Privacy Law at El Salvador
El Salvador enacted two significant laws in November 2024 to regulate cybersecurity and personal data protection:
Cybersecurity and Information Security Law (Decree No. 143)
Personal Data Protection Law (Decree No. 144)
Both laws came into effect on November 23, 2024, following their publication in the Official Gazette on November 15, 2024
🇸🇻 Key Features of El Salvador’s Data Protection Framework
1. Scope and Applicability
Personal Data Protection Law Applies to all individuals and entities, public and private, that process personal data, both within and outside El Salvadr
Exemptions Certain data processing activities are excluded, including those related to credit histories, domestic life without commercial intent, public safety, state defense, crime prevention, and public registris
2. Data Subject Rights (ARCO-POL)
The law establishes the following rights for data subject:
Access Right to know if personal data is being processe.
Rectification Right to correct inaccurate or incomplete dat.
Cancellation Right to delete data under certain condition.
OppositionRight to object to data processi
Portability Right to transfer data to another entit.
Limitation Right to restrict data processig
3. "Right to Be Forgotten"
The law introduces a "right to be forgotten," allowing individuals to request the removal of outdated, inaccurate, or incomplete informatin
4. Cross-Border Data Transfer
International data transfers are permitted under the following condition:
Adequate Protection Recipient country must provide an adequate level of data protectio.
Consent Data subject's explicit consen.
Legitimate Interests Transfers aligned with legitimate interest.
Regional Agreements Transfers under Central American Integration Treatis
5. Enforcement and Oversight
The State Cybersecurity Agency (ACE) is responsible fo:
Developing and enforcing data protection policies and guideline.
Monitoring compliance and imposing sanctions for violatios
6. Penalties for Non-Compliance
Violations of the data protection law can result in fines categorized a:
Minor Up to 10 minimum monthly salarie.
Serious 11 to 20 minimum monthly salarie.
Very Serious 21 to 40 minimum monthly salaris
⚠️ Concerns and Criticisms
Human Rights Watch has raised concerns that these laws could be used to suppress free expression and press freedo. The broad powers granted to the ACE, including the ability to remove online information, may lead to censorship and reduced transpareny
✅ Compliance Checklist for Organizations
To comply with El Salvador's data protection laws, organizations should:
Appoint a Data Protection Officer (DPO.
Obtain explicit consent from data subjects before processing personal dat.
Implement data protection policies and procedure.
Ensure data security measures are in plac.
Establish mechanisms for data subjects to exercise their right.
RELATED Blog
0 comments