
Personal data protection in El Salvador

  • Writer: LEGIC EL SALVADOR
  • 3 days ago

The Law for the Protection of Personal Data (LPDP), approved by Legislative Decree No. 144 in November 2024, represents a structural change in El Salvador, moving from a fragmented regulatory framework to a comprehensive one that recognizes informational self-determination as a fundamental right. This legal framework seeks to guarantee the privacy of individuals regarding the processing of their information by public and private entities, promoting a secure digital environment that facilitates investment and sustainable economic development.



 

The central objective of personal data protection in El Salvador is to regulate the collection, use, processing and storage of personal data to ensure respect for the physical and moral integrity of citizens.

 

This regulation defines personal data as any information that identifies or makes a person identifiable, and gives special protection to sensitive data, whose misuse could generate discrimination.

 

The Law is based on ARCO-POL rights, which allow data subjects to exercise control over their personal information in the following way:


Access (A): To know what data is being processed and for what purpose.


Rectification (R): Correct inaccurate, incomplete or outdated data.


Cancellation (C): Request the deletion of data when the processing is unlawful or no longer necessary.


Opposition (O): Stop the processing of data for specific purposes, such as marketing.


Portability (P): Receiving data in a structured format to transmit it to another responsible party.


Right to be Forgotten (O): Request the deletion of data published in electronic environments and search engines.


Limitation (L): Temporarily suspend the use of data while its accuracy or legality is being verified.

 

Impact of personal data protection on the business sector in El Salvador


The LPDP imposes a series of strict obligations on companies that collect or process information from Salvadoran citizens, requiring them to adopt a model of demonstrated accountability. The main operational implications include:


1. Designation of the delegate (DPO/DPDP): Organizations must appoint a person in charge of managing ARCO-POL requests and monitoring internal compliance.


2. Informed consent: Data processing must be based on freely given, specific, informed, and explicit authorization. For sensitive data, consent must be in writing with a handwritten signature or equivalent.


3. Transparency: Companies must publish clear Privacy Notices that inform about the purpose of the processing, the use of cookies and the mechanisms to exercise rights.


4. Security measures: Implementation of technical (encryption, access control), organizational (manuals, activity logs) and physical controls to protect the integrity, confidentiality and availability of the data.


5. Breach notification: In the event of any security breach, the responsible party has a maximum period of 72 hours to notify the State Cybersecurity Agency (ACE), the Public Prosecutor's Office and the affected parties.



 

Advances in information security and confidentiality


The regulations position El Salvador as a competitive destination for digital businesses by aligning standards with international regulations such as the European GDPR. Among the most significant advances are:


Governing Entity (ACE): The State Cybersecurity Agency assumes supervision, auditing and sanctioning power, issuing policies of action consistent with global standards such as ISO 27001.


Burden of proof: In case of controversy, the responsibility to demonstrate that consent was obtained or that the law was complied with rests exclusively with the company.


Cross-border flow: International data transfers are strictly regulated, allowing them only to countries that guarantee an adequate level of protection.


Sanctioning regime: Non-compliance may result in significant fines based on the minimum wage in the trade sector: minor (up to $3,650), serious (up to $14,600), in addition to possible criminal liability.

 

This legal advancement ensures that citizens' information is not sold or used illegally, compelling companies to view data protection not as a burden, but as a strategic tool for building trust and sustainability in the interconnected market. This positions El Salvador at the forefront and in a competitive position within an international and digitalized market.

 
 
 
