Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Already have an account? Log in

Guatemala - Data Protection Overview

Back

Guatemala - Data Protection Overview

September 2023

1. Governing Texts

Guatemala does not have a specific regime dealing with the protection of personal data. However, there is legislation that may be applicable when processing personal data. In this sense, the Law on Access to Public Information (only available in Spanish here) (though applicable solely to State entities or entities funded by the State) does contain provisions that, because of their drafting, is applicable to any sort of personal data processing, including the one done by private entities.

In addition, the Guatemalan Ombudsman has taken an active role and, as such, has filed certain key legal actions against entities that process personal data. This has prompted the Constitutional Court to issue several decisions, all following the same rationale in that protection is recognized and granted in favor of data subjects in the context of data processing upon which data subjects have the following rights: informed consent, access, rectification, cancellation, and opposition. In addition, any transfer of personal data (whether local or international) requires the data subject's express consent written or where digital, in such a manner that can be subsequently retrieved.

1.1. Key acts, regulations, directives, bills

There is no general privacy law. However, there are piecemeal provisions, which are referred to herein.

The Guatemalan Constitution

Articles one to five of the Political Constitution of the Republic of Guatemala 1985 (only available in Spanish here) ('the Constitution') implicitly recognizes the right to human dignity and human rights that encompass a right to privacy. Article 23 of the Constitution also recognizes dignity and the right to privacy in establishing the inviolability of housing, and Article 24 of the Constitution recognizes the inviolability of every individual's correspondence, documents, and book-keeping, and provides that the privacy of correspondence by telephone, radio, cable, and other modes of modern digital technology is guaranteed. Furthermore, Article 30 of the Constitution establishes the public nature of administrative acts and recognizes that individuals have the right to obtain public information from the administration. Article 31 of the Constitution determines that any individual has the right to know about all private and personal information recorded in public registries, and has the right to know about the purpose for which such information is recorded, as well as having the right to correct, rectify, and update such information. Moreover, Article 44 of the Constitution regulates, in general, those rights that are inherent to persons and provides that the rights and guarantees granted by the Constitution do not exclude others that, although not expressly included, are inherent to humans.

In addition, the following laws (or acts), address privacy matters:

The Criminal Procedure Code

Decree No. 51-92 on the Criminal Procedure Code (only available in Spanish here) states, in Article 183, that evidence gathered through unlawful interference or meddling in the intimacy of a home or residence, private mail, communications, documents, and files is inadmissible. Therefore, Article 183 indirectly protects and enhances the inherent right to privacy recognized by the Constitution insofar as it states that any evidence obtained in violation of such a right is not admissible in a criminal procedure.

The Criminal Code

In a more substantive matter, Decree No. 17-73 on the Criminal Code (only available in Spanish here) ('the Criminal Code'), in force since 1973, has been amended several times. In 1996, various intellectual property-related amendments were included, such as Article 274(d) of the Criminal Code, which imposes a four to six-year prison term and a fine between GTQ 200 to GTQ 1,000 (approx. $25 to $130) for any individual or corporation that creates a database or computerized registry with data affecting individuals' intimacy. Article 274(d) of the Criminal Code, however, lacks an essential element when attempting to understand its scope and breadth as it does not define or set a parameter by which a judge may rule that the contents of any given database are affecting individuals' intimacy. In other words, there is no definition of intimacy and therefore, of privacy.

In addition, Article 274(f) of the Criminal Code, which created the criminal offense of 'use of information,' imposes a four to six-year prison term and a fine between GTQ 2,000 to GTQ 10,000 (approx. $250 to $1,270) for the unauthorized acquiring or usage, for oneself or for a third party, of data contained in informatic registries, data banks, or electronics files.

Law for the Recognition of Communications and Electronic Signatures

Decree No. 47-2008 on the Law for the Recognition of Communications and Electronic Signatures (only available in Spanish here) ('the Electronic Signatures Law') provides that electronic signatures with legal effects must be established with reasonable diligence to avoid the unauthorized use of the data.

Law of the National Registry of Persons

Decree No. 90-2005 on the Law of the National Registry of Persons (only available in Spanish here) regulates the National Registry of Persons' ('RENAP') collection of personal data relating to Guatemalan citizens. The information gathered by RENAP is public unless such information can be used to affect the honor or privacy of citizens. Individuals' information which is considered as public by the law includes names and surnames, identification numbers, dates of birth or death, gender, location, occupation, nationality, and marital status.

The Law on Access to Public Information

Decree No. 57-2008 on the Law on Access to Public Information (only available in Spanish here) ('the Law on Access to Public Information'), introduces key data protection concepts such as personal data and sensitive personal data. Nevertheless, the subject matter of this law is to secure access to public information that is in possession of public authorities and obliged entities under the Law on Access to Public Information. In general terms, the authorities and/or obliged entities are those that are part of the State, those that function on State funds, and those that have received concessions and/or licenses to exploit a public good. Despite this, Article 64 of the Law on Access to Public Information regulates the commercialization of personal data and imposes sanctions (fines and imprisonment) to those that distribute, by any means, files containing personal data or sensitive personal data, which do not come from public registries, without the written consent of the data subject.

