Costa Rica Data Privacy Laws: Ley 8968 and PRODHAB Compliance Guide (2026)

Costa Rica protects personal data under Ley No. 8968, a 2011 statute enforced by PRODHAB, the national supervisory authority. The law requires informed, express consent before any personal data may be collected or processed, grants individuals rights of access, rectification, and deletion, and authorizes fines of up to 30 base salaries for violations.
Costa Rica enacted Ley No. 8968 on July 7, 2011, making it one of the first Central American countries to adopt a comprehensive data protection statute. The law, formally titled the Ley de Proteccion de la Persona frente al Tratamiento de sus Datos Personales, rests on the constitutional right to privacy enshrined in Article 24 of the Constitucion Politica, and its implementing regulation, Executive Decree 37554-JP, has been in force since 2013.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer. It presents general legal information about Costa Rica's data protection framework; it does not constitute legal advice for any specific situation.
Jurisdiction scope: This article covers Costa Rica's national data protection framework under Ley 8968 and Decree 37554-JP, administered by PRODHAB. It does not address the laws of other Central American or Latin American countries. For Costa Rica recording consent rules, see our guide to Costa Rica recording laws.
Quick Answer: Costa Rica Data Privacy in Plain Terms
Costa Rica protects personal data through Ley 8968, which the Agencia de Proteccion de Datos de los Habitantes (PRODHAB) enforces as the country's independent supervisory authority. The law requires informed, express consent before personal data may be collected or processed; grants individuals rights of access, correction, deletion, and objection; obligates most commercial data controllers to register their databases with PRODHAB; restricts cross-border data transfers to countries with adequate protections; and authorizes fines of up to 30 base salaries for violations. Constitutional Chamber Decision 5802-99 first recognized informational self-determination as a fundamental right under Article 24 of the Constitution, and Law 8968 translates that constitutional guarantee into operational obligations. A proposed replacement law (Bill 23097) that would align Costa Rica more closely with the EU General Data Protection Regulation has been under legislative debate since 2022 and remained pending as of May 2026.
Constitutional Basis: Article 24 and Informational Self-Determination
Costa Rica's data protection framework begins not in statute but in constitutional text. Article 24 of the Constitucion Politica de la Republica de Costa Rica provides:
"Se garantiza el derecho a la intimidad, a la libertad y al secreto de las comunicaciones. Son inviolables los documentos privados y las comunicaciones escritas, orales o de cualquier otro tipo de los habitantes de la Republica."
Translated: "The right to intimacy, freedom, and secrecy of communications is guaranteed. Private documents and written, oral, or any other type of communications of the inhabitants of the Republic are inviolable."
The Sala Constitucional (Constitutional Chamber of the Supreme Court) extended Article 24 beyond a passive shield against government surveillance. In Decision 5802-99, the Chamber recognized autodeterminacion informativa (informational self-determination) as an active constitutional right: individuals do not merely enjoy protection against unlawful disclosure of their data; they hold an affirmative right to know what personal information exists about them, to control how it is used, and to demand correction or deletion of inaccurate or illegitimately processed data.
This constitutional grounding distinguishes Costa Rica from many Latin American jurisdictions where data protection is entirely statutory. Because the right has constitutional rank, no ordinary law may eliminate it. Ley 8968 operationalizes the right; it does not create it. Any reform or replacement statute must preserve, not reduce, the constitutional floor.
The SCIJ database at pgrweb.go.cr hosts the official consolidated text of both Article 24 and Ley 8968.
Ley 8968: Scope, Definitions, and Core Principles
Ley 8968 applies to personal data held in automated and manual databases operated by any natural or legal person, public or private, within Costa Rican territory. It also applies to entities located outside Costa Rica that process data of individuals in the country where Costa Rican law governs the relationship.
Key Definitions
Article 3 of Ley 8968 establishes the working vocabulary:
Personal data (datos personales): any data concerning a natural person who is identified or identifiable.
Sensitive data (datos sensibles): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, information concerning health or sexual life, and biometric data used for identification purposes. Sensitive data carries heightened consent requirements discussed below.
Database (base de datos): any organized set of personal data allowing access according to specific criteria, whether centralized, decentralized, or distributed in functional or geographic terms.
Data processing (tratamiento de datos): any operation performed on personal data, including collection, recording, storage, organization, adaptation, modification, consultation, use, communication by transmission or dissemination, alignment or combination, and blocking or erasure.
Responsible party (responsable de la base de datos): the natural or legal person who decides the purpose and content of a database and the manner in which data is processed.
