Territory: El Salvador

Data Protection Regulations: Data protection law

Link: https://www.asamblea.gob.sv/sites/default/files/documents/correspondencia/2A326CE8-F13A-4828-8640-648235C228BF.pdf

Regulatory purpose: The purpose of the law is the comprehensive protection of the personal data of natural persons insofar as it is relevant, regardless of the form in which they are stored and safeguarded, whether in the possession of private individuals or legal persons or public and private entities, or any other type of entity without legal personality, with the aim of regulating their legitimate and informed processing, in order to guarantee the privacy and the right to informational self-determination of natural persons.

Parties:

  • Data controller: Natural or legal person, public or private, who owns the database or decides on the purpose and means of the processing.
  • Data Processor: Natural or legal person, whether public or private, who alone or jointly with others processes personal data on behalf of the controller.
  • Data Protection Officer: No.
  • Supervisory Authority: Consumer Ombudsman.

Principles: 

  • Principle of Legality.
  • Principle of Quality.
  • Principle of Purpose.
  • Principle of Lawfulness or Prior Informed Consent.
  • Principle of data security.
  • Principle or duty of confidentiality.
  • Principle of Transparency.
  • Prohibition Principle.
  • Proactive accountability principle.
  • Privacy Principle.

Obligations:

  • Register of Processing Activities: Yes, the Ombudsman's Office will keep a Register, which will include a) the names of those responsible for the databases, the physical address of the person responsible for the database and of those responsible for processing requests, as well as the electronic means of receiving notifications; b) the types of information in the public or private databases, the form of capture and its safekeeping; c) the modifications to the databases; d) the final decisions issued by the Ombudsman's Office.
  • Impact Assessments: No.
  • Risk analysis: No.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: No.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: No.
  • Right to portability: No.
  • Right to object: No.
  • Automated individual decisions, including profiling: Yes.

International transfers:

The transfer of personal data of any kind is permitted and does not require consent in two cases: when it is made to countries or international organisations that provide adequate levels of protection in accordance with the standards of this Law or international law on the matter; or when it is made to entities or technological intermediaries and the data controller ensures, through contracts, codes of conduct or applicable international standards, that the necessary measures are adopted so that the data are protected in a manner consistent with this Law.

Sanctioning regime:

There are three types of misdemeanours:

  • Minor: a fine of one to five times the minimum wage of the commerce and services sector.
  • Serious: a fine of six to twenty times the minimum wage of the commerce and services sector.
  • Very serious: a fine of twenty-one to fifty times the minimum wage of the commerce and services sector.

Certification or accreditation of compliance for companies: No.

Other related legislation: Constitution, Special Law against Computer and Related Crimes.