
Global Data Privacy Guide

Costa Rica

(Latin America) Firm Facio & Cañas

Contributors Sergio Solera

Updated 20 Aug 2025
1. What is the key legislation?

The principal data protection law in Costa Rica is Law No. 8968 (2011), the Law on Protection of the Person Regarding the Treatment of Personal Data (often called the Data Protection Act), along with its implementing regulations under Executive Decree No. 37554-JP (the “Regulation”). These govern the processing of personal data in both automated and manual databases by public and private entities. 

In addition, Law No. 7975 (2000) (the Undisclosed Information Law) makes it a crime to disclose confidential or personal information without authorization. 

Under the Data Protection Act and Regulation, any company or entity that distributes, commercializes, or publicly shares personal data must register its database with the national data protection authority (PRODHAB). However, databases used purely for internal purposes (e.g. HR or client lists not shared externally) do not require registration, and financial institutions supervised by the financial regulator (SUGEF) are exempt from PRODHAB registration.

2. What are the key decisions applying that legislation?

Costa Rica's data protection legislation has been shaped by a series of foundational decisions issued primarily by the Sala Constitucional (Constitutional Chamber) and PRODHAB, which have clarified the scope, limitations, and enforceability of Law No. 8968.

One of the most significant constitutional rulings is Decision No. 5802-99, which laid the groundwork for the constitutional right to informational self-determination, declaring that individuals have control over their personal data and must give informed consent before it is collected or disclosed.

Another pivotal case is Decision No. 010671-2007, which clarified that data stored in public or private databases is protected, regardless of whether it is sensitive or not, and that unauthorized access or failure to rectify inaccuracies constitutes a violation of fundamental rights. This case confirmed that even public institutions must strictly comply with data access and correction obligations.

On the administrative side, a landmark enforcement action is PRODHAB Resolution No. 697-2023, which ordered the Central Bank of Costa Rica to suspend the collection and transfer of personal data through the “Registro de Transparencia y Beneficiarios Finales” until a complaint was resolved. This was the first time PRODHAB imposed a precautionary suspension on a major government data initiative, signaling its growing enforcement authority.

1. How are “personal data” and “sensitive data” defined?

Under Costa Rica’s Law No. 8968 on the Protection of the Person Regarding the Processing of Their Personal Data, personal data is defined as any information concerning an identified or identifiable natural person. This includes names, identification numbers, contact information, and other data that directly or indirectly allows someone to be identified. Sensitive data, on the other hand, refers to information related to a person’s most private aspects, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, sexual orientation, or trade union membership. Due to the nature of this data, its misuse could cause serious harm or discrimination, and therefore it is subject to stricter legal protection and processing limitations.

2. How is the defined data protected?

Both personal and sensitive data are protected through a legal framework based on informed consent, purpose limitation, data quality, and confidentiality. Any processing of personal data requires the prior, express, and informed consent of the individual, except in limited situations permitted by law. Sensitive data, in particular, may only be processed under strict conditions, such as explicit consent or legal/medical necessity. Data controllers are obligated to implement technical and organizational measures to protect data from unauthorized access, alteration, or loss.

3. Who is subject to privacy obligations?

The data protection rules apply to any natural or legal person, whether public or private, that handles personal data. This includes individuals, companies, government agencies, and other entities that collect, store, use, or otherwise process personal data as part of their activities.

In the terminology of the law: a “Data Controller” is the person or entity (public or private) responsible for a personal data file or database and who determines the purposes and means of processing, and a “Data Processor” is a person or entity that processes personal data on behalf of a controller (e.g. an outsourced service provider).

The law and regulations also refer to “technology intermediaries” or service providers, meaning companies that provide infrastructure, cloud storage, platforms or software for data processing.

All such parties involved in data processing are obligated to comply with the data protection requirements. (There is an exception for purely personal or household data usage – data kept by individuals for domestic purposes that is not commercialized or shared – which is outside the scope of the law.)

4. How is “data processing” defined?

Data processing is defined in Article 3 of the Regulation to Law No. 8968 (Executive Decree No. 37554-JP). It refers to any operation or set of operations applied to personal data, whether through automated or manual means.

This definition includes a broad range of activities such as collection, registration, organization, storage, modification, extraction, consultation, use, communication by transmission or dissemination, distribution, interconnection, blocking, deletion, and destruction of data. It essentially covers the full life cycle of personal data — from the moment it is collected to when it is deleted or anonymized.

5. What are the principles applicable to personal data processing?

Costa Rica’s data protection regime is built on the principle of informed consent and data subject autonomy. 

