Law for the Protection of Personal Data and the Law of Cybersecurity and Information

We inform you that the Salvadoran Congress, in its plenary session of November 12, 2024, approved the Law for the Protection of Personal Data and the Law on Cybersecurity and Information.
The purpose of the Law for the Protection of Personal Data is to establish the regulation for the protection of personal data, determining the essential requirements for the processing of such data, for which some parameters are established.

General Regulations
– The regulation for the protection of personal data is established, which will be applicable to any natural or legal person of a public or private nature that carries out activities related to the processing of personal data, whether manually, partially or totally automated or through third parties. 
– Personal data is information that allows the identification of a person, such as address, nationality, family status, telephone number, e-mail or any other data that allows the identification or location of a person.
– The exercise of ARCO-POL rights is regulated. These rights consist of Access, Rectification, Cancellation, Opposition, Portability, Forgetfulness and Limitation, and through them the owner of the personal data may exercise control over the processing of such data.
– The obliged subjects must appoint a Data Protection Delegate who will be in charge of managing the requests for the exercise of the ARCO-POL rights.
– The exercise of the ARCO-POL rights is free of charge; only reproduction, certification or shipping costs may be charged.
– Every owner will have the right to know, personally or through a representative with special powers, whether their data is being processed.
– The owner of the data may request the rectification, cancellation or blocking of their data; in the case of deceased persons, their heirs will be responsible for submitting such a request.

Exceptions 
– The following are excluded from the regulation for the protection of personal data: Credit history data (such exclusion does not apply to members of the Financial System and others supervised by the Superintendence of the Financial System); Personal data intended exclusively for activities within the framework of family or domestic life; Personal data intended for public safety, defense, State security, prevention, investigation, detection and repression of crime; Personal data made in the property registry, Family Status Registry and the issuance of Single Identity Document (DUI), among others, in order not to restrict access to information from public records.

Processing of Personal Data. 
– The parties obliged to process data must: limit personal data according to the consent of the holder; implement security measures; maintain confidentiality, etc.
– No person may be forced to provide their personal data, except to be used to safeguard the life of the owner or another person.

Monitoring.
– Application and supervision will correspond to the State Cybersecurity Agency (ACE), which will be created following the guidelines of the Cybersecurity and Information Security Law and will be in charge of controlling, inspecting and supervising the institutions and exercising the sanctioning power in data protection, among other functions.

On the other hand, the purpose of the Cybersecurity and Information Security Law is to establish guidelines for structuring, monitoring and supervising cybersecurity and information security measures held by public institutions.

General Regulations.
– Government agencies, their dependencies, autonomous official institutions, municipal authorities or any other entity or organism are obliged to comply with this law.
– One of the main obligations to be complied with by the regulated entities is the implementation of a permanent cybersecurity and information security management system in order to determine and mitigate those risks that may affect the security of the systems.
– As stated in the Law for the Protection of Personal Data, the Cybersecurity Agency will be created as an agency of the State, of Public Law, of a technical nature, with legal personality and its own assets, which will be in charge of the correct application of the guidelines established in the Law.
– Infringements and penalties are established, which will be applied administratively for non-compliance by the obligated parties, according to the infraction committed, and will range from written warnings or fines to dismissal.

It should be clarified that the aforementioned laws are pending approval and publication in the Official Gazette and such regulations will be in force 8 days after their publication. 
We reiterate that our professional services are at your disposal for advice on this matter.