Costa Rica

Law Name

Protección de la Persona Frente al Tratamiento de Sus Datos Personales, Ley 8968 (2011)

Data Transfer

Personal and sensitive data may be transferred to third parties only with the data subject's prior consent and only for the purpose for which the data was originally collected. The consent must be explicit, and the third party receiving the data must itself observe the principles and regulations laid down in this law.

Data Sharing

The individual is not obliged to provide sensitive data, such as health data, and sensitive data may not be used by or disclosed to the public. This prohibition does not apply when use of the data is necessary to safeguard the individual or another person and the data subject is unable to give consent. No consent is needed when the data is used for the purpose for which it was collected, provided it is not transferred to third parties without prior consent. Consent is also not needed when the data is held in a publicly accessible database, or when the data is necessary for medical prevention or diagnosis, other medical treatment, or the provision of health services, provided the information continues to be used for that purpose and is kept confidential.

Data Retention

When personal data is collected, the data subject must be informed of the existence of the database, the purpose for which the data is collected, who will have access to it, and the rights the subject holds over it. Data may be used only for the purpose for which it was collected; it cannot be repurposed afterwards. Everyone has the right to access, rectify or suppress their data and to have it removed from the system: inaccurate or incomplete data may be corrected or suppressed, and data may be deleted where it was used without consent for a purpose that was not previously stated. These rights may be limited or set aside in the interest of state or public security, in the investigation of criminal offences, or for statistical, historical or scientific use (as long as the person cannot be identified).


The party responsible for the database must delete data that has expired or is no longer used, and must correct or suppress data that is inaccurate or incomplete. It must also adopt appropriate technical measures to guarantee the security of the data and to prevent its alteration, accidental or deliberate destruction, loss, improper use or unauthorized access. Protocols for the collection and processing of data must be established and followed; these protocols vary with the function and use of the data and with each organization that collects it.


The Agencia de Protección de Datos de los habitantes (Prodhab), created under the Ministry of Justice and Peace, is the authority that enforces this law. Prodhab must ensure that the law is complied with in the protection of data, keep a register of the databases regulated by the law, require each database to submit the protocols it uses to collect data, handle infractions of the law, order the suppression or modification of data, and impose the sanctions established in article 28 for an infraction of the law. The law also sets out rules on who directs Prodhab and the restrictions imposed on its employees; these restrictions focus on keeping the information of individuals private and protected.

Breach Notification

When an infraction occurs, the sanctions outlined in article 28 are imposed. Any person may file a complaint against a database for mishandling their information. The sanctions vary with the gravity of the infraction and include fines and restrictions placed on the databases.

Health Privacy Law

Ley General de Salud, N. 5395 (1973)

No person may be subjected to medical or surgical treatment that carries a grave risk without his or her consent, and authorization must be given before a person takes part in scientific research.

Electronic Health Records Law


Ley Expediente Digital Unico de Salud, Expediente 17.214

The Expediente Digital Unico de Salud (EHR) is to be implemented for the whole country: electronic records that can be stored and exchanged securely and accessed by multiple authorized users. These EHRs fall under the jurisdiction of the Caja Costarricense de Seguro Social (the national social security fund).