Published and draft legislation - Costa Rica

Reform to the Data protection law

Executive Decree 40008

This decree modifies several provisions in Regulation 3755/5th March 2013, regulating Law 8968/7th July 2011, on the Protection of the Individual in the Processing of their Personal Data.

The reform is designed to clarify certain issues where doubts have arisen, to make it easier to apply the law properly and to simplify the procedure for registering data. The decree seeks to specify the scope of application of Law 8968 in the following areas:

  • Internal, personal or domestic data base: clarification of these terms. These three categories are exempt from the requirement to register with the Residents’ Data Protection Agency (“the Agency”).
  • Consent for the processing of personal data: permission for the processing of personal data must be free, unequivocal, informed and specific; it must be expressly granted in writing or digitally. The requirement that this consent be granted in an independent document has been suppressed, which makes the procedure much more straightforward.
  • Distribution, dissemination: this refers to any way in which personal data is shared with a third party or published, by any means, for a commercial purpose.
  • Transfer of personal data: informed and unequivocal consent of the data holder will always be required; the procedure is defined as the action through which personal data are transferred from the person responsible for a database to any third party different from that officer, from their economic interest group (that must be defined), from the handler, from the service provider or technology intermediary, provided that the recipient does not use them for commercial, distribution or dissemination purposes.
  • Financial institutions: the databases of financial institutions which are subject to monitoring and regulation from the Financial Institutions Authority [Superintendencia General de Entidades Financieras] do not have to register with the Agency. Nonetheless, the Agency still has full authority to regulate and uphold the protection of the rights and safeguards covered by Law 8968, and to exercise those faculties permitted under this law.
  • Right to be forgotten: the limit of 10 years for conserving personal data is unchanged, but with the clarification that this limit is calculated from the date when the purpose of the data processing is finished. There are some exceptions to this provision: regulatory provisions or by agreement between the parties.
  • Outsourcing the service provider or technology intermediary: in these cases the party contracting these services is responsible for the data, party who, furthermore, must verify that the intermediary or provider complies with a set of minimum security measures to ensure the safety and security of the personal data.
  • Registering databases: clarifications are made as to the information which the database owner must supply when registering their database with the Agency.
  • Calculating and charging the licence fee in the case of global contracts: the amounts payable have been reduced and the manner of payment has been changed.

 Furthermore, the “superuser” construct has been suppressed, given that this does not exist either in Law 8968 or in comparative law, but without prejudice to the Agency’s faculties of verification and inspection, stipulated in other legal and regulatory provisions.