PRODHAB (Article 9 of the Decree). Moreover, the regulations provided in the Executive Decree do not apply to databases maintained by individuals or legal entities for exclusively personal, internal, or domestic purposes (Article 3 of the Executive Decree).

7.2. Data transfers

The Law requires that data controllers obtain consent from the data subject in order to transfer personal data to another country (it does not include special regulations for specific countries) (Article 14 of the Law and Article 40 of the Executive Decree). Moreover, the transferor must ensure that, where personal data is transferred to any other country, adequate levels of protection of the data subject's rights in connection with the processing of their personal data will be provided.

Nevertheless, when personal data is transferred to a data processor for processing purposes only (i.e., the processor does not become a data controller), or is moved between companies of the same economic interest group, or to companies under joint control, the transfer of data to the data processor does not constitute a transfer under the Law and it is not necessary to obtain the data subject's consent (Article 8 of the Decree).

7.3. Data processing records

It is not mandatory for data controllers to maintain data processing records.

7.4. Data protection impact assessment

It is not mandatory for data controllers or processors to carry out a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

In Costa Rica, there is no obligation to appoint a data protection officer ('DPO').

7.6. Data breach notification

In the event of a data breach, a data breach notification is mandatory, with the requirements of such notifications being (Articles 38 and 39 of the Executive Decree):

• the data controller must notify the data subjects and PRODHAB within five business days following the discovery of the breach;
• within that same term (five business days), the data controller must initiate a thorough review to determine the extent of the damages caused by the breach, and to indicate the corrective and preventive measures that must be adopted; and
• the notification to affected data subjects and PRODHAB must include, at least, the following information:
  • nature of the incident;
  • compromised data;
  • corrective measures immediately taken upon notice of the breach and those taken thereafter; and
  • contact information and the place where more details about this matter can be obtained.

Failing to comply with the data breach notification requirements does not result in any penalty. However, this notification is highly recommended (even more so for cases that will be well-known internationally), as processing personal data without taking the appropriate security measures may be subject to a fine of up to $5,000.

7.7. Data retention

Article 11 of the Executive Decree includes a right to be forgotten, which states that personal data cannot be processed for more than 10 years upon the conclusion of the purpose for which the data was initially collected, unless there is a particular specification including a different term for that particular data. After this period, the personal data can be retained only after an anonymization process has been completed.

7.8. Children's data

The Law does not establish any particular regulation regarding the personal data of children. In Costa Rica, the age of majority is 18. Thus, anyone below 18 is considered a minor.

In this same sense, any action taken by someone under 15 years of age will be null and void, therefore any consent that a minor under 15 years of age may give will not be valid and their personal data cannot be collected unless there is express consent from their parents or guardians.

If the minor is between 15 and 18 years of age, all contracts, agreements, and any other economic activity (i.e., online activity) is presumed valid but may be annulled if one of the representatives of this minor requests its annulment. Therefore, in these cases, it is possible to collect personal data from individuals between 15 and 18 years of age without any inconvenience, as long as they, or their parents or guardians, are able to revoke consent at any time without any inconveniences or consequences.

7.9. Special categories of personal data

Data subjects have the right to refrain from providing sensitive data, and, when such data is provided, it must not be processed without the express consent of the data subject. The exceptions are the following (Article 9(1) of the Law):

• the processing is necessary to protect the vital interests of the data subject, or in other circumstances where the affected person is physically or legally incapable of giving consent;
• the processing is undertaken by a foundation, association, or other body for political, philosophical, religious, or union purposes, provided that the personal data is that of its members or regular contacts and the processing is undertaken in the course of its legitimate activities and in accordance with the Law, and provided that the consent of the data subject is obtained for transfers to third parties;
• the processing relates to sensitive personal data that the data subject has voluntarily made public, or is required for the recognition, exercise, or defense of a right in judicial proceedings; or
• the processing is necessary for medical or health purposes, provided that the processing is undertaken by a person in the medical profession, subject to professional secrecy obligations or the equivalent.

7.10. Controller and processor contracts

There are no relevant provisions for agreements between data controllers and data processors. The only aspect related to this matter is provided under Article 30 of the Executive Decree, which states that the data processor should process the personal data in accordance with the agreement made with the data controller.

8. Data Subject Rights

8.1. Right to be informed

This right is not included in the Law.

8.2. Right to access

The right of access is defined as the right of data subjects to receive, within five working days after submitting a request, the information from the data controller in reasonable intervals, and free of charge. This right includes the possibility to receive an accurate report of the personal data being processed, and includes the possibility of receiving extensive information, in writing (whether digitally or physically), concerning all the data being processed, as long as this does not affect third party rights.

Data subjects have the right to provide their personal data when it has been requested, by means of informed consent. Express consent will not be required under a few exceptions stated in the Law, namely (Article 5(2) of the Law):

• if there is a reasoned order issued by a competent judicial authority or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office;
• if it is personal data of unrestricted access, obtained from sources of general public access; and
• if the data must be provided as a result of a Constitutional or legal provision.

8.3. Right to rectification

Under the right to rectification, data subjects are entitled to request the modification of all incomplete, inaccurate, and/or unclear data.

8.4. Right to erasure

Under the right to deletion, data subjects may request, at any time, the deletion of their personal data. The data controller may refuse such a request only under the following circumstances:

• the data should be maintained in order to comply with other laws;
• the data is needed for security reasons or for the prevention or investigation of any crime;
• the data is maintained for adequate provision of a public service;
• the data is unrestricted personal data, obtained from sources of general public access; and
• the personal data was anonymized.

8.5. Right to object/opt-out

This right is not included in the Law.

8.6. Right to data portability

This right is not included in the Law.

8.7. Right not to be subject to automated decision-making

This right is not included in the Law.

8.8. Other rights

Not applicable.

9. Penalties

The competent authority in charge of imposing sanctions against non-compliance with the Law is PRODHAB, and in the event of its absence, the Constitutional Court.

PRODHAB may initiate proceedings sua sponte, or upon request by a person with a legitimate interest or subjective right (Article 24 of the Law, and Article 58 of the Executive Decree). After receiving such a request, PRODHAB will grant data controllers three working days to reply and offer evidence considered relevant for their defense (Article 25 of the Law). PRODHAB can also investigate and gather evidence and may issue any interim and provisional measures that it deems necessary. Proceedings end with a final judgment which is subject to appeal.

For an offense under the Law, PRODHAB can issue sanctions that can be minor (Article 29 of the Law), serious (Article 30 of the Law), or extremely serious (Article 31 of the Law). Accordingly, the penalty will vary depending on the seriousness of the offense and can range from a fine of approximately $3,000 to $18,000. In the most severe cases, the result could be the closure of the database for a period of one to six months (Article 28(c) of the Law).

9.1 Enforcement decisions

Not applicable.