October 2023

1. Governing Texts

The Government was working on a data protection bill that would provide more specific rules and norms that facilitate an effective protection of this right, and which was approved by the Legislative Assembly but not confirmed by the President in 2021, for reasons of being incomplete and inconvenient. As such, a new bill will be prepared and there is no estimated date for its public discussion and further approval.

1.1. Key acts, regulations, directives, bills

Currently, El Salvador does not have a law that specifically regulates data protection. However, there are certain provisions in other laws that regulate this right, such as:

• Constitution of the Republic of El Salvador (only available in Spanish here) ('the Constitution');
• Consumer Protection Law (as duly amended in 2018) (only available in Spanish here);
• Law for the Regulation of Information Services on Credit History of Persons 2011 (only available in Spanish here) ('the Credit History Law');
• Criminal Code 1997 (only available in Spanish here);
• Access to Public Information Law 2011 (only available in Spanish here) ('the Access to Information Law'); and
• Special Law on Computer Crimes and Related Crimes 2016 (only available in Spanish here) ('the Computer Crimes Law').

These laws serve as the current legal framework for data protection.

Constitution

The Constitution provides, in Article 2, that all persons have the right to life, physical and moral integrity, liberty, security, work, property, and possession, and to be protected in the conservation and defense of the same. The right to honor, personal and family privacy, and personal image are guaranteed. Moral damages are compensated by law.

Public sector

In respect to the public sector, the Access to Information Law provides citizens with the right to obtain public information from governmental and other public entities to procure the transparency of these institutions. It also includes provisions that mandate the protection of personal data.

Computer crimes

Additionally, the Computer Crimes Law (further detailed in the section on data protection authority below) regulates crimes related to computer and information technology activities, including dispositions that regulate unauthorized use of personal data from undue access to databases that contain such information.

Consumer protection

The Consumer Protection Law (further detailed in the section on data protection authority below) was amended in 2018 to include a number of e-commerce dispositions, which include an obligation for suppliers duly established in El Salvador to use personal information in a confidential manner, and to implement security systems that guarantee the confidentiality and safety of consumers' personal information.

1.2. Guidelines

There is no centralized authority. For specific matters, the following authorities have issued guidance:

• Centre for Consumer Defence;
• Superintendent of the Financial System ('the Superintendent');
• National Council for Childhood and Adolescence; and
• Institute for Access to Public Information ('the Institute').

1.3. Case law

There is a landmark case regarding data protection, The Salvadoran Association for the Protection of Data and the Internet ('INDATA') v. Equifax de Centroamerica ('DICOM') (only available in Spanish here) ('the Decision') (further explored in the section on personal scope), which mentions for the first time in the country the need to protect the right to self-determination of citizen personal data in private or public registries or databases against the menace of unauthorized and inappropriate use and access. Self-determination, as defined in the Decision, may be considered as the following:

• any person has the right to access their personal information, with special regard to information contained in a computerized database;
• any person has the possibility and right to control, in a reasonable way, the transmission or distribution of their personal information; and
• personal information in computer databases or another type of database shall be protected against unauthorized third-party use, transfer, or distribution.

While the Decision mentions the right of access, it does not establish a procedure for requesting such information.

2. Scope of Application

2.1. Personal scope

The legislation mentioned above protects any identifiable natural persons. It is not clear whether deceased individuals are within its application. The obligated individuals are natural or any organizations.

2.2. Territorial scope

The legislation mentioned above applies in the territory of El Salvador, however, it is not clear as to its extraterritorial scope.

2.3. Material scope

Not applicable.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

There is no main regulator for data protection. However, as the matter is regulated briefly in different special laws, the entity that regulates each law shall be the authority that regulates data protection (i.e., if it refers to consumers, the Center for Consumer Defence is responsible). Also, in general, data protection enforcement may be made through Courts.

3.2. Main powers, duties and responsibilities

As mentioned before, the data protection authority depends on the specific law or matter. However, in general, there is a responsibility to maintain information as confidential and not use, process, or transfer information without the consent of the owner.

4. Key Definitions

There is no special data protection law, however, there are definitions in other special laws. Both the Access to Public Information Law and the Computer Crimes Law make the same definition and distinctions for data subject and personal data as outlined below.

Data controller: There is no definition. There is a type of data controller within the Access of Public Information Law, which is called 'information official' who is in charge of reviewing and authorising the requests to access public information of each public entity (does not apply with respect to private entities).

Data processor: Not applicable.

Personal data: The private information concerning a person, identified or identifiable, relative to their nationality, address, patrimony, electronic address, phone number, or other similar information (Article 6(a) of the Access to Information Law and Article 3(m) of the Computer Crimes Law).

Sensitive data: Data that corresponds to a person in relation to their creed, religion, ethnic origin, affiliation or political ideologies, union affiliation, sexual preferences, physical and mental health, moral situation, family and/or other intimate information of a similar nature or that could affect the right to honor, to one's own image, and to personal and family intimacy (Article 6(b) of the Access to Information Law, and Article 3(n) of the Computer Crimes Law).

Health data: There is no specific definition, however, health data is considered as personal information, that can only be accessed with authorization of the owner of the data. When provided to health professionals (public or private) such data must be maintained confidential.

Biometric data: Not applicable.

Pseudonymization: Not applicable.

5. Legal Bases

There is no specific data protection law, however, the Supreme Court of Justice of El Salvador's ('the Supreme Court') decisions have recognized the right to informative self-determination of personal data contained in public or private databases, especially those stored by computer/technological means. This includes the right that an individual has against the information's arbitrary use, as well as, the possibility to access the information, request its correction, updating, amendment, elimination, transfer, and distribution, and there must also exist the tools or legal recourses that permit the enforcement of such rights.