Human rights treaties

Guatemala is a party to certain key treaties dealing with human rights. These are important as they contain provisions that refer directly or indirectly to privacy. In this regard, Article 11 of the American Convention on Human Rights 1969 states, 'Everyone has the right to have his honor respected and his dignity recognized. No one may be the object of arbitrary or abusive interferences with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honour or reputation'.

Other legislation

Aside from the sectors mentioned above, there are no sectors that have specific privacy legislation. Nevertheless, it is worth mentioning that Articles 177 and 177 TER of Decree No. 57-2000 on Industrial Property Law (only available in Spanish here) protect the information submitted in the context of requests for approval of the commercialization of pharmaceutical or chemical products, subject to exceptions such as the data referring to products pertaining to new or secondary uses of approved formulas.

1.2. Guidelines

No guidelines relating to this matter have been issued.

1.3. Case law

Since Guatemala does not have any specific data protection legislation, data privacy guidelines and principles have been created from case law. Several cases ruled on by the Constitutional Court of Guatemala ('the Constitutional Court') have addressed the recognition and safeguarding of privacy rights, and as a right implicitly recognised in Article 44 of the Constitution.

In a decision issued by the Constitutional Court, Case No. 3552-2014 of 10 February 2015 (only available in Spanish here) ('Case 3552-2014'), where the Ombudsman of Human Rights ('the Ombudsman') had filed a case against various private entities accused of gathering and commercialising private information from individuals without their consent, the Constitutional Court followed its own precedent established in Case No. 1356-2006 of 11 October 2006 (only available in Spanish here) ('Case 1356-2006') and Case No. 863-2011 of 21 June 2011 (only available in Spanish here) ('Case 863-2011'). In particular, the Constitutional Court stated, 'There are other rights that by way of [...] Article 44 of the Constitution or [...] Article 46 of the Constitution may also be the object of protection, considering, as noted before, their nature of [rights] inherent to individuals, even though they are not explicitly mentioned in the normative text'.

Case 1356-2006 was emblematic in the sense that it was the first case in which the Constitutional Court decided to afford data privacy protection despite the absence of a law regulating this matter in detail. In particular, the Constitutional Court outlined, 'Once a person's right to determine the existence or inexistence of registries or databases containing his/her personal data is recognised, as well as their right to obtain the rectification, deletion or blocking thereto if the incorrect use of the data may affect his/her intimacy and honour, the manner in which the judicial protection of such rights can be requested must be determined. It is known that in comparative law and in accordance with procedural constitutional modern doctrine, the protection of such rights is done through the action of 'habeas data', which has not been regulated in Guatemala. In the absence of such a law, and while such a situation prevails in the country, this court holds that given the nature and ample scope of the constitutional remedy of amparo, amparo is the appropriate constitutional action destined to guarantee the right of every person to access their personal data kept in private or official databases or registries [...]'. This case is important and of great relevance because it introduced the right to privacy in Guatemala in the absence of specific data protection legislation.

In the same sense, Case 3552-2014 outlined that individuals or private entities which conduct activities for the commercialization of information obtained from registries or personal data banks, must, at the time of the commercialization of the information, ensure that:

data has been obtained according to a fully defined purpose, in a legitimate manner, and voluntarily by the person whose data will be the object of commercialization;
consent by the individual concerned must be given for the use of the personal data, and its use must be made with a purpose compatible with that for which consent was obtained; and
the registry and use of the data must be made with the implementation of adequate controls for determining and updating the veracity of the data and ensuring individuals' right to rectify the data.

As such, Case 3552-2014 outlines that every commercialization of personal data that does not comply with these criteria may result in an unlawful activity and a violation of fundamental rights, causing legal liability for individuals providing data and individuals using the data in any decision-making process regarding an individual.

2. Scope of Application

2.1. Personal scope

As per the Law on Access to Public Information and the criteria held by the Constitutional Court, the provisions and criteria set forth above would apply to anyone undertaking the processing, transfer, and/or commercialization of personal information obtained from registries or personal data banks.

2.2. Territorial scope

Guatemalan laws are territorial in nature. The Law on Access to Public Information is not the exception. In addition, the criteria and rights recognized by the Constitutional Court as previously referred, would result applicable solely with regards to the activities before mentioned which are conducted in Guatemala.

