
Global Data Privacy Guide

Bolivia

(Latin America) Firm C.R. & F. Rojas - Abogados

Contributors Paula Bauer

Updated 21 July 2025
1. What is the key legislation?

Not applicable.

2. What are the key decisions applying that legislation?

Not applicable.

1. How are “personal data” and “sensitive data” defined?

Personal data: Any information about an individual (natural or legal person) that identifies or makes them identifiable.

Sensitive data: Subset of personal data requiring special protection: biometric, health, sexual life, religious, political, union, ethnicity, and income.

2. How is the defined data protected?

The Bolivian Constitution (2009) explicitly guarantees the right to privacy, intimacy, honor, and protection of one's image. It also recognizes the individual's right to informational self-determination, enabling actions to know, rectify, suppress or object to personal data held by others. Bolivia lacks a comprehensive national data-protection law. Protection currently rests on Law N° 164 ("Telecommunications Law") and its implementing Supreme Decree N° 1793 of November 2013, which governs providers of digital certification, e-government, digital signatures, email systems, and related ICT services. These regulations apply to data controllers in the telecommunications sector (no separate “processors” or designated Data Protection Officer roles) and are enforced by the Telecommunications Authority.

3. Who is subject to privacy obligations?

  • Operators/Service providers: Authorized telecom or ICT network controllers (public or private).
  • Intermediaries: Support entities handling data messages, transmission, and storage.
  • Data controllers: Those determining the purposes/means of personal data processing.

4. How is “data processing” defined?

It is any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion.

5. What are the principles applicable to personal data processing?
  • Purpose: The use and processing of personal data by authorized certifying entities must comply with a legitimate purpose, of which the data subject must be aware in advance.
  • Truthfulness: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable, and intelligible. The processing of incomplete or misleading data is prohibited.
  • Transparency: The data subject's right to obtain from the authorized certifying entity, at any time and without hindrance, information related to the existence of data concerning them must be guaranteed.
  • Security: The technical and administrative controls required to preserve the confidentiality, integrity, availability, authenticity, non-repudiation, and reliability of the information must be implemented, ensuring the security of records and preventing falsification, loss, unauthorized or fraudulent use and access.
  • Confidentiality: All persons involved in and intervening in the processing of personal data are obliged to guarantee the confidentiality of the information, even after their relationship with any of the activities comprising the processing has ended. They may only provide or communicate personal data when this corresponds to the performance of authorized tasks.
6. How is the processing of personal data regulated?

The use of personal data will respect the fundamental rights and guarantees established in the Political Constitution.

The technical processing of personal data in the public and private sectors in all its forms, including the collection, storage, processing, blocking, erasure, transfer, consultation, and interconnection, will require the prior knowledge and express consent of the data subject, which will be provided in writing or by other comparable means depending on the circumstances. This consent may be revoked when there is justified cause, but such revocation will not have retroactive effect.

Individuals from whom personal data is requested must be previously informed that their data will be processed, the purpose of its collection and recording; the potential recipients of the information; the identity and address of the data controller or their representative; and the possibility of exercising the rights of access, rectification, updating, erasure, objection, revocation, and any other rights that may be relevant. The personal data being processed may not be used for purposes other than those stated at the time of collection and recording.

The personal data being processed may only be used, communicated, or transferred to a third party with the prior consent of the data subject or by written order of a competent judicial authority.

The controller of personal data, whether in the public or private sectors, must adopt the necessary technical and organizational measures to guarantee the security of the personal data and prevent its alteration, loss, or unauthorized processing. These measures must be tailored to the state of the art, the nature of the data stored, and the risks to which they are exposed, whether arising from human action or from the physical or natural environment.

7. How are storage, security and retention of personal data regulated?

Unlike some jurisdictions, Bolivia does not impose a uniform mandatory data retention period for telecommunications or ICT data generally. However, financial institutions—regulated under the Financial Services Law—are required to retain client consent records and certain documentation for 10 years, and documents linked to penalized credit operations for 20 years. 

8. What are the data subjects' rights under the data legislation?

Individuals from whom personal data is requested must be informed in advance that their data will be processed, the purpose of its collection and recording; the potential recipients of the information; the identity and address of the data controller or their representative; and the right to exercise their rights of access, rectification, updating, cancellation, objection, revocation, and other rights that may be relevant. The personal data processed may not be used for purposes other than those stated at the time of its collection and recording.

9. What are the consent requirements for data subjects?

The technical processing of personal data in the public and private sectors in all its forms, including collection, storage, processing, blocking, erasure, transfer, consultation, and interconnection, will require the prior knowledge and express consent of the data subject, which will be provided in writing or by other comparable means depending on the circumstances. This consent may be revoked when there is justified cause, but such revocation will not have retroactive effect.

