We are at a time where big data, machine learning, and artificial intelligence have positioned the information that can be obtained from consumers and customers as one of the most valuable assets a company can have. The adequate and strategic use given to these data can mean a competitive advantage for a company over the other market participants. Nowadays commercial activities are increasingly carried out through the interaction of customers with digital platforms and information systems, which allows customers to have a direct and immediate interaction with the products and services offered by a company.
This interaction with the platform implies the registration of personal data belonging to customers, allowing companies access to: (and eventually, store) names, ID information, contact information, and customer address, amongst others.
Additionally, more developed systems are capable of storing and processing personal data related to consumption habits, location, medical information, biometric information, voice recordings, political inclinations, or commercial preferences, amid others. This personal information usually is used by companies with the purpose of knowing the client better, improving their service, and responding more immediately to the market's needs and demands.
New technologies have been implemented and developed by companies, allowing them to massively process the information received from their customers, thereby improving the products and services they offer. Parallelly, there has also been an increased concern from individuals and governmental authorities, resulting on initiatives to regulate the proper use of personal data, as well as to protect people against improper use of this data that could be considered as harmful or unlawful. Information leaks, theft of data or identity, as well as numerous scandals that have uncovered mass commercialization systems of irregularly obtained personal information, have remarked the need to adapt and strengthen the regulations aimed for protecting personal data.
Given this situation, it is necessary to align the company's personal information management and privacy policies with the regulation that protects the privacy of personal data. In this sense, the term Data Privacy becomes relevant. This term encompasses: the definition of personal data; the treatment that should be given to such information; the regulations regarding the collection, storage, processing, commercialization, transfer and subsequent destruction of personal data; and the relationships that exist between the owner of the data, the person who makes use of it, and the regulatory authorities.
The proper use of the information collected from consumers benefits companies, customers and the market in general, allowing the production of goods and services that are more in line with the needs of the market. The use of personal information of consumers is not a new practice, thus, it is thanks to the technological development that it is possible to obtain and process such data in a massive way, therefore becoming one of the main and most valuable assets a company may have. However, the use of personal data requires the application of rules that safeguard stored personal information, with the purpose of respecting the privacy of people and not incurring in violations of their human rights.
Given the importance of personal data and with the purpose of treating them adequately, the worldwide trend - since the end of the last century has been to enact regulations that protect the privacy of personal data and set the parameters that must be complied by the companies or individuals who are responsible for the collection, processing, use, transfer and commercialization of that information. An example of this trend, is the General Data Protection Regulation (GDPR) of the European Union, in force since May 2018, which implemented a common protection framework for all member countries of the European community, replacing the Directive on the Protection of Personal Data of the European Community number 95/46/EC regarding the protection of personal data. The GDPR is intended to protect people's right to privacy and create a single and uniform regulatory framework with the purpose of simplifying the application and protection of this right.
Guatemala has not promulgated any regulations in this matter, being one of the few countries in Latin America that has not enacted any law on Data Privacy. However, this situation does not imply that the companies that carry out commercial activities in Guatemala and obtain personal data from their clients, are not subject to any type of regulation, action guidelines or penalty resulting from inadequate and unlawful use of said personal information.
In the absence of specific legislation promulgated by the Congress of the Republic and a government authority responsible for the exclusive protection of this right, the Constitutional Court (in few cases and followed by amparo actions promoted by the Human Rights Ombudsman) has issued judgments that, although binding only to the parties to the respective cases, have outlined criteria and principles intended to achieve the protection of the right to privacy of personal data.
The Human Rights Ombudsman (Procurador de los Derechos Humanos) has taken an active role in the protection of data privacy and has been responsible for receiving complaints related to the violation of said right, and from the investigations carried out on the occasion of these complaints, he has declared the violation of human rights, requesting to the Constitutional Court, through the filing of amparo actions, the restoration of the violated rights. From the amparo actions promoted by the Ombudsman or individuals, the Constitutional Court has established in its rulings the main guidelines that should be observed by those who commercialize or process personal information, for them to not incur in the commission of crimes and the violation of human rights. It is necessary to highlight that, despite the limited scope of the amparo, which is binding only for the parties to the case, these precedents are of great importance because of the authority the Constitutional Court has regarding the interpretation of constitutional and human rights.
 The Human Rights Ombudsman is a commissioner of the Congress of the Republic for the defense of Human Rights. His functions include investigating and condemning behaviors contrary to human rights, as well as promoting judicial or administrative actions with the purpose of protecting and ensuring Human Rights. The effect of its resolutions on the violation of Human Rights consists in an act of public censorship, and the subsequent prosecution by the District Attorney (Ministerio Pblico), in he event of a criminal act.
In this regard, the Constitutional Court has established a series of parameters to regulate the proper use of personal information so that those who collect, process, use, transfer and commercialize are able to respect the human rights from the owners of the personal information. The adoption of these guidelines is of vital importance to protect the privacy of customer information, and the Constitutional Court has indicated that any activity that does not comply with these guidelines can be considered as a violation of human rights.
Additionally, it is possible to find in the Guatemalan legislation a series of rules, which, although scattered, create certain obligations that must be observed by companies that are in some manner treating with personal data. As an example and although it is not its main objective, the Law on Access to Public Information establishes the concept of personal data, sensitive personal data, confidential information or reserved information; as well as contemplates crimes that can be incurred by the commercialization without authorization of personal data or the disclosure of sensitive personal data. In addition, it is possible to find specific regulation for certain economic sectors, such as financial, telecommunications, medical, or legal; that impose obligations on the subjects that intervene in these market areas and contemplates specific situations for the processing of personal data, the requirements for their processing or commercialization, and also certain obligations in case of data breaches or irregular use of data.
Given this particular situation presented by the regulatory sector of Guatemala regarding Data Privacy, it is recommended for all those companies that in some way collect, process, use, transfer and commercialize personal data, to implement data privacy policies that, as much less, adopt the parameters established by the Constitutional Court, as well as the foreign regulation that may be applicable to the company regarding Data Privacy, such as, for example, the GDPR.
 Despite the GDPR is a European Union regulation, its provisions regarding Data Privacy are applicable to people or companies that offer products or services directly and deliberately to people located within the European Union, or who monitor or control behavior from people located in said territory.
Francisco Zuluaga Paralegal [email protected]