Miguel Argüello Oviedo

What happens if I do not comply with the Personal Data Protection Law in my company?

The justice and sanctions

All companies, in one way or another, collect data from customers, suppliers, collaborators, partners and others. Whatever its size, large, medium or small, every company collects data for the operation of its activities. You may run an enterprise or you may be an individual who provides certain services. But simply by having an automated or manual database with third-party information, you are obliged to comply with data protection legislation and to manage that data in accordance with the applicable security regulations.

In Central America, only three countries continue to have a Data Protection Law approved, published and implemented. I dwell on the last of these because in Nicaragua, although the law has been approved and published, it is not yet one hundred percent underway, since the authority that will be in charge of the instance has not been appointed. In the case of El Salvador, Congress approved the Data Protection and Habeas Data Law in April 2021; however, the President of the Republic vetoed it. One year after its approval, there is still no response to the veto. Guatemala has had the law on hold. It has not been approved and remains in the legislative pipeline. Honduras has been in the same position as Guatemala, with a preliminary project for 7 years.


Any law entails the provision that compliance with it is mandatory. Most Political Constitutions and Civil Laws determine that we cannot allege ignorance of the law. I consider this too much, since the labyrinth of regulations with which we operate has become complex and it is difficult to have knowledge of all of them. The fact that the rules are mandatory already says a lot. If we fail to comply, the infractions, penalties and fines that the rule determines must be applied, or those determined by the applicable legislation, as the case may be. Watch out! It is not only a matter of complying with the established rule, but also of not violating it or the rights enshrined in the law, since there will be civil or criminal punishment depending on the case. Most people know that the mere existence of a law already opens up the range of legal (normative) risks. Therefore, the need to evaluate, manage and treat them is established. In this regard, you may find yourself in one of these scenarios, or even others, with the Data Protection Law or any other:

  1. That the Law has not been fully complied with

  2. That the Law began to be applied, but there is no management and follow-up

  3. The law applies, but some processes are improperly managed or not all are managed

  4. There is compliance with the Law and there is proper management and monitoring

In any case, what will happen when the Data Protection rule is not complied with is that a sanctioning procedure is opened, which can lead to infractions, penalties and fines. The sanctions are determined by the type of infraction according to Costa Rican law. In the case of Nicaragua there are only minor and serious infractions, but Panama and Costa Rica also scale up to very serious infractions.



Nicaragua:

There is no amount established in the Law or in the regulations. But there are 3 sanctions that can be applied depending on the infraction (minor or serious) that has been committed, without prejudice to other responsibilities:

  • Warning;

  • Suspension of operations related to the processing of personal data; and

  • Temporary or definitive closure or cancellation of personal data files

These other responsibilities, which I mentioned in the previous paragraph, are, according to Nicaraguan legislation:

  • Administrative responsibilities of those responsible or users of the files;

  • Liability for damages arising from non-compliance with the law;

  • Criminal sanctions

Costa Rica:

Article 28 of the Law:

  • For minor offenses, a fine of up to five basic salaries of the position of judicial assistant I, according to the Budget Law of the Republic. This means a little more than three thousand dollars.

  • For serious offenses, a fine of five to twenty basic salaries of the position of judicial assistant I, according to the Budget Law of the Republic. It means more or less between three thousand and thirteen thousand dollars.

  • For very serious offenses, a fine of fifteen to thirty basic salaries of the position of judicial assistant I, according to the Budget Law of the Republic, and suspension of the operation of the file for one to six months. It means more or less between nine thousand and nineteen thousand dollars.


Law 81 of Panama clearly sets out some circumstances worth knowing; for example, Article 36:

  1. Where a complaint is filed with a regulatory body but the laws in question do not expressly define sanctions for the offenses committed, the regulator with whom the complaint is filed must additionally apply the sanctions established in this Law.

  2. The National Authority for Transparency and Access to Information will fix the amounts of the penalties applicable to the respective offenses, according to the severity of the faults, which will range from one thousand balboas (B/.1 000.00) to ten thousand balboas (B/.10 000.00), equivalent to the same amounts in dollars.

So why take risks such as fines, administrative sanctions and sanctioning processes when you can ensure in time that your company fully complies with data protection laws?

In these times you have to be well prepared. Having the right management and strategy is vital, yes or no?


