Costa Rica: Towards a comprehensive reform on Data Privacy

February 2021

Just over twenty years ago, it was the Constitutional Chamber of the Republic that began to establish the first precedents in Costa Rica, of a right to Informative Self-determination. Taking as a basis what was decided in turn in 1983 by the Constitutional Court of the Federal Republic of Germany.

For about 10 years, the principles of Informed Consent and the Quality of Information (Veracity, Actuality, Accuracy and Suitability to the Privacy Policy) were developed based on the norm provided for in Article 24 of the Costa Rican Political Constitution (Right to Privacy).

After approximately 10 years, the constitutional jurisdiction itself begins to insist on the need to create specific regulations for the protection of personal data, as well as the proper constitution of a regulatory body on the matter, as part of the government. This need materialized in July 2011, with the approval of Act 8968, Protection of the Person against the Processing of their Personal Data, which in turn contained the authorization of PRODHAB, the Data Protection Agency of the inhabitants. The legislation is of a clear European continental cut, founded on the precepts of the already repealed Directive 95/46/CE of the European Parliament and the Council, based on the provisions of Spaniard legislation and some notes, from other sources such as the Right to be Forgotten and the Data Breach Notification.

However, it is not until 2014, when, with the clear intention of putting into operation what was until then a “paper agency”, the undersigned was appointed as National Director of the body. In this way and until 2017, we took care of giving body, instruments, criteria, objectives, and purposes to the nascent PRODHAB.

Four years later, we are faced with the inevitable challenge of updating our legislation, to bring it up to the level of the most contemporary regulations, especially the new General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Accordingly, the development and duly presentation of a complete and integral reform to Act 8968, was materialized on January 28, 2021, coinciding with the International Day of Data Protection. In this proposal, we find the introduction or renewal of principles such as Loyalty, Legality, Transparency, Data Minimization, Purpose, Limited Conservation, Information Quality, Informed Consent, Integrity and Confidentiality. Likewise, rights such as Informative Self-determination (already conceived as a fundamental right by law), Access, Rectification and Suppression are renewed. Also incorporating those of Opposition, Limitation of Treatment, Portability, Explanation and Authorization for Transfer.


Likewise, a transcendental step is taken by materializing the absolute independence, technical, administrative, and budgetary of the Agency for the Protection of Inhabitants Personal Data; a fact worth mentioning, taken into account the difficulties that have existed in Latin America to guarantee such a degree of freedom to the regulatory bodies in this matter. In the same way, the necessary rules are established to ensure an appropriate level in the cross-border transfer of data and regulations are incorporated regarding the processing of personal data of minors.


This reform constitutes a technically and formally adequate step to guarantee that Costa Rica assumes a position equivalent to that of the legal systems with the most contemporary regulations on the matter; and emphasizes its position, as a benchmark for the Protection of Personal Data in the region.


Mauricio J. Garro

Managing Partner Costa Rica