El Salvador's New Data Protection Law

El Salvador's Legislative Decree No. 144, known as the "Personal Data Protection Law" (the "Law"), came into effect on November 23, 2024. This law applies to both the public and private sectors, marking the country's first specific legislation on this matter after President Nayib Bukele vetoed a similar initiative in May 2021. The Law shares structural and thematic similarities with other Latin American data protection laws, covering data collection and processing, data subject rights, and cross-border data transfers. However, it also includes unique aspects that must be considered when implementing business initiatives in this Central American country.

Key Differentiators of the Law

Unlike Brazil and Ecuador, which have specific provisions on territorial application (and even extraterritorial reach in certain scenarios), El Salvador's new law does not include such provisions. It also lacks specific requirements for database registrations, unlike Nicaragua and Peru.

While the Law introduces the role of the data processor, it does not list specific duties or requirements for processors, unlike Colombia and Costa Rica. It also omits the need for impact assessments, which are required by Uruguayan and Chilean laws.

Other unique aspects of El Salvador's new law include:

  1. Special emphasis on processing personal data of children, adolescents, and disadvantaged groups such as people with disabilities, the elderly, and indigenous populations.
  2. The requirement for a data protection officer, who plays a crucial role in managing privacy rights requests.
  3. A duty for controllers to notify the supervisory authority, affected data subjects, and the Attorney General's Office in the event of security incidents.


All the above is structured around fundamental principles, including:

  1. Data Minimization: Collect only the data strictly necessary for the established purpose.
  2. Consent and Purpose: Ensure all data collection and processing have the explicit consent of the data subject and a clear, legitimate purpose.
  3. Lawfulness: Data processing must comply with current regulations and have a valid legal basis.
  4. Transparency: Inform data subjects clearly and accessibly about how their data will be used, avoiding technical jargon or fine print.
  5. Accuracy: Ensure data is precise, complete, and up to date to prevent errors that could affect data subjects.
  6. Security: Implement measures to protect data from unauthorized access, loss, or alterations.

New Supervisory Authority

The new supervisory authority responsible for enforcing the Law is the "State Cybersecurity Agency" (the "Agency"), established by Legislative Decree No. 143, the "Cybersecurity and Information Security Law." Both Decrees No. 143 and No. 144 were published in the same issue of the Official Gazette on November 15, 2024.

The Agency will be led by a Director General, who has yet to be appointed, and the Agency currently lacks an assigned budget. Once operational, the Agency must issue policies, measures, guidelines, and any other necessary provisions for the Law's implementation within three months of its effective date. Specific pending documents include policies for data controllers on personal data handling and security measures for data protection. Data controllers will have three months from the issuance of these provisions to comply.

The Law also sets a six-month deadline from its effective date to establish mechanisms for data subjects to exercise their rights.

Current National Context

The Law's enactment comes amid a positive national outlook. Real and encouraging facts and statistics about El Salvador can be found on the official website of the Investment and Export Promotion Agency ("Invest in El Salvador"), in the "Tourism Doing Business in El Salvador" report by UN Tourism and CAF dated November 15, 2024, and in the "2024 Investment Climate Statements: El Salvador" by the U.S. Department of State. The Law brings modernization, strengthens constitutional principles, and provides confidence and security to both local and foreign investors. An educational challenge now begins to ensure that citizens, government entities, and local and foreign companies understand and correctly apply the Law's content.

Article provided by INPLP member: Fabian Solis (Aguilar Castillo Love, Costa Rica) with the special collaboration of Flor de María Cortez and Bryan Guevara (Aguilar Castillo Love, El Salvador).

Dr. Tobias Höllwarth (Managing Director INPLP)
