Law: Law No. 172-13 on the Comprehensive Protection of Personal Data Contained in Archives, Public Registries, Databases or Other Technical Means of Data Processing Used for Reporting, Whether Public or Private 2013 (only available in Spanish here) (the Law)

Regulator: There is no general data protection authority.

Summary: Law No. 172-13 on the Comprehensive Protection of Personal Data Contained in Archives, Public Registries, Databases or Other Technical Means of Data Processing Used for Reporting, Whether Public or Private 2013 (only available in Spanish here) (the Law) functions as comprehensive data protection legislation. Specifically, the Law provides that data controllers and processors must comply with certain principles, including data security, professional secrecy, data quality, and data loyalty. The Law also establishes data subject rights and sanctions for violations of its provisions.

Although there is no general data breach notification requirement under the Law, the Dominican Telecommunications Institute (INDOTEL) requires the adoption of security measures, classified as basic, medium, or high depending on the type of information, and the notification of data breaches if they occur.

Notably, although there is no general data protection authority under the Law, the Banking Authority is responsible for supervising the data processing activities of credit information companies.

The Dominican Constitution (only available in Spanish here) provides for the right to the protection of personal data in public or private records under Article 44(2).