Honduras

Law Name

Anteproyecto de Ley de Protección de Datos Personales y Acción de Hábeas Data de Honduras (2014)

Link to the Law

https://cei.iaip.gob.hn/doc/Ley%20de%20Proteccion%20de%20Datos%20Personales.pdf

Data Transfer

Data transfer is allowed if it is explicitly stated in the consent form and consented to by the individual. Data transfer can happen without consent if it is authorized by the law, for justice and legal purposes, or for public health purposes. Third parties must comply with the law in order to use the data provided. International data transfer is allowed as long as the country to which the data is being transferred has a proportionate level of security measures in place.

Data Sharing

Data that is collected can only be used for the purpose described to the data subject; if the data is to be used for another purpose, consent is needed. Sensitive data can be used if it was consented to, if it safeguards the interests of the titular, if the titular authorizes the use of their data for legitimate reasons, for scientific research and for statistics, or for other medical and public health purposes.

Data Retention

Personal data that is collected should be exact, adequate and necessary for the purpose of collection. The titular or data subject has the right to access their data. Consent is not needed if data is found in a public database, for legal purposes, or contractual purposes. The data subject has the right to rectify their data if it is inexact, incomplete, inadequate or excessive as long as it is possible to do so and it does not require disproportionate effort. The data subject has the right to cancel or delete their data if their rights aren’t being met or if the data is no longer useful for what it was collected for and it was stated in the privacy statement of the database. Personal data that is no longer useful for its purpose of collection should be canceled. Canceled means that the data is blocked, but conserved only for the use of public administrators or judges and tribunals. The data subject has the right to oppose the use of their data if no consent was given and there exist motives for the opposition that are not contrary to the law. The data subject can only access their data once every six months unless they have a legitimate reason to request again within the given time frame.

Governance

The agency responsible for the database is obligated to verify the exactitude and pertinence of the registered data and will take the appropriate measures to ensure that if there is an error the data will be either canceled or rectified. The agency responsible for the database should have the correct security measures in place to ensure that the database is safe from alteration, loss, use or access that is fraudulent or unauthorized. Consent is not needed when it comes to the security of the state or for judicial procedures. The agency responsible for the database has the right to deny the alteration to data if doing so can harm the state or the public security, the protection and rights of third parties or the necessary investigations that the data is being used for. The agency responsible for the database also needs to implement a manual for security procedures to guarantee that the security and protection of data is in accordance with the law. They should register in the database “Solicitud de Trámite”, writing the way in which the law is being regulated; comply with the instructions of the “Instituto de Acceso a la Información Pública y de Protección de Datos Personales” (IAIP) and with the rights of the titular.

Enforcement

The “Instituto de Acceso a la Información Pública y de Protección de Datos Personales” (IAIP) can request the agency responsible for the database to provide and adopt preventative measures that avoid infractions to privacy in order to prevent violations to the security of personal data. A consultation with the agency responsible for databases can also be requested to ensure that the appropriate measures of security are in place. This is not needed if the agency responsible for the database is an authority or public organism, or if the data is being treated according to the law.

Breach Notification

If there is an infraction, the agency responsible for the database must inform the IAIP within 6 hours of the infraction. If there are infractions, the IAIP will impose certain sanctions that are dictated in the law and are on a case-by-case basis. There are levels of severity against which each case is measured.

Health Privacy Law

https://www.acnur.org/fileadmin/Documentos/BDL/2016/10636.pdf

Decreto N. 65-91

The law is devised to protect, recuperate and rehabilitate people’s health as an inalienable human right, in itself, biologically, psychologically, socially and ecologically. Written consent must be given in order to perform scientific investigations on the individual.

Electronic Health Records Law

Does not have an Electronic Health Records Law as of now.

Notes

As of May 2020, the Bill for the Protection of Personal Information was not promulgated by the Honduran Congress.