Law Name

(Bill) Ley Orgánica de Protección de los Derechos a la Intimidad y Privacidad sobre los Datos Personales, 2019-2020

Link to the Law

Data Transfer

Other parties that have access to the database may handle personal data if it was previously consented to and as long as they are only using the data for what it is intended to be used for. The same security measures and expectations are held for third parties as are held for the agency responsible for the database. International data transfer is possible if the country has the adequate security measures in place, unless otherwise specified by the data subject.

Data Sharing

If a third party will be involved with the treatment of the data, express authorization of the competent authority is needed. Data can be transferred to a country that does not have the appropriate security measures if it deals with prevention or medical diagnosis.

Data Retention

The data subject has the right to update and rectify their personal data; the right to be informed about the use of their data; the right to access their data; the right to revoke their consent, oppose or request the suspension of the use of their data if their rights have not been respected; and the right to file a claim about the misuse of their information.


The agency responsible for the database must acquire consent before obtaining and using the personal data. It must also inform the data subject of the existence of the database, what their data will be used for, and the consequences that may come of using the data. It must respect the general principles of the protection of personal data. It must immediately rectify, update or suppress the personal data when it is inexact, incomplete or no longer valid. It must register the archive, base or database in the “Registro Nacional de Bases de Datos” created by the control organism (the company).


The “Dirección Nacional de Registro de Datos Públicos” (DNRDP), a component of the “Ministerio de Telecomunicaciones y Sociedad de la Información”, will be the oversight and control body that guarantees the proper and legal treatment of personal data. The DNRDP will promote the rights of the people in relation to the treatment of their data and implement mechanisms to ensure the constitutional right to the protection of their data. It should block information systems when there is a confirmed risk that constitutional rights may be violated. It should provide the agency responsible for the database with the information necessary to effectively exercise its function. It is in charge of international transfers and of ensuring that all parties cooperate and participate effectively in the protection of personal data. It should implement a safeguard to avoid the deterioration or disappearance of information. It will determine the sanctions imposed for infractions.

Breach Notification

If there is a breach in security or protocol is not followed, the infractions are classified as minor or major, and each class has its own associated legal procedures and penalties.

Health Privacy Law

Ley Orgánica de Salud, N. 423 (2006)

Consent is needed in order to do research or other lab or clinical investigations.

Electronic Health Records Law

Ley 00005216, (2014) Reglamento Para el Manejo de Información Confidencial en el Sistema Nacional de Salud

There is a law detailing health confidentiality, which includes maintaining the confidentiality of electronic health records. Only authorized personnel have access to these electronic health records.