Since the entry into force of the Law for the Protection of the Person against the Processing of their Data (Data Law), the importance of this topic in Costa Rica has increased. Likewise, the risk assumed by companies when handling personal information is increasing.

In the past year alone, the Data Protection Agency (PRODHAB) has received more than 70 complaints about alleged breaches of data security. It has also imposed 8 sanctions with an average of more than $10,000 each and has initiated ex officio more than 350 requests for documentation from companies in compliance with the provisions of the Data Law. The most common non-compliances that have been detected have been collecting information without the consent of the interested parties, not having the proper procedures for handling the information, and transferring the data to other companies without proper authorization. In addition, ex officio actions carried out by PRODHAB could generate penalties for those companies that do not comply with the documentation request.

Faced with the increasing importance of this issue, every person in charge of a database of personal information should ask how one complies with the Data Law. Although there are many and diverse obligations that are included in this Law and its regulations, the following could be considered the most important obligations:

  • At the moment of requesting the information, informed consent must be obtained from the persons who provide their personal data. This consent must be free, expressed, and unequivocal. Likewise, it must contain the minimum information required under the Data Law. Within this minimum content is the obligation or not to provide the data, identification of the company that collects the information, uses that would be given to the data, and how to exercise the rights granted by the Data Law, among others.
  • The data handled must be current, true, and adapted to the purpose for which the request was made. At all times people should be allowed to know the information collected about them, rectify any information they wish to modify, as well as revoke the consent they had previously given. All these rights can be exercised in the contact information that the information-compiling must indicate.
  • The information must be stored securely. Security includes both the physical measurements of the place where the information is stored, as well as the computer measures in case the information is stored digitally. This level of security is defined according to the type of information that is managed and the risk that its disclosure could entail. In this regard, sensitive data (for example, data related to health, life and sexual orientation, among others) should be stored with greater caution than personal data of unrestricted access (defined as “those data contained in databases of general access public data “)
  • Minimum action protocols should be established in order to ensure the proper handling of personal data. These protocols establish the way in which the company should handle personal data by all employees of the company.
  • In the event that the database is used for distribution, dissemination and/or commercialization purposes, the database must be registered with the PRODHA. In case any database does not meet these conditions, it should not be registered. However, this does not exempt a data manager from compliance with other obligations established in the Data Law.

The fulfillment of these obligations will allow any company that manages a database of a personal nature to comply with the main requirements of the Data Law. In this way, the risk of being sanctioned by the PRODHAB would be reduced, preventing the aforementioned economic penalties or worse, suspension of the database.