Guatemala - Data Protection Overview
1. Governing Texts
Guatemala does not have a specific regime dealing with the protection of personal data. However, there is legislation that may be applicable when processing personal data. In this sense, the Law on Access to Public Information (though applicable solely to State entities or entities funded by the State) does contain provisions which, because of their drafting, are applicable to any sort of personal data processing, including that carried out by private entities.
In addition, the Guatemalan Ombudsman has taken an active role and, as such, has filed certain key legal actions against entities that process personal data. This has prompted the Constitutional Court to issue several decisions, all following the same rationale: protection is recognised and granted in favour of data subjects in the context of data processing, under which data subjects have the following rights: informed consent, access, rectification, cancellation, and opposition. In addition, any transfer of personal data (whether local or international) requires the data subject's express consent, either written or, if digital, in a form that can be subsequently retrieved.
There is no general privacy law. However, there are piecemeal provisions, which are referred to herein.
The Guatemalan Constitution
Articles one to five of the Political Constitution of the Republic of Guatemala 1985 (only available in Spanish here) ('the Constitution') implicitly recognise the right to human dignity and human rights that encompass a right to privacy. Article 23 of the Constitution also recognises dignity and the right to privacy in establishing the inviolability of housing, and Article 24 of the Constitution recognises the inviolability of every individual's correspondence, documents, and book-keeping, and provides that the privacy of correspondence by telephone, radio, cable, and other modes of modern digital technology is guaranteed. Furthermore, Article 30 of the Constitution establishes the public nature of administrative acts and recognises that individuals have the right to obtain public information from the administration. Article 31 of the Constitution determines that any individual has the right to know about all private and personal information recorded in public registries, and has the right to know about the purpose for which such information is recorded, as well as having the right to correct, rectify, and update such information. Moreover, Article 44 of the Constitution regulates, in general, those rights which are inherent to persons and provides that the rights and guarantees granted by the Constitution do not exclude others that, although not expressly included, are inherent to humans.
In addition, the following laws (or acts) address privacy matters.
The Criminal Procedure Code
Decree No. 51-92 on the Criminal Procedure Code (only available in Spanish here) states, in Article 183, that evidence gathered through unlawful interference or meddling in the intimacy of a home or residence, private mail, communications, documents, and files is inadmissible. Therefore, Article 183 indirectly protects and enhances the inherent right to privacy recognised by the Constitution in so far as it states that any evidence obtained in violation of such a right is not admissible in a criminal procedure.
The Criminal Code
On a more substantive level, Decree No. 17-73 on the Criminal Code (only available in Spanish here) ('the Criminal Code'), in force since 1973, has been amended several times. In 1996, various intellectual property related amendments were included, such as Article 274(d) of the Criminal Code, which imposes a four to six year prison term and a fine of between GTQ 200 and GTQ 1,000 (approx. €26 to €130) on any individual or corporation that creates a database or computerised registry with data affecting individuals' intimacy. Article 274(d) of the Criminal Code, however, lacks an element essential to understanding its scope and breadth, as it does not define or set a parameter by which a judge may rule that the contents of any given database affect individuals' intimacy. In other words, there is no definition of intimacy and therefore, of privacy.
In addition, Article 274(f) of the Criminal Code, which created the criminal offence of 'use of information,' imposes a four to six year prison term and a fine of between GTQ 2,000 and GTQ 10,000 (approx. €270 to €1,330) for the unauthorised acquisition or use, for oneself or for a third party, of data contained in informatic registries, data banks, or electronic files.
Law for the Recognition of Communications and Electronic Signatures
Decree No. 47-2008 on the Law for the Recognition of Communications and Electronic Signatures (only available in Spanish here) ('the Electronic Signatures Law') provides that electronic signatures with legal effects must be established with reasonable diligence to avoid the unauthorised use of the data.
Law of the National Registry of Persons
Decree No. 90-2005 on the Law of the National Registry of Persons (only available in Spanish here) regulates the National Registry of Persons' ('RENAP') collection of personal data relating to Guatemalan citizens. The information gathered by RENAP is public unless such information can be used to affect the honour or privacy of citizens. Individuals' information which is considered as public by the law includes names and surnames, identification numbers, dates of birth or death, gender, location, occupation, nationality, and marital status.
The Law on Access to Public Information
Decree No. 57-2008 on the Law on Access to Public Information (only available in Spanish here) ('the Law on Access to Public Information') introduces key data protection concepts such as personal data and sensitive personal data. Nevertheless, the subject matter of this law is to secure access to public information that is in the possession of public authorities and obliged entities under the Law on Access to Public Information. In general terms, the authorities and/or obliged entities are those which are part of the State, those which function on State funds, and those that have received concessions and/or licenses to exploit a public good. Despite this, Article 64 of the Law on Access to Public Information regulates the commercialisation of personal data and imposes sanctions (fines and imprisonment) on those who distribute, by any means, files containing personal data or sensitive personal data, which do not come from public registries, without the written consent of the data subject.
