Privacy Laws in Costa Rica
Law in Costa Rica
The development of data privacy regulation in Costa Rica is divided between two laws. The first law is Law No. 7975, Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization.
The second law is Law No. 8968, Protection in the Handling of the Personal Data of Individuals, which was enacted to regulate the activities of companies that administer databases containing personal information. Therefore, its scope is limited.
Definitions
Definition of Personal Data
Personal information contained in public or private registries (e.g. medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons/entities with a ‘need to know’ such information.
Definition of Sensitive Personal Data
Personal information relating to ideological orientation, creed, or sexual preferences. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.
National Data Protection Authority
Pursuant to Law No. 8968, the Agency for the Protection of Individuals’ Data, hereinafter the ‘Agency’, is the entity charged with enforcing compliance with the regulation. The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.
Registration
Under Law 8968, companies that manage databases containing personal information and that sell such personal information must register with the Agency.
Data Protection Officers
There is no requirement for a data protection officer.
Collection & Processing
Any company may store and manage a database containing personal information if the following rules are respected:
- When collecting personal information, private companies and/or the government must respect the ‘sphere of privacy’ to which all individuals are entitled;
- Companies that maintain personal information about others in their databases must ensure that such information is 1) material, 2) truthful and complete, and 3) accurate, and 4) that individuals have access to their personal data and are entitled to dispute any erroneous or misleading information about them.
Companies that manage databases containing personal information and that sell such personal information must comply with Law 8968, including by:
- Reporting the company and the database to the Agency
- Reporting the technical issues related to the security of the database
- Protecting and respecting confidentiality issues
- Securing the information they maintain, and
- Establishing a procedure for handling requests by individuals to review and correct any errors or mistakes in the database.
Transfer
Transfer of personal information is authorised if:
- Data subjects give written consent, or
- Information transferred is public.
Security
Any company or individual using and/or managing this type of information must take all necessary steps to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.
Breach Notification
There is no mandatory breach notification requirement. Nonetheless, if there is a breach, the entity is liable.
Enforcement
All claims can be brought directly to:
- The entity
- The Agency, or
- The Constitutional Court.
Electronic Marketing
General rules of data protection will apply. There is little to no regulation of electronic marketing. However, pursuant to the Telecommunications Act, marketing companies may not advertise via phone unless they have express written consent from the data subject.
Online Privacy
There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.