Changes to Data Protection Rules in Costa Rica

Guest post by Leon Weinstok

Last December 2016, a major reform to the Regulation of the Personal Data Protection Act (Data Protection Act) came into force in Costa Rica.

Said reform adjusts our rules to leading international regulations and trends, and further eases compliance with data protection obligations, as this relate to new data handling technologies.

Among the most relevant changes, it is important to highlight the following:

  1. The “super-user” definition set forth in section 45 of the Regulation is deleted. Accordingly, it is no longer necessary to comply with the highly controversial super-user figure that was in force. In this regard, the Citizen Data Protection Agency (Prodhab, as per its Spanish acronym) has already requested the companies that had met this requirement and previously granted the corresponding access to deactivate the same.
  2. The mandatory informed consent to be requested at the time of collecting the information should no longer be written as previously required. As the result of the reform, now said informed consent must be “unequivocal” and delivered by “written or digital means”, thus easing the collecting mechanism thereof. The foregoing, notwithstanding certain mandatory information that should be included in said consent, including, among others, informing the purpose for which the information is requested, the rights of the interested party, and stating whether the data will be transferred or not.
  3. The new Regulation to the Data Protection Act provides greater clarity on the definitions of “distribution” and “dissemination” of personal data, as well as on the definition of “economic interest group” (group of companies under a single command unit or economic dependency). Thus, in addition to that certain databases used for commercial prospecting purposes, it is further specified that databases subject to registration before the Prodhab are those that are intended for distribution or dissemination purposes.

The above-sated are the main amendments to the Regulation.

It should not be overlooked that this reform includes changes in the period to account for the right to be forgotten, clarification on the non-mandatory registration of the databases of institutions regulated by the General Superintendence of Financial Institutions (Sugef, as per its Spanish acronym), as well as an adjustment in the fee payable by certain companies.

To comply with the modifications made to the Regulation, as well as with the remaining provisions of the Data Protection Act, companies must determine, among others, the corresponding action protocols to guarantee a proper information handling.

Likewise, if companies intend to share data with other companies, whether locally based or abroad, consent from the data owner is necessary (and such consent shall meet the required formalities). In addition, appropriate security measures should be implemented to safeguard the data.

These measures shall be implemented in accordance with the risks of the information to be protected.

In this same sense, if the security system suffers any breach, there is an obligation to notify the same to Prodhab.

Therefore, it is important to adjust database handling to the requirements of the Data Protection Act. In case of any violations to said Law, penalties of up to thirty thousand dollars may be assessed and the use of the database may be subject to suspension.

by Leon Weinstok

Phone: +506 2205 3884 • Mobile: +506 8330 8181 | vCard

Costa Rica • Guatemala • El Salvador • Honduras • Nicaragua |

Uber and data protection in Argentina

The DPA has cited Uber by publishing a legal notice in the Official Gazzete. This method is used when a court or an agency is not able to find a legal domicile to serve process.

As far as I know, this is the first case where the DPA of Argentina is using this method to serve process of the begining of a data protection investigation.

Legal notice here at!DetalleNorma/158559/20170202



DPA of Argentina issues draft data protection BIll – comments until march 2017


On February 2017, the Argentine Data Protection Agency (“DPA”) posted online the first draft bill for a new data protection act. Argentina current data protection was enacted in December 2000 and has been effective since then. Argentina was the first Latin American country to be recognized as an adequate country by the European Union.

The new bill was prepared taking into consideration several changes proposed in a public consultation during 2016. The bill is heavily based on the EU GDPR but with some changes and maintains the model of the old law in terms of structure.

The DPA shall be accepting comments on the draft bill from February 1 to 24, 2017 using the digital platform created by the Government for public participation in rulemaking. Comments are also accepted by paper and in English or Spanish.

Among the changes introduced by the draft bill is the elimination of the duty to register databases.

Also, the draft bill only recognizes individuals as data subject; the current data protection act covers both individuals and legal entities (e.g. companies). Moreover, the proposed bill adds several new definitions like biometric data and genetic data, among others.

The draft bill introduces new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the European General Data Processing Regulation. Also, and in connection with the European regulation, the proposed bill introduces new legal basis, besides consent, to allow data processing, like the legitimate interests of the data controller (with a test similar to the GDPR).

