Today, January 28, we observe the signing of the 108th Convention of the Council of Europe, the first international instrument on the protection of privacy and personal information, by analyzing the actions companies in Costa Rica should take in order to comply with the provisions of the Law on Personal Protection against the Processing of Personal Data (“Data Law”).

Although the obligations included in this Law and its regulations are many and diverse, the following could be considered as the most important:

  • At the time of requesting the information, informed consent must be obtained from the persons who provide their personal data. This consent must be free, expressed, and unambiguous.
  • The data handled must be current, truthful, and suitably adapted to the purpose for which the information was requested.
  • At all times people should be allowed to know the information on file about them, rectify any information they wish to change, as well as revoke the consent they had previously given.
  • The information must be stored securely. Security includes both physical protection at the place where the information is stored and computer access measures in case the information is stored digitally.
  • Minimum action protocols must be established in order to ensure the proper handling of personal data. These protocols will establish the way in which the company must handle personal data submitted by all of its employees.
  • In the event that the database is used for distribution, dissemination and/or commercialization purposes, the database must be registered with PRODHAB (Inhabitants’ Data Protection Agency). If any database does not meet these conditions, it must not be registered. However, this does not grant an exemption from compliance with the other obligations established in the Data Law.

By meeting the responsibilities outlined above, any company that manages a personal database will comply with the main requirements of the Data Law, reducing the risk of receiving sanctions from PRODHAB, which, besides economic penalties, could include suspension of database use.