Global Data Privacy Guide
USA, Puerto Rico (Caribbean)
Firm: McConnell Valdés LLC
Updated: 07 Aug 2025
| Question | Answer |
|---|---|
| 1. What is the key legislation? | Puerto Rico currently has four (4) preeminent data privacy and cybersecurity laws and regulations, enacted to protect Puerto Rico residents from data breaches, identity theft, and attacks on their personal information, namely: 1) Puerto Rico Citizen Notice on Databank Security Act, Act 111-2005, 10 LPRA § 4051 et seq. (“Act 111”). Act 111 requires a person or entity in possession of a database containing personal information belonging to Puerto Rico residents to notify affected individuals of, and report to the Puerto Rico Department of Consumer Affairs (“DACO”, for its acronym in Spanish), certain security breaches. 2) Puerto Rico Privacy Policy Notification Act, Act 39-2012, 10 LPRA § 4061 et seq. (“Act 39”), supported by DACO Regulation No. 8568 of February 27, 2015 (“Regulation 8568”). Under Act 39 and Regulation 8568, any person or entity that collects personal information belonging to Puerto Rico residents must adopt a privacy policy that addresses certain matters, including but not limited to: the type of personal information collected, the persons with whom collected personal information is shared, personal information management procedures, and changes to the privacy policy. 3) DACO Regulation No. 9158 of February 6, 2020 (“Regulation 9158”; together with Act 111, Act 39 and Regulation 8568, collectively the “PR DPC Laws”). Regulation 9158 requires entities that offer or sell goods or services to consumers to adopt measures to protect consumers’ personal data and to inform consumers how their personal information will be used. 4) Cybersecurity Act of the Commonwealth of Puerto Rico, Act 40-2024 (“Act 40”). Act 40 introduces a comprehensive cybersecurity framework applicable to the Executive Branch of the Commonwealth of Puerto Rico, its agencies, departments and public corporations (the “Government”), and to any natural or legal person doing business or having contracts with the Government (the “Contractors”). Under Act 40, the Government and its Contractors are required to, among other things: establish control mechanisms to stop inappropriate material, malware and other threats; establish control mechanisms to protect the confidentiality and integrity of information, including the use of encryption in their systems; establish policies on the appropriate use of information systems; report any cybersecurity incident within 48 hours; and comply with industry practice and standards when accepting credit card payments through web portals. Moreover, Puerto Rico government agencies are required to confer with the Puerto Rico Innovation and Technology Service (“PRITS”) before entering into any contract, amendment, or renewal with a Contractor. Act 40 empowers PRITS to terminate contracts found to be non-compliant with the established cybersecurity standards. |
| 2. What are the key decisions applying that legislation? | To date, there is no binding case law applying Act 40 or the PR DPC Laws. |
| 1. How are “personal data” and “sensitive data” defined? | Personal Information (i.e., personal data) refers to any name or number that, alone or combined with other data, can be used to identify a specific individual. This includes, but is not limited to: full name, Social Security number, date or place of birth, marital status, gender, physical or mailing address, ZIP code, email address, phone number, driver’s license or passport number, fingerprints, voice recordings, retina images, tax information, employment evaluations, and any other data that enables physical or electronic identification of a natural person. |
| 2. How is the defined data protected? | The data must be protected with at least a password and some form of encryption technology. |
| 3. Who is subject to privacy obligations? | Any person or entity in possession of a database containing personal information belonging to Puerto Rico residents. |
| 4. How is “data processing” defined? | The PR DPC Laws and Act 40 do not define “data processing”. |
| 5. What are the principles applicable to personal data processing? | Because the PR DPC Laws and Act 40 do not define “data processing”, there are no specific principles applicable to personal data processing. However, processors of personal data must follow applicable federal legislation and are also encouraged to abide by industry-specific fair information practices. |
| 6. How is the processing of personal data regulated? | The PR DPC Laws do not currently regulate the processing of personal information beyond its collection and storage. |
| 7. How are storage, security and retention of personal data regulated? | The PR DPC Laws do not require persons or entities that collect personal information belonging to Puerto Rico residents to adopt specific technical or security measures to protect the confidentiality of that information. However, Act 40 sets out minimum cybersecurity and data privacy standards and principles applicable to the Government and its Contractors. Examples of these minimum standards and principles are: establishing control mechanisms and a security policy to stop internet traffic classified as inappropriate; implementing layered security controls; implementing encrypted administrative controls; using virtual private networks (“VPN”) or any other type of virtual private network to access Government databases; processing credit card payments in compliance with PCI-DSS; and complying with the Federal Information Security Management Act and retaining information for not less than three (3) years. “PCI-DSS” means Payment Card Industry Data Security Standard. |