Other rights that these decisions provide for include knowing the purpose for the collection and processing of the data, to whom and the reason or purpose for which the data shall be transferred, and who is responsible for this information.

These decisions also determine that the right to privacy is a part of the private sphere of the individual and cannot be separated from the social context in which it is performed, which implies that such a right can be limited by social needs and public interests.

Data controller provisions are not included in any law or decision.

In respect to legal bases in other instances, Articles 21, 21-A, and 22 of the Consumer Protection Law protect consumers of electronic commerce. Consumers also have rights over their data and the power to control its processing with respect to financial information service providers and telecommunications.

5.1. Consent

To use third parties' personal data, consent must be obtained. There is no specific wording that the law requires for valid consent, however, it is recommended to be obtained in Spanish (the official language) and in written form, in case such consent needs to be proved.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

The Law for Access of Public Information provides that public interest information (that refers to governmental and public entities) shall be public, unless it is determined by the entity that the damage of revealing the information is higher than the public interest to know the information, or that the disclosure of information may effectively menace the legally protected interest.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

There is no specific data protection law, however an important court decision determined the following principles:

• accuracy; and
• self-determination of personal data in databases.

In respect to credit information, the Credit History Law includes the following principles:

• access of the entitled person: any consumer or client that proves their identity has the right to know if their credit information and history is being processed, and also has the right to request its amendment when the data is illicit, incorrect, unjustified, or inexact;
• quality of the data: the information processed must be exact and updated;
• reservation/confidentiality: any person with access to information cannot reveal it to third parties, unless it is a governmental and competent authority or is within the normal operations of an information agency; and
• security: the economical agents and the information agencies shall adopt measures or technical controls necessary to avoid alterations, loss, or unauthorized processing or access to credit information.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no general requirements to register with or notify any authorities where a business processes personal data. The exceptions include:

• data information agencies for credit information, which must obtain an authorization before the Superintendent; and
• governmental/public entities that process personal information, who can provide information only by authorization of the Unit for Access of Information (directed by the Official of Information).

7.2. Data transfers

Data transfers are not specifically regulated, but according to jurisprudence, authorization/consent for transfer of the data subject's personal data shall be obtained.

7.3. Data processing records

Not applicable.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Although there is no special law or centralized authority, the protection of the right to informative self-determination is recognized by the Constitution and has been developed from Supreme Court decisions and various provisions in different laws. As such, even if there is no legal provision for the mandatory appointment of data protection officers, there are governmental entities that have the possibility to assist in the enforcement of personal data rights.

7.6. Data breach notification

Data breach obligations are only found in respect to the financial sector.  

The entity shall have a notification procedure, that shall at least include:  

• information that according to the policy and at the opportune moment, the company will report to clients and users of the products and financial services affected, about the security incident that affected the confidentiality or the integrity of their information, and the measures taken to mitigate the incident; and
• information to report to the leadership of the company and to the Superintendent about the incident, upon knowledge of the same, including a brief description of the incident, general information available, or the cause, impact, and actions performed. Within the next 10 days, the following information must be submitted:  
  • date and time the incident started; 
  • date and time of the end of the incident, if such ending has been reached; 
  • causes of the failure; 
  • technical assessment; 
  • affected channels; 
  • time out of service; 
  • impact; and 
  • corrective actions taken or plan of action to solve the causes that originated the incident and to prevent them in the future.

7.7. Data retention

This is not specifically regulated, but according to jurisprudence, the data subject may request the deletion of personal data not authorized for processing or for recording.

7.8. Children's data

The Law for the Comprehensive Protection of Children and Adolescents (only available in Spanish here) provides that it is prohibited to use, disclose, publish, or expose data, images, or information against the child's will and the knowledge of their parents or legal representatives. It is also prohibited to expose or disclose data, images, or information that damages the reputation and honor of children or that may be an illegal or arbitrary interference in the personal or private intimacy of the child or their family.

7.9. Special categories of personal data

See section on governing texts above.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

Individuals must be provided a procedure or remedy to be able to make effective use of the aforementioned rights.

8.1. Right to be informed

Not applicable.

8.2. Right to access

The individual has the right to access their personal information, especially those contained in computer databases.

8.3. Right to rectification

The individual has the right to request the rectification of its information.

8.4. Right to erasure

In respect to credit information, consumers have the right to request the erasure of wrong, or out-of-date information. In the case of the use or processing of personal data in general without authorization of the owner, such owner may request the erasure of the data.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

An individual has the possibility of controlling, in a reasonable way, the transmission or distribution of their personal information.

9. Penalties

Whilst penalties are not regulated in a specific data protection law, there are penalties in respect to specific laws.

In respect to credit information, depending on the gravity, the penalties include:

• economic fines;
• temporal or permanent suspension of activities; and/or
• seizure of database.

In respect to public information (stored and processed by governmental and public entities), depending on the authority, penalties include:

• economic fines;
• suspension of the infringing authority/governmental employee; and
• destitution of the infringing authority/governmental employee.

In respect to consumer information, penalties include economic fines.

If the information was obtained/extracted by breach of information technology databases, it is considered as a crime with prison penalties.

9.1 Enforcement decisions

• Supreme Court Decision 934-2007 of 4 March 2011: INDATA V. INFORNET, S.A. de C.V. (only available in Spanish here) concerned the infringement of the right to self-determination of personal data.
• Decision according to the Law for Public Access to Information: NUE 052 National Civil Police ordered the deletion of data about criminal precedents in a case where the individual was not convicted in a criminal procedure.