The personal data being processed may only be used, communicated, or transferred to a third party with the prior consent of the data subject or by written order of a competent judicial authority.

10. How is authorization for use of data handled?

All types of personal data processing—including collection, conservation, processing, blocking, cancellation, transfer, consultation, and interconnection—require prior knowledge and the explicit consent of the data subject. Consent must be provided in writing or via an equivalent means, appropriate to the context. It may be revoked by the subject for justified reasons, although such revocation does not have retroactive effect.

Subjects must receive clear information before giving authorization, covering:

  • The fact that their data will be processed;
  • The purpose of data use;
  • The potential recipients;
  • The identity and address of the data controller or its representative;
  • Their available rights, including access, rectification, cancellation, objection, and revocation.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Cross-border transfers are subject to regulation under Law 164 / DS 1793. Explicit consent is typically required, although exceptions exist (e.g., legal claims, contracts). The consent must be explicit, prior and informed, and given in writing or by equivalent means. Judicial transfer is allowed if supported by a court order.

12. How are data "incidents" and "breaches" defined?

In the absence of specific legislation on personal data protection, information security breaches can give rise to:

  • Civil actions: Affected individuals may file lawsuits for damages arising from the unauthorized disclosure of their personal data.
  • Criminal actions: The Bolivian Penal Code provides penalties for crimes related to the unauthorized manipulation or access to computer data, which could be applied in cases of data breaches.

13. Are there any notification requirements for incidents and/or data breaches?

In Bolivia, there is no specific legal obligation to notify incidents or personal data breaches, either to the authorities or to the affected individuals. However, entities must take appropriate measures to remedy any security breaches in the processing of personal data, especially in sectors such as telecommunications and financial services.

14. Who is/are the privacy regulator(s)?

In Bolivia, there is no specific national authority responsible for regulating and supervising personal data protection. Although the Agency for Electronic Government and Information and Communication Technologies ("AGETIC") plays a role in promoting digital policies, it does not have the legal authority to directly oversee compliance with data protection laws.

Furthermore, the Ombudsman's Office is an independent institution responsible for the protection of human rights in Bolivia. Although its mandate includes the defense of the right to privacy, it does not have specific powers to supervise or sanction the processing of personal data.

15. What are the consequences of a data breach?

In the absence of specific legislation on personal data protection, information security breaches can give rise to:

  • Civil actions: Affected individuals may file lawsuits for damages arising from the unauthorized disclosure of their personal data.
  • Criminal actions: The Bolivian Penal Code provides penalties for crimes related to the unauthorized manipulation or access to computer data, which could be applied in cases of data breaches.
16. How is electronic marketing regulated?
  • General Law on Telecommunications, Information and Communication Technologies (Law No. 164): This law establishes the foundations for the use of digital technologies in Bolivia, including provisions on e-commerce and the validity of documents and digital signatures. Specifically, Article 85 regulates the electronic offering of goods and services, requiring that it be carried out in a technically reliable environment and in accordance with the conditions of the Commercial Code.
  • Law No. 453 on the Rights of Consumers and Users: This law prohibits misleading and abusive advertising, especially that related to illicit or unhealthy products. Specifically, Article 25 establishes clear restrictions, and Article 16 prohibits the dissemination of advertising that incites hatred, violence, or discrimination. It also regulates advertising in digital media, requiring transparency in paid advertisements and establishing penalties for violations.

Although Bolivia does not have specific legislation for e-marketing, practices in this area are subject to general consumer protection and data privacy provisions. For example, users' express written consent is required for the use of their data for advertising purposes. Furthermore, advertising must be clear and not misleading about the characteristics, quality, or price of the products or services.

17. Are there sector-specific or industry-specific privacy requirements?
  • Financial Sector: The Financial System Supervisory Authority ("ASFI") regulates aspects related to the confidentiality and security of clients' financial information. Financial institutions must implement security policies to protect sensitive data and guarantee privacy, in accordance with regulations on the prevention of money laundering and terrorist financing. Reporting and internal auditing obligations apply to data management.
  • Telecommunications and ICT: The General Law on Telecommunications, Information and Communication Technologies ("Law No. 164") and its regulations establish security, confidentiality, and data protection principles for telecommunications companies.
  • The Agency for Electronic Government and Information and Communication Technologies ("AGETIC") is involved in the management of digital policies, although it is not the exclusive privacy regulator. There are obligations to protect data in digital certification services, email, and other ICT services.
  • Health: Although there is no specific law regulating personal health data at the national level, healthcare institutions must safeguard the confidentiality of medical information and comply with basic standards of privacy and professional secrecy. In practice, general provisions on medical secrecy and confidentiality of information apply.
  • Public Sector: The Law on Transparency and Access to Public Information establishes rules for the management of public information, but also contemplates the protection of personal data to prevent its improper disclosure. Public entities must implement security measures to protect the personal data they manage.
18. What are the requirements for appointing Data Protection Officers or similar roles?

