The Costa Rican Data Protection Agency (PRODHAB) announced that it will soon conduct inspections and other enforcement actions in connection with this matter.
As stated to the press, PRODHAB’s intention is to encourage companies to comply with their Data Protection obligations within the next few months. This includes, when required by Law, the registration of their databases.
PRODHAB announced that next year it will initiate enforcement actions against companies storing or using personal data that fail to comply with the “Law for the Protection of Individuals Against the Use of their Personal Data” (Law No. 8.968).
In summary, the following are the main obligations to be fulfilled by all companies owning or managing databases that contain personal information of individuals:
- Registration: All databases used for commercial purposes must be registered with PRODHAB. The foregoing includes all databases used for marketing and advertising mailing, as well as those containing general customer information (databases for internal use will be exempt from this registration requirement). Such registration will not entail any transfer of data to the authority, as this data will remain in the custody of the company. Certain operational and security protocols must be included in the registration application.
- Informed consent: When it comes to collecting personal information, the prior and express consent of the relevant data owner must be obtained. Such consent in turn must comply with specific requirements and also provide specific information before the disclosure of personal data, as well as clarify certain information in connection with the exercise of the Access, Rectification and Elimination Rights.
- Use of information: Database holders may only use disclosed information for the purpose for which it was originally requested, and in case such data is intended to be transferred or disclosed to a third party, holders must have the corresponding authorization for said purposes, the relevant registration of said data with PRODHAB, as well as the corresponding protocol.
- Privacy policies: All websites must adjust their privacy policies, which should at least contain an express reference to Law No. 8968, as well as all rights protecting data owners. If governed by the corresponding ISO standard, a cookies policy drafted in accordance with the law must also be included based on the collection of browsing data arising therefrom.
- Complaints handling procedures: Database managers must establish procedures to address queries, data rectification, handling of complaints, and the like. These procedures must comply with specific timeframes and requirements. They should also establish operation protocols and take all physical security and technological measures as required to protect databases and the entire system in which client data is being stored.
In the event of a violation of this Law, and according to Law No. 8968, PRODHAB may impose fines of up to 16.4 million colones (approx. US$ 30,000.00), in addition to eventually suspending the use of infringing databases.