Human rights treaties
Guatemala is a party to certain key treaties dealing with human rights. These are important as they contain provisions that refer directly or indirectly to privacy. In this regard, Article 11 of the American Convention on Human Rights 1969 states, 'Everyone has the right to have his honour respected and his dignity recognised. No one may be the object of arbitrary or abusive interferences with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honour or reputation'.
Aside from the sectors mentioned above, there are no sectors that have specific privacy legislation. Nevertheless, it is worth mentioning that Articles 177 and 177 TER of Decree No. 57-2000 on Industrial Property Law (only available in Spanish here) protect the information submitted in the context of requests for approval of the commercialisation of pharmaceutical or chemical products, subject to exceptions such as the data referring to products pertaining to new or secondary uses of approved formulas.
No guidelines relating to this matter have been issued.
1.3. Case law
Since Guatemala does not have any specific data protection legislation, data privacy guidelines and principles have been created from case law. Several cases ruled on by the Constitutional Court of Guatemala ('the Constitutional Court') have addressed the recognition and safeguarding of privacy rights as a right implicitly recognised in Article 44 of the Constitution.
In a decision issued by the Constitutional Court, Case No. 3552-2014 of 10 February 2015 (only available in Spanish here) ('Case 3552-2014'), where the Ombudsman of Human Rights ('the Ombudsman') had filed a case against various private entities accused of gathering and commercialising private information from individuals without their consent, the Constitutional Court followed its own precedent established in Case No. 1356-2006 of 11 October 2006 (only available in Spanish here) ('Case 1356-2006') and Case No. 863-2011 of 21 June 2011 (only available in Spanish here) ('Case 863-2011'). In particular, the Constitutional Court stated, 'There are other rights that by way of [...] Article 44 of the Constitution or [...] Article 46 of the Constitution may also be the object of protection, considering, as noted before, their nature of [rights] inherent to individuals, even though they are not explicitly mentioned in the normative text'.
Case 1356-2006 was emblematic in the sense that it was the first case in which the Constitutional Court decided to afford data privacy protection despite the absence of a law regulating this matter in detail. In particular, the Constitutional Court outlined, 'Once a person's right to determine the existence or inexistence of registries or databases containing his/her personal data is recognised, as well as their right to obtain the rectification, deletion or blocking thereto if the incorrect use of the data may affect his/her intimacy and honour, the manner in which the judicial protection of such rights can be requested must be determined. It is known that in comparative law and in accordance with procedural constitutional modern doctrine, the protection of such rights is done through the action of 'habeas data', which has not been regulated in Guatemala. In the absence of such a law, and while such a situation prevails in the country, this court holds that given the nature and ample scope of the constitutional remedy of amparo, amparo is the appropriate constitutional action destined to guarantee the right of every person to access their personal data kept in private or official databases or registries [...]'. This case is important and of great relevance because it introduced the right to privacy in Guatemala in the absence of specific data protection legislation.
In the same sense, Case 3552-2014 outlined that individuals or private entities which conduct activities for the commercialisation of information obtained from registries or personal data banks, must, at the time of the commercialisation of the information, ensure that:
- data has been obtained according to a fully defined purpose, in a legitimate manner, and voluntarily by the person whose data will be the object of commercialisation;
- consent by the individual concerned must be given for the use of the personal data, and its use must be made with a purpose compatible with that for which consent was obtained; and
- the registry and use of the data must be made with the implementation of adequate controls for determining and updating the veracity of the data and ensuring individuals' right to rectify the data.
As such, Case 3552-2014 outlines that every commercialisation of personal data that does not comply with these criteria may result in an unlawful activity and a violation of fundamental rights, causing legal liability for individuals providing data and individuals using the data in any decision-making process regarding an individual.
2. Scope of Application
As per the Law on Access to Public Information and the criteria held by the Constitutional Court, the provisions and criteria set forth above would apply to anyone undertaking the processing, transfer, and/or commercialisation of personal information obtained from registries or personal data banks.
Guatemalan laws are territorial in nature, and the Law on Access to Public Information is no exception. In addition, the criteria and rights recognised by the Constitutional Court, as referred to previously, would apply solely to the aforementioned activities conducted in Guatemala.
Given that there is no specific law on privacy, there are no types of processing that are exempted as is the case with laws in other countries.
3.1. Main regulator for data protection
There is no regulator for data protection in Guatemala. However, the Ombudsman has assumed an active role in safeguarding individuals' right to privacy by conducting investigations and declaring violations of data privacy rights in cases in which private information has been commercialised, transferred, or processed without individuals' consent. The Ombudsman has the authority to file amparo before the Constitutional Court, seeking relief for human rights violations, or to notify the District Attorney's office of the Public Ministry of the investigation and initiation of criminal procedures.
