
Oct 9, 2025

New Personal Data Protection Law in El Salvador: Keys to its Compliance and Enforcement

With the recent enactment of the Personal Data Protection Law, El Salvador reinforces its commitment to the protection of the right to privacy and informational self-determination. This modern regulatory framework establishes specific and updated guidelines for the processing of personal data, applicable to both public and private organizations.

The following is an exhaustive analysis of the main points, the obligated parties and practical recommendations to facilitate compliance with these regulations.

General Summary of the Personal Data Protection Law

The main objective of this law is to ensure the protection of personal data through key principles such as:

  • Informed consent,
  • Transparency,
  • Data minimization,
  • Information security, and
  • Demonstrated responsibility (accountability).

These pillars grant citizens fundamental rights known as ARCO-POL rights (Access, Rectification, Cancellation, Opposition, Portability, Forgetting and Limitation), which allow them to manage their personal information effectively.

Most relevant provisions of the law:

  • Obligation to notify any security breach within 72 hours of its detection.
  • Strict regulation of the processing of sensitive data, such as data related to health, political affiliation or religious beliefs.
  • Classification of infractions as minor, serious and very serious, with penalties proportional to the level of non-compliance.
  • Regulation of international data transfer, allowing it only to countries with an adequate level of protection.

Scope and Obligated Parties

The regulations cover both the public and private sectors and apply to three main categories:

1. Public Entities

State bodies, municipalities and other institutions that manage public resources or assets. These entities must ensure compliance with the law in their activities related to the collection and processing of personal data.

2. Private Entities

Companies and individuals that collect, store or process personal data for commercial or professional purposes.

3. Contracted Third Parties

Natural or legal persons who, under contract, carry out personal data processing activities on behalf of a controller.

Note: Some specific processing operations, such as those related to public security or official records, are outside the scope of this regulation.

Main Obligations of the Obligated Entities

The law imposes key responsibilities on organizations that handle personal data. These are the main ones:

1. Designation of a Data Protection Officer

Responsible for overseeing compliance with the law, handling data subject requests and liaising with the State Cybersecurity Agency (ACE).

2. Obtaining Consent

Before collecting or processing personal data, it is mandatory to obtain the free, informed and specific consent of the data subject. In the case of sensitive data, this consent must be given in writing.

3. Implementation of Security Measures

Data controllers must ensure the protection of data against unauthorized access, loss or alteration by means of robust technological and organizational measures.

4. Ensuring ARCO-POL Rights

Effective mechanisms should be provided to enable data subjects to exercise their rights in relation to their personal data.

5. Security Incident Notification

In the event of a breach, the responsible parties must inform the ACE and the affected data subjects within 72 hours.

6. Drafting of Privacy Policies

Privacy notices should be clear and accessible, and should detail the purposes of the processing and the rights of the data subject.

Timeline and Implementation Schedule

The regulation establishes clear deadlines to facilitate its implementation:

  1. Issuance of guidelines: The ACE must issue the necessary guidelines within three months of the law's entry into force.
  2. Adaptation of obligated entities: Obligated entities have an additional three months to adjust their processes and policies.
  3. Enabling ARCO-POL mechanisms: Organizations have six months to ensure that data subjects can fully exercise their rights.

Important: The Personal Data Protection Law is based on articles 1 and 2 of the Constitution of El Salvador, which protect privacy, honor and moral integrity. In addition, it is aligned with international standards, strengthening El Salvador's integration into the global data protection environment.

Practical Recommendations for Compliance

1. Perform a Data Diagnostic

Identify the types of personal data you collect, where it is stored and how it is used.

2. Internal Training

Implement training programs for staff to understand the law and adopt better data protection practices.

3. Review Contracts

Include confidentiality and compliance clauses in agreements with third parties.

4. Update Privacy Notices

Make sure they are clear, accessible and comply with legal requirements.

5. Establish Response Protocols

Design clear procedures for managing and reporting security incidents.

6. Maintain a Record of Processing Activities

Document all activities related to the processing of personal data.

Conclusion

The Personal Data Protection Law represents a significant change in the management of personal information in El Salvador. Its correct implementation not only ensures respect for fundamental rights, but also increases the confidence of consumers and business partners.

We invite all organizations to start adapting to this regulation. If you need guidance or specialized support, our team is available to assist you.

At Centr4l, we are ready to help you take your business to the next level. Contact us today and find out how our legal solutions can transform your business management.

Fernando Argumedo

Senior Associate.

Central Law El Salvador/ CENTR4L