New personal data protection regime in the Dominican Republic

May 14, 2024
By Gabriela Beltré Acosta

.

Although the constitutional guarantee of Habeas Data was first expressly enshrined in the Dominican Constitution of January 26, 2010, the right to informational self-determination was already protected by the previous Constitution and by the General Law on Free Access to Public Information, No. 200-04, of February 25, 2004.

Recently, the Dominican Republic's Congress approved the Organic Law on Personal Data Protection, which repeals Law No. 288-05 of August 18, 2005, which regulates credit information and data protection companies.

It provides a system of guarantees for citizens when their personal data is processed by public administrations and private entities.

This legislative piece, which awaits promulgation by the Executive Branch, establishes a model of authorization, supervision and sanctions 1 regarding the activity of Credit Information Companies, whose purpose refers to the conservation and processing of personal data of a financial and commercial nature. These companies must submit, prior to the beginning of their operations,
operations, to the examination and authorization of the Monetary Board, as well as to the supervision of the Central Bank of the Dominican Republic, established as a control body.

It is worth noting that the bill excludes from its scope of application files of personal or domestic data, files established by investigative and intelligence agencies of the Dominican Republic, files referring to deceased persons and files
of data referring to private entities.

Companies whose activity consists of the automated or computerized processing of personal data must implement security systems in order to safeguard the right to privacy and the honor of the owners of said data, avoiding its alteration, loss, treatment,
unauthorized consultation, transfer or access.

The same should be required of official bodies that process data concerning citizens' private lives. While the State needs access to its citizens' data to implement tax, social, and redistributive operations, citizens have the right to benefit from data processing systems that meet quality and security standards.

For these purposes, the possibility of creating the Dominican Data Protection Agency had been considered as the governing body for data protection policies.

Unfortunately, it was not included in the final proposal.

The Organic Law on the Protection of Personal Data provides special protection for so-called "sensitive data"—data that reveals a person's racial and ethnic origin, political opinions, religious, philosophical, or moral beliefs, union membership, and information regarding their physical or mental health, as well as their sexual life.

According to the proposed law, every person has the right to access, rectify, erase, or object to data held about them or their assets in official and private registries, and users of these registries or databases will be obligated to comply with any legitimate request from the data subject.

If the request is not granted, the data subject may file a Habeas Data 2 action; this must be filed in accordance with the amparo procedure before the Court of First Instance of the domicile of the defendant entity. This action allows the data subject to be aware of the existence of such data in official or private records and, in the event of falsification, inaccuracy, or discrimination, to demand the deletion, rectification, updating, and confidentiality of such records. All of this is without prejudice to compensation for damages suffered under common law. The Habeas Data action, which means "here is the data" or "here is the information," derives from the right of citizens to informational self-determination, which is based on the principles of legality, transparency, finality, accuracy, protection of the citizen's privacy, the duty of secrecy, and the data subject's consent, except in the case of military, police, judicial, or state intelligence archives.

Therefore, the use made of information must be consistent with its intended purposes, and personal data must be destroyed or deleted once the purpose for which it was collected has been fulfilled, the latter under the right to be forgotten.

Ultimately, the electronic processing of personal data is a prerequisite for the development of a democratic society and must, therefore, strengthen the rights and guarantees of citizens.