Data processor (encargado del tratamiento): the natural or legal person who processes data on behalf of the responsible party under a contractual relationship.
Exemptions from the Law
Article 2 of Ley 8968 excludes from its scope:
- Databases maintained by natural persons for exclusively private or domestic purposes
- Databases established for national security purposes under specific legal frameworks
- Journalistic databases used exclusively for the purposes of media activity
- Files containing data whose processing is governed by special legislation
Core Principles
Decree 37554-JP articulates the principles governing all processing activities:
- Purpose limitation (principio de finalidad): data must be collected for a specific, explicit, and legitimate purpose, and not further processed in a manner incompatible with that purpose.
- Data quality (calidad de los datos): personal data must be accurate, complete, current, and relevant to the declared purpose.
- Security (seguridad): the responsible party must adopt technical and organizational measures appropriate to the risk of the processing.
- Confidentiality (confidencialidad): persons with access to personal data must keep it confidential, including after their role ends.
- Consent (consentimiento): processing requires the prior, informed, express, and free consent of the data subject, except where a legal derogation applies.
Legal Bases for Processing
Consent is the dominant legal basis under Ley 8968, but Article 5 of the law recognizes several grounds that authorize processing without consent:
| Legal Basis | Condition |
|---|---|
| Consent | Informed, express, and freely given by the data subject |
| Legal obligation | Processing is required to comply with a legal norm applicable to the responsible party |
| Contractual necessity | Processing is necessary for the performance of a contract to which the data subject is a party, or pre-contractual steps at the data subject's request |
| Vital interests | Processing is necessary to protect vital interests of the data subject where consent cannot be obtained |
| Public interest / official authority | Processing by public bodies within their legally defined competencies |
| Publicly available sources | Data collected from sources legally accessible to the public, provided processing respects the purpose for which it was made public |
Unlike the EU GDPR, Ley 8968 does not include "legitimate interests" as a standalone ground. A controller relying on publicly available data must still process that data consistently with the purpose for which it was disclosed and with Law 8968's general principles.
Consent Requirements
Consent under Ley 8968 must satisfy three cumulative requirements: it must be informed, express, and free.
Informed means the data subject has received, before giving consent, clear information about: (a) the identity and contact details of the responsible party; (b) the specific purpose for which data will be processed; (c) any third parties to whom data may be transferred; and (d) the data subject's rights under the law.
Express means consent cannot be implied from silence, pre-ticked boxes, or inaction. The data subject must take a positive act evidencing agreement.
Free means consent must not be conditioned on acceptance of other terms where the processing is not necessary to the performance of a service the data subject is seeking. Coercion or deception invalidates consent.
Elevated Standard for Sensitive Data
Processing sensitive data requires written consent under Article 9 of Ley 8968. Written consent must specify the categories of sensitive data involved and the purpose of processing. Verbal consent or an unsigned electronic acknowledgment does not satisfy this requirement for sensitive categories.
Written consent for sensitive data may be dispensed with in three situations:
- Processing required by law for reasons of general interest (for example, mandatory public health reporting)
- Medical or health care processing where the data subject is physically or legally unable to give consent
- Processing by a non-profit body with respect to its own members, provided data is not disclosed outside the organization without separate written consent
Withdrawal of Consent
Data subjects may withdraw consent at any time. Withdrawal does not retroactively render prior processing unlawful, but the responsible party must cease processing from the moment withdrawal is communicated, subject to any overriding legal obligation to retain data.
Data Subject Rights
Chapter IV of Ley 8968 enumerates the rights individuals hold over their personal data. These rights are exercised first against the responsible party, and if that party fails to respond or the data subject is dissatisfied, the data subject may escalate to PRODHAB.
Right of Information (Derecho de Informacion)
Any person may query any public or private entity to learn whether that entity holds a database containing their personal data, what data it contains, the purpose of the database, and the identity of the responsible party. This right applies regardless of whether the data was provided by the data subject or collected from third parties.
Right of Access (Derecho de Acceso)
Data subjects may request a full copy of their personal data held in any database. Under Article 7 of Ley 8968 and Article 22 of Decree 37554-JP, the responsible party must respond within five business days of receiving a complete and properly identified request. The response must include the data in intelligible form. No fee may be charged for a first access request within a 12-month period.
Right of Rectification (Derecho de Rectificacion)
Where personal data is inaccurate, incomplete, or outdated, the data subject may request correction. The responsible party has five business days to make the correction and to notify any third parties to whom the erroneous data was previously disclosed.
