The currently applicable data protection law in Costa Rica is Law Number 8968 – denominated “Law for the Protection of People Against the Treatment of their Personal Data” and its Regulations (Executive Decree N. º 37554-JP of October 30th, 2012) and its amendments. Although there is a Data Protection Law and Regulation in Costa Rica, the law is quite old since it was issued in 2011, and it has been criticized, since in some aspects it lacks of clarity and leaves several matters to interpretation.

Personal Data, according to Law Number 8968, is “any data related with an identified physical person or subject of being identified”. This definition is also quite broad since it includes the phrase “any data”.

The purpose of Law Number 8968 is to “guarantee to any person, independently of its citizenship, residence or domicile, the respect of its fundamental rights, specifically of its right to the informative auto determination regarding its life and private activity…” Furthermore, Article 2 of Law Number 8968 establishes that such Law will be applicable to “personal data contained in automatic or manual databases, of public or private entities, and to any type of further use of such data”. The above indicated phrase “and to any type of further use of such data” includes any further treatment or processing of personal data after data collection. Finally, Law Number 8968 and its Regulations define as an “owner or concerned individual” (which basically refers to a “data subject”) as a “physical person, who owns the personal data protected in the Law, or its representative”.

The Law’s goal is to protect not only the individual’s personal data but also a person’s right to informative self-determination, i.e. a person’s right to be ensured that its personal data is being treated legitimately, for the authorized purposes, and also to control the transfer of personal information to third parties, through the establishment of guarantees as described in Section 4 of the Law and in several Sections of its Regulations. Any collected personal data belongs, in all cases, to the data subject.

Data subject’s rights included in the Law, are, among others, for the data subject to provide an express consent for the use of its personal data; the rights of revocation, access and the rectification of its personal data. For guarantying all of these rights, the Law and Regulations currently in force in Costa Rica establish a series of obligations, such as for the owner of the personal database to acquire the express consent from the data subject in order to be able to legally collect, process and use its personal data. In order for the data subject to duly provide its consent, it is necessary for the owner of the personal database to provide such data subject with a set of information, as required by Costa Rican Law Number 8968.

There are no prior registrations or licenses to be obtained in order to process data, rather than following all the legal procedures and requirements in order to process or collect it. However, regarding the databases, depending on the type of database, a registration of such database and the corresponding Protocols of Control (which the owner of the database needs to follow and comply with, according to applicable Costa Rican regulations) before the PRODHAB (which is the Costa Rican Data Protection Agency) would be legally required.

Tags: , , , , , , , , ,