Collecting, keeping and using sensitive personal data in Costa Rica

According to Costa Rican Data Protection Law Number 8968 (titled “Law for the Protection of People Against the Treatment of their Personal Data”), no person is obligated to provide sensitive data (as described below). Article 9 of the law expressly prohibits processing or treating personal data that may reveal “the racial or ethnic origin, political opinions, religious, spiritual, or philosophic convictions, as well as any data related to health, life and sexual orientation among others” (the only exceptions to this prohibition are provided by the same law and are very specific). This data is considered to be “sensitive data”.

Furthermore, Article 3 of the above-mentioned Law defines “sensitive data” as the “information related to the intimate sphere of the person, as for example the one that reveals the racial origin, political opinions, religious or spiritual convictions, socioeconomic status, biomedical or genetic information, life and sexual orientation, among others”.

If a company processes this type of personal data (whether it corresponds to third parties or to its own employees), the company will be in breach of local law, and this may entitle any affected data subject (for example, an employee) to file a complaint before the local data protection authority (known as “Prodhab”).

Breach of the above-mentioned prohibition on processing or treating sensitive personal data is expressly included in Article 31 of the Law, as follows:

“It will be considered as a major breach, for the purposes of this law:

  a) Collecting, keeping, transferring or in any other way using sensitive data, as defined by Article 3 of the law, by any individual or private corporate entity …”

Despite the above, companies may look for alternative collection procedures and implement creative ways to keep and use this type of personal data. Furthermore, if collecting sensitive data is absolutely necessary for the company, it is highly recommended to support that collection with appropriate documentation evidencing the informed consent of the data subject to providing their sensitive personal data.