Skip to content
World Watch/Costa Rica/Data & Privacy

Data & Privacy · Costa Rica

Data protection & privacy law in Costa Rica (2026)

Comprehensive lawLaw No. 8968, Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (2011), with implementing Regulation (Executive Decree No. 37554-JP), enforced by the Agencia de Protección de Datos de los Habitantes (PRODHAB) under the Ministry of Justice and Peace.Country index 66 · B

Costa Rica shaded by its data & privacy status

Data protection in Costa Rica: comprehensive law, under Law No. 8968, Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (2011), with implementing Regulation (Executive Decree No. 37554-JP), enforced by the Agencia de Protección de Datos de los Habitantes (PRODHAB) under the Ministry of Justice and Peace..

Costa Rica has an omnibus, GDPR-precursor data-protection law in force since 2011 (Law 8968), making it one of the first Latin American countries to enact such a regime. It applies to automated and manual personal-data files in both the public and private sectors and is supervised and enforced by a dedicated authority, PRODHAB. A comprehensive reform bill (No. 23097) to modernize and align the law with the EU GDPR has been before the Legislative Assembly since 2022 but is not yet enacted.

Key points

Comprehensive law in force

Law 8968 was approved on 7 July 2011 and published in La Gaceta No. 170 on 5 September 2011; it guarantees the fundamental right to informational self-determination and regulates processing of personal data by any natural or legal person, public or private, operating in Costa Rican territory.

Supervisory authority (PRODHAB)

The Agencia de Protección de Datos de los Habitantes (PRODHAB) is the data-protection authority created by Law 8968 as a body of maximum deconcentration attached to the Ministry of Justice and Peace; it maintains the national database registry, investigates complaints, conducts inspections, and imposes sanctions, and can order precautionary measures.

Data-subject rights

The law grants rights of access, rectification, deletion/suppression, and the right to consent to (and revoke consent for) the transfer of one's personal data; controllers must respond free of charge, generally within five business days of receiving a request.

Controller obligations & database registration

Controllers must obtain the data subject's express consent to collect and process personal data; Article 21 requires registration with PRODHAB of public or private databases administered for distribution, dissemination or commercialization purposes, though databases of financial entities regulated by SUGEF are exempt.

Enforcement & sanctions

PRODHAB can impose administrative fines and, in serious cases, order a controller or processor to cease use of a database for one to six months; reported fine ranges run roughly from about USD 3,000 up to USD 18,000 depending on severity.

Pending GDPR-style reform (not yet in force)

Bill No. 23097, a comprehensive reform that would repeal Law 8968 and align Costa Rica with the EU GDPR, was introduced in May 2022; the Science and Technology Commission issued a report in January 2025, but the bill has not been enacted, so Law 8968 remains the governing regime.

Timeline - major decisions & events

Jan 1, 2025law
Science & Technology Commission Clears Bill 23097 for Plenary Debate

The Asamblea Legislativa's Science and Technology Commission issued a formal favorable report on Bill 23097, sending the proposed GDPR-aligned replacement for Law 8968 to the full chamber. The bill would introduce legitimate-interest processing, mandatory breach notification, data protection impact assessments, and a strengthened PRODHAB with dedicated budget.

INPLP / EuroCloud Europe
Mar 15, 2024decisionofficial
Council of Europe Bureau Notes Costa Rica's Internal Process Toward Convention 108+ Accession

At its 61st Bureau meeting, the Consultative Committee of Convention 108 formally noted the progress of Costa Rica's legislative procedures for acceding to the modernised Convention 108+, the only binding multilateral data-protection treaty. Accession would align Costa Rica with a global adequacy standard and ease cross-border data flows.

Council of Europe T-PD Bureau
May 8, 2022incident
President Declares National Emergency — First Ever for a Cyberattack

President Rodrigo Chaves declared a national state of emergency after the Conti ransomware group crippled approximately 30 government agencies and publicly leaked roughly 672 GB of stolen data containing personal information of Costa Rican citizens. The incident exposed the near-total absence of state cybersecurity and data-breach response frameworks.

Wikipedia / CCDCOE Cyber Law Toolkit
Apr 17, 2022incident
Conti Ransomware Campaign Begins Against Costa Rican Government Agencies

The Conti group launched a sustained ransomware campaign against nearly 30 Costa Rican state institutions, including the Ministry of Finance, MICITT, RACSA, and the Social Security Fund (CCSS), exfiltrating and publicly leaking sensitive personal and financial data. It was the most damaging cyberattack in Latin American government history and directly triggered debate about data protection adequacy.

CCDCOE Cyber Law Toolkit
Jan 1, 2020guidanceofficial
Council of Europe Publishes Evaluation of Costa Rica's Law 8968 vs. Convention 108+

The Convention 108 Consultative Committee released a formal accession-evaluation report comparing Costa Rica's data protection framework with Convention 108+ requirements, identifying material gaps — including insufficient coverage of biometric data, trade-union membership, and criminal-offense data — and recommending legislative reforms as prerequisites for accession.

Council of Europe T-PD
Oct 30, 2013lawofficial
Executive Decree 37554-JP — Implementing Regulation for Law 8968

The Ministry of Justice and Peace published the detailed implementing regulation for Law 8968, establishing mandatory database registration with PRODHAB, a 5-business-day data-breach notification window, specific cross-border transfer rules, and heightened requirements for sensitive-data processing. The regulation made PRODHAB fully operational.

SCIJ — Procuraduría General de la República
Jan 1, 1999decisionofficial
Sala IV (Constitutional Chamber) Decision 5802-99 — Informational Self-Determination Declared a Fundamental Right

The Constitutional Chamber of the Supreme Court held that autodeterminación informativa (informational self-determination) is an affirmative fundamental right under Article 24 of the Constitution, giving individuals the right to know what personal data exists about them, control its use, and demand correction or deletion. This ruling created the constitutional habeas data doctrine that underpins all subsequent data protection legislation.

Sala Constitucional — Poder Judicial de Costa Rica

Costa Rica - other topics

Data & Privacy in other countries

Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →