The key legislation in Costa Rica is Law No. 8968 on the Protection of Individuals in Connection with the Processing of Personal Data 2011 ("Data Protection Act") and the Executive Decree No. 37554-JP ("Regulation"), which supplements the Data Protection Act.

Note: The Data Protection Act and the Regulation apply to personal data found in automated and manual databases, from companies and public entities.

Any public or private database managed for distribution or marketing purposes must be registered with the data protection authority ("PRODHAB").

Financial institutions subject to the control and regulation of the supervisory authority of financial institutions ("SUGEF") are not required to register their databases before PRODHAB.

Any data relating to an identified or identifiable natural person (data subject).

Note: The Data Protection Act establishes four data categories:

• Sensitive data: personal data revealing racial or ethnic origin, political opinions, religious, spiritual or philosophical beliefs, as well as those relating to health, life and sexual orientation, among others. Individuals are not required to provide such sensitive data and their processing is not allowed, although there are some exceptions.
• Restricted access personal data: those who, even though they are part of public records, can not be accessed unrestrictedly because they are only of interest to their owner or to the Public Administration. Its processing is allowed only for public purposes or if you have the express consent of its owner.
• Personal data of unrestricted access: those contained in public databases of general access, according to special laws and the purpose for which these data were collected.
• Data regarding credit behavior: They are governed by the rules of the National Financial System, so as to ensure an acceptable level of risk to financial institutions.

Individuals, companies and public entities.

Note: Definitions from the Regulation:

Data Controller: any natural or legal person, public or private entity, who manages, is responsible for, or owns, one or more databases with public or private data.

Data Processor: any natural or legal person, public or private entity, or any other body that processes personal data on behalf of the Data Controller.

Technology Intermediary or Service Provider: natural or legal person, public or private entity, that provides services of infrastructure, platform, software or other services.

The Data Controller shall, in all cases, obtain the express consent of the holder for the processing of personal data, with the exceptions established in the Data Protection Act and the Regulation.

Note: Consent must be granted by the Data Subject in a physical or electronic document. Consent can be obtained online.

Likewise, the document by which the Data Subject extends its consent must be easily understood, free of charge and properly identified. Information to be communicated to the Data Subject:

• the existence of the database with personal data;
• the purpose intended with the data collection;
• the recipients of the information, as well as who will be able to consult it;
• mandatory or optional nature of the answers to the questions asked during data collection;
• processing that will be given to the requested data;
• consequences of refusal to provide the data;
• the possibility of exercising their rights; and
• the identity and address of the Data Controller.

The Data Controller or Data Processor will be responsible for processing the data, as determined in the consent given by the Data Subject, even if the data is stored or hosted by a Technology Intermediary.

The Data Processor may only intervene in the processing of personal databases as established in the agreement signed with Data Controller for such purposes.

Note: According to the Regulation, data processing is any operation or set of operations carried out by automated or manual procedures and applied to personal data, such as collection, registration, organization, conservation, modification, extraction, consultation, use, communication by transmission, dissemination, distribution or any other form that facilitates access to them, collation or interconnection, as well as their blocking, suppression of destruction, among others.

The Data Controller shall establish and document procedures for the inclusion, preservation, modification, blocking and suppression of personal data, on the site or in the cloud, based on minimum protocols of action and security measures in the processing of personal data. In addition, the controller must ensure the application of the principle of quality of information.
 

Data Controllers must issue a minimum protocol of action with the steps to follow in the collection, storage and handling of the personal data. Such protocol (and their amendments) must be registered in PRODHAB.

In addition, Data Controllers must adopt technical and organizational measures necessary to ensure the security of personal data and to prevent its alteration, accidental or unlawful destruction, loss, unauthorized processing or access, as well as any other action contrary to the Data Protection Act.

Note: Protocols of action must include at least the following:

• Mandatory policies and privacy manuals within the controller organization.
• Implement a manual of training, updating and awareness-raising for staff on the provisions regarding the protection of personal data.
• Set an internal control procedure for compliance with privacy policies.
• Set agile, expeditious and free procedures to receive and answer doubts and complaints from the holders of personal data or their representatives, as well as to access, rectify, modify, block or delete the information contained in the database and revoke their consent.
• Create measures and technical procedures to keep track of personal data during processing.
• Provide a mechanism through which the Data Controller informs the Data Processor the conditions under which the Data Subject consented to the collection, transfer and processing of their data.