In general, personal data may only be collected and processed with the prior, express, and informed consent of the data subject, unless a specific legal exception applies (for example, a judicial order, important public interests, or other limited bases allowed by the law). 

Consent must be unequivocal and documented (it can be given in writing either on paper or electronically, including online, and can be revoked at any time without retroactive effect). 

The law imposes a duty to inform the individual at the time of data collection about key details such as: the existence of the personal data database, the purpose for which data is collected, the recipients or types of people who may have access, whether providing each data item is mandatory or optional, how the data will be processed, the consequences of refusing to provide data, the individual’s rights under the law, and the identity and address of the data controller. 

This information must be presented clearly (for example, in a collection form or privacy notice) so the data subject understands it before consenting. 

Other fundamental principles include the data quality principle – personal data must be accurate, truthful, up-to-date, and relevant to the stated purpose for which it is collected.

The law also embodies principles of confidentiality and security, requiring those who process data to maintain secrecy and protect data against unauthorized access or misuse.

6. How is the processing of personal data regulated?

The Data Protection Act and its Regulation set out detailed rules for how personal data must be handled throughout its lifecycle. “Processing” of personal data is defined broadly to include any operation or set of operations performed on personal data, whether by automated or manual means – such as collection, recording, organization, storage, modification, retrieval, consultation, use, disclosure, transmission, dissemination, collation, interconnection, blocking, deletion, or destruction of data. 

A Data Controller remains responsible for ensuring that data is processed only for the purposes and under the conditions to which the data subject consented, even if the data are stored or processed by a third-party service or in the cloud. The Regulation explicitly provides that the controller (or a processor, as applicable) may carry out communication, transfer, or other processing of data only as permitted by the data subject’s informed consent, and this holds true even when the data is hosted by a technology intermediary – the controller cannot evade responsibility by outsourcing. 

A Data Processor (encargado) is only allowed to process the personal data in accordance with the instructions and purposes given by the controller, as established in a contract between them.

In fact, the Regulation (Articles 30-31) spells out that processors must: process data only per the controller’s instructions, not use the data for any other purposes, implement security measures and follow the controller’s protocols, maintain confidentiality, and delete or return the data once the service is completed or as directed by the controller (unless law requires retention).

To ensure compliance, controllers must establish and document internal procedures for key stages of data handling – including how data is collected/added to a database, how it is kept and updated, how it can be blocked or deleted, among others. 

Article 27 of the Regulation requires that these procedures apply whether the data is processed on-site or in the cloud, and that they adhere to minimum action protocols and security measures established for data protection.

The controller is also obligated to uphold the “principle of data quality” during processing – in other words, to ensure data remains accurate, relevant and up-to-date for the purposes for which it is processed.

In practice, this means a controller should correct or delete information that is incorrect or no longer needed. The Regulation even specifies that if data have ceased to be pertinent or necessary for the original purpose, the controller must remove or anonymize them (and in general, personal data that could affect the data subject should not be kept beyond 10 years, absent a special legal requirement).

7. How are storage, security and retention of personal data regulated?

Controllers are required to implement robust security and data management protocols for any personal data they hold. The Regulation mandates that every data controller create a “minimum action protocol” setting out the procedures for collecting, storing, using, and eventually deleting personal data. 

This internal protocol (and any future updates to it) must be registered with PRODHAB, the data protection authority. 

The controller must follow the protocol and ensure the database is managed in compliance with it (PRODHAB has the power to verify at any time that the protocol is being followed). 

The law also imposes a general duty to maintain appropriate technical and organizational security measures to safeguard personal data against risks such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, or any other form of unlawful processing. 

Controllers must implement administrative, physical, and logical security controls, and are responsible for ensuring that any data processors or technology intermediaries they use also uphold those security measures.

The Regulation specifies factors a controller should consider when determining the necessary level of security, including the sensitivity of the data, the state of technology, potential consequences of a breach for data subjects, the number of data subjects, past security incidents, and the overall risk associated with the data. 

Importantly, the Regulation lists concrete security actions that controllers must carry out (and be prepared to demonstrate to PRODHAB on request). 

These include, at a minimum: (a) Preparing an up-to-date inventory of the personal data being processed, with a detailed description of the categories of data; (b) Maintaining an inventory of the IT infrastructure used for data processing, including hardware, software, and software licenses; (c) Documenting the systems, programs, or methods used to process and store data (including the name and version of any database software); (d) Conducting a risk analysis to identify potential hazards and estimate risks to the personal data; (e) Establishing specific security measures for the data and noting which measures are effectively implemented; (f) Calculating the “residual risk” – i.e., evaluating the gap between existing security measures and any additional measures needed to adequately protect the data; and (g) Developing a work plan to implement any missing security measures identified by that risk analysis.

