This is how Costa Rica closes 2023 in terms of privacy and data protection


2023 has been a year of growth and learning for Costa Rica in terms of privacy. Two takeaways on local supervisory authority dynamics and a landmark controversy with political and social impact are introduced below.

The local supervisory authority remains busy despite its budget constraints.

Statistics from PRODHAB (local DPA) as of November 27, 2023 show that 55 formal complaints have been processed this year.  A total of 1,489 complaints since 2014, where the banking and financial, commercial and collection management sectors have received the highest number of complaints with 302, 262 and 253 respectively.  The main reasons for complaints from data subjects include (i) requesting the deletion of personal data (601 complaints); (ii) collect, store, transmit or use personal data without prior informed consent (256 complaints); and (iii) collect, store, transmit or use personal data for a purpose other than that previously authorized (235 complaints).

As in recent years, throughout 2023 PRODHAB has implemented a solid in-person and virtual training program on various privacy topics, sometimes aimed at the general public and other times at specific sectors or entities. The profiles and nationalities of the speakers continue to be diverse which benefits the debates.  "Gender violence and respect for privacy", "Processing of personal data in research and pharmaceutical work", and "OpenAI and ChatGPT in Public Policy and Management" are some topics of training activities recently promoted by PRODHAB on its official social networks.

Taking into account that citizens are becoming more informed about their privacy rights, it is likely that the number of formal complaints in 2024 will be equal to or greater than 2023.  Although sanctioning procedures initiated ex officio by PRODHAB are not yet a trend in Costa Rica, it is evident that local and multinational companies with a presence in the country are increasingly interested in aligning their operations and commercial initiatives with the applicable local regulations; among other reasons, to meet the requirements of its own suppliers and business partners, as well as reduce legal and reputational risks.

During the second half of the year, a milestone in terms of privacy occurred.

In line with the already mentioned prominence of the banking and financial sector as well as the growing and sustained exposure of Costa Ricans to privacy issues, a controversy began in August 2023:  The General Superintendent (highest position) of the General Superintendence of Financial Entities (SUGEF) would have been criminally denounced by the Central Bank of Costa Rica (BCCR) for the alleged crime of disobedience to authority. The reason: SUGEF decided not to respond to a request from the BCCR to share with the latter individualized and comprehensive data on credit operations and certain personal data of clients of supervised financial intermediaries, including public and private banks with operations in Costa Rica.  

A few days later, news spread that the BCCR had also made similar requests to public and private banks (some of which did respond to the BCCR's request) and to other public entities such as the Tax Authority and the Costa Rican Social Security Fund.

All this motivated different actors to join the discussion. PRODHAB, the Costa Rican Banking Association, the Costa Rican Union of Chambers and Associations of the Private Business Sector, the Deputy Attorney General's Office for Probity, Transparency and Anti-Corruption; the Financial Consumer Office and the Legislative Assembly were some of them.

The discussion is still active in some channels, such as the case of the Constitutional Chamber of Costa Rica, so it will undoubtedly bring learning and maturity to the country in terms of privacy and protection of personal data. 


Article provided by INPLP member: Fabian Solis (Aguilar Castillo Love, Costa Rica)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.