Data & Privacy · Costa Rica
Data protection & privacy law in Costa Rica (2026)
Costa Rica shaded by its data & privacy status
Data protection in Costa Rica: comprehensive law, under Law No. 8968, Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales (2011), with implementing Regulation (Executive Decree No. 37554-JP), enforced by the Agencia de Protección de Datos de los Habitantes (PRODHAB) under the Ministry of Justice and Peace..
Costa Rica has an omnibus, GDPR-precursor data-protection law in force since 2011 (Law 8968), making it one of the first Latin American countries to enact such a regime. It applies to automated and manual personal-data files in both the public and private sectors and is supervised and enforced by a dedicated authority, PRODHAB. A comprehensive reform bill (No. 23097) to modernize and align the law with the EU GDPR has been before the Legislative Assembly since 2022 but is not yet enacted.
Key points
Law 8968 was approved on 7 July 2011 and published in La Gaceta No. 170 on 5 September 2011; it guarantees the fundamental right to informational self-determination and regulates processing of personal data by any natural or legal person, public or private, operating in Costa Rican territory.
The Agencia de Protección de Datos de los Habitantes (PRODHAB) is the data-protection authority created by Law 8968 as a body of maximum deconcentration attached to the Ministry of Justice and Peace; it maintains the national database registry, investigates complaints, conducts inspections, and imposes sanctions, and can order precautionary measures.
The law grants rights of access, rectification, deletion/suppression, and the right to consent to (and revoke consent for) the transfer of one's personal data; controllers must respond free of charge, generally within five business days of receiving a request.
Controllers must obtain the data subject's express consent to collect and process personal data; Article 21 requires registration with PRODHAB of public or private databases administered for distribution, dissemination or commercialization purposes, though databases of financial entities regulated by SUGEF are exempt.
PRODHAB can impose administrative fines and, in serious cases, order a controller or processor to cease use of a database for one to six months; reported fine ranges run roughly from about USD 3,000 up to USD 18,000 depending on severity.
Bill No. 23097, a comprehensive reform that would repeal Law 8968 and align Costa Rica with the EU GDPR, was introduced in May 2022; the Science and Technology Commission issued a report in January 2025, but the bill has not been enacted, so Law 8968 remains the governing regime.
Timeline - major decisions & events
The Asamblea Legislativa's Science and Technology Commission issued a formal favorable report on Bill 23097, sending the proposed GDPR-aligned replacement for Law 8968 to the full chamber. The bill would introduce legitimate-interest processing, mandatory breach notification, data protection impact assessments, and a strengthened PRODHAB with dedicated budget.
INPLP / EuroCloud Europe ↗At its 61st Bureau meeting, the Consultative Committee of Convention 108 formally noted the progress of Costa Rica's legislative procedures for acceding to the modernised Convention 108+, the only binding multilateral data-protection treaty. Accession would align Costa Rica with a global adequacy standard and ease cross-border data flows.
Council of Europe T-PD Bureau ↗President Rodrigo Chaves declared a national state of emergency after the Conti ransomware group crippled approximately 30 government agencies and publicly leaked roughly 672 GB of stolen data containing personal information of Costa Rican citizens. The incident exposed the near-total absence of state cybersecurity and data-breach response frameworks.
Wikipedia / CCDCOE Cyber Law Toolkit ↗The Conti group launched a sustained ransomware campaign against nearly 30 Costa Rican state institutions, including the Ministry of Finance, MICITT, RACSA, and the Social Security Fund (CCSS), exfiltrating and publicly leaking sensitive personal and financial data. It was the most damaging cyberattack in Latin American government history and directly triggered debate about data protection adequacy.
CCDCOE Cyber Law Toolkit ↗The Convention 108 Consultative Committee released a formal accession-evaluation report comparing Costa Rica's data protection framework with Convention 108+ requirements, identifying material gaps — including insufficient coverage of biometric data, trade-union membership, and criminal-offense data — and recommending legislative reforms as prerequisites for accession.
Council of Europe T-PD ↗The Ministry of Justice and Peace published the detailed implementing regulation for Law 8968, establishing mandatory database registration with PRODHAB, a 5-business-day data-breach notification window, specific cross-border transfer rules, and heightened requirements for sensitive-data processing. The regulation made PRODHAB fully operational.
SCIJ — Procuraduría General de la República ↗The Constitutional Chamber of the Supreme Court held that autodeterminación informativa (informational self-determination) is an affirmative fundamental right under Article 24 of the Constitution, giving individuals the right to know what personal data exists about them, control its use, and demand correction or deletion. This ruling created the constitutional habeas data doctrine that underpins all subsequent data protection legislation.
Sala Constitucional — Poder Judicial de Costa Rica ↗Costa Rica - other topics
Data & Privacy in other countries
Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →