Law Name

Ley de Protección de Datos Personales, Ley No. 787 (2012)

Data Sharing

All personal data that is collected should be necessary and proportionate for the reason they were collected. The data subject must consent in order to collect data unless in certain cases otherwise stated in the law. Sensitive personal data can only be obtained and used for interests in the law, under the consent of the data subject or ordered by a judicial authority. This data can also be used for statistics or scientific purposes as long as the data subject cannot be identified. Sensitive data can only be obtained through expressed consent of the data subject or through express social interest or a judicial mandate.

Data Retention

Consent to use personal data can be revoked at any time without any retroactive effect within the limits of the law. Acquiring consent isn’t necessary if ordered by a judiciary authority, if the data is submitted through a procedure of disassociation, if the data is necessary for judicial reasons or if the data can be accessed through public databases. The data subject has the right to access, rectify, modify, suppress, add to, include, actualize or cancel the use of their personal data. Data can be canceled once it is no longer necessary for the reason it was collected, unless otherwise stated by the law, if it conflicts with social interests or public health interests.


The agency responsible for personal data should previously inform the data subject of the reason for usage of personal data and of who can use the data, the existence of the database, the potential negative effects of having their data in the database, the rights of the data subject and remedy any changes made or requested by the data subject. The agency responsible should adopt the adequate technical measures to guarantee the security of the personal data and avoid the access, use, alteration, loss, revelation or transfer of data that is not authorized. All data must remain private unless the data pertains to members of the national police or Nicaraguan military, in these cases all relevant data must be transmitted to the appropriate institution. The agency responsible has the right to not modify changes of personal data if it contradicts the law or if a judicial resolution exists. The agency responsible should be registered in the “Registro de ficheros de datos” which in turn informs the “Dirección de Protección de Datos Personales” (DPDP).


The Ministry of Finance and Public Credit created the DPDP to control, supervise and protect the use of personal data in private and public database. The DPDP dictates the norms and administrative dispositions necessary, solicits information to guarantee security, integrity and confidentiality of data, imposes sanctions, verifies the security of the database and cooperates with other protective authorities at the international level.

Breach Notification

If during an investigation a breach or infringement of rights is found, the DPDP will determine whether it is a light or grave infraction and act accordingly. Light and grave infractions are defined in the law, and sanctions are enacted accordingly.

Health Privacy Law

We could not identify a Health Privacy Law in Nicaragua

Electronic Health Records Law

Norma para el Manejo del Expediente Clínico y Guía para el Manejo del Expediente Clínico