On the other hand, Data Controllers must carry out at least the following security actions, which may be requested at any time by PRODHAB:

• Develop a detailed description of the type of personal data processed or stored.
• Create and maintain an inventory of the technological infrastructure, including computer equipment, programs and their licenses.
• Indicate the type of system, program, method or process used in the processing or storage of data.
• Perform a risk analysis, which consists of identifying hazards and estimating risks that could affect personal data.
• Set security measures applicable to personal data, and identify those effectively implemented.
• Calculate the existing residual risk based on the difference between existing and missing security measures that are necessary for the protection of personal data.
• Create a work plan for the implementation of the missing security measures, derived from the result of the residual risk calculation.
   

Yes, there are. The Data Protection Act guarantees the right of all persons to access their personal data, to request its correction or deletion and to consent to its assignment.

Note: Powers of the Data Subjects regarding their right of access:

• Obtain at reasonable intervals, without delay and free of charge, the confirmation of the existence of their data in files or databases.
• Receive information about the file or database, as well as the purpose by which the data was collected and the use that has been given to them.
• Be informed in writing in a comprehensive manner, by physical or electronic means, about the entire registration belonging to the Data Subject.
• Have knowledge of the system, program, method or process used in the processing of their personal data.

Also, Data Subjects can request and obtain from controllers the rectification, updating, cancellation or elimination and compliance with the guarantee of confidentiality with respect to their personal data.
 

Cross-border data transfers are not expressly regulated in the Data Privacy Act and the Regulation. As a general rule, Data Controllers may only transfer data when the Data Subject has expressly and validly authorized such transfer, without violating the principles and rights recognized in the Data Privacy Act.

Note: Transfers of personal data by Data Controllers will be subject to faithful compliance with the minimum protocols of action duly registered before PRODHAB.

In order to demonstrate that the transfer of personal data was performed in accordance with the Data Privacy Act and the Regulation, the burden of proof will lie with the Data Controller.

Data Controller and receiver must sign an agreement whereby Data Controller transfers to the receiver the same obligations to which controller is subject.

Yes, there are some requirements in the Regulation. The Data Controller must inform Data Subject about any irregularities in the processing or storage of his data.

Note: The Data Controller must inform the holder about any irregularities in the processing or storage of his data, such as loss or destruction, as a result of a vulnerability in the security, for which it will have five working days from the moment in which the vulnerability happened.

In the case of security vulnerabilities, the Data Controller must inform the Data Subject and PRODHAB, at least the following:

• the nature of the incident;
• personal data compromised;
• corrective actions performed immediately; and
• means or places where they can get more information.

PRODHAB (http://prodhab.go.cr/) is the Costa Rican data protection authority.

Note:

Attributions of PRODHAB:

• ensure compliance with the regulations on data protection;
• keep a record of the databases regulated by the Data Protection Act.
• require, from those who manage databases, the information necessary for the exercise of their position, including the protocols used;
• access the databases regulated by the Data Protection Act, in order to effectively enforce the rules on protection of personal data;
• resolve claims for infringement of the rules on protection of personal data;
• order on its own initiative or at the request of a third party the deletion, rectification, addition or restriction of the circulation of information contained in files and databases, when they contravene the rules on the protection of personal data;
• impose the penalties established in the Data Protection Act and transfer to the Public Prosecutor's Office the cases that may constitute an offense;
• promote and contribute to the drafting of regulations tending to implement the rules on the protection of personal data;
• issue necessary guidelines, which must be published in the official newspaper La Gaceta; and
• promote among citizens the knowledge of rights concerning the collection, storage, transfer and use of their personal data.
   

There are administrative and criminal consequences set forth in the Data Privacy Act and the Criminal Code, respectively.

Note: Disclosure of information recorded in a personal database whose secrecy is required to be kept is a very serious offense under the Data Privacy Act. 