| 8. What are the data subjects' rights under the data legislation? | Data subjects are entitled to: know the uses and policies applicable to their personal information; receive data breach notices; and file lawsuits. |
| 9. What are the consent requirements for data subjects? | Both opt-in and opt-out consent mechanisms are considered valid under Puerto Rico’s data protection framework, provided that consent is informed and explicit. Additionally, Regulation 9158 requires entities to obtain their consumers’ written consent to use their personal data for marketing purposes. |
| 10. How is authorization for use of data handled? | Please refer to Question No. 9. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The PR DPC Laws do not currently regulate cross-border data transfers. |
| 12. How are data "incidents" and "breaches" defined? | “Breaches” and “Incidents” refer to any situation in which unauthorized persons gain access to data files, compromising the security, confidentiality, or integrity of the information. They also include cases where authorized persons access the data but are known or reasonably suspected to have violated professional confidentiality or to have obtained access through false representations with the intent to use the information unlawfully. The same applies equally to digital access to information systems and to physical access to the storage media containing the data, including any unauthorized removal or transfer of such media. |
| 13. Are there any notification requirements for incidents and/or data breaches? | In general, persons and entities are required to notify Puerto Rico governmental agencies and their consumers of data breaches. Failure to do so may trigger administrative fines. Act 111 requires a person or entity in possession of a database containing personal information belonging to Puerto Rico residents to notify affected individuals of, and report to DACO, certain security breaches. If a data breach is detected, Act 111 requires the custodian of the database to notify affected data subjects and to file a data breach report with DACO, each within 10 days from the date on which the breach is detected. Other requirements may apply depending on the data breach. The notice and reporting requirements of Act 111 are triggered whenever (1) the dataset containing personal information is not password protected and encrypted and (2) it is subject to unauthorized access. Therefore, Act 111 does not require every kind of data breach to be notified to affected individuals and reported to DACO. Rather, these notice and reporting requirements must be met when the dataset has been accessed by unauthorized users and the dataset was not protected with at least a password and some form of encryption technology. |
| 14. Who is/are the privacy regulator(s)? | DACO and PRITS. |
| 15. What are the consequences of a data breach? | Under Puerto Rico law, the consequences of a data breach may include: notification to regulators and data subjects, fines, government oversight and enforcement, and liability to individuals for any damages caused. |
| 16. How is electronic marketing regulated? | Regulation 9158 requires entities to obtain their consumers’ written consent to use their personal data for marketing purposes. |
| 17. Are there sector-specific or industry-specific privacy requirements? | Act 40 introduces a comprehensive cybersecurity framework applicable to the Government and its Contractors. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The PR DPC Laws do not establish any specific legal requirements for appointing Data Protection Officers (“DPOs”) or similar roles within private organizations. |
| 19. What are the record-keeping and documentation obligations? | Puerto Rico’s Data Protection and Cybersecurity Laws do not impose specific record-keeping or documentation obligations related to data privacy or cybersecurity. However, entities operating in Puerto Rico must comply with the record retention requirements established under the Puerto Rico General Corporations Act, Act 164-2009, 14 LPRA § 3501 et seq. (“PRGCA”), which mandate the maintenance of certain corporate documents and records. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | The PR DPC Laws do not impose specific requirements for conducting DPIAs. Act 40, however, requires the Government and its Contractors to carry out a yearly educational plan aimed at training their personnel, Contractors, and clients, including specialized courses for system and technology administrators on cybersecurity best practices, and to perform penetration testing. |
| 21. What are the requirements for third-party vendor management and data sharing? | Third-party vendors are subject to the PR DPC Laws. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Penalties and enforcement mechanisms include fines, cancellation of contracts, and lawsuits. |
| 23. What are the ongoing compliance and audit requirements? | The PR DPC Laws do not impose specific ongoing compliance and audit requirements. |
| 24. Are there any recent developments or expected reforms? | There are no recent legislative developments or expected reforms. |
Supplementing Question 1 (definition of “personal data” and “sensitive data”): sensitive data is not defined in the PR DPC Laws. However, Act 40 defines “Sensitive Assets” as information, equipment, or resources whose loss, misuse, unauthorized access, or alteration could negatively impact the interests of the Government and/or the privacy of citizens.
Supplementing Question 13 (notification requirements): Act 40 also requires the Government and its Contractors to notify PRITS within forty-eight (48) hours of any incident or potential incident. Failure to provide notice may result in fines.