
Global Data Privacy Guide

Dominican Republic

(Latin America/Caribbean) Firm Pellerano & Herrera

Contributors Isabel Andrickson

Updated 20 Jun 2022
What is the key legislation?

The key legislation is (i) Article 44 of the Dominican Constitution, which includes, as part of individuals’ fundamental right to intimacy and personal honor, access to their personal data registered in private or public records and to its destination and use, as well as the principles ruling the treatment of personal data; and (ii) Law No. 172-13 on Protection of Data Privacy as of December 15, 2013, which governs the collection, storage, security, retention, use and disclosure of personal data, as well as credit bureaus.

What data is protected?

Law 172-13 defines “personal data” as any information that may be recorded in a numeric, alphabetic, graphic, photographic, or acoustic manner, or in any other form whatsoever, concerning identified or identifiable individuals. For purposes of said law, an individual is considered “identifiable” whenever his/her identity can be determined, directly or indirectly, through any information relating to his/her physical, physiologic, mental, economic, cultural or social identity.

The law also specifically regulates (i) sensitive personal data and (ii) health personal data, while minors’ personal data is subject to the provisions of Law 136-03 on the Protection of Fundamental Rights of Minors.

Data Privacy Protection does not apply to (i) personal data kept by individuals exclusively in the exercise of household or personal activities; (ii) personal data records kept by the official intelligence and investigation bodies in charge of prevention, pursuit and punishment of crimes and offenses; (iii) personal data referring to deceased individuals; or (iv) treatment of data referring to juridical persons or the records related to personal data of individuals rendering services to the corporate entity, which only consist of full name, position, electronic or physical address, phone and fax numbers.

Who is subject to privacy obligations?

Pursuant to Law 172-13, the party in charge of the records of personal data and those who intervene in any phase of the treatment of said personal data are subject to privacy obligations on personal data. In the case of credit bureau services providers, the privacy obligations extend to their directors and employees, as well as to consumers, subscribers and users of their credit bureau services, who must keep confidential the information contained in the credit reports.

In the case of health personal data, health services providers, whether individuals or corporate entities, public or private, have a confidentiality obligation regarding information pertaining to the mental or physical condition of patients, except for racial origin, health and sexual life whenever the treatment of such data is deemed necessary for prevention purposes, medical diagnosis, rendering of health services, medical treatment or the management of health services, provided that said treatment is handled by a health practitioner subject to professional confidentiality or by any other individual under a similar secrecy obligation. Health services providers can collect and treat their patients’ health data on condition that they respect professional secrecy and the confidentiality of patients’ records.

In a broader scope, based upon the abovementioned provisions of the Dominican Constitution, any governmental authority or private individuals that may violate the right to the intimacy of individuals are mandated to indemnify the victim as established by law.

What are the principles applicable to personal data processing?

The treatment and transfer of personal data is considered illicit when the data subject has not provided free, express and informed consent, in writing or through any other equivalent means, after the information obligation to the data subject has been complied with regarding (i) the use or destination of the personal data and who shall be the addressee, and the existence of the records, registration or database, or of any other type; (ii) the identity and domicile of the responsible party; and (iii) the data subject’s possibility to access, rectify and delete said personal data.

Treatment of data is defined by Law 172-13 as “the systematic operations and procedures, may them be electronic or not, used to collect, record, organize, store, amend, list, assess, block, destroy, and, in general, the processing of personal data as well as its transfer to third parties through communications, consultations, interconnection or transfer”. 

They may be released from such obligation by judicial resolution or in those cases when public safety, national defense or public health may be involved.

How is the processing of personal data regulated?

The Dominican Constitution provides that the treatment of personal data must be performed respecting the principles of quality, legality, loyalty, safety and purpose, which are also established by Law 172-13.

In consequence, the use of personal data must abide by the following fundamental principles: 

  • The legality of the personal data records; 
  • Quality of the data which means that they must be (i) true, correct and appropriate to the scope and purpose for which they have been collected; (ii) accurate and updated whenever necessary; (iii) suppressed and substituted or completed when they are totally or partially inaccurate; and (iv) stored in a manner that the right to access of the individual can be exercised.
  • Right to information: Prior to granting consent, individuals must be informed in an express and clear manner of (i) the purpose for which their personal data shall be used and who shall be the addressee in case of transfer; (ii) the existence of the record, database or any other type of registration of the personal data and the identity and domicile of the responsible party; and (iii) the possibility of accessing, rectifying or suppressing their personal data.
  • Security of the information.
  • Secrecy duty: professional secrecy duty which extends beyond the existence of the relationship with the data subject except for the release by a judicial decision based upon reasons of public security, national defense or public health. 
  • Prior written voluntary and informed consent of the individual whose personal data may be subject to treatment or transfer.
  • Loyalty duty under which it is forbidden to collect personal data by fraudulent, illegal or unfair means.
  • Purpose of the personal data means that the personal data can only be collected when it is suitable, relevant and not excessive vis-à-vis the scope and the determined, explicit and legitimate purpose for which it has been obtained.

