Law No. 8968 Costa Rica

Overview

Costa Rica's Data Protection Law (Law No. 8968), enacted on July 5, 2011, aims to protect individuals' rights to informational self-determination and privacy. The law regulates how personal data is collected, stored, and processed, whether manually or automatically, by public and private entities. It establishes fundamental principles such as informed consent, data quality, and confidentiality while creating a legal framework for the secure handling of personal information. Additional regulations supporting this law include the Reglamento a la Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (Decree No. 37554-JP).

 

Regulation Summary

Timeline
  • July 5, 2011 – Law No. 8968 is enacted.
  • October 30, 2013 – Decree No. 37554-JP is published, implementing regulations.
  • 2021 – Updates to enforcement measures and PRODHAB’s role.
What Businesses Are Affected
  • All public and private entities handling personal data in Costa Rica.
  • Databases containing personal information, whether manually or automatically processed.
  • International organizations processing personal data of Costa Rican residents.
Exemptions
  • Personal or household databases not shared or commercialized.
  • Public access records maintained by governmental bodies.
  • Data processing for national security, law enforcement, and public interest purposes.
Responsibilities for Businesses
  • Obtain explicit and informed consent before processing personal data.
  • Ensure transparency by informing individuals about data usage and their rights.
  • Implement security measures to prevent unauthorized access or breaches.
  • Register databases with the PRODHAB.
  • Limit international data transfers unless safeguards are in place.
Specific Responsibilities for Website Owners
  • Display a clear privacy policy outlining data collection and usage.
  • Obtain consent for cookies and tracking technologies.
  • Enable users to exercise their data rights through an accessible online portal.
  • Ensure encryption and security for online forms collecting personal data.
Additional Requirements
  • International data transfers are restricted and require prior approval or adequate safeguards.
  • Sensitive data (e.g., biometric, health, financial) requires stricter handling and explicit consent.
  • Data breach notifications must be reported to PRODHAB within 5 days.
Data Subject Rights
  • Right to Access: Individuals can request a copy of their data.
  • Right to Rectification: Users can request corrections to inaccurate data.
  • Right to Erasure: Individuals may request data deletion in certain circumstances.
  • Right to Object: Users can restrict or object to certain data processing activities.
  • Right to Portability: Users can request the transfer of their data to another service provider.
Enforcement
  • Regulatory Authority: Agency for the Protection of Data of the Inhabitants (PRODHAB).
  • Penalties: Fines range from 5 to 30 base salaries (approximately USD 4,000 to USD 24,000) for non-compliance.
  • Sanctions: Suspension of databases and potential criminal liability for unauthorized data disclosure.