Right of Deletion (Derecho de Supresion)
Data subjects may request deletion of their personal data when:
- The data is no longer necessary for the purpose for which it was collected
- The data subject withdraws consent and no other legal basis applies
- Processing violates Ley 8968 or other applicable law
The right of deletion does not apply where the data must be retained to comply with a legal obligation or to establish, exercise, or defend legal claims.
Right of Objection (Derecho de Oposicion)
Data subjects may object to processing of their personal data when they have legitimate grounds related to their particular situation, even where the processing is otherwise lawful. The responsible party must evaluate the objection and suspend processing if the data subject's grounds prevail.
Timeframe Summary
| Right | Response Deadline |
|---|---|
| Information | Five business days |
| Access | Five business days |
| Rectification | Five business days to correct and notify third parties |
| Deletion | Five business days (or statement of grounds for refusal) |
| Objection | No fixed statutory deadline; PRODHAB may set a deadline during complaint proceedings |
Watch out: The five-business-day deadline runs from receipt of a complete, properly identified request. Responsible parties frequently delay by treating incomplete or ambiguous requests as not yet received. Data subjects should submit written requests with full identification and a clear description of the data at issue so that the deadline begins to run unambiguously.
PRODHAB: Structure, Powers, and Enforcement Record
The Agencia de Proteccion de Datos de los Habitantes (PRODHAB) was created by Chapter VI of Ley 8968. It operates as an organo de desconcentracion maxima attached to the Ministry of Justice and Peace, exercising regulatory, investigative, and sanctioning functions with technical and operational independence from the ministry's general hierarchy.
Core Functions
Registration and registry management: PRODHAB maintains a public registry of databases subject to the registration requirement. The registry is searchable, allowing data subjects to identify which entities hold data about them.
Inspection and audit: PRODHAB may conduct inspections of registered databases on its own initiative or following a complaint. Inspectors may review documentation, interview staff, and examine security measures.
Complaint handling: PRODHAB receives and investigates formal complaints from data subjects. Since becoming operational, PRODHAB has processed over 1,489 formal complaints through the end of 2023. The sectors generating the highest complaint volumes are banking and financial (302 complaints), commercial (262), and collection management (253). The most common complaint grounds are: requests for data deletion (601 complaints), collection or processing without informed consent (256 complaints), and unauthorized secondary use of data beyond the original authorization.
Guidance and codes of conduct: PRODHAB issues binding technical guidelines and approves voluntary codes of conduct for specific sectors. Compliance with an approved code is a mitigating factor in sanction proceedings.
Sanctioning: PRODHAB may impose the graduated sanctions described in the Penalties section below. Sanction proceedings follow an adversarial administrative procedure in which the accused party may present evidence and argument before a final resolution is issued.
A March 2026 press investigation noted that PRODHAB lacks clear internal controls over case duration, and some complaint proceedings have taken more than a year to resolve. This institutional capacity gap is among the improvements targeted by the proposed reform legislation under Bill 23097.
Database Registration Requirement
One distinctive feature of Ley 8968 compared to the EU GDPR is the mandatory registration of certain databases with PRODHAB before processing begins.
Who Must Register
Registration is required for any natural or legal person, public or private, that maintains a database of personal data for the purposes of distributing, disclosing, or commercializing that data. This covers data brokers and list providers, marketing and advertising databases, credit reporting agencies, and companies that sell or license access to personal data.
Who Is Exempt
Two important exemptions apply under the law and its regulation:
- Internal-use databases: entities that maintain databases of personal data solely for their own internal operational purposes (for example, HR records, customer service records, or supplier registers used exclusively by the data controller) are not required to register.
- SUGEF-regulated financial institutions: entities subject to the control and regulation of the Superintendencia General de Entidades Financieras (SUGEF) are exempt from PRODHAB registration for data processed under SUGEF's supervisory framework.
Registration Information Required
A registration application must include: full identity and contact details of the responsible party; name and description of the database; purpose and categories of data subjects; types of personal data processed; intended recipients; description of cross-border transfers if any; security measures; and retention period or criteria.
The annual registration fee is USD 200. Failure to register when required is a serious infraction under Ley 8968.
Retention Limit
An amendment to Decree 37554-JP introduced a 10-year maximum retention period for personal data held in registered databases. Data must be deleted or anonymized at the end of that period unless a specific legal obligation requires longer retention.
Cross-Border Data Transfers
Article 11 of Ley 8968 governs international transfers of personal data. Costa Rica adopts an adequacy-based model, structurally similar to the EU GDPR approach.
Adequacy Standard
Personal data may be transferred to another country or international organization only if PRODHAB has determined that the recipient jurisdiction provides an adequate level of data protection. PRODHAB maintains and publishes an adequacy list. EU member states and countries holding EU adequacy decisions are generally treated as adequate given the alignment between Ley 8968's framework and the GDPR.
