
El Salvador - Data Protection Overview

October 2023

1. Governing Texts

The Government was working on a data protection bill intended to provide more specific rules and norms for the effective protection of this right. The bill was approved by the Legislative Assembly but not confirmed by the President in 2021, on the grounds that it was incomplete and inconvenient. As such, a new bill will be prepared, and there is no estimated date for its public discussion and further approval.

1.1. Key acts, regulations, directives, bills

Currently, El Salvador does not have a law that specifically regulates data protection. However, there are certain provisions in other laws that regulate this right, such as:

These laws serve as the current legal framework for data protection.

Constitution

The Constitution provides, in Article 2, that all persons have the right to life, physical and moral integrity, liberty, security, work, property, and possession, and to be protected in the conservation and defense of the same. The right to honor, personal and family privacy, and personal image are guaranteed. Moral damages are compensated by law.

Public sector

With respect to the public sector, the Access to Information Law gives citizens the right to obtain public information from governmental and other public entities in order to ensure the transparency of these institutions. It also includes provisions that mandate the protection of personal data.

Computer crimes

Additionally, the Computer Crimes Law (further detailed in the section on data protection authority below) regulates crimes related to computer and information technology activities, including provisions on the unauthorized use of personal data obtained through undue access to databases that contain such information.

Consumer protection

The Consumer Protection Law (further detailed in the section on data protection authority below) was amended in 2018 to include a number of e-commerce provisions, which include an obligation for suppliers duly established in El Salvador to use personal information in a confidential manner, and to implement security systems that guarantee the confidentiality and safety of consumers' personal information.

1.2. Guidelines

There is no centralized authority. For specific matters, the following authorities have issued guidance:

1.3. Case law

There is a landmark case regarding data protection, The Salvadoran Association for the Protection of Data and the Internet ('INDATA') v. Equifax de Centroamerica ('DICOM') (only available in Spanish) ('the Decision') (further explored in the section on personal scope), which mentions for the first time in the country the need to protect citizens' right to self-determination over their personal data in private or public registries or databases against the threat of unauthorized and inappropriate use and access. Self-determination, as defined in the Decision, may be considered as the following:

While the Decision mentions the right of access, it does not establish a procedure for requesting such information.

2. Scope of Application

2.1. Personal scope

The legislation mentioned above protects any identifiable natural person. It is not clear whether deceased individuals fall within its application. The obligated parties are natural persons or any organizations.

2.2. Territorial scope

The legislation mentioned above applies in the territory of El Salvador; however, its extraterritorial scope is not clear.

2.3. Material scope

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

There is no main regulator for data protection. However, as the matter is regulated briefly in different special laws, the entity that regulates each law shall be the authority that regulates data protection (i.e., if it refers to consumers, the Center for Consumer Defence is responsible). Also, in general, data protection may be enforced through the courts.

3.2. Main powers, duties and responsibilities

As mentioned before, the data protection authority depends on the specific law or matter. However, in general, there is a responsibility to maintain information as confidential and not use, process, or transfer information without the consent of the owner.

4. Key Definitions

There is no special data protection law; however, there are definitions in other special laws. Both the Access to Public Information Law and the Computer Crimes Law use the same definitions and distinctions for data subject and personal data, as outlined below.

Data controller: There is no definition. There is a type of data controller within the Access of Public Information Law, called the 'information official', who is in charge of reviewing and authorising requests to access the public information of each public entity (this does not apply with respect to private entities).

Data processor: Not applicable.

Personal data: The private information concerning a person, identified or identifiable, relative to their nationality, address, patrimony, electronic address, phone number, or other similar information (Article 6(a) of the Access to Information Law and Article 3(m) of the Computer Crimes Law).

Sensitive data: Data that corresponds to a person in relation to their creed, religion, ethnic origin, affiliation or political ideologies, union affiliation, sexual preferences, physical and mental health, moral situation, family and/or other intimate information of a similar nature or that could affect the right to honor, to one's own image, and to personal and family intimacy (Article 6(b) of the Access to Information Law, and Article 3(n) of the Computer Crimes Law).

Health data: There is no specific definition; however, health data is considered personal information that can only be accessed with the authorization of the owner of the data. When provided to health professionals (public or private), such data must be kept confidential.

Biometric data: Not applicable.

Pseudonymization: Not applicable.

5. Legal Bases

There is no specific data protection law; however, the decisions of the Supreme Court of Justice of El Salvador ('the Supreme Court') have recognized the right to informative self-determination of personal data contained in public or private databases, especially those stored by computer/technological means. This includes the right that an individual has against the information's arbitrary use, as well as the possibility to access the information and request its correction, updating, amendment, elimination, transfer, and distribution. There must also exist the tools or legal recourses that permit the enforcement of such rights.

Other rights that these decisions provide for include knowing the purpose for the collection and processing of the data, to whom and the reason or purpose for which the data shall be transferred, and who is responsible for this information.

These decisions also determine that the right to privacy is a part of the private sphere of the individual and cannot be separated from the social context in which it is performed, which implies that such a right can be limited by social needs and public interests.

Data controller provisions are not included in any law or decision.

In respect to legal bases in other instances, Articles 21, 21-A, and 22 of the Consumer Protection Law protect consumers of electronic commerce. Consumers also have rights over their data and the power to control its processing with respect to financial information service providers and telecommunications.

5.1. Consent

To use third parties' personal data, consent must be obtained. There is no specific wording that the law requires for valid consent; however, it is recommended that consent be obtained in Spanish (the official language) and in written form, in case such consent needs to be proved.

5.2. Contract with the data subject

5.3. Legal obligations

5.4. Interests of the data subject

5.5. Public interest

The Law for Access of Public Information provides that public interest information (that refers to governmental and public entities) shall be public, unless the entity determines that the damage of revealing the information is higher than the public interest in knowing the information, or that the disclosure of information may effectively threaten the legally protected interest.

5.6. Legitimate interests of the data controller

5.7. Legal bases in other instances

6. Principles

There is no specific data protection law; however, an important court decision determined the following principles:

In respect to credit information, the Credit History Law includes the following principles:

7. Controller and Processor Obligations

7.1. Data processing notification

There are no general requirements to register with or notify any authorities where a business processes personal data. The exceptions include:

7.2. Data transfers

Data transfers are not specifically regulated, but according to jurisprudence, authorization/consent for transfer of the data subject's personal data shall be obtained.

7.3. Data processing records

7.4. Data protection impact assessment

7.5. Data protection officer appointment

Although there is no special law or centralized authority, the protection of the right to informative self-determination is recognized by the Constitution and has been developed from Supreme Court decisions and various provisions in different laws. As such, even if there is no legal provision for the mandatory appointment of data protection officers, there are governmental entities that have the possibility to assist in the enforcement of personal data rights.

7.6. Data breach notification

Data breach obligations are only found in respect to the financial sector.

The entity shall have a notification procedure that shall at least include: