Costa Rica’s 2011 data protection law came into force March 5, 2013. While this imposes new obligations on businesses operating or looking to do business in the country, as with other data protection laws modelled on the EU’s data protection regime, it will boost the trust and should result in increased trade .
And given the similarity to the EU data protection regime, we are likely to see Costa Rica apply for adequate protection status in the future.
The Costa Rican law requires data subject consent for any processing; and e-commerce sites must publish privacy notices, and individuals must have a private right of action if their personal data are published.
Data controllers are required to register their processing with the Prodhab and give it a “superuser” account for databases, even if maintained or hosted by a third party.
The regulations also requires organizations to report data breaches within five days of becoming aware of the breach. Costa Rica intends to introduce additional data protection rules for the financial sector later this year.