Derogations for Transfers to Non-Adequate Countries
When adequacy has not been established, a transfer may proceed only if one of the following derogations applies:
- The data subject gives express consent to the specific transfer after being informed of the absence of an adequacy determination
- The transfer is necessary for the performance of a contract between the data subject and the responsible party
- The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the responsible party and a third party
- The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise, or defense of legal claims
- The transfer is necessary to protect the vital interests of the data subject
Practical Compliance Points
Organizations transferring personal data from Costa Rica should verify PRODHAB's current adequacy list before each transfer program; obtain express, documented consent when transferring to non-adequate countries; maintain records of the legal basis for each category of international transfer; and ensure that data processors in recipient countries are contractually bound to the same level of protection required by Ley 8968.
Penalties and Enforcement
Chapter VII of Ley 8968 establishes a graduated administrative sanction regime. Articles 33 and 34 classify infractions by severity and set the corresponding sanctions.
Infraction Categories
Minor infractions (faltas leves) include failure to provide a data subject with required information about a database, failing to apply adequate security measures, and technical or procedural violations of the registration process.
Serious infractions (faltas graves) include collecting or processing personal data without the required consent, failing to register a database subject to mandatory registration, transferring data to unauthorized third parties, and failing to respond to a data subject access, rectification, or deletion request within the statutory five-business-day deadline.
Very serious infractions (faltas muy graves) include processing sensitive data without required written consent, making cross-border transfers to non-adequate countries without a valid derogation, processing data for purposes incompatible with those for which consent was obtained, and continuing to process data after a PRODHAB order to cease.
Sanction Scale
| Infraction Level | Fine Range | 2026 Colones Equivalent |
|---|---|---|
| Minor | 1-5 base salaries | 462,200 to 2,311,000 colones |
| Serious | 5-15 base salaries | 2,311,000 to 6,933,000 colones |
| Very serious | 15-30 base salaries | 6,933,000 to 13,866,000 colones |
The base salary (salario base) used to calculate these fines is the judicial base salary established annually by the Superior Council of the Judicial Power. For 2026, this figure is 462,200 colones, per Circular No. 246-2025, unchanged from 2025. At 30 base salaries, the maximum administrative fine is 13,866,000 colones (approximately USD 25,500 at mid-2026 exchange rates).
PRODHAB may also order temporary suspension of data processing operations (one to six months), permanent cancellation of a database registration in the most serious cases, and publication of the sanction in the official gazette (La Gaceta).
Aggravating and Mitigating Factors
PRODHAB considers the following when calibrating sanctions within a band: severity and duration of the infraction; number of data subjects affected; whether the responsible party took voluntary corrective action before proceedings concluded; whether the party complied with a PRODHAB-approved code of conduct; degree of cooperation with the investigation; whether the violation was intentional or negligent; and the economic capacity of the responsible party.
Pending Reforms and Legislative Developments
Costa Rica's data protection framework has attracted sustained reform pressure since approximately 2019, driven by OECD membership requirements, EU bilateral trade relations, and the domestic recognition that Ley 8968 predates the GDPR and lacks several features now considered standard.
Bill No. 23097: Proposed New Personal Data Protection Law
The most significant pending reform is Proyecto de Ley No. 23097, submitted to the Asamblea Legislativa in May 2022. The bill proposes complete repeal of Ley 8968 and its replacement with a new statute aligned with the EU GDPR, including:
- A "legitimate interests" legal basis for processing (absent from current law)
- Mandatory data breach notification obligations (currently absent)
- Data protection impact assessments (DPIAs) for high-risk processing
- Accountability obligations including data protection officers for large-scale processors
- A strengthened PRODHAB with greater autonomy and dedicated budget
- A raised maximum fine ceiling above the current 30-base-salary limit
- Data portability rights for data subjects
- Provisions governing automated decision-making and profiling
- A 12-month transition period after enactment
The Science and Technology Commission of the Asamblea Legislativa issued a formal report on Bill 23097 in January 2025, and the bill was prepared for plenary debate. Observers anticipated passage in the first half of 2025. As of May 2026, passage has not been confirmed. Businesses should monitor the Asamblea Legislativa's legislative tracking system for current status.
Bill No. 23667: Biometric Data Amendment
A separate and narrower proposal, Proyecto de Ley No. 23667, introduced in April 2026, would amend Ley 8968 specifically to define "biometric data" and establish explicit consent requirements for biometric recognition technologies, reflecting growing commercial deployment of facial recognition, fingerprint scanning, and voice identification systems.
