Data protection & privacy laws in Dominican Republic (2026)

Law No. 172-13, promulgated 13 December 2013, is a general statute on the 'comprehensive protection of personal data' contained in public or private files, registries and databases. It applies to any natural or legal person, public or private, engaged in processing personal data.

The regime rests on Article 70 of the 2010 Constitution, which guarantees the right to habeas data — allowing individuals to access, correct, update or delete their personal data held in registries or databases.

Unlike GDPR-style regimes, there is no dedicated, independent national data-protection authority overseeing private-sector processing generally. This is a recognized structural gap in the framework.

A large portion of Law 172-13 regulates credit-information companies (SIC), whose constitution and operation are supervised by the Superintendency of Banks, which sanctions data infringements by credit bureaus. Pro Consumidor (consumer-protection agency) handles data-protection compliance in consumer matters.

The law grants rights of access, rectification, deletion/cancellation and objection, and conditions processing on prior, informed consent (written/express consent for credit reports), with heightened protection for sensitive data.

Authorities and practitioners acknowledge the need to modernize Law 172-13 to align with the EU GDPR and Ibero-American standards and to create an independent authority; reform discussions/draft proposals were ongoing as of 2026 but no new law has been enacted. Separately, the new Penal Code (entering into force August 2026) adds offenses for misuse of personal data, including corporate criminal liability.