El Salvador - Data Protection Overview
1. Governing Texts
The Government was working on a data protection bill that would provide more specific rules and norms to facilitate effective protection of this right. The bill was approved by the Legislative Assembly but was not confirmed by the President in 2021, on the grounds that it was incomplete and inconvenient. As such, a new bill will be prepared, and there is no estimated date for its public discussion and further approval.
Currently, El Salvador does not have a law that specifically regulates data protection. However, there are certain provisions in other laws that regulate this right, such as:
- Constitution of the Republic of El Salvador (only available in Spanish) ('the Constitution');
- Consumer Protection Law (as duly amended in 2018) (only available in Spanish);
- Law for the Regulation of Information Services on Credit History of Persons 2011 (only available in Spanish) ('the Credit History Law');
- Criminal Code 1997 (only available in Spanish);
- Access to Public Information Law 2011 (only available in Spanish) ('the Access to Information Law'); and
- Special Law on Computer Crimes and Related Crimes 2016 (only available in Spanish) ('the Computer Crimes Law').
These laws serve as the current legal framework for data protection.
The Constitution provides, in Article 2, that all persons have the right to life, physical and moral integrity, liberty, security, work, property and possession, and to be protected in the conservation and defence of the same. The right to honour, personal and family privacy, and personal image are guaranteed. Moral damages are compensated by law.
In respect to the public sector, the Access to Information Law provides citizens with the right to obtain public information from governmental and other public entities to procure the transparency of these institutions. It also includes provisions that mandate the protection of personal data.
Additionally, the Computer Crimes Law (further detailed in the section on data protection authority below) regulates crimes related to computer and information technology activities, including provisions that regulate the unauthorised use of personal data obtained through undue access to databases that contain such information.
The Consumer Protection Law (further detailed in the section on data protection authority below) was amended in 2018 to include a number of e-commerce provisions, which include an obligation for suppliers duly established in El Salvador to use personal information in a confidential manner, and to implement security systems that guarantee the confidentiality and safety of consumers' personal information.
There is no centralised authority. For specific matters, the following authorities have issued guidance:
- Centre for Consumer Defence;
- Superintendent of the Financial System ('the Superintendent');
- National Council for Childhood and Adolescence; and
- Institute for Access to Public Information ('the Institute').
1.3. Case law
There is a landmark case regarding data protection, The Salvadoran Association for the Protection of Data and the Internet ('INDATA') v. Equifax de Centroamerica ('DICOM') (only available in Spanish) ('the Decision') (further explored in the section on personal scope), which for the first time in the country mentions the need to protect the right to self-determination of citizens' personal data in private or public registries or databases against the threat of unauthorised and inappropriate use and access. Self-determination, as defined in the Decision, may be understood as follows:
- any person has the right to access their personal information, with special regard to information contained in a computerised database;
- any person has the possibility and right to control, in a reasonable way, the transmission or distribution of their personal information; and
- personal information in computer databases or another type of database shall be protected against unauthorised third-party use, transfer, or distribution.
While the Decision mentions the right of access, it does not establish a procedure for requesting such information.
2. Scope of Application
The legislation mentioned above protects any identifiable natural person. It is not clear whether deceased individuals fall within its application. The obligated parties are natural persons or any organisations.
The legislation mentioned above applies in the territory of El Salvador; however, its extraterritorial scope is not clear.
3.1. Main regulator for data protection
There is no main regulator for data protection. However, as the matter is regulated briefly in different special laws, the entity that regulates each law shall be the authority that regulates data protection (i.e., if it refers to consumers, the Centre for Consumer Defence is responsible). Also, in general, data protection enforcement may be pursued through the courts.
3.2. Main powers, duties and responsibilities
As mentioned before, the data protection authority depends on the specific law or matter. However, in general, there is a responsibility to keep information confidential and not to use, process, or transfer information without the consent of the owner.
4. Key Definitions
There is no special data protection law; however, there are definitions in other special laws. Both the Access to Public Information Law and the Computer Crimes Law use the same definitions and distinctions for data subject and personal data, as outlined below.
Data controller: There is no definition. There is a type of data controller within the Access to Public Information Law, called the 'information official', who is in charge of reviewing and authorising requests to access the public information of each public entity (this does not apply with respect to private entities).
Personal data: The private information concerning a person, identified or identifiable, relative to their nationality, address, patrimony, electronic address, phone number, or other similar information (Article 6(a) of the Access to Information Law and Article 3(m) of the Computer Crimes Law).
Sensitive data: Data that corresponds to a person in relation to their creed, religion, ethnic origin, affiliation or political ideologies, union affiliation, sexual preferences, physical and mental health, moral situation, family and/or other intimate information of a similar nature or that could affect the right to honour, to one's own image, and to personal and family intimacy (Article 6(b) of the Access to Information Law, and Article 3(n) of the Computer Crimes Law).
