Adjustments in data protection standards

If your company collects personal data from customers in order to send them promotional mailing or any other information; if your company sends other businesses any information about your employees to offer them goods or services; if your company requests personal information to begin a business relationship or to otherwise handle a personal information database, you should bear in mind that a significant amendment of the Regulations to the Law for the Protection of Individuals against the Use of their Personal Data (Personal Data Act) came into force last December.

This amendment adjusted our standards to the main international regulations and trends. It also enables the fulfillment of the obligations established on these matters, given that they are linked with the new technologies involved in the use of personal data.

Some of the main changes include the following:

  1. The “super-user” concept as established in article 45 of the Regulations was eliminated. Thus, it is no longer necessary to comply with this extremely controversial concept. Accordingly, the Costa Rican Data Protection Agency (Prodhab) has requested all companies that have already fulfilled this requirement to deactivate the access previously granted.
  2. The informed consent required at the time of data collection should no longer be given in writing as it was before. As a result of the amendment, such informed consent should be given “unequivocally” in “writing or digitally”, which allows for the flexibilization of the means to obtain such consent. The foregoing was established without prejudice to specific compulsory information that should be included in this consent, such as communicating the purpose for which the information is requested, the rights of the interested party, and if the data are to be transferred, among others.
  3. The new version of the Regulations to the Personal Data Act provides more accurate details on the concepts of “distribution” and “dissemination” of personal data, as well as the definition of “economic stakeholders” (a group of companies with a common controlling entity or economic dependence). Thus, besides those databases used for commercial research purposes, this new version of the Regulations sets forth that all databases to be disseminated or distributed must be registered with Prodhab.

These are the main changes made to the Regulations.

It should also be noted that this amendment includes changes in the period to account for the right to be forgotten, a clarification on the non-mandatory nature of the registration of databases used by institutions regulated by the General Superintendence of Financial Entities (Sugef), as well as an adjustment in the fee that should be paid by some companies.

In order to comply with the changes made to the Regulations, as well as the other provisions established by the Personal Data Act, companies must determine, among other things, the corresponding action protocols to ensure the proper use of said information.

Also, in case of companies willing to share data with other companies, whether within the national territory or abroad, they must previously obtain the consent from the corresponding data owner (and such consent must meet with the required formalities).

In addition, all appropriate security measures must be established in order to protect the data.

These measures will be established in accordance with the risks arising from the information to be protected.

In this connection, if the security system experiences some sort of breach, companies are required to inform the Prodhab regarding this situation.

Based on the foregoing, it is important that the use of databases is adjusted to the requirements set forth in the Personal Data Act.  In case of any infringement, penalties might be up to approximately fifteen million colones and may even include the suspension of the use of the specific database.


By: León Weinstok, BLP Attorney.

León Weinstok has ample experience in data protection and privacy. He also advises in anti-piracy cases, and in intellectual property rights, especially in brands and copyrights. His work includes the review of advertising materials, drafting of promotion’s terms and conditions, handling of image rights issues and unfair competition.

Article published by El Financiero January 28th, 2017.