Costa Rica - Data Protection Overview
1. Governing Texts
Although Costa Rica's data protection law was enacted in 2011 and there is a Costa Rican data protection authority ('PRODHAB'), enforcement by PRODHAB and compliance by the Republic of Costa Rica and private companies are very low. At this time, two different bills are being discussed in the Legislative Assembly, but it is unclear what the outcome of these projects will be.
Data protection in Costa Rica is regulated by the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available in Spanish) ('the Law') and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968 (only available in Spanish) ('the Executive Decree'), as amended by Decree No. 40008-JP (only available in Spanish) ('the Decree').
However, the right to data protection has been recognised and protected in Costa Rica by the Constitutional Court since the 1990s, on the basis of Article 24 of the Political Constitution of Costa Rica ('the Constitution'), which specifically recognises the right to intimacy, as well as the freedom and secrecy of communications.
PRODHAB has issued the following unofficial guidelines:
- Frequently asked questions on the Law (only available in Spanish); and
- Guidelines on the registration of databases (only available in Spanish).
1.3. Case law
2. Scope of Application
The Law does not apply to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes (Article 2 of the Law, and Article 3 of the Executive Decree). Furthermore, the provisions of the Executive Decree do not apply to data concerning credit behaviour, which is governed by the special regulations of the national financial system.
The Law and the Executive Decree apply to personal data held in automated or manual databases of public or private organisations, and any form of subsequent use of such data, which has effect within the territory of Costa Rica, or where Costa Rican legislation applies by virtue of the conclusion of a contract or international law (Article 2 of the Law, and Article 3 of the Executive Decree).
Technically, the Law does not apply to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes. However, PRODHAB is able to apply the Law to any database even if it has not been used for internal, personal, or domestic purposes.
3.1. Main regulator for data protection
The main regulator in Costa Rica is PRODHAB.
3.2. Main powers, duties and responsibilities
PRODHAB's main duties and responsibilities, among others, are (Article 16 of the Law):
- processing any claim related to a data protection matter;
- administering the registration procedure for the databases that are subject to the registration requirement;
- requesting any information regarding the data processing carried out by any entity;
- raising awareness of data protection matters;
- drafting guidelines on any aspect of data protection; and
- if needed, issuing mandatory orders to data controllers in order to ensure compliance with the data subjects' rights.
4. Key Definitions
Data controller: The 'person responsible for the database' is the individual or legal entity that administers, manages, or is responsible for the database, whether it is a public or private entity, competent to do so, in accordance with the Law, and it decides on the purpose of the database, which categories of personal data will be processed, and the type of processing that will be undertaken (Article 3(h) of the Law, and Article 2(s) of the Executive Decree).
Sensitive data: Personal data of a sensitive nature that may not be stored except in very specific circumstances. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, spiritual convictions, socioeconomic condition, biomedical or genetic information, health, sex life, and sexual orientation (Article 3(e) of the Law).
Consent: An express, freely given, unequivocal, informed, and specific manifestation from the data subject, granted in writing or in digital form, for a specific purpose, by which the data subject, or their representative, consents to the processing of their personal data. If the consent is granted in the framework of a contract for other purposes, the contract must have a specific and independent clause on consent to the processing of personal data (Article 2(f) of the Executive Decree, and Article 1 of the Decree).
Data subject: Person who owns the personal data protected by the Law, or their representative.
Data breach: Any irregularity that may occur while handling personal data, such as the loss, destruction, and any other consequence that may result while the personal data was under the responsibility of the data controller (Article 38 of the Executive Decree).
Restricted access to personal data: Data that may be accessed and stored only with authorisation, as it is of interest only to the data subject (Article 3(d) of the Law).
Unrestricted access to personal data: Data contained in public and open databases with general public access, the use of which is governed by specific laws and subject to the purpose for which such data is collected. This data type falls outside of the scope of the transfer restrictions (Article 3(c) of the Law).
5. Legal Bases
The Law states that it is mandatory to obtain informed and express consent from individuals in order to process their information. No other bases for processing are included. The consent must be unequivocal, freely given, specific, and delivered by written or digital means.
