Privacy Laws in Costa Rica

From HORSE - Holistic Operational Readiness Security Evaluation.

Law in Costa Rica

Data privacy regulation in Costa Rica is divided between two laws. The first is Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential or personal information without authorization.

The second is Law No. 8968, Protection in the Handling of the Personal Data of Individuals, which was enacted to regulate the activities of companies that administer databases containing personal information. Its scope is therefore limited to such database operators.

Definitions

Definition of Personal Data

Personal information contained in public or private registries (e.g. medical records) that identifies, or could be used to identify, a natural person. Personal information may only be disclosed to persons or entities with a 'need to know' such information.

Definition of Sensitive Personal Data

Personal information relating to ideological orientation, creed or sexual preference. Sensitive personal data cannot be disclosed without the express prior authorization of the data subject.

National Data Protection Authority

Pursuant to Law No. 8968, the Agency for the Protection of Individuals' Data (hereinafter the 'Agency') is the entity charged with enforcing compliance with the regulation. The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.

Registration

Under Law 8968, companies that manage databases containing personal information and that sell such personal information must register with the Agency.

Data Protection Officers

There is no requirement for a data protection officer.

Collection & Processing

Any company may store and manage a database containing personal information if the following rules are respected:

  • When accumulating personal information, private companies and/or the government must respect the 'sphere of privacy' to which all individuals are entitled;
  • Companies that maintain personal information about others in their databases must ensure that such information is 1) relevant (material), 2) truthful and complete, 3) accurate, and 4) accessible to the data subjects, who must be entitled to dispute any erroneous or misleading information about them.

Companies that manage databases containing personal information and that sell such personal information must comply with Law 8968, including by:

  • Reporting the company and the database to the Agency
  • Reporting the technical measures taken to secure the database
  • Protecting the confidentiality of the information
  • Securing the information they maintain, and
  • Establishing a procedure to handle requests by individuals to review the database and to amend any errors or mistakes in it.

Transfer

Transfer of personal information is authorised if:

  • Data subjects give written consent, or
  • Information transferred is public.

Security

Any company or individual using and/or managing this type of information must take all necessary steps to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

Breach Notification

There is no mandatory breach-notification requirement. Nonetheless, the entity remains liable for any breach that occurs, so the absence of a notification duty does not reduce its exposure to the penalties and civil liability described under Security.

Enforcement

All claims can be brought directly to:

  • The entity
  • The Agency, or
  • The Constitutional Court.

Electronic Marketing

General rules of data protection will apply. There is little to no regulation of electronic marketing. However, pursuant to the Telecommunications Act, marketing companies may not advertise via phone unless they have express written consent from the data subject.

Online Privacy

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.