Law No. 172-13 Dominican Republic

Overview

The Dominican Republic’s Law No. 172-13 establishes comprehensive data protection regulations aimed at safeguarding personal data stored in public and private databases. Enacted on December 13, 2013, it seeks to ensure the privacy, accuracy, and confidentiality of personal information while promoting lawful data processing activities. This law complements other national regulations, such as the High Technology Crimes Law (Law No. 53-07), which addresses cybercrimes related to personal data breaches.

Regulation Summary

Timeline
  • December 15, 2013: Law No. 172-13 is enacted.
  • January 2014: Law takes effect.
  • Six-month compliance window: Organizations had until mid-2014 to comply.
What Businesses Are Affected
  • All organizations processing personal data in the Dominican Republic, including public and private entities.
  • Foreign companies processing data of Dominican residents or utilizing local data processing infrastructure.
  • Entities handling personal data for financial, health, or credit reporting purposes.
Exemptions
  • Personal data processing for exclusively personal or household purposes.
  • Data used by law enforcement or intelligence agencies for crime prevention.
  • Data related to deceased persons unless requested by authorized family members.
  • Processing of basic professional contact data within companies.
Responsibilities for Businesses
  • Lawful Processing: Data collection must have a legal basis such as consent, contractual necessity, or legal obligation.
  • Purpose Limitation: Data must only be used for the purpose it was collected.
  • Data Security: Companies must implement technical and organizational measures to prevent data breaches.
  • Accountability: Data controllers must maintain compliance records and appoint responsible officers where required.
Specific Responsibilities for Website Owners
  • Cookie Consent: Websites must obtain consent before storing non-essential cookies.
  • Privacy Notice: A clear and accessible privacy policy must be provided.
  • User Rights Portal: Websites should offer an interface for users to exercise their data rights.
  • Secure Data Transmission: Websites must encrypt personal data collected via forms.
Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the receiving country provides an adequate level of protection or specific safeguards are implemented.
  • Data Protection Officer (DPO): Required for entities involved in large-scale or sensitive data processing.
  • Impact Assessments: Mandatory for high-risk processing activities, including profiling and credit reporting.
Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Rectification: Right to correct inaccurate or incomplete data.
  • Erasure: Right to request deletion of personal data under certain conditions.
  • Portability: Right to obtain and transfer data in a structured format.
  • Objection: Right to refuse data processing for direct marketing or other purposes.
  • Restriction: Right to limit processing under certain circumstances.
Enforcement
  • Regulatory Body: There is currently no designated supervisory authority overseeing enforcement of this law.
  • Fines: Violations can result in penalties ranging from ten to one hundred times the national minimum wage, a range of approximately $3,385 to $33,856 USD.
  • Legal Actions: Individuals can file legal claims for damages caused by non-compliance.