Law No. 787 on Personal Data Protection Nicaragua

Overview

The Personal Data Protection Law No. 787, enacted on 29 March 2012, regulates the collection, processing, storage, and security of personal data in Nicaragua. It aims to protect individuals' rights, ensure lawful data processing, and establish enforcement mechanisms. 

 

Regulation Summary

Timeline
What Businesses Are Affected
  • Any public, private, or cooperative entity processing personal data in Nicaragua.
  • International companies handling data of Nicaraguan residents.
  • Organizations maintaining computerized or physical personal data records.
  • Businesses involved in data collection, processing, or storage for commercial, financial, health, or research purposes.
Exemptions
  • Personal use of data for private activities.
  • Government security and defense agencies handling data for national security.
  • Journalistic and academic research using anonymized data.
Responsibilities for Businesses
  • Obtain explicit consent before collecting or processing personal data.
  • Ensure accuracy and security of stored data.
  • Limit data processing to lawful, necessary purposes.
  • Implement security measures to prevent unauthorized access.
  • Maintain processing records for accountability.
  • Provide individuals access to their personal data upon request.
Specific Responsibilities for Website Owners
  • Cookie Consent: Obtain explicit user consent for non-essential cookies.
  • Privacy Policy: Publish a detailed notice covering:
    • Types of data collected
    • Processing purposes and retention policies
    • Third-party sharing practices
    • User rights and how to exercise them
  • Data Security: Encrypt transmitted user data (e.g., contact forms, payments).
  • Right to Deletion: Provide an option for users to request deletion of their data.
Additional Requirements
  • Cross-Border Data Transfers: Allowed only if the recipient country provides adequate protections.
  • Data Breach Notification: Businesses must report breaches to the Directorate of Personal Data Protection (DIPRODAP) and affected individuals.
  • Mandatory Compliance Measures: Companies must establish internal policies ensuring compliance.
  • Sensitive Data Handling: Additional security requirements apply for financial, health, and biometric data.
Data Subject Rights
  • Access: Individuals can request a copy of their personal data.
  • Correction: Users can request data rectification if inaccurate.
  • Deletion: Individuals may request deletion in certain cases.
  • Objection: Users can refuse data processing under specific grounds.
  • Portability: Data subjects may request their data in a portable format.
Enforcement
  • Regulatory Authority:
    • Directorate of Personal Data Protection (DIPRODAP) oversees compliance.
  • Penalties:
    • Unauthorized processing or data misuse – Fine up to NIO 500,000 (≈ USD 13,700).
    • Failure to notify a data breach – Fine up to NIO 200,000 (≈ USD 5,480).
    • Obstruction of government audits – Fine up to NIO 300,000 (≈ USD 8,220).
    • Severe violations – Fine up to NIO 1,000,000 (≈ USD 27,400).