Territory: Costa Rica

Data Protection Regulations:

  • Law on the Protection of Individuals with regard to the processing of their personal data No. 8968.
  • Regulation to the Law on the Protection of the Person with regard to the Processing of Personal Data N° 37554-JP.

Links: http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?nValor1=1&nValor2=74352

Regulatory purpose: This law is of public order and aims to guarantee to any person, regardless of their nationality, residence or domicile, respect for their fundamental rights, specifically, their right to informational self-determination in relation to their private life or activity and other personality rights, as well as the defence of their freedom and equality with regard to the automated or manual processing of data corresponding to their person or property.


  • Data controller: Yes. The natural or legal person who administers, manages, or oversees the database, whether a public or private entity, competent under the law to decide what is the purpose of the database, which categories of personal data shall be recorded and what kind of processing shall be applied to them.
  • Data Processor: Yes. Any natural or legal person, public or private entity, or any other body that processes personal data on behalf of the controller of the database.
  • Data Protection Officer: No.
  • Supervisory Authority: if the Personal Data Protection Agency (PRODHAB)
  • Other: Technology intermediary or service provider: Natural or legal person, public or private, providing infrastructure, platform, software or other services.


  • Informational self-determination
  • Informed consent
  • Quality of information


  • Register of Processing Activities: Yes, databases must be registered with PRODHAB.
  • Impact Assessments: Yes, if provided for in action protocols and/or security measures.
  • Risk analysis: Yes.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: No.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: Yes.
  • Right to portability: Yes.
  • Right to object: Yes.
  • Automated individual decisions, including profiling: No.

International transfers:

Those responsible for databases, whether public or private, may only transfer data contained therein when the right holder has expressly and validly authorised such transfer and it is done without violating the principles and rights recognised by law.

There is no list of countries considered safe.

Sanctioning regime: Yes.

  • For minor offences, a fine of up to five basic salaries for the position of judicial assistant I, according to the Budget Law of the Republic.
  • For serious misconduct, a fine of five to twenty basic salaries for the position of judicial assistant I, according to the Budget Law of the Republic.
  • For very serious offences, a fine of fifteen to thirty basic salaries for the post of judicial assistant I, according to the Budget Law of the Republic, and suspension from the operation of the file for one to six months.

Certification or accreditation of compliance for companies: No.

Other highlights: There is currently a draft law in the legislative stream which, if passed, would repeal the current law and regulations.