Territory: Nicaragua

Data Protection Regulations: Law on the Protection of Personal Data (Law No. 787)

Link: http://legislacion.asamblea.gob.ni/normaweb.nsf/9e314815a08d4a6206257265005d21f9/

Regulatory purpose: The protection of natural or legal persons with regard to the processing, automated or otherwise, of their personal data in public and private data files.

The right to privacy, in order to guarantee the right to personal and family privacy and the right to informational self-determination.


  • Data controller: Yes. The controller is any natural or legal person, public or private, who decides on the purpose and content of the processing of personal data.
  • Data Processor: No.
  • Data Protection Officer: No.
  • Supervisory Authority: No.


  • Information: data subjects should be informed when their data is collected;
  • Purpose: data should only be used for the stated purpose and not for other purposes;
  • Consent: data should not be disclosed without the data subject's consent;
  • Security: collected data should be kept safe from potential abuse;
  • Disclosure: data subjects should be informed about who collects their data;
  • Accountability: data subjects should have a method available to hold data collectors accountable for following the above principles.


  • Register of Processing Activities: Yes. Every data controller must register in the Register of Data Files set up for this purpose by the Directorate for the Protection of Personal Data and wait for a decision on its registration within thirty days.
  • Impact Assessments: No.
  • Risk analysis: No.
  • Technical and organisational security measures: Yes.
  • Duty to inform: Yes.
  • Data Protection Officer: No.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: Yes.
  • Right to portability: Yes.
  • Right to object: Yes.
  • Automated individual decisions, including profiling: No.

International transfers:

There are currently no mechanisms of adequacy or list of countries considered safe. In general terms, the Data Protection Act prohibits the assignment and transfer of personal data of any kind to countries or international organisations that do not provide adequate levels of security and protection.

The prohibition shall not apply in cases of international judicial collaboration, exchange of personal data in health matters, when necessary for epidemiological research, banking or stock exchange transfers, when the transfer has been agreed within the framework of international treaties ratified by the State of Nicaragua, and when the transfer is for the purpose of international cooperation between intelligence agencies in cases of crime.

Sanctioning regime:

Without prejudice to the administrative responsibilities of the controllers or users of public data files; of the liability for damages derived from the non-observance of this Law, and of the criminal sanctions, the Directorate for the Protection of Personal Data is responsible for applying the administrative sanctions of:

  • Warning;
  • Suspension of operations related to the processing of personal data; and
  • Temporary or definitive closure or cancellation of personal data files. The amount of the sanctions must be determined in civil proceedings and will be determined by the competent judge, taking into account the particularities of each specific case.

Certification or accreditation of compliance for companies: No.

Other highlights: To date, the necessary steps for the creation of the Directorate for the Protection of Personal Data (DIPRODAP) have not been taken, so that despite the existence of the law in Nicaragua there are no mechanisms for its implementation and effectiveness.

Other related legislation:

Executive Decree No. 36-2012 - Regulation of Law No. 787 Personal Data Protection Law