These steps form part of an ongoing security management process. The documentation of a controller’s security measures is considered confidential (non-disclosable) information, but PRODHAB can review it on-site if a complaint arises or for oversight purposes.

Regarding data retention, Costa Rican law adheres to a proportionality principle: personal data should not be kept for longer than necessary. In fact, under a rule introduced by the 2013 Regulation (referred to as a “right to be forgotten” provision), personal data that could affect the data subject must not be retained for more than 10 years from the date of the last relevant fact, unless a special law permits a longer period. 

If data needs to be preserved beyond that period (for example, for legal obligations), it should be dissociated (anonymized) so it can no longer be linked to an identifiable person. 

In practice, this means controllers should have retention policies to delete or anonymize personal data once it is no longer needed for the purpose it was collected, and certainly after 10 years if keeping it would impact the individual’s privacy. 

Controllers also must honor any specific requests from data subjects to delete data (provided there is no overriding legal requirement to keep it). All of these requirements – the registered protocols, security measures, and retention limits – aim to ensure that stored personal data is handled safely and not kept indefinitely or insecurely.

8. What are the data subjects' rights under the data legislation?

Individuals (data subjects) have several key rights under the Costa Rican Data Protection Act (often referred to as “ARCO” rights – Access, Rectification, Cancellation, and Opposition – though the law uses somewhat different terminology). The law guarantees that everyone has the right to access their personal data, to request correction or deletion of that data, and to give or withhold consent for its disclosure or transfer.

More specifically:

- Right of Access: Any person can request confirmation of whether a controller holds personal data about them and receive a copy of all such data in an understandable form. Upon request, the data controller must inform the individual about the existence of personal data concerning them in any database, the purpose for which it is used, and the actual use and recipients of that data. The individual is entitled to be informed of all information related to them in the database (the law says the response must include the entire set of personal data on file, not just a summary). The controller must also, if asked, indicate the systems or processes used to process the person’s data (i.e., the individual can know if their data is processed manually or by what computerized system). Access should be provided without undue delay and at no cost to the data subject (the law envisions that access requests be handled “at reasonable intervals, without delay and free of charge”). If the data subject is deceased, their successors or heirs may exercise the access right in their stead.

- Right of Rectification and Update: If a person finds that their personal data is inaccurate, incomplete, erroneous or out-of-date, they have the right to have it corrected or updated. Controllers are obligated to rectify data that is incorrect or misleading. In fact, the law explicitly requires that personal data be truthful and exact, and that controllers proactively ensure any inaccuracies are fixed or that incomplete data is completed, so the data remains accurate over time. Data subjects can request the update of their data if it changes, and the controller must comply promptly.

- Right of Cancellation or Deletion: A data subject has the right to request cancellation or elimination of their personal data when it is not being processed in accordance with the law or when it’s no longer necessary for the purpose collected. For example, if data was collected without proper consent, or kept longer than allowed, the individual can demand its deletion. The law also refers to guaranteeing confidentiality, meaning the person can insist that their data be kept confidential or removed if it’s being improperly disclosed. In practice, upon a valid deletion request, a controller must erase or anonymize the data (unless retention is required by law). As noted earlier, the Regulation’s “right to be forgotten” rule automatically mandates deletion/anonymization after ten years for data that could affect the person, so a person could also invoke that if needed. If the individual has died, their heirs can also request deletion of data on their behalf.

- Right to Object or Consent to Data Use: Costa Rica’s law does not enumerate a formal “right to object” to processing in the same broad way as, for instance, the European GDPR. However, because processing (especially for sharing or marketing purposes) requires the data subject’s consent, an individual effectively has the right to refuse or withdraw consent to certain uses of their data. In particular, the law gives data subjects the power to refuse the transfer of their data to third parties – a controller cannot transfer personal data to another party without the individual’s express consent (except in the limited exceptions provided by law). This is sometimes described as the right to consent to the assignment (transfer) of data: the person controls whether or not their personal data is passed along to others. Consent, once given, can also be revoked, and the controller must honor such revocation (with the limitation that it doesn’t have retroactive effect on processing already done).

- Right to Confidentiality: This right is implicitly protected: data subjects can expect that controllers and processors keep their data secret and secure. If a data subject feels their rights are violated (for example, a request for access or correction is not honored), they can file a complaint to PRODHAB or even pursue a constitutional “habeas data” action in court to enforce their rights. Controllers are legally required to have procedures in place to handle data subjects’ requests to exercise these rights and must do so free of charge and within a short timeframe (the Regulation specifies, for instance, that access or rectification requests should be resolved within five business days).

