Copyright © 2024 Arias
All rights reserved.
Fernando Montano
SV | Partner
+503 2257-0945
fernando.montano@ariaslaw.com
On November 12, 2024, the Salvadoran Congress approved the Personal Data Protection Law and the Cybersecurity and Information Security Law.
The Personal Data Protection Law aims to establish specific regulations for the protection of personal data, understood as information concerning an identified or identifiable natural person. Thus, the law determines the essential requirements for the legitimate and informed processing of such data and the regulatory framework to be followed in its collection, use, processing, storage, and other data processing activities, including those related to sensitive personal data and data transfers. The foregoing is intended to guarantee the right to privacy and self-determination of personal information.
The law shall apply to any natural or legal person, public or private, that carries out activities related to the processing of personal data, whether manually, by partially or fully automated means, or through third parties. Furthermore, the law establishes the guiding principles for the protection of personal data and recognizes the rights of data subjects and the manner of their exercise.
The law also requires obligated subjects to appoint a Data Protection Officer, and it establishes the powers of the State Cybersecurity Agency as the entity responsible for the application and supervision of the law. Finally, it establishes the sanctioning regime for violations of personal data protection. The very serious offenses include processing personal data without the prior consent of the data subjects and carrying out international transfers of personal data without the consent of the data subjects.
On the other hand, the Cybersecurity and Information Security Law aims to establish, among other aspects, the principles, regulatory framework, guidelines, and protection policies that allow for the structuring, regulation, monitoring, and oversight of cybersecurity measures and the security of information in the possession of public institutions.
Said law shall apply to all government bodies, their dependencies, autonomous official institutions, municipal authorities, and any other entity or organism, regardless of its form, nature or legal status, that administers public resources or State assets, carries out acts of administration, or has an impact on the critical infrastructures of the nation. Private-sector entities may therefore fall within this category.
The law establishes the obligations that obligated subjects must comply with, notably the obligation to develop an information security strategy in accordance with national and international standards or reference frameworks. In addition, the law creates the State Cybersecurity Agency, which will be in charge of the application and supervision of the law. Finally, it establishes a sanctioning regime for non-compliance with the obligations provided for in the law, with sanctions ranging from dismissal or removal to the imposition of fines whose amount will depend on the seriousness of the infraction.
These instruments, once sanctioned by the President of the Republic, shall enter into force eight days after the date of their publication in the Official Gazette.
If you have any questions, please do not hesitate to contact our lawyers for assistance.
The information provided by ARIAS® is presented for informational purposes only. This information is not legal advice and is not intended to create, and does not constitute, an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.