Dominican Republic

Dominican Republic

Law Name

Ley orgánica sobre protección de datos de caracter personal, Ley 172-13 (2013)

Link to the Law

Data Transfer

If data is modified, the responsible of the database should inform whomever the data has been transferred to of these alterations and modifications. It seems that data can be transferred to third parties or countries. If the data subject wants their data suppressed it must be suppressed wherever the data was transferred to as well. To transfer data internationally, consent and an explicit reason is needed for data transfer that can be for the individual or for the good of the public. Transfer of data can happen if necessary for health or public health reasons.

Data Sharing

The use of personal data must be consented. Personal Data should be correct, adequate and relevant to the purpose it was collected for. No consent is needed if data is obtained through a public forum; it is necessary for functions of the state or marketing purposes. Personal Data and sensitive data related to health does not require consent if it is necessary for public health reasons, emergency reasons or for epidemiological studies as long as the identity of the data subject is maintained private. Public or private health establishments and the professionals that deal with science and health can recollect and use personal data relative to physical or mental health of those that are currently being treated and those that were treated, as long as they respect the principles of professional secrecy. Health data can be used as long as the identity of the data subject remains anonymous.

Data Retention

Partial, inexact or incomplete data should be suppressed and substituted or completed by the person responsible for the database. The data subject has the right to access their data as well as rectify and suppress their personal data. Data cannot be suppressed if it could damage the rights or legitimate interests of third parties or when there is a contractual or legal obligation to maintain and conserve the data.


The agency responsible for archiving the personal data in the database should adopt and implement technical, organizational and necessary security measures to safeguard the data and to avoid their alteration, loss, or unauthorized access. If the data subject requests amendment or suppression of their personal data the person responsible for the database should remedy the issue requested by the data subject within 10 days. The agency responsible for the database should guarantee to the titular or data subject their rights of habeas data; conserve information under necessary security measures; rectify or amend information when it is incorrect or requested; address consults and claims formulated; adopt an internal manual about politics and procedure to guarantee that the law is being followed.


Enforcement is regulated primarily for banks by the “Superintendencia de Bancos”. They enforce regulations upon the Sociedad de informacion crediticia.

Breach Notification

Whoever violates the law will be sanctioned with possible prison time as well as a steep fine.

Health Privacy Law

Ley General de Salud, Ley N. 42-01 (2001)

You must consent to have medical treatment or surgery done to you unless you are incapable of providing such consent. In health emergencies or in public health emergencies or for scientific investigations, consent is not necessary. Investigations should correspond with scientific and bioethical principles that are nationally and internationally approved. The institution SESPAS will elaborate more on the regulations. SESPAS must be consulted in order to do scientific investigation. SESPAS: La Secretaría de Estado de Salud Pública y Asistencia Social.

Electronic Health Records Law

Does not have an Electronic Health Records Law as of now.


The law speaks primarily about monetary (banking) protection of personal data. This law does not apply to databanks created by armed forces and used by the police for administrative purposes; this data is permanent.