On March 5, 2013, Costa Rica published the Reglamento a la Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales (Regulations of the Law of Protection of the Person in the Processing of His Personal Data) (the “Regulations”). The wide-ranging Regulations, which took effect immediately, expand and clarify many aspects of the underlying law and include the requirements described below.
- Data controllers have five business days to notify data subjects of “any irregularity in the processing or storage of their data,” such as loss, destruction or theft. During this same period, the data controller must “commence” an “exhaustive process of review” to determine the scope of the problem and appropriate remedial and preventive measures (though the Regulations do not appear to allow the notification to be delayed pending the outcome of that review). The data controller also must notify the Costa Rican data protection authority (“Prodhab”) of the breach, though the Regulations do not explicitly provide a deadline for such notification.
- Data controllers must register their databases with Prodhab. As part of the registration process, they must provide Prodhab with a “superuser” account for the database, even if the database is maintained by a service provider. The superuser account must allow Prodhab unrestricted access to the database in the event of a complaint, or if Prodhab has evidence of wrongful data processing activities.
- Under a provision labeled “right to be forgotten,” personal data that could affect the data subject may not be retained for longer than 10 years after the facts to which they pertain occurred, except as specified by law or an agreement between the parties. If it is necessary to retain the data beyond this period, the data must be rendered anonymous. Unlike the right to be forgotten that is the focus of extensive debate in the European Union, the Costa Rican right to be forgotten is not a right that a data subject may invoke, but rather a legally imposed default deadline for anonymization.
- Express written consent is required for most processing of personal data, with the main exception being processing required by law.
- Data processors (service providers) have direct obligations under the Regulations, including confidentiality and security obligations.
The Regulations contain a limited exception for databases maintained for purely internal purposes not linked to the “commercialization” or disclosure of personal data. The Regulations are available at pages 75-97 of the March 5, 2013 Gazette.