Health data: There is no specific definition; however, health data is considered personal information that can only be accessed with the authorisation of the owner of the data. When provided to health professionals (public or private), such data must be kept confidential.
5. Legal Bases
There is no specific data protection law; however, the decisions of the Supreme Court of Justice of El Salvador ('the Supreme Court') have recognised the right to informative self-determination of personal data contained in public or private databases, especially those stored by computer/technological means. This includes the right that an individual has against the information's arbitrary use, as well as the possibility to access the information and to request its correction, updating, amendment, elimination, transfer and distribution. There must also exist the tools or legal recourses that permit the enforcement of such rights.
Other rights that these decisions provide for include knowing the purpose for the collection and processing of the data, to whom and for what reason or purpose the data shall be transferred, and who is responsible for this information.
These decisions also determine that the right to privacy is a part of the private sphere of the individual and cannot be separated from the social context in which it is performed, which implies that such a right can be limited by social needs and public interests.
Data controller provisions are not included in any law or decision.
In respect to legal bases in other instances, Articles 21, 21-A, and 22 of the Consumer Protection Law protect consumers of electronic commerce. Consumers also have rights over their data and the power to control its processing with respect to financial information service providers and telecommunications.
To use third parties' personal data, consent must be obtained. The law does not require any specific wording for valid consent; however, it is recommended that consent be obtained in Spanish (the official language) and in written form, in case such consent needs to be proved.
The Access to Public Information Law provides that public interest information (that refers to governmental and public entities) shall be public, unless the entity determines that the damage of revealing the information is higher than the public interest in knowing the information, or that the disclosure of information may effectively threaten the legally protected interest.
There is no specific data protection law, however an important court decision determined the following principles:
- accuracy; and
- self-determination of personal data in databases.
In respect to credit information, the Credit History Law includes the following principles:
- access of the entitled person: any consumer or client that proves their identity has the right to know if their credit information and history is being processed, and also has the right to request its amendment when the data is illicit, incorrect, unjustified, or inexact;
- quality of the data: the information processed must be exact and updated;
- reservation/confidentiality: any person with access to information cannot reveal it to third parties, unless it is a governmental and competent authority or is within the normal operations of an information agency; and
- security: the economic agents and the information agencies shall adopt the measures or technical controls necessary to avoid alterations, loss, or unauthorised processing of or access to credit information.
7. Controller and Processor Obligations
There are no general requirements to register with or notify any authorities where a business processes personal data. The exceptions include:
- data information agencies for credit information, which must obtain an authorisation from the Superintendent; and
- governmental/public entities that process personal information, who can provide information only by authorisation of the Unit for Access of Information (directed by the Official of Information).
Data transfers are not specifically regulated, but according to jurisprudence, authorisation/consent for transfer of the data subject's personal data shall be obtained.
Although there is no special law or centralised authority, the protection of the right to informative self-determination is recognised by the Constitution and has been developed from Supreme Court decisions and various provisions in different laws. As such, even if there is no legal provision for the mandatory appointment of data protection officers, there are governmental entities that have the possibility to assist in the enforcement of personal data rights.
This is not specifically regulated, but according to jurisprudence, the data subject may request the deletion of personal data not authorised for processing or for recording.
The Law for the Comprehensive Protection of Children and Adolescents (only available in Spanish) provides that it is prohibited to use, disclose, publish, or expose data, images or information against the child's will and the knowledge of their parents or legal representatives. It is also prohibited to expose or disclose data, images, or information that damages the reputation and honour of children or that may be an illegal or arbitrary interference in the personal or private intimacy of the child or their family.
See section on governing texts above.
8. Data Subject Rights
Individuals must be provided a procedure or remedy to be able to make effective use of the aforementioned rights.
The individual has the right to access their personal information, especially that contained in computer databases.
The individual has the right to request the rectification of their information.
In respect to credit information, consumers have the right to request the erasure of wrong or out-of-date information. Where personal data in general is used or processed without the authorisation of the owner, such owner may request the erasure of the data.
An individual has the possibility of controlling, in a reasonable way, the transmission or distribution of their personal information.
Whilst penalties are not regulated in a specific data protection law, there are penalties in respect to specific laws.
In respect to credit information, depending on the gravity, the penalties include:
- economic fines;
- temporary or permanent suspension of activities; and/or
- seizure of database.
In respect to public information (stored and processed by governmental and public entities), depending on the authority, penalties include:
- economic fines;
- suspension of the infringing authority/governmental employee; and
- dismissal of the infringing authority/governmental employee.
In respect to consumer information, penalties include economic fines.
If the information was obtained/extracted through a breach of information technology databases, this is considered a crime punishable by imprisonment.
- Supreme Court Decision 934-2007 of 4 March 2011: INDATA v. INFORNET, S.A. de C.V. (only available in Spanish) concerned the infringement of the right to self-determination of personal data.
- Decision according to the Law for Public Access to Information: NUE 052 National Civil Police ordered the deletion of data about criminal records in a case where the individual was not convicted in a criminal procedure.