Processing may take place without consent where any of the following exceptions are met:
- there is a reasoned order issued by a competent judicial authority (including, in our opinion, foreign judicial authorities), or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office;
- the personal data is unrestricted access personal data, and will not be processed for purposes other than those for which they were originally collected; or
- the data must be provided by the individual or by the data controller as a result of a constitutional or legal provision. Although there is no case law or guidance on this, we would expect that requirements under foreign law would suffice.
Please see section on consent above.
The main right is the right to informational self-determination (i.e. the fundamental right of individuals to decide what information about themselves should be communicated to others and under what circumstances). The Law states that the principles and guarantees regarding the lawful processing of personal data set out in it form part of that fundamental right.
All processing of personal data should comply with the following principles:
- Principle of informed consent: in the absence of an exemption, express, informed consent is required for all processing of personal data.
- Principle of quality of information:
  - Purpose limitation: Data controllers must only collect personal data for specific, explicit, and legitimate purposes, and must not subsequently process such data in a way that is incompatible with said purposes.
  - Accuracy: Personal data must be accurate. The data controller must take the necessary measures so that inaccurate or incomplete data, with respect to the purposes for which they were collected or for which they were subsequently processed, are deleted or rectified.
  - Up to date: Personal data must be current. The data controller must delete personal data that is no longer relevant or necessary for the purposes for which they were received and registered.
  - Truthfulness: The data controller is obliged to modify or delete data that is incorrect. In the same way, it must ensure that the data is processed fairly and lawfully.
7. Controller and Processor Obligations
The data controller has the responsibility of respecting all the rights of the data subjects (Article 10 of the Law). Additionally, all the personal data handled must be up to date, truthful, and in conformity with the purpose requested for collection (Article 6 of the Law). It is also mandatory to ensure that all the individuals included in all databases will have the right to access, rectify, revoke, or cancel their authorisation to store and to make use of their personal data (Article 7 of the Law, and Articles 21, 23, and 25 of the Executive Decree).
In addition to these general regulations, one of the main aspects of the Law is that it is mandatory to obtain informed and express consent from data subjects in order to process their personal data. The consent must be unequivocal, freely given, specific, and delivered by written or digital means (Article 5 of the Law, and Article 4(c) of the Executive Decree). Moreover, when obtaining consent, the following information must be provided (Article 5(1) of the Law):
- the existence of a private database;
- the purposes for collecting the personal data;
- the final recipients of such information and who will have access to it;
- whether it is mandatory or not for the data subject to provide their personal data, and the consequences of not doing so;
- the type of data processing that will be carried out on the personal data;
- information on the data subjects' rights; and
- the name and address of the company that will administer the database.
Informed consent must also be obtained for the authorisation to transfer information to third parties (Article 14 of the Law, and Article 40 of the Executive Decree).
Additionally, there is a general confidentiality and security obligation for the processing of personal data. The security obligation provides that the data controller must implement all technical and organisational safeguards needed to avoid the loss, destruction, alteration, and/or unauthorised access to the personal data (Article 10 of the Law). The duty of confidentiality provides that the data controller, and those involved in any phase of the processing of personal data, are bound by professional or functional secrecy, even after the end of their relationship with the database (Article 11 of the Law). The obliged person may be relieved of the duty of secrecy by a court decision where this is deemed strictly necessary.
The Executive Decree includes some obligations for data processors and, in general, requires a guarantee on the integrity and security of the data. In particular, the data processor must comply with the following requirements (Article 31 of the Executive Decree):
- process personal data following the data controller's instructions;
- refrain from processing personal data for purposes other than those instructed by the data controller;
- implement security measures and comply with any minimum performance protocols;
- maintain the confidentiality of the data that was processed;
- avoid proceeding with a data transfer, unless it was duly instructed by the data controller; and
- delete personal data as soon as the relationship with the data controller has ended.