Among other changes, the draft bill makes an overhaul of the current section dealing with international transfers, including Binding corporate rules as a legal basis for data transfers.

The Bill also introduces sections on child consent (now processing under 13 allowed unless consent from parent), cloud computing, data breaches, accountability, privacy by design and by default, the duty to have a data protection officer and mandatory impact studies.

Credit reports, one of the main issues of the current data protection act, has received certain amendments, like the time limit to kept negative data as well as the introduction of a duty to inform an individual in the event that certain agreement or equivalent was not entered into due to negative information contained in a credit report. It should be noted that, considering the elimination of protection for legal entities, the data protection act will not apply to financial information of corporations.

Finally, one of last amendments proposed by the DNPDP in its draft bill is the independence of the DPA from any other governmental entity; currently, the DNPDP depends from the National Ministry of Justice and Human Rights. The bill seeks to remedy one of the observations made by the European Union when Argentina was deemed a jurisdiction with an adequate level of data protection.

We expect the DPA to send the Bill to the President later this year. The Bill will be discussed during 2018 in Congress.

Pablo A. Palazzi is a partner at Allende & Brea, a law firm based in Buenos Aires.

Andres Chomczyk is an associate Allende & Brea.

Text of the draft bill here.

Text of the Report of the DPA here.

Summary of the paper used to open the public consultation.

DPA of Argentina issues report about amendment of the law

On December 2016 the DPA of Argentina issued a report containing its full conclusions of the process of amendment of the data protection act of Argentina. The text of the report is a compilation with a summary of each proposal of academia, civil society, internet companies and chambers of companies, indexed by areas of the law. Still there is an interrogation mark with respect to the amendment of the Data Protection Act of Argentina, which in December 2016 turned 16 years old. Argentine’s statute was recognized as adequate by the EU Commission and the DPA opened a consultation process in early 2016.

The PDF is available below, with the letter that the DPA issued on December 19, 2016.



La DNPDP, la agencia de protección de datos de Argentina abre el proceso para modificar la ley 25.326 luego de 16 años de vigencia. Esta apertura ocurrió en marzo de 2016 y luego de varios meses la DNPDP compilo todas las presentaciones de académicos, empresas de internet, organizaciones de la sociedad civil y camaras empresariales. El siguiente es el texto en castellano en la web de la DNPDP.

El proceso de reflexión se desarrolló en el marco de los trabajos de la Dirección Nacional de Protección de Datos Personales y formó parte de la plataforma Justicia 2020 del Ministerio de Justicia y Derechos Humanos de la Nación.

La ley argentina sobre protección de los datos personales (Nº 25.326) fue sancionada en octubre del 2000. Sin duda, los cambios de la tecnología en los últimos quince años impactaron en la protección de la privacidad. Asimismo, presenciamos un nuevo contexto normativo internacional, particularmente por los recientes cambios ocurridos en Europa. Por estas razones, la DNPDP inició un proceso de reflexión sobre la necesidad de una reforma a la ley citada. Este proceso fue convocado dentro del programa de “Justicia 2020” del Ministerio de Justicia y Derechos Humanos de la Nación.


Para dar transparencia y publicidad a este proceso, se optó por compilarlo de manera estructurada y por temas en el documento Ley de Protección de los Datos Personales en Argentina (Sugerencias y aportes recibidos en el proceso de reflexión sobre la necesidad de su reforma. Agosto-Diciembre 2016). El documento refleja las sugerencias y opiniones de los distintos actores que acudieron a la convocatoria de la DNPDP y tiene como principal objeto el de constituirse en un insumo importante para una futura discusión sobre las reformas necesarias para mejorar la protección de los datos personales en Argentina.


Pablo Palazzi


Continue reading

Argentina – new regulation on international transfer of personal data

Argentina – New regulation on data transfers – See Spanish version here.

The Argentina data Protection Agency (DPA) has issues a new regulation on international transfers of personal data (DNPDP Disposition 60 – E/2016). Under the new regulation the DPA has:

  • Approved a model form for international transfers to a data controller and also another form for transfer to a data processor (for rendering services).
  • The model is party based in the EU model with some changes.
  • If the data controller is using a different model, then he needs to file its agreement with the DPA for approval within 30 days.
  • The new regulation list countries that are considered adequate (those recognized as adequate by the EU).