The Government was working on a data protection bill that would provide more specific rules and norms to facilitate effective protection of this right. The bill was approved by the Legislative Assembly but was not confirmed by the President in 2021, on the grounds that it was incomplete and inconvenient. As such, a new bill will be prepared, and there is no estimated date for its public discussion and further approval.
Currently, El Salvador does not have a law that specifically regulates data protection. However, there are certain provisions in other laws that regulate this right, such as:
These laws serve as the current legal framework for data protection.
Constitution
The Constitution provides, in Article 2, that all persons have the right to life, physical and moral integrity, liberty, security, work, property, and possession, and to be protected in the conservation and defense of the same. The right to honor, personal and family privacy, and personal image are guaranteed. Moral damages are compensated by law.
Public sector
In respect to the public sector, the Access to Information Law provides citizens with the right to obtain public information from governmental and other public entities to procure the transparency of these institutions. It also includes provisions that mandate the protection of personal data.
Computer crimes
Additionally, the Computer Crimes Law (further detailed in the section on data protection authority below) regulates crimes related to computer and information technology activities, including provisions that regulate the unauthorized use of personal data obtained from undue access to databases that contain such information.
Consumer protection
The Consumer Protection Law (further detailed in the section on data protection authority below) was amended in 2018 to include a number of e-commerce provisions. These include an obligation for suppliers duly established in El Salvador to use personal information in a confidential manner, and to implement security systems that guarantee the confidentiality and safety of consumers' personal information.
There is no centralized authority. For specific matters, the following authorities have issued guidance:
There is a landmark case regarding data protection, The Salvadoran Association for the Protection of Data and the Internet ('INDATA') v. Equifax de Centroamerica ('DICOM') (only available in Spanish here) ('the Decision') (further explored in the section on personal scope), which mentions for the first time in the country the need to protect the right to self-determination over citizens' personal data in private or public registries or databases against the threat of unauthorized and inappropriate use and access. Self-determination, as defined in the Decision, may be considered as the following:
While the Decision mentions the right of access, it does not establish a procedure for requesting such information.
The legislation mentioned above protects any identifiable natural persons. It is not clear whether deceased individuals are within its application. The obligated parties are natural persons or any organizations.
The legislation mentioned above applies in the territory of El Salvador; however, it is not clear as to its extraterritorial scope.
There is no main regulator for data protection. However, as the matter is regulated briefly in different special laws, the entity that regulates each law shall be the authority that regulates data protection (i.e., if it refers to consumers, the Center for Consumer Defence is responsible). Also, in general, data protection enforcement may be pursued through the courts.
As mentioned before, the data protection authority depends on the specific law or matter. However, in general, there is a responsibility to keep information confidential and not to use, process, or transfer information without the consent of the owner.
There is no special data protection law; however, there are definitions in other special laws. Both the Access to Public Information Law and the Computer Crimes Law use the same definitions and distinctions for data subject and personal data, as outlined below.
Data controller: There is no definition. There is a type of data controller within the Access of Public Information Law, called the 'information official', who is in charge of reviewing and authorising the requests to access public information of each public entity (this does not apply with respect to private entities).
Data processor: Not applicable.
Personal data: The private information concerning a person, identified or identifiable, relative to their nationality, address, patrimony, electronic address, phone number, or other similar information (Article 6(a) of the Access to Information Law and Article 3(m) of the Computer Crimes Law).
Sensitive data: Data that corresponds to a person in relation to their creed, religion, ethnic origin, affiliation or political ideologies, union affiliation, sexual preferences, physical and mental health, moral situation, family and/or other intimate information of a similar nature or that could affect the right to honor, to one's own image, and to personal and family intimacy (Article 6(b) of the Access to Information Law, and Article 3(n) of the Computer Crimes Law).
Health data: There is no specific definition; however, health data is considered personal information that can only be accessed with the authorization of the owner of the data. When provided to health professionals (public or private), such data must be kept confidential.
Biometric data: Not applicable.
Pseudonymization: Not applicable.
There is no specific data protection law; however, the decisions of the Supreme Court of Justice of El Salvador ('the Supreme Court') have recognized the right to informative self-determination of personal data contained in public or private databases, especially those stored by computer/technological means. This includes the right that an individual has against the arbitrary use of the information, as well as the possibility to access the information and to request its correction, updating, amendment, elimination, transfer, and distribution. There must also exist the tools or legal recourses that permit the enforcement of such rights.
Other rights that these decisions provide for include knowing the purpose for the collection and processing of the data, to whom and the reason or purpose for which the data shall be transferred, and who is responsible for this information.
These decisions also determine that the right to privacy is a part of the private sphere of the individual and cannot be separated from the social context in which it is performed, which implies that such a right can be limited by social needs and public interests.
Data controller provisions are not included in any law or decision.
In respect to legal bases in other instances, Articles 21, 21-A, and 22 of the Consumer Protection Law protect consumers of electronic commerce. Consumers also have rights over their data and the power to control its processing with respect to financial information service providers and telecommunications.
To use third parties' personal data, consent must be obtained. There is no specific wording that the law requires for valid consent; however, it is recommended that consent be obtained in Spanish (the official language) and in written form, in case such consent needs to be proved.
The Law for Access of Public Information provides that public interest information (that refers to governmental and public entities) shall be public, unless the entity determines that the damage of revealing the information is higher than the public interest in knowing the information, or that the disclosure of information may effectively threaten the legally protected interest.
There is no specific data protection law; however, an important court decision determined the following principles:
In respect to credit information, the Credit History Law includes the following principles:
There are no general requirements to register with or notify any authorities where a business processes personal data. The exceptions include:
Data transfers are not specifically regulated, but according to jurisprudence, the data subject's authorization/consent shall be obtained for the transfer of their personal data.
Although there is no special law or centralized authority, the protection of the right to informative self-determination is recognized by the Constitution and has been developed from Supreme Court decisions and various provisions in different laws. As such, even if there is no legal provision for the mandatory appointment of data protection officers, there are governmental entities that have the possibility to assist in the enforcement of personal data rights.
Data breach obligations are only found in respect to the financial sector.
The entity shall have a notification procedure that shall at least include:
This is not specifically regulated, but according to jurisprudence, the data subject may request the deletion of personal data not authorized for processing or for recording.
The Law for the Comprehensive Protection of Children and Adolescents (only available in Spanish here) prohibits using, disclosing, publishing, or exposing data, images, or information against the child's will and the knowledge of their parents or legal representatives. It is also prohibited to expose or disclose data, images, or information that damages the reputation and honor of children or that may be an illegal or arbitrary interference in the personal or private intimacy of the child or their family.
See section on governing texts above.
Individuals must be provided a procedure or remedy to be able to make effective use of the aforementioned rights.
The individual has the right to access their personal information, especially that contained in computer databases.
The individual has the right to request the rectification of their information.
In respect to credit information, consumers have the right to request the erasure of wrong or out-of-date information. Where personal data in general is used or processed without the authorization of the owner, such owner may request the erasure of the data.
An individual has the possibility of controlling, in a reasonable way, the transmission or distribution of their personal information.
Whilst penalties are not regulated in a specific data protection law, there are penalties in respect to specific laws.
In respect to credit information, depending on the gravity, the penalties include:
In respect to public information (stored and processed by governmental and public entities), depending on the authority, penalties include:
In respect to consumer information, penalties include economic fines.
If the information was obtained/extracted by breach of information technology databases, it is considered a crime with prison penalties.