Law: The Data Protection Law

Regulator: There is no general data protection regulator.

Summary: On November 13, 2024, the Legislative Assembly announced that it approved the Data Protection Law (the Law) and the Cybersecurity Law (the Cybersecurity Law). The Law provides for data subject rights of access, rectification, erasure, and opposition to direct marketing, as well as the imposition of obligations on private and public entities, namely for obtaining previous consent for processing data, and requirements related to data transfers and to the processing of sensitive data. The Law also establishes the State Cybersecurity Agency as the supervisory authority, and provides for sanctions for non-compliance. The Cybersecurity Law, on the other hand, applies to public and private entities that process data in possession of the State and establishes specific obligations in order to protect citizens' personal information, including obligations of entities processing personal data, including to elaborate a cybersecurity strategy aligned with national and international standards.

Currently, a patchwork of provisions, regulations, laws, and judicial decisions support a general framework for personal data protection. The Constitution of the Republic of El Salvador (only available in Spanish here) guarantees the right to life, physical and moral integrity, liberty, security, work, property, and possession, among other things. In addition, the Consumer Protection Law as amended in 2018 (only available in Spanish here) regulates the financial sector and e-commerce and outlines data security and confidentiality obligations in relation to consumer personal information.