New Personal Data Protection Law in El Salvador
New Personal Data Protection Law in El Salvador: Keys to its Compliance and Enforcement
With the recent enactment of the Personal Data Protection Law, El Salvador strengthens its commitment to protecting the right to privacy and informational self-determination. This modern regulatory framework establishes specific, up-to-date guidelines for the processing of personal data, applicable to both public and private bodies.
The following is an exhaustive analysis of the main points, the obligated parties and practical recommendations to facilitate compliance with these regulations.
General Summary of the Personal Data Protection Law
The main objective of this law is to ensure the protection of personal data through key principles such as:
- Informed consent,
- Transparency,
- Data minimization,
- Information security,
- and demonstrated accountability.
These pillars grant citizens fundamental rights known as the ARCO-POL rights (Access, Rectification, Cancellation, Opposition, Portability, Oblivion (the right to be forgotten) and Limitation), which allow them to manage their personal information effectively.
Most relevant provisions of the law:
- Obligation to notify any security breach within 72 hours of its detection.
- Strict regulation of the treatment of sensitive data, such as those related to health, political affiliations or religious beliefs.
- Classification of infractions as minor, serious and very serious, with penalties proportional to the level of non-compliance.
- Regulation of international data transfer, allowing it only to countries with an adequate level of protection.
Scope and Obligated Parties
The regulations cover both the public and private sectors and apply to three main categories:
1. Public Entities
State bodies, municipalities and other institutions that manage public resources or assets. These entities must ensure compliance with the law in their activities related to the collection and processing of personal data.
2. Private Entities
Companies and individuals that collect, store or process personal data for commercial or professional purposes.
3. Contracted Third Parties
Natural or legal persons who, under contract, carry out personal data processing activities on behalf of a controller.
Note: Some specific processing operations, such as those related to public security or official records, are outside the scope of this regulation.
Main Obligations of the Obligated Entities
The law imposes key responsibilities on organizations that handle personal data. These are the main ones:
1. Designation of a Data Protection Officer
Responsible for overseeing compliance with the law, handling data subject requests and liaising with the State Cybersecurity Agency (ACE).
2. Obtaining Consent
Before collecting or processing personal data, it is mandatory to obtain the free, informed and specific consent of the data subject. In the case of sensitive data, this consent must be given in writing.
3. Implementation of Security Measures
Data controllers must ensure the protection of data against unauthorized access, loss or alteration by means of robust technological and organizational measures.
4. Ensuring ARCO-POL Rights
Effective mechanisms should be provided to enable data subjects to exercise their rights in relation to their personal data.
5. Security Incident Notification
In the event of a breach, the responsible parties must inform the ACE and the affected data subjects within 72 hours.
6. Elaboration of Privacy Policies
Privacy notices should be clear and accessible, and should detail the purposes of the processing and the rights of the data subject.
Timeline and Implementation Schedule
The regulation establishes clear deadlines to facilitate its implementation:
- Issuance of guidelines: The ACE must issue the necessary guidelines within three months of the law's entry into force.
- Adequacy of entities: Obligated entities have an additional three months to adjust their processes and policies.
- Enabling ARCO-POL mechanisms: Organizations have six months to ensure that data subjects can fully exercise their rights.
Important: The Personal Data Protection Law is based on articles 1 and 2 of the Constitution of El Salvador, which protect privacy, honor and moral integrity. In addition, it is aligned with international standards, strengthening the integration of El Salvador in the global environment of data protection.
Practical Recommendations for Compliance
1. Perform a Data Diagnostic
Identify the types of personal data you collect, where it is stored and how it is used.
2. Internal Training
Implement training programs for staff to understand the law and adopt better data protection practices.
3. Review Contracts
Include confidentiality and compliance clauses in agreements with third parties.
4. Update Privacy Notices
Make sure they are clear, accessible and comply with legal requirements.
5. Establish Response Protocols
Design clear procedures for managing and reporting security incidents.
6. Maintain a Record of Processing Activities
Document all activities related to the processing of personal data.
Conclusion
The Personal Data Protection Law represents a significant change in how personal information is managed in El Salvador. Its correct implementation not only ensures respect for fundamental rights, but also increases the trust of consumers and business partners.
We invite all organizations to start adapting to this regulation. If you need guidance or specialized support, our team is available to assist you.
At Centr4l, we are ready to help you take your business to the next level. Contact us today and find out how our legal solutions can transform your business management.