Since the entry into force of the “Law on the Protection of the Person against the Treatment of Personal Data (Data Law),” the importance given to this topic in Costa Rica has been increasing. As a result, the risk that companies assume when handling personal information has also grown.
In 2018 alone, the Data Protection Agency (PRODHAB) received more than 70 complaints of alleged breaches in this area. As a result, it imposed 8 sanctions with an average fine of more than $10,000 each and initiated more than 350 ex officio requests for information, in which it asked companies to deliver the documentation that supports their compliance with the provisions of the Data Law. The most common breaches detected have been collecting information without the consent of the interested parties, lacking proper procedures for handling the information, and transferring data to other companies without proper authorization. Ex officio actions carried out by PRODHAB can also result in sanctions for companies that do not comply with the information request.
Given the increasing importance of data privacy issues, each person in charge of a personal database should ask: what must I do to comply with the Data Law? Although the obligations included in this Law and its regulations are many and diverse, the following could be considered the most important:
a. When requesting information, informed consent must be obtained from the persons who provide personal data. This consent must be free, express, and unequivocal. Likewise, it must contain the minimum information that the Data Law requires. This minimum content includes whether providing the data is mandatory or optional, the identity of the company that collects the information, the uses that will be given to the data, and how to exercise the rights granted by the Data Law.
b. The data that is handled must be current, truthful, and adapted to the purpose for which it was requested. At all times, people must be allowed to know what information they have given, to rectify any information they wish to modify, and to revoke the consent they previously gave. All these rights can be exercised through the contact details that the company collecting the information must indicate.
c. The information must be stored securely. Security includes both the physical measures of the place where the information is stored and computer protection when the information is stored digitally. The required level of security is defined according to the type of information handled and the risk that its disclosure could entail. In this sense, sensitive data (for example, data related to health, life and sexual orientation) must be stored with greater caution than unrestricted-access personal data (defined as “the data contained in generally accessible public databases”).
d. Minimum action protocols must be established to ensure the proper handling of personal data. These protocols dictate how all company employees must handle personal data.
e. If the database is used for distribution, dissemination, and/or marketing purposes, it must be registered with PRODHAB. A database that does not meet these conditions should not be registered; however, this does not exempt the company from fulfilling the other obligations established in the Data Law.
By following the foregoing guidelines, a company that manages a personal database will comply with the main requirements of the Data Law. Consequently, the risk of receiving a sanction from PRODHAB is reduced; such sanctions, in addition to economic penalties like those indicated above, could even include suspension of the database.