Defining The Fundamental Right of Privacy in Nicaragua
Nicaragua’s Law on Personal Data Protection No. 787 of 21 March 2012 is a data privacy law that was passed in 2012. Prior to the passing of Nicaragua’s Law on Personal Data Protection No. 787 of 21 March 2012, data privacy regulations within Nicaragua were largely limited to laws pertaining to specific sectors of the nation’s economy, whether it be banking or healthcare. However, Nicaragua’s Constitution of 1987 does state that citizens of the country have the fundamental right to privacy. To this point, the Law on Personal Data Protection No. 787 of 21 March 2012 further defines this constitutional right by establishing the legal framework that data controllers and processors within Nicaragua must adhere to when processing personal data.
How are data controllers and processors defined?
Under Nicaragua’s Law on Personal Data Protection No. 787 of 21 March 2012, a data controller is defined as the “person responsible for the data files is any natural or legal person, whether public or private, that, in accordance with the Law, decides on the processing of personal data.” Conversely, the law does not provide a definition for the term data processor, as data controllers and their associated third parties are the only entities permitted to handle personal data under the law. Alternatively, the law defines personal data as “all the information relating to an individual or an entity which identifies them or makes them identifiable”, while sensitive personal data is defined as “information that reveals a person’s racial or ethnic origin, political affiliation, religion, philosophical or moral beliefs, union membership, as well as information related to health or sexual life, criminal or administrative offenses, or financial or credit history, or and any other information that could cause discrimination.”
What are the requirements?
Much like the EU’s General Data Protection Regulation or GDPR, Nicaragua’s Law on Personal Data Protection No. 787 of 21 March 2012 establishes various principles that data controllers within the country are required to follow when collecting, processing, using, disclosing, or transferring personal data. These principles include:
- Legality- Data controllers are responsible for collecting and processing personal data in accordance with the provisions set out in the Political Constitution of the Republic of Nicaragua, as well as other applicable laws.
- Legitimate purpose- Personal data may only be collected and processed in accordance with legitimate purposes, and said data must be adequate, proportionate, and necessary in relation to the purposes for which it is to be used.
- Transparency- Under the law, data controllers and required to provide data owners with certain details pertaining to the collection and processing of their data, among other things.
- Limitation of the conservation period- Under the law, data owners reserve the right “to request the social networks, browsers, and servers to delete and cancel the personal data that are in its files.”
- Security measures- Data controllers are responsible for implementing and maintaining technical and organizational security measures for the purposes of protecting all personal data in their possession.
- Confidentiality- Data controllers are responsible for maintaining the confidentiality of all personal data they collect or process.
What are the rights of Nicaraguan citizens under the Law?
Under the Law on Personal Data Protection No. 787 of 21 March 2012, Nicaraguan citizens are entitled to the following data protection and personal privacy rights:
- The right to be informed.
- The right to access.
- The right to erasure.
- The right to rectification.
- The right to object or opt-out.
In terms of the enforcement of the law, Nicaragua’s Law on Personal Data Protection No. 787 of 21 March 2012 did not establish a regulatory authority with the power to enforce the provisions set forth in the law. Nevertheless, the “law establishes administrative sanctions for those adding or providing false data into a file, registry or database, violating confidentiality and security systems, or disclosing information registered in such databases. The administrative sanctions are:”
- Issuing a warning notice;
- Suspending operations; and
- Closing the data files.
As data protection and personal privacy continue to become more pressing and relevant issues amidst our current digital climate, many countries around the world have taken legislative measures to ensure the data protection rights of their respective citizens. In the context of South America, Nicaragua joins the list of countries through the continent that have passed laws pertaining to data privacy in the last ten years, including Brazil’s General Data Protection Law or LGPD and Colombia’s Statutory Law 1581 of 2012 (October 17), among others. To this end, Nicaraguan citizens can rest assured that their personal data is protected whenever they provide said data for a specific purpose.