9. What are the consent requirements for data subjects?

Costa Rican data protection legislation requires that the collection and processing of personal data be based on the express, prior, and informed consent of the data subject. This consent must be freely given, specific, and based on clear information about the purpose and scope of the data processing. The law allows consent to be documented either in written or electronic form, and it must be presented in a clear and understandable manner, free of coercion or ambiguity.

10. How is authorization for use of data handled?

Authorization for the use of personal data is formalized through the same mechanism as consent, and it governs how, by whom, and for what purposes personal data may be processed. Data controllers must ensure that authorization is granted for each specific purpose, and any use of the data outside of the scope of that authorization is considered unlawful. The Regulation to Law 8968 requires data controllers to retain a record of the data subject’s authorization, including the means through which it was obtained and the conditions under which the data may be used or transferred.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Cross-border data transfers are not expressly regulated in the Data Privacy Act and the Regulation. 

Generally, Data Controllers may only transfer data when the Data Subject has expressly and validly authorized such transfer, without violating the principles and rights recognized in the Data Privacy Act.

Transfers of personal data by Data Controllers will be subject to faithful compliance with the minimum protocols of action duly registered before PRODHAB. In order to demonstrate that the transfer of personal data was performed in accordance with the Data Privacy Act and the Regulation, the burden of proof will lie with the Data Controller. The Data Controller and the receiver must sign an agreement whereby the Data Controller transfers to the receiver the same obligations to which the controller is subject.

12. How are data "incidents" and "breaches" defined?

The terms “incident” and “breach” in the context of personal data are addressed under the Regulation to Law No. 8968 (Executive Decree No. 37554-JP), though the law does not define the two terms separately, as is done in some jurisdictions such as the EU. Instead, the Regulation refers broadly to “irregularities in the processing or storage of personal data”, which encompasses both data incidents and breaches.

A data incident or breach is understood as any event that compromises the confidentiality, integrity, or availability of personal data—whether by loss, unauthorized access, alteration, destruction, or disclosure. This includes, for example, a data leak, hacking, accidental exposure, or unauthorized transfer of data. These situations are especially relevant when the data involved includes sensitive personal data or when the incident arises from a security vulnerability in the systems used to process or store the information.

13. Are there any notification requirements for incidents and/or data breaches?

Yes. Costa Rica’s Regulation imposes data breach notification duties on data controllers. If a controller becomes aware of any “irregularity in the processing or storage” of personal data – such as loss, theft, unauthorized access, accidental disclosure or destruction of personal data (essentially a data security breach) – the controller must notify the incident to both the affected data subjects and to PRODHAB within five business days of the breach’s occurrence.

In the case of security vulnerabilities, the Data Controller must inform the Data Subject and PRODHAB of at least the following: the nature of the incident; the personal data compromised; the corrective actions performed immediately; and the means or places where they can obtain more information.

14. Who is/are the privacy regulator(s)?

The national data protection authority in Costa Rica is the Agencia de Protección de Datos de los Habitantes (PRODHAB). 

PRODHAB is the governmental body charged with overseeing and enforcing the data protection law. It maintains a public registry of databases covered by the law and is responsible for ensuring compliance with data protection regulations across both public and private sectors.

PRODHAB has a broad mandate which includes: monitoring and verifying that data controllers follow the law, handling complaints from individuals, and sanctioning non-compliance. It can require information from those who manage databases as needed for its oversight duties.

15. What are the consequences of a data breach?

There are administrative and criminal consequences set forth in the Data Privacy Act and the Criminal Code, respectively.

Disclosure of information recorded in a personal database whose secrecy is required to be kept is a very serious offense under the Data Privacy Act. 

Minor offenses may result in fines of 1 to 5 base salaries. Serious offenses carry fines of 5 to 20 base salaries. Very serious offenses, such as unauthorized disclosure of confidential personal data, may lead to fines of 20 to 30 base salaries, and suspension of database operations for 1 to 6 months.

On the other hand, according to section 196 bis of the Criminal Code, there will be a penalty of prison from one to three years for those who for their own benefit or for a third party's benefit, with danger or harm to privacy and without the authorization of the holder of the data, take, modify, interfere, access, copy, transmit, publish, broadcast, collect, use, intercept, hold, sell, buy, divert to a different purpose for which they were collected or give unauthorized treatment to the images or data of a natural or legal person stored in computer or telematic systems or networks, in electronic, optical or magnetic containers.