2.3. Material scope

Given that there is no specific law on privacy, there are no types of processing that are exempted as is the case with laws in other countries.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

There is no regulator for data protection in Guatemala. However, the Ombudsman has assumed an active role in safeguarding individuals' right to privacy by conducting investigations and declaring violations of data privacy rights in cases in which private information has been commercialized, transferred, or processed without individuals' consent. The Ombudsman has the authority to file amparo before the Constitutional Court, seeking relief for human rights violations, or notifying the District Attorney's office of the Public Ministry of the investigation and initiation of criminal procedures.

3.2. Main powers, duties and responsibilities

Not applicable.

4. Key Definitions

Data controller: Not applicable.

Data processor: Not applicable.

Personal data: Data relating to any information concerning identified or identifiable individuals. The Constitutional Court has also defined this term in rulings rendered in Case 1356-2006 and in Case 3552-2014, as any data capable of identifying an individual and allowing the determination of an identity exclusively attributable to such individual.

Sensitive data: Personal data which refers to the moral or physical characteristics of persons, or that refers to facts or circumstances pertaining to their private life or activity, such as:

personal habits, racial origin, ethnic origin, ideologies, and political opinions;
beliefs or religious convictions;
mental or physical health states;
preferences or sex life;
moral and family circumstances; or
issues of this sort.

No other relevant terms are defined.

Health data: Not applicable.

Biometric data: Not applicable.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

Given that there is no specific law on privacy, there are no specific rights and responsibilities assigned to a data controller. However, based on the criteria outlined by the Constitutional Court, the data controller must ensure that the following conditions are met either when performing the processing of personal data or when hiring a third party for such processing, namely that consent from the data subject must be given for the use of the personal data, and its use must be made with a purpose compatible with that for which consent was obtained. The Court has not provided a high level of detail as to other aspects surrounding consent. However, consent can be provided in the respective of agreements binding the data subject and the data processor.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

There is no specific law dealing with this matter.

7. Controller and Processor Obligations

7.1. Data processing notification

Given that there is no specific law on privacy, there are no obligations for notification or registration when processing personal data.

7.2. Data transfers

The data controller must ensure that the following conditions are met either when performing the processing of personal data or when hiring a third party for such processing if there will be a transfer or commercialization, to make sure that the personal data has been obtained according to a fully defined purpose, in a legitimate manner, and voluntarily by the data subject.

As noted above, the transfer of personal data would require the consent of the data subject in the terms previously stated (i.e. for a definite purpose and with adequate safeguards).

7.3. Data processing records

There is no obligation that stems from the law or otherwise, under which data controllers and/or data processors must maintain data processing records.

7.4. Data protection impact assessment

There are no requirements from law or recommendations for data controllers and/or data processors to carry out DPIA/PIA.

7.5. Data protection officer appointment

The post of data protection officer is not regulated or required in Guatemalan laws.

7.6. Data breach notification

Though there is no legislation (either primary or secondary) regulating data breaches, or addressing the procedures to be followed or measures to be implemented in the event of a data breach, it is important to mention that in the event of a data breach, the entity acting as data controller or data processor may be held liable, at least from a strict civil liability point of view.

Criminal liability may also be incurred, if, for instance, it is determined that the person acting as the data processor or data controller commits the crime of holding forbidden records, which entails maintaining a database affecting the intimacy of persons, or if they had committed the crime of disclosing or facilitating the disclosure of confidential or classified private information. In other words, even in the absence of legislation addressing data breaches, there may still be consequences for the person acting as a data controller and/or data processor. For the reasons set out previously, it is advisable to consider reporting a data breach event to the Attorney General of the Public Ministry for the commencement of any criminal procedure in case any criminal offense was committed.

7.7. Data retention

There is no regulation applicable to data retention. However, for general purposes, it is advisable to keep collected data for the period of their active use plus the term established in the applicable statute of limitations.

7.8. Children's data

There are no specific provisions regulating the processing of children's data.

7.9. Special categories of personal data

Note that under the Law on Access to Public Information, personal data that constitutes sensitive personal data (i.e. data that refers to the physical or moral characteristics of individuals or to facts or circumstances of their private life or activity, such as personal habits, racial origin, ethnic origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health status, preference or sex life, moral and family situation or other intimate issues of a similar nature) cannot be processed, transferred, or commercialized without the data subject's express and written consent.

7.10. Controller and processor contracts

There is no specific regulation on this matter. However, it would be reasonable if such agreements were managed contractually.

8. Data Subject Rights

The Constitutional Court has recognized for the benefit of data subjects the following rights:

informed consent;
access;
rectification;
cancellation;
opposition and/or opt-out; and
need for express consent for the transfer of personal data.

Given that there is no specific law on privacy, there are no specific rights and responsibilities assigned to a data controller. However, based on the criteria outlined by the Constitutional Court, the data controller must ensure that the following conditions are met either when performing the processing of personal data or when hiring a third party for such processing including the registry and use of the data must be made with the implementation of adequate controls for determining and updating the veracity of the data and ensuring data subjects' rights to rectify the data.