In Bolivia, there is no specific regulation that formally requires companies or organizations to appoint a Data Protection Officer (DPO) or an equivalent position. Unlike other countries with comprehensive data protection laws, in Bolivia, there is no regulation establishing requirements for this position or regulating its functions, responsibilities, or profile.

19. What are the record-keeping and documentation obligations?

In Bolivia, there is no specific, general regulation on registration and documentation obligations regarding personal data protection due to the absence of a comprehensive privacy law. However, certain obligations related to the handling of personal information in regulated sectors and recommended practices for regulatory compliance can be identified.

Financial Sector: Financial institutions must maintain detailed records related to the management of their clients' personal data, especially for the purposes of preventing money laundering and terrorist financing. The Financial System Supervisory Authority ("ASFI") establishes guidelines for the retention of documentation and records that allow for audits and internal controls.

Telecommunications and Information Technology: The General Telecommunications Law (Law No. 164) and its regulations require operators and providers to maintain documentation on data management and the security measures implemented. It is advisable to keep records of security incidents and internal audits to demonstrate compliance.

Public Sector: Public entities must maintain documentation on the processing of personal data in accordance with the Law on Transparency and Access to Public Information, ensuring that the data is handled securely and responsibly. They must retain records to respond to requests for access to information and data protection.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

In Bolivia, there is no specific regulation requiring Data Protection Impact Assessments (DPIAs) due to the absence of a general personal data protection law.

21. What are the requirements for third-party vendor management and data sharing?

In Bolivia, since there is no comprehensive personal data protection legislation, specific obligations for managing third-party providers and sharing personal data are not formally regulated. However, some sector-specific frameworks and recommended best practices establish guidelines that organizations should follow to protect personal information when engaging third parties.

22. What are the penalties and enforcement mechanisms for non-compliance?

In Bolivia, due to the lack of a comprehensive personal data protection law, there are no sanctions or specific and detailed mechanisms for non-compliance in this area. However, some relevant aspects can be identified regarding penalties and enforcement mechanisms applicable in related sectors or cases.

  • Financial Sector: The Financial System Supervisory Authority ("ASFI") may impose fines and sanctions for non-compliance with personal data management related to the prevention of money laundering and terrorist financing.
  • Telecommunications: The Telecommunications and Transport Regulatory Authority ("ATT") oversees compliance with the Telecommunications Law and may apply sanctions in the event of non-compliance with obligations related to information confidentiality and security.
  • Civil Liability: Data subjects may file lawsuits to claim compensation for damages arising from the misuse or unauthorized disclosure of their data.
  • Criminal liability: The Bolivian Penal Code includes offenses related to unauthorized access to computer systems, improper disclosure of secrets, identity theft, and other cybercrimes that may apply in cases of data breaches.
23. What are the ongoing compliance and audit requirements?

In Bolivia, due to the absence of a specific general law on personal data protection, there are no express and mandatory legal requirements for ongoing compliance or formal audits regarding privacy and data protection for all organizations. However, in some regulated sectors and in accordance with good practices, certain obligations and recommendations related to compliance and auditing are observed.

Financial Sector: The Financial System Supervisory Authority ("ASFI") requires financial institutions to implement internal control systems that include the protection and proper handling of personal information. Periodic internal and external audits are required to verify compliance with anti-money laundering regulations, which include aspects related to data security. Compliance reports to the ASFI are mandatory depending on the sector.

Telecommunications and Information Technology: Telecommunications companies must maintain oversight and control mechanisms that ensure the confidentiality and security of information, in accordance with the General Telecommunications Law (Law No. 164). It is recommended to conduct periodic internal audits to evaluate the effectiveness of the security measures implemented.

Public Sector: Public entities must comply with the Law on Transparency and Access to Public Information, which requires maintaining controls to guarantee the protection of personal data. Periodic audits and evaluations are encouraged to ensure compliance with internal privacy and security policies.

24. Are there any recent developments or expected reforms?

Bolivia currently lacks a comprehensive data protection law. However, several legislative proposals are under consideration:

  • Draft Law No. 185/2019: Introduced in 2018, this bill aims to establish a framework for personal data protection. While it remains archived, there is potential for its reactivation in the near future.
  • Draft Law No. 349/2020-2021: Presented in 2021, this bill addresses personal data protection and is currently pending in the Legislative Assembly.

These initiatives reflect Bolivia's commitment to enhancing data privacy protections, although no comprehensive law has been enacted yet.