In general, all databases, public or private, which are managed for distribution, dissemination, or marketing purposes, must be registered with PRODHAB (the registration forms are only available in Spanish). In this sense, distribution and dissemination are defined as any way in which personal data is distributed or published to a third party, by any means, provided that the aim is to market the data or to obtain a profit from the database (Article 2(j) of the Executive Decree, and Article 1(j) of the Decree).
Such 'commercialisation' is defined as the sale, trade, exchange, or in any way the transfer or pledge to obtain a profit in favour of a third party, one or more times, of the personal data contained in databases (Article 2(e) of the Executive Decree).
If an entity would like to proceed with the registration of the database, it must (under Article 44 of the Executive Decree, and Article 9 of the Decree):
- provide the request of the individual or legal owner, authenticated with a signature or through a notary;
- appoint a person responsible for the database before PRODHAB, indicating the means and place of contact, and a letter of acceptance of the position;
- identify the data processors, including their contact information and location of the data, and submit a copy of the contract that they have with the owner of the database;
- provide the name of the database and its location;
- specify its purposes and foreseen uses;
- specify the type of data to be stored;
- provide information on the data collection procedures;
- provide a technical description of the measures used to safeguard the data, as well as risk assessments;
- provide information on the recipients of transfers of data;
- provide a certified copy of the minimum security protocols (this document must include all processes followed by the company for the management of its data); and
- provide an indication of fax or email in order to receive notifications from PRODHAB.
In line with the above, controllers must ensure the database is always up to date and must pay an annual registration fee of $200 to PRODHAB (Article 33 of the Law, and Article 78 of the Executive Decree).
Financial institutions subject to the control and regulation of the General Superintendence of Financial Entities ('SUGEF') are not required to register their databases with PRODHAB (Article 2 of the Decree).
In addition, personal, internal, and domestic databases do not have to be registered with PRODHAB (Article 9 of the Decree). Moreover, the regulations provided in the Executive Decree do not apply to databases maintained by individuals or legal entities for exclusively personal, internal, or domestic purposes (Article 3 of the Executive Decree).
The Law requires that data controllers obtain consent from the data subject in order to transfer personal data to another country (it does not include special regulations for specific countries) (Article 14 of the Law and Article 40 of the Executive Decree). Moreover, the transferor must ensure that, where personal data is transferred to any other country, adequate levels of protection of the data subject's rights in connection with the processing of their personal data will be provided.
Nevertheless, when personal data is transferred to a data processor for processing purposes only (i.e. the processor does not become a data controller), or is moved between companies of the same economic interest group, or to companies under joint control, the transfer of data to the data processor does not constitute a transfer under the Law and it is not necessary to obtain the data subject's consent (Article 8 of the Decree).
It is not mandatory for data controllers to maintain data processing records.
It is not mandatory for data controllers or processors to carry out a Data Protection Impact Assessment ('DPIA').
In Costa Rica, there is no obligation to appoint a data protection officer.
In the event of a data breach, a data breach notification is mandatory, with the requirements of such notifications being (Articles 38 and 39 of the Executive Decree):
- the data controller must notify the data subjects and PRODHAB within five business days following the discovery of the breach;
- within that same term (five business days), the data controller must initiate a thorough review to determine the extent of the damages caused by the breach, and to indicate the corrective and preventive measures that must be adopted; and
- the notification to affected data subjects and PRODHAB must include, at least, the following information:
  - nature of the incident;
  - compromised data;
  - corrective measures immediately taken upon notice of the breach and those taken thereafter; and
  - contact information and place where more details about this matter can be obtained.
Failing to comply with the data breach notification requirements does not result in any penalty. However, this notification is highly recommended (even more so for cases that will be well-known internationally), as processing personal data without taking the appropriate security measures may be subject to a fine of up to $5,000.
Article 11 of the Executive Decree includes a right to be forgotten, which states that personal data cannot be processed for more than ten years upon the conclusion of the purpose for which the data was initially collected, unless there is a particular specification including a different term for that particular data. After this period, the personal data can be retained only after an anonymisation process has been completed.
The Law does not establish any particular regulation regarding the personal data of children. In Costa Rica, the age of majority is 18. Thus, anyone below 18 is considered a minor.
