On November 15, 2024, Legislative Decree No. 144, which contains the Law for the Protection of Personal Data, was published in the Official Gazette. 

Purpose and scope of application 

The purpose of the law is the protection of personal data, establishing the essential requirements for its legitimate and informed treatment, and guaranteeing the right to privacy and informational self-determination.

It applies to natural and legal persons, public or private, that manage personal data through manual or automated methods, within or outside the national territory. It also includes state and municipal entities and public resource administrators. 

Exclusions 

The following are excluded from the scope of application: (i) processing of credit histories; (ii) processing of personal data with no commercial purpose, intended for activities within the framework of family or domestic life; (iii) processing of personal data or activities aimed at public security, defense of the security of the State, prevention, investigation, detection, and repression of crimes; and (iv) any processing of personal data carried out in any public registry. 

Supervising entity  

The State Cybersecurity Agency, hereinafter “ACE” or “Agency”, will be in charge of the supervision and application of this law, dictating policies for action and maintenance of personal data, as well as security and protection measures. Likewise, it will be in charge of creating certification mechanisms for data protection, as well as approving third parties to issue certifications on the same matter.  

Among the most relevant points of this law, the following stand out: 

  • Processing of personal data: The processing of personal data consists of obtaining, disclosing, or storing personal data. It may only be carried out for the purposes previously informed. In the case of private institutions or companies, only personal data directly related to the nature of the services they provide or have provided to the holder shall be processed.
  • Transfer of data: Requires prior authorization of the holder and the signing of a contract between the parties, guaranteeing the same protection obligations. 
  • Privacy of personal data: The privacy notice is the physical or digital document that, before the processing and collection of data, informs the owner about the terms under which their personal data will be treated. In no case may the controller be exempted from the obligation to communicate it in writing to the holder at the time the holder gives consent.
  • Treatment of informed consent: Consent must be expressed verbally, in writing, or through unequivocal signs as long as it is recorded by physical or technological means. In the case of sensitive personal data, the data controller must obtain consent by written signature or its equivalent. The consent requirements are that it must be free, specific, informed, express, and individualized. 
  • Storage of information: It shall be stored in such a way as to fully guarantee the right of access by the owner of the information. The holder must be informed, free of charge, expressly, precisely, and unequivocally of the following: (i) the purpose for which the data will be collected and processed, as well as the possible recipients or class; (ii) the existence of the database or replacement; (iii) identity, address, e-mail, etc.; (iv) any information that facilitates contacting the data controller; (v) the content of the ARCO-POL rights and the mechanisms to exercise them; (vi) protection measures and mechanisms.
  • Infringements and fines: Penalties may be minor (with a fine of one to a maximum of ten minimum monthly salaries in force of the commerce sector), serious (with a fine of eleven to a maximum of ten minimum monthly salaries in force of the commerce sector), or very serious (with a fine of twenty-six to a maximum of forty minimum monthly salaries of the commerce sector).

The law is effective as of November 28, 2024. 