3.2. Main powers, duties and responsibilities
4. Key Definitions
Personal data: Data relating to any information concerning identified or identifiable individuals. The Constitutional Court has also defined this term in rulings rendered in Case 1356-2006 and in Case 3552-2014, as any data capable of identifying an individual and allowing the determination of an identity exclusively attributable to such individual.
- personal habits, racial origin, ethnic origin, ideologies, and political opinions;
- beliefs or religious convictions;
- mental or physical health states;
- preferences or sex life;
- moral and family circumstances; or
- issues of this sort.
No other relevant terms are defined.
5. Legal Bases
Given that there is no specific law on privacy, there are no specific rights and responsibilities assigned to a data controller. However, based on the criteria outlined by the Constitutional Court, the data controller must ensure that the following conditions are met either when performing the processing of personal data or when hiring a third party for such processing, namely that consent from the data subject must be given for the use of the personal data, and its use must be made with a purpose compatible with that for which consent was obtained. The Court has not provided a high level of detail as to other aspects surrounding consent. However, consent can be provided in the respective agreements binding the data subject and the data processor.
There is no specific law dealing with this matter.
7. Controller and Processor Obligations
Given that there is no specific law on privacy, there are no obligations for notification or registration when processing personal data.
The data controller must ensure, either when performing the processing of personal data or when hiring a third party for such processing, and where there will be a transfer or commercialisation, that the personal data has been obtained according to a fully defined purpose, in a legitimate manner, and voluntarily by the data subject.
As noted above, the transfer of personal data would require the consent of the data subject in the terms previously stated (i.e. for a definite purpose and with the adequate safeguards).
There is no obligation, stemming from the law or otherwise, under which data controllers and/or data processors must maintain data processing records.
There are no legal requirements or recommendations for data controllers and/or data processors to carry out a DPIA/PIA.
The post of data protection officer is not regulated or required under Guatemalan law.
Though there is no legislation (either primary or secondary) regulating data breaches, or addressing the procedures to be followed or measures to be implemented in the event of a data breach, it is important to mention that in the event of a data breach, the entity acting as data controller or data processor may be held liable, at least from a strict civil liability point of view.
Criminal liability may also be incurred, if, for instance, it is determined that the person acting as the data processor or data controller commits the crime of holding forbidden records, which entails maintaining a database affecting the intimacy of persons, or if they had committed the crime of disclosing or facilitating the disclosure of confidential or classified private information.
In other words, even in the absence of legislation addressing data breaches, there may still be consequences for the person acting as a data controller and/or data processor. For the reasons set out previously, it is advisable to consider reporting a data breach event to the Attorney General of the Public Ministry for the commencement of any criminal procedure in case any criminal offence was committed.
There is no regulation applicable to data retention. However, for general purposes, it is advisable to keep collected data for the period of their active use plus the term established in the applicable statute of limitations.
There are no specific provisions regulating the processing of children's data.
Note that under the Law on Access to Public Information, personal data which constitutes sensitive personal data (i.e. data that refers to the physical or moral characteristics of individuals or to facts or circumstances of their private life or activity, such as personal habits, racial origin, ethnic origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health status, preference or sex life, moral and family situation or other intimate issues of a similar nature) cannot be processed, transferred, or commercialised without the data subject's express and written consent.
There is no specific regulation on this matter. However, it would be reasonable for such agreements to be managed contractually.
8. Data Subject Rights
The Constitutional Court has recognised for the benefit of data subjects the following rights:
- informed consent;
- opposition and/or opt out; and
- need for express consent for transfer of personal data.
Given that there is no specific law on privacy, there are no specific rights and responsibilities assigned to a data controller. However, based on the criteria outlined by the Constitutional Court, the data controller must ensure that the following conditions are met either when performing the processing of personal data or when hiring a third party for such processing, namely that the registry and use of the data must be made with the implementation of adequate controls for determining and updating the veracity of the data and ensuring data subjects' rights to rectify the data.
Please see section on data subject rights above.
Given that there is no specific law on privacy, there are no specific rights assigned to data subjects. However, based on the criteria outlined by the Constitutional Court, data subjects would have at least the following rights:
- right to grant consent prior to the transfer or commercialisation of data subjects' personal data, where such consent must be granted for a fully defined purpose, in a legitimate manner, and voluntarily;
- right to consent regarding the use of data subjects' personal data, and such use must be made with a purpose compatible with that for which consent was obtained; and
- other rights that in a given scenario, the Constitutional Court deems worthy of protection, by way of applying Articles 44 and 46 of the Constitution, considering that human rights are inherent to individuals, even though they are not explicitly mentioned in the normative text.
There are no regulated sanctions in the event of data breaches in the context of data privacy. Note, however, that the entity acting as data controller or data processor of the personal data may be held liable, at least from a strict civil liability point of view, if, for instance, it was determined that the processing was done negligently, recklessly, and with no minimum standards.
To the best of our knowledge, no recent enforcement decisions have been issued.