Costa Rica
Summary
Law: Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available in Spanish here) (the Law), and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968 (only available in Spanish here)
Regulator: Costa Rican data protection authority (PRODHAB)
Summary: The Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available in Spanish here) (the Law) governs data protection in Costa Rica and has been enforceable in relation to organizations and individuals since July 7, 2012. The Law is applicable to personal data contained in automated or manual databases, and requires databases to be registered with the Costa Rican data protection authority (PRODHAB), which is the entity responsible for enforcing the Law. The Law introduces data subject rights, including the right to access, rectify, or delete personal data; establishes express consent of the data subject as a central principle; and requires controllers and processors to ensure adequate security safeguards to protect data.
The Law is further complemented by Executive Decree No. 37554-JP of October 30, 2012, Regulating Law No. 8968 (only available in Spanish here) (the Executive Decree), as amended by Decree No. 40008-JP (only available in Spanish here) (the Decree).
There are currently two bills regarding data protection in Costa Rica: Bill No. 22.388 (only available in Spanish here), aiming to reform the Law, and Bill No. 23.097 (only available in Spanish here) on the protection of personal data.