OECD Accession Alignment
Costa Rica joined the OECD on May 25, 2021. OECD membership has accelerated alignment with international privacy standards, including the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (revised 2013). These guidelines are reflected in PRODHAB's current guidance and in the reform proposals under Bill 23097.
Council of Europe Convention 108+ Process
Costa Rica participated in a Council of Europe evaluation process regarding potential accession to Convention 108+ (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as modernized in 2018). Convention 108+ accession would bring Costa Rica into a binding international treaty framework with substantive protections aligned with the GDPR. The accession process was ongoing as of May 2026.
Post-2022 Cybersecurity Context
Costa Rica's reform urgency increased following the April-May 2022 ransomware attacks attributed to the Conti group, which disrupted multiple government ministries and prompted a national cybersecurity emergency declaration. Those incidents exposed gaps in cybersecurity posture and data breach response capabilities. The absence of a mandatory breach notification requirement in Ley 8968 was widely identified as a significant deficiency; Bill 23097 addresses this directly.
Regional Role
Costa Rica participates in the Red Iberoamericana de Proteccion de Datos (RIPD), facilitating regulatory cooperation across Spanish- and Portuguese-speaking jurisdictions. PRODHAB has contributed to RIPD working groups on AI governance, cross-border transfer mechanisms, and supervisory cooperation.
Business Compliance: Practical Checklist
For businesses operating in or transferring data to or from Costa Rica, Ley 8968 imposes the following core obligations:
Audit your databases: Identify which databases contain personal data. Determine whether each is subject to the registration requirement (commercial distribution or disclosure purpose) or falls within an exemption (internal use; SUGEF-regulated institutions).
Register applicable databases: Submit a registration application to PRODHAB before beginning commercial use of any database subject to the requirement. Budget USD 200 per database per year.
Draft compliant consent notices: For each processing activity, prepare a notice identifying the responsible party, stating the specific purpose, identifying any third-party recipients, explaining data subject rights, and describing how consent may be withdrawn.
Adopt written consent for sensitive categories: If your processing touches health data, political opinions, religious beliefs, biometric data, or other sensitive categories, obtain written signed consent that specifically identifies the data categories and processing purpose.
Respond to data subject requests within five business days: Build an internal workflow that flags, acknowledges, and responds to access, rectification, deletion, and objection requests on time. Failure to respond is itself a serious infraction.
Conduct cross-border transfer analysis: Before personal data leaves Costa Rica, confirm whether the recipient country is on PRODHAB's adequacy list. If not, document the applicable derogation and obtain express consent where required.
Implement security measures: Decree 37554-JP requires technical and organizational measures appropriate to the risk, including access controls, encryption for sensitive data in transit and at rest, and documented incident response procedures.
Begin gap analysis for Bill 23097: If the proposed replacement law is enacted, a 12-month transition period is expected. Start assessing gaps against GDPR-aligned obligations in the bill (DPIA requirements, legitimate interests basis, DPO appointments, breach notification) now.
Disclaimer
This article presents general legal information about Costa Rica's data protection framework under Ley No. 8968 and Executive Decree 37554-JP, verified as of May 19, 2026. It does not constitute legal advice and does not address the specific situation of any individual or organization. Laws and regulations change, and the pending reform legislation described above may alter the obligations discussed here. Persons and businesses with specific questions about data protection compliance in Costa Rica should consult a lawyer licensed to practice Costa Rican law.
Sources and References
- PRODHAB, Agencia de Proteccion de Datos de los Habitantes (official site): prodhab.go.cr
- Ley No. 8968 de Proteccion de la Persona frente al Tratamiento de sus Datos Personales (full text, SCIJ): pgrweb.go.cr
- Decreto Ejecutivo 37554-JP, Reglamento a la Ley 8968 (full text, SCIJ): pgrweb.go.cr
- Constitucion Politica de la Republica de Costa Rica, Articulo 24 (SCIJ): pgrweb.go.cr
- Proyecto de Ley No. 23097, Ley de Proteccion de Datos Personales (Asamblea Legislativa base text): proyectos.conare.ac.cr
- EuroCloud Europe, Legal Update on Privacy and AI: Costa Rica (2025): eurocloud.org
- OECD, Costa Rica Member Profile: oecd.org
- Red Iberoamericana de Proteccion de Datos (RIPD): redipd.org
- Freedom House, Costa Rica: Freedom on the Net 2024: freedomhouse.org
- Salario Base en Costa Rica 2026, Siempre al Dia: siemprealdia.co