12 elements you should know about the Data Protection Act

March 25th, 2021

In its session No. 707, the outgoing National Assembly approved the Organic Law for Personal Data Protection with a vote of 118 in favor and one abstention.

Here are twelve things you should know about the Data Protection Law.

  1. The Data Protection Law is divided into 12 chapters, 77 articles, 9 general provisions, 4 transitory provisions, 4 amending provisions, 4 repealing provisions, and 1 final provision.
  2. The aim of the law is to ensure exercise of the right to protect one’s personal data, which includes access to and decisions regarding this type of information and data, as well as its respective protection.
  3. The need for consent from the owner of personal data is stressed: personal data may only be processed and communicated when the owner has stated their willingness to allow it (consent). Since it deals with personal data, this law focuses on the data of individuals, not that of companies.
  4. The Data Protection Law establishes special categories of data, which are to be treated in different ways: sensitive data; data of girls, boys, and adolescents; health data; and data of people with disabilities and their substitutes, according to the disability.
  5. The following additional specific rights are granted to owners of credit information:
    • To personally access the information they own;
    • That their credit reports enable them to know clearly and precisely the condition of their credit history; and
    • That the information sources update, rectify, or eliminate, on a case-by-case basis, any information that is illegal, false, inaccurate, erroneous, incomplete, or out of date.
  6. The Data Protection Law mandates that all health-related data processing must comply with minimum parameters determined by the Personal Data Protection Authority, which stresses respect for the principles of confidentiality and professional secrecy.
  7. Regarding data transfer, including information from databases, the law specifies that personal data may be transferred or communicated to third parties when:
    • It is done in fulfillment of purposes directly related to the legitimate responsibilities of the person in charge and of the recipient;
    • The transfer falls within one of the grounds of legitimacy established by law; and
    • The owner’s consent has been given.
  8. The law creates the figure of the person responsible for or in charge of processing personal data, who must abide by the principle of personal data security, to which end he or she must take into account:
    • The categories and volume of personal data;
    • The state of the art;
    • Comprehensive best security practices and the costs of applying them according to the nature, scope, context, and purposes of the processing; and
    • Identification of the probability of risks.
  9. The Personal Data Protection Authority is created as a control and surveillance body responsible for ensuring the protection of all citizens' personal data and for carrying out all the necessary measures so that the principles, rights, guarantees, and procedures provided for in the law and in its future enforcement regulations are respected.
  10. The law establishes the proactive responsibility of those responsible for and in charge of processing personal data, who may voluntarily adhere to or comply with codes of conduct, certifications, seals and brands of protection, and standard clauses, without this constituting a waiver of their responsibility to comply with the provisions of the law, its regulations, directives, guidelines, and regulations issued by the Personal Data Protection Authority and other regulations on the matter.
  11. The law creates the National Registry for Personal Data Protection, where the person responsible for personal data processing must report and keep the information updated with the Personal Data Protection Authority.
    Information on international transfers of personal data must be registered in advance with the National Registry for Personal Data Protection by the person responsible for such processing or, where appropriate, by the person acting in their place.
  12. In the event of non-compliance with the provisions of the Data Protection Law, corrective measures, violations, and a penalty system have been established for third parties and for the data protection officer.

Do not hesitate to contact us for any further information you may require. 


AVL Abogados