In this same sense, any action taken by someone under 15 will be null and void, therefore any consent that a minor under 15 years of age may give will not be valid and their personal data cannot be collected unless there is express consent from their parents or guardians.
If the minor is between 15 and 18 years of age, all contracts, agreements, and any other economic activity (i.e. online activity) are presumed valid but may be annulled if one of the minor's representatives requests their annulment. Therefore, in these cases, it is possible to collect personal data from individuals between 15 and 18 years of age, as long as they (or their parents or guardians) are able to revoke consent at any time without any inconvenience or consequences.
Data subjects have the right to refrain from providing sensitive data, and, when such data is provided, it must not be processed without the express consent of the data subject. The exceptions are the following (Article 9(1) of the Law):
- the processing is necessary to protect the vital interests of the data subject, or in other circumstances where the affected person is physically or legally incapable of giving consent;
- the processing is undertaken by a foundation, association, or other body for political, philosophical, religious, or union purposes, provided that the personal data is that of its members or regular contacts and the processing is undertaken in the course of its legitimate activities and in accordance with the Law, and provided that the consent of the data subject is obtained for transfers to third parties;
- the processing relates to sensitive personal data that the data subject has voluntarily made public, or is required for the recognition, exercise, or defence of a right in judicial proceedings; or
- the processing is necessary for medical or health purposes, provided that the processing is undertaken by a person in the medical profession, subject to professional secrecy obligations or the equivalent.
There are no relevant provisions for agreements between data controllers and data processors. The only aspect related to this matter is provided under Article 30 of the Executive Decree, which states that the data processor should process the personal data in accordance with the agreement made with the data controller.
8. Data Subject Rights
This right is not included in the Law.
The right of access is defined as the right of data subjects to receive, within five working days after submitting a request, the information from the data controller in reasonable intervals, and free of charge. This right includes the possibility to receive an accurate report of the personal data being processed, and includes the possibility of receiving extensive information, in writing (whether digitally or physically), concerning all the data being processed, as long as this does not affect third party rights.
Data subjects have the right to provide their personal data, when it has been requested, by means of an informed consent. Express consent will not be required under a few exceptions stated in the Law, namely (Article 5(2) of the Law):
- if there is a reasoned order issued by a competent judicial authority, or an agreement adopted by a special investigative committee of the Legislative Assembly in the exercise of its office;
- if it is personal data of unrestricted access, obtained from sources of general public access; and
- if the data must be provided as a result of a constitutional or legal provision.
Under the right to rectification, data subjects are entitled to request the modification of all incomplete, inaccurate, and/or unclear data.
Under the right to deletion, data subjects may request, at any time, the deletion of their personal data. The data controller may refuse such a request only under the following circumstances:
- the data should be maintained in order to comply with other laws;
- the data is needed for security reasons or for the prevention or investigation of any crime;
- the data is maintained for adequate provision of a public service;
- the data is unrestricted personal data, obtained from sources of general public access; or
- the personal data was anonymised.
This right is not included in the Law.
The competent authority in charge of imposing sanctions against non-compliance of the Law is PRODHAB, and in the event of its absence, the Constitutional Court.
PRODHAB may initiate proceedings sua sponte, or upon request by a person with a legitimate interest or subjective right (Article 24 of the Law, and Article 58 of the Executive Decree). After receiving such a request, PRODHAB will grant data controllers three working days to reply and offer evidence considered relevant for their defence (Article 25 of the Law). PRODHAB can also investigate and gather evidence and may issue any interim and provisional measures that it deems necessary. Proceedings end with a final judgment which is subject to appeal.
For an offence under the Law, PRODHAB can issue sanctions which can be minor (Article 29 of the Law), serious (Article 30 of the Law), or extremely serious (Article 31 of the Law). Accordingly, the penalty will vary depending on the seriousness of the offence and can range from a fine of approximately $3,000 to $18,000. In the most severe cases, the result could be the closure of the database for a period of one to six months (Article 28(c) of the Law).