With the recent enactment of the Personal Data Protection Law, El Salvador reinforces its commitment to the protection of the right to privacy and informational self-determination. This modern regulatory framework establishes specific and updated guidelines for the processing of personal data, applicable to both public and private bodies.
Below we offer an exhaustive analysis of the main points, the obligated entities and practical recommendations to facilitate compliance with this regulation.
Overview
The main objective of this law is to ensure the protection of personal data through key principles, such as informed consent, transparency, data minimization, information security, and demonstrable accountability. These pillars grant citizens fundamental rights, known as ARCO-POL rights (Access, Rectification, Cancellation, Opposition, Portability, Oblivion and Limitation), which allow them to manage their personal information effectively.
Among the most relevant provisions of the law are:
- The obligation to notify any security breach within a maximum period of 72 hours from its detection.
- Strict regulation of the processing of sensitive data, such as those related to health, political affiliations, or religious beliefs.
- The classification of infractions into minor, serious and very serious, with penalties proportional to the level of non-compliance.
- The regulation of international data transfer, allowing it only to countries that offer an adequate level of protection.
Scope and Obligated Entities
The regulations cover both the public and private sectors and apply to:
- Public Entities: State bodies, municipalities and other institutions that administer public resources or goods. These entities must ensure that their activities related to the collection and processing of data comply with the provisions of the law.
- Private Entities: Companies and individuals that collect, store or process personal data for commercial or professional purposes.
- Contracted Third Parties: Natural or legal persons who, under instruction, carry out personal data processing activities on behalf of a data controller.
Certain specific processing operations, such as those linked to public security or official records, fall outside the scope of application of this regulation.
Main Obligations
The law imposes key responsibilities on the obligated subjects, among which the following stand out:
- Designation of a Data Protection Officer: This professional will be in charge of supervising compliance with the law, managing requests from data subjects and acting as a liaison with the State Cybersecurity Agency (ACE).
- Obtaining Consent: Before collecting or processing personal data, the free, informed and specific consent of the data subject must be obtained. For sensitive data, this consent must be given in writing.
- Implementation of Security Measures: Controllers must protect personal data against unauthorized access, loss or alteration through robust technological and organizational measures.
- Guarantee ARCO-POL Rights: Effective and accessible mechanisms must be enabled so that data subjects can exercise their rights in relation to their personal data.
- Notification of Security Incidents: In the event of a breach, controllers must inform the ACE and the affected data subjects within a period of no more than 72 hours.
- Preparation of Privacy Policies: Clear and accessible privacy notices must be drafted, detailing the purposes of the processing and the rights of the data subject.
Implementation Deadlines and Timeline
The law establishes clear deadlines for its implementation:
- Issuance of Guidelines: The ACE must issue the necessary guidance and measures within three months of the entry into force of the law.
- Adaptation of Entities: Obligated entities have an additional three months to adjust their processes and policies in accordance with the guidelines of the ACE.
- Enabling ARCO-POL Mechanisms: Organizations have a period of six months to ensure that data subjects can fully exercise their rights.
It is important to note that the Personal Data Protection Law is based on Articles 1 and 2 of the Constitution of El Salvador, which protect the privacy, honor and moral integrity of individuals. In addition, the regulation reflects international standards, reinforcing El Salvador’s integration into the global data protection environment.
Practical Recommendations
To ensure compliance with these regulations, we suggest that organizations adopt the following measures:
- Perform a Data Diagnostic: Identify the types of personal data you collect, where it is stored, and how it is used.
- Internal Training: Implement training programs for staff to understand the provisions of the law and best practices in data protection.
- Review Contracts: Make sure to include confidentiality and compliance clauses in your agreements with third parties that handle personal data.
- Update Privacy Notices: Verify that notices are clear, accessible, and comply with legal requirements.
- Establish Response Protocols: Design clear procedures for managing and reporting security incidents.
- Maintain a Record of Processing: Document all activities related to the processing of personal data.
The Personal Data Protection Law represents a significant change in the management of personal information in El Salvador. Its correct implementation not only ensures respect for the fundamental rights of citizens, but also increases the confidence of consumers and business partners.
We invite all organizations to begin the process of adapting to this regulation. If you need assistance in interpreting the provisions or implementing the necessary changes, we are available to offer specialist support and guidance.
For more information or inquiries, please contact us at info@central-law.com
Fernando Argumedo
Senior Associate
El Salvador