Data protection

i Requirements for registration

Companies are allowed to maintain a data protection service for the control of the quality, goods, and other information regarding the work being done by their employees. In accordance with Article 43 of the Labour Code, a company must always maintain this system of protection while not infringing the dignity of the employee, using these systems with discretion and under objective criteria. The implementation of the system, according to the provisions of Article 44 of the Labour Code, must be notified to the Department of Labour within 30 days of the start of the implementation of such a system.

The creation of databases of personal data in the Dominican Republic is subject to compliance with the provisions contained in both the Constitution and the Data Protection Law, regarding the conditions for the collection of data and the rights of the data subjects on the information kept on said databases, as well as the handling of the data. However, Article 41 of the Data Protection Law No. 172-13 provides that 'individuals that create files, records or databases of personal data that are not intended for their exclusive personal use should comply with the requirements established by this law'. Hence, if the creation of the database is for the exclusive use of the employer, there is no need to comply with registration requirements established by the law.

Article 27(4) of Data Protection Law No. 172-13 includes as an exception to the requirement of consent of the data subject to access, process and transfer personal data, the information 'arising from a business, employment or contractual, scientific, or professional relationship with the individual, and necessary for the development or performance of the relationship'.

The Supreme Court of Justice acknowledged that employers are entitled to search and review all emails issued by members of their personnel, provided that the email is sent from a company-owned email account (institutional email account) and kept on a company-owned or controlled server. The Supreme Court of Justice established that the institutional email account is a tool provided by the employer to the employee for the performance of the employee's work and is, therefore, property of the employer, which entitles the employer to have access to all emails issued regardless of the addressee.

ii Cross-border data transfers

As previously established, if the use and handling of the data is exclusively for private purposes, the provisions of the Data Protection Law No. 172-13 do not apply. In any case, Article 28 of the Data Protection Law provides that the transfer of personal data contained in any file, record or database shall be expressly consented to by at least one of the data subjects whose information is contained therein. However, according to the provisions of Article 27.1 of this law, information from publicly available sources does not require the consent of the data subject for its processing and transferring to third parties.

iii Sensitive data

Maintaining databases of sensitive data is strictly prohibited. Sensitive data consists of, in general: political opinions; religious, philosophical or moral convictions; union work affiliation; and medical information.

iv Background checks

Background checks are not expressly prohibited under Dominican law if they refer or are limited to publicly available information. Consent of the employee is required to access information from credit bureaus.