Data Privacy in El Salvador

By, Nadya León, Brand Protection associate

nadya@romeropineda.com

Romero Pineda & Asociados joins the celebration of Data Privacy Day, which is observed internationally today, to promote the importance of information privacy for both businesses and individuals. We are sharing information about the new Personal Data Protection Law approved by the Government of El Salvador, a regulation that protects the information of the population circulating in technologies and cyberspace, as well as personal data provided in public and private establishments and state institutions.

The Law was published in the Official Gazette Number 219 of Book 445 on November 15, 2024, with a total of 64 articles, and came into force eight days after its publication. However, obligated entities have a period of six months from the law's effective date to establish mechanisms for data subjects to exercise their rights under the personal data protection framework.

The overseeing entity is the State Cybersecurity Agency “ACE,” which must issue policies, measures, guidelines, and necessary provisions for the implementation of the law no later than 3 months from its effective date. Meanwhile, obligated entities will have 3 months from the issuance of these provisions to adapt and implement the regulations regarding personal data privacy.

According to Article 2, the Law applies to all natural or legal persons, whether public or private, that carry out activities related or connected to the processing of personal data, either manually, partially or fully automated, or through third parties.

Entities obligated by this law must designate a personal data privacy officer who will be responsible for managing and processing requests for the exercise of ARCO-POL rights.

Additionally, the Law defines the following roles:

Data Processor: A natural or legal person, public or private, who, alone or jointly with others, processes personal data on behalf of the data controller.

Data Controller (Controller): A natural or legal person, public or private, who administers the database and/or repository or decides on the purpose and means of processing the personal data they manage or possess.

WHAT RIGHTS ARE RECOGNIZED TO US AS PERSONAL DATA SUBJECTS?

According to Article 4, item f), personal data is personal information any information in text, image, or audio that allows the identification of a person, such as their address, nationality, family status, and contact details, including phone number, email address, or any other data that provides numerical, alphabetical, photographic, acoustic, or any other type of information. sensitive personal data refers to data about a person’s physical or moral characteristics or facts or circumstances from their private or intimate life, which affect the most intimate sphere of the data subject and whose improper use could lead to discrimination, severely affecting the right to honor, personal and family privacy, personal image, religious beliefs, ethnic origin, political affiliation or ideologies, union membership, sexual preferences, physical and mental health, biometric information, genetics, moral and family status, personal habits, and other similar private information.

Any person, either personally or through their authorized representative, has the right to know whether their personal data is being processed in order to ensure its protection, and when appropriate, they may request rectification, cancellation, or blocking of such data, oppose its processing, or request that its future processing be limited to uses other than those consented to by the data subject. The data subject has the right to know who will safeguard their data.

The ARCO-POL rights will be guaranteed: ARCO-POL:

1. A: Right of Access topersonal data
2. R: Right of Rectification
3. R: Right of CRight of Cancellation or Deletion
4. R: Right of Oposition

PORight to Portability

LRight of LLimitation

The Law also establishes rules for data transfers, the powers of the overseeing entity, as well as a sanctioning regime.

With this regulation, El Salvador aligns with international standards, which will encourage foreign investment and provide citizens with access to their personal data to request corrections, deletions, as well as modifications and updates.

Privacy is not just a right, it is a responsibility that we all must protect. This Law is an important step to safeguard data in a rapidly changing digital world.

If you have any questions, contact us.