On the other hand, according to section 196 bis of the Criminal Code, there will be a penalty of prison from one to three years for those who for their own benefit or for a third party's benefit, with danger or harm to privacy and without the authorization of the holder of the data, take, modify, interfere, access, copy, transmit, publish, broadcast, collect, use, intercept, hold, sell, buy, divert to a different purpose for which they were collected or give unauthorized treatment to the images or data of a natural or legal person stored in computer or telematic systems or networks, in electronic, optical or magnetic containers.

On October 25, 2017, the Regulations to the Promotion of Competition and Effective Consumer Protection Law No. 7472’ were amended by Executive Decree No. 40703, which added a new chapter X entitled "Consumer Protection in the Context of Electronic Commerce".

According to Article 264 of this Regulation, prior consent is required to be able to send commercial information to consumers by electronic means. Any communication made with automatic communication systems without the prior consent of the recipient or when the origin of the communication is hidden or false and there is no alternative to put an end to such communications corresponds to unsolicited communication.

In addition, all personal information must be treated confidentially and in full adherence to the provisions of the Data Protection Law and the General Telecommunications Law. Communications for marketing purposes are regulated in article 44 and following the General Telecommunications Law, which indicates that in order for it to be possible to send un-requested marketing communications, the person must have given their express consent to receive them, or else, on the occasion of the purchase of a good or service, have given their email and, in addition, has been informed that the email will be used for future marketing communications of goods of the same category as those purchased.

Moreover, the communication must clearly identify the sender and include an address to which people can request to unsubscribe from further communications. Also calls not requested by subscribers for direct sales purposes, which are made through systems that are not automatic, may not be made, except those addressed to those who have expressed their desire to receive such calls.

There are local rules on data protection, telecommunications, criminal law, competition law and customer protection that may apply to electronic marketing.

Note: The following sections of the Data Protection Act may be useful:

• Section 5 ‘Principle of informed consent’;
• Section 9 ‘Categories of data’;
• Section 12 ‘Protocols of action’;
• Section 14 ‘Transfer of personal data’ and
• Section 21 ‘Registration of files and databases’.

Other rules:

Telecommunications:

Agreement No. 007-010-2010 of the Regulatory Authority of Public Services: ‘Regulations on the Protection Regime to the End User of Telecommunications Services’ (Reglamento sobre el Régimen de Protección al Usuario Final de los Servicios de Telecomunicaciones). Effective from March 2010. Useful section: 58 ‘Massive messages’.

Executive Decree No. 35205-MINAET: ‘Regulations on Protective Measures to the Privacy of Communications’ (Reglamento sobre Medidas de Protección de la Privacidad de las Comunicaciones). Effective from May 2009. Useful sections: 2 ‘Scope’, 6 ‘Privacy of communications’, 25 ‘Traffic and location data’, 30 ‘Location data other than data of traffic’, 31 ‘Unsolicited communications’, 32 ‘Characteristics of messages’.

Criminal Law:

Criminal Code. Useful sections: 196 bis ‘Violation of personal data’; 232 paragraph e) ‘Installing or propagating malicious software’.

Competition Law and Consumer Protection:

Executive Decree No. 35205: ‘Regulations to the Promotion of Competition and Effective Consumer Protection Law No. 7472’ (Reglamento a la Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor N° 7472). Effective from October 25, 2017. Useful articles: 261 ‘About advertising’; 262 ‘Advertising aimed at minors, vulnerable or disadvantaged consumers’; 263 ‘Protection of personal data’ and, in general, Chapter X ‘on consumer protection in the context of commerce’.

No. The latest was made on December 6, 2016, when the Government published some amendments to the Regulation. These amendments introduce new definitions of key concepts such as database, consent, Technology Intermediary or Service Provider, data transfer, and the right to be forgotten.

Note: The last amendments simplify the procedures for database registration and clarify that financial institutions subject to the control and regulation of SUGEF are not required to register their databases before PRODHAB.

The amendments have also introduced the concept of ‘economic interest group,’ which states that sending data within the said group does not constitute a transfer, nor does the transmission of data to Technology Intermediaries or Service Providers.