El Salvador's New Data Protection Law

24.04.2025

El Salvador's Legislative Decree No. 144, known as the "Personal Data Protection Law" (the "Law"), came into effect on November 23, 2024. This law applies to both the public and private sectors, marking the country's first specific legislation on this matter after President Nayib Bukele vetoed a similar initiative in May 2021. The Law shares structural and thematic similarities with other Latin American data protection laws, covering data collection and processing, data subject rights, and cross-border data transfers. However, it also includes unique aspects that must be considered when implementing business initiatives in this Central American country.

Key Differentiators of the Law

Unlike Brazil and Ecuador, which have specific provisions on territorial application (and even extraterritorial reach in certain scenarios), El Salvador's new law does not include such provisions. It also lacks specific requirements for database registrations, unlike Nicaragua and Peru.

While the Law introduces the role of the data processor, it does not list specific duties or requirements for them, unlike Colombia and Costa Rica. It also omits the need for impact assessments, which are required by Uruguayan and Chilean laws.

Other unique aspects of El Salvador's new law include:

  1. Special emphasis on processing personal data of children, adolescents, and disadvantaged groups such as people with disabilities, the elderly, and indigenous populations.
  2. The requirement for a data protection officer, who plays a crucial role in managing privacy rights requests.
  3. In the event of security incidents, controllers must notify the supervisory authority, affected data subjects, and the Attorney General's Office.


All the above is structured around fundamental principles, including:

  1. Data Minimization: Collect only the data strictly necessary for the established purpose.
  2. Consent and Purpose: Ensure all data collection and processing have the explicit consent of the data subject and a clear, legitimate purpose.
  3. Lawfulness: Data processing must comply with current regulations and have a valid legal basis.
  4. Transparency: Inform data subjects clearly and accessibly about how their data will be used, avoiding technical jargon or fine print.
  5. Accuracy: Ensure data is precise, complete, and up to date to prevent errors that could affect data subjects.
  6. Security: Implement measures to protect data from unauthorized access, loss, or alterations.

 

New Supervisory Authority

The new supervisory authority responsible for enforcing the Law is the "State Cybersecurity Agency" (the "Agency"), established by Legislative Decree No. 143, the "Cybersecurity and Information Security Law." Both Decrees No. 143 and No. 144 were published in the same issue of the Official Gazette on November 15, 2024.

The Agency will be led by a Director General, who has yet to be appointed, and currently lacks an assigned budget. Once operational, the Agency must issue policies, measures, guidelines, and any other necessary provisions for the Law's implementation within three months of its effective date. Specific pending documents include policies for data controllers on personal data handling and security measures for data protection. Data controllers will have three months from the issuance of these provisions to comply.

The Law also sets a six-month deadline from its effective date to establish mechanisms for data subjects to exercise their rights.

Current National Context

The Law's enactment comes amid a positive national outlook. Real and encouraging facts and statistics about El Salvador can be found on the official website of the Investment and Export Promotion Agency – “Invest in El Salvador”, in the "Tourism Doing Business in El Salvador" report by UN Tourism and CAF dated November 15, 2024, and in the “2024 Investment Climate Statements: El Salvador” by the U.S. Department of State. The Law brings modernization, strengthens constitutional principles, and provides confidence and security to both local and foreign investors. An educational challenge now begins to ensure that citizens, government entities, and local and foreign companies understand and correctly apply the Law's content.

 

Article provided by INPLP member: Fabian Solis (Aguilar Castillo Love, Costa Rica) with the special collaboration of Flor de María Cortez and Bryan Guevara (Aguilar Castillo Love, El Salvador).

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.