The disclosure requires the consent of the data subject as it is part of the treatment of the personal data, referred to in our response to "How is the collection of personal data regulated?".

How are storage, security and retention of personal data regulated?

Personal data must be stored in a manner such that the data subject is not impeded from exercising the right to access his/her own personal data.

The party responsible for recording the personal data and the party in charge of the treatment must adopt and implement the measures of a technical, organizational and security nature required to safeguard the personal data and prevent its alteration, loss, or unauthorized treatment or access. Consequently, it is forbidden to register personal data in records or databases not meeting the technical conditions of integrity and security.

Those responsible for the treatment of the personal data must (i) guarantee to the data subject the full and satisfactory exercise of the habeas data right; (ii) keep the information under the necessary security conditions to avoid its destruction, loss, or unauthorized use or access; (iii) register immediately the update, rectification or deletion of the personal data; (iv) process the consultations and claims of the data subject; (v) adopt an internal manual of policies and procedures to guarantee the appropriate legal compliance; and (vi) grant access only to individuals legally entitled to it.

What are the data subjects' rights?

The data subject is entitled to access their own personal data, as well as to rectify, update or delete such personal data whenever it is included in a database.

The rights of access, rectification, cancellation and opposition are independent. It cannot be considered that the exercise of any of them is a prerequisite to exercising another.

Regardless of the abovementioned rights, data subjects are legally entitled to a judicial action of habeas data in order to learn of personal data stored in public or private records, registries or databases, derived from a commercial, employment or contractual relationship, or simply to learn of personal data assumed to be recorded in public or private records, registries or databases, and, in cases of inaccuracy or lack of update of the personal data, or where its treatment is legally forbidden, to request its rectification, deletion or update.

Are there restrictions on cross-border data transfers?

For purposes of Law 172-13, an international transfer of personal data is defined as the treatment of personal data which involves a transfer outside of the Dominican Republic, regardless of the means, whether it consists of a transfer or communication of personal data or pursues the treatment of said personal data by the party responsible for the registry located in the Dominican Republic.

Any type of cross-border transfer of personal data with countries, international or supranational organizations which require the consent of the data subject can only be done in certain cases, as follows: (i) upon obtaining such free, voluntary, express, written and informed consent; (ii) when it refers to health personal data, whenever the medical treatment so requires or for epidemiologic research or public health or hygiene; (iii) for bank or stock market exchange concerning transactions and pursuant to the applicable legislation; (iv) when the transfer of personal data has been agreed or included in international treaties or agreements or in free trade agreements to which the Dominican Republic is a party; (v) for international cooperation between intelligence organizations for the fight against organized crime, terrorism, drug trafficking, human trafficking or any other crime; (vi) when it is required to perform an agreement between the data subject and the party responsible for the treatment or for the execution of pre-contractual measures; (vii) when the legally requested transfer pursues the safeguard of the public interest or the acknowledgment, exercise or defense of a right in a judicial process, or is requested by a tax or customs authority to comply with their obligations; (viii) for international judicial aid; and (ix) by request of an international organization with legitimate interest from a public registry.

Are there any notification requirements for data breaches?

No, there are no notification requirements for data breaches. 

Who is the privacy regulator?

There is no specific privacy regulator, but for credit bureau operations, the regulator is the Superintendent of Banks.

What are the consequences of a privacy breach?

In addition to the indemnification for damages caused that the data subject can claim, the law establishes fines and imprisonment for the responsible parties.

How is electronic marketing regulated?

Law 310-14 forbids the delivery of unsolicited commercial, advertising or promotional electronic mails except when there has been a commercial relationship between the sender and recipient and the latter has not given notice of a request not to receive the commercial electronic communications, or when consent has been granted. Consent of the recipient must be free, unambiguous and informed.

The law defines unsolicited commercial communications as the delivery to a massive group of individuals of any text message without the request of the recipient with the object of promoting, directly or indirectly, the image of the goods or services of an enterprise, an organization or an individual that performs any commercial, professional, industrial or craft activities; such communication must indicate in its subject “advertising purposes”; and, when it is intended only for adults it must expressly indicate as such in the subject matter.

Electronic commercial communications must comply with the identification of the sender and the relationship between the sender and the electronic mail address, as well as the mechanisms by which the recipient can notify the sender of the request not to receive any communications.

Commercial electronic communication shall be considered illegal when (i) no consent has been granted; (ii) it contains false or deceitful information in the subject matter; (iii) it does not allow the recipients, the services providers or the governmental authorities to identify, locate, answer, or investigate the sender; or (iv) delivery of the message continues after five days have elapsed from the recipient’s request to be excluded from the delivery of messages.

Are there any recent developments or expected reforms?

No, there are no recent developments; however, reforms to the Data Privacy Law and the Cybersecurity Law are expected.