16. How is electronic marketing regulated?

Electronic marketing in Costa Rica is regulated under a combination of data protection, consumer protection, and telecommunications laws, and is based on an opt-in model. As of October 25, 2017, Executive Decree No. 40703 amended the Regulations to the Promotion of Competition and Effective Consumer Protection Law No. 7472 by adding Chapter X on consumer protection in the context of electronic commerce. According to Article 264 of this regulation, sending commercial communications by electronic means—such as emails, text messages, or automated calls—requires the prior express consent of the recipient. Any communication sent without this consent, that conceals the identity of the sender, or that lacks a clear option to unsubscribe, is considered unsolicited and therefore prohibited.

The content of marketing messages must adhere to strict requirements. All communications must clearly identify the sender and include an accessible method to opt out of further messages. Personal data used for marketing purposes must be handled confidentially and in accordance with the Data Protection Act and the General Telecommunications Law. Specifically, unsolicited telemarketing calls, whether made through automated systems or manually, are not permitted unless the recipient has explicitly agreed to receive them.

Several other legal instruments reinforce these protections. The ARESEP User Protection Regulation for Telecommunications Services (Resolution 007-010-2010) requires prior user consent for bulk messaging, while the Executive Decree No. 35205 outlines protective measures for communication privacy. In addition, the Criminal Code (Article 232(e)) prohibits cyber-related offenses such as spreading malware, which may be relevant in cases of unlawful marketing practices.

In summary, electronic marketing without consent is unlawful in Costa Rica. Companies must obtain express prior consent, honor unsubscribe requests, clearly disclose their identity in messages, and ensure full compliance with privacy and data protection standards. Failure to do so can lead to administrative or even criminal sanctions under the applicable legal framework.

17. Are there sector-specific or industry-specific privacy requirements?

Costa Rica’s data protection framework under Law No. 8968 is broadly applicable across sectors, with no sector-specific privacy requirements formally embedded in the law itself. Instead, obligations are uniform regardless of the industry. However, electronic marketing is additionally regulated under consumer protection and telecommunications laws.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Under current legislation, there is no legal requirement to appoint a Data Protection Officer (DPO) or an equivalent role in Costa Rica.

19. What are the record-keeping and documentation obligations?

Data controllers must maintain comprehensive internal protocols of action covering the collection, storage, processing, and deletion of personal data. These protocols must describe security measures, data handling procedures, the processing infrastructure, risk assessments, and corrective action plans. Crucially, these protocols must be registered with PRODHAB, the national data protection authority.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Costa Rican law does not require Data Protection Impact Assessments or similar risk-assessment documentation (e.g., DPIAs), unlike modern privacy regimes such as the EU GDPR.

21. What are the requirements for third-party vendor management and data sharing?

Transfers of personal data to third parties (e.g., processors) require the data subject’s prior, express, and valid written consent, and such transfers must comply with the protocols registered with PRODHAB. Transfers to service providers, technology intermediaries, or entities within the same corporate group are not considered transfers under the law and thus are exempted from needing additional consent.

22. What are the penalties and enforcement mechanisms for non-compliance?

PRODHAB may impose administrative fines for violations of Law 8968. These fines range from one to thirty base salaries, depending on the severity of the offense (e.g., unauthorized disclosure of confidential data is considered very serious). In severe cases, PRODHAB can also order the suspension of data processing operations. Additionally, violations may result in civil liability, and egregious breaches may trigger criminal charges under the criminal code.

23. What are the ongoing compliance and audit requirements?

Costa Rica does not impose mandatory periodic audits or certification regimes. However, controllers must establish and maintain internal protocols, technical security measures, and documentation—including details about their infrastructure and risk assessments—and make them available to PRODHAB upon request. These internal mechanisms serve de facto as ongoing compliance tools, with PRODHAB empowered to inspect and verify them at any time.

24. Are there any recent developments or expected reforms?

Yes. The last major changes to the data protection framework were made by amendments to the Regulation in late 2016, which introduced definitions like “technology intermediary” and the concept of a 10-year data retention limit (termed a right to be forgotten). Costa Rica is now moving toward a comprehensive overhaul of its data protection law. In May 2022, a new draft law – Bill No. 23097, the Personal Data Protection Bill – was introduced in the Legislative Assembly, aiming to replace Law 8968 with a modern data protection regime aligned with EU GDPR principles. This bill has been added to the legislative agenda and, as of early 2025, it is showing strong prospects of approval (it has been prepared for plenary debate, with observers predicting possible passage by the first half of 2025).
