Data Protection Regulations:
- Constitution of the Dominican Republic.
- Law No. 172-13.
Link: https://sb.gob.do/regulacion/leyes/ley-no-172-13-proteccion-de-los-datos/
Regulatory purpose: The comprehensive protection of personal data held in files, public registers, data banks or other technical means of data processing for reporting purposes, whether public or private.
Parties:
- Data controller: Yes. It is any person, public or private, who is the owner of the personal data file and who decides on the purpose, content, means of processing and use of the information obtained from the processing of personal data.
- Data Processor: Yes. The natural or legal person, public or private, who carries out the processing of personal data on behalf of the controller.
- Data Protection Officer: No.
Supervisory Authority: No. At the financial sector level, there is the Superintendency of Banks.
Principles:
- Lawfulness of personal data files;
- Quality of the Data;
- Right to Information;
- Consent of the Data Subject;
- Data Privacy;
- Confidentiality obligations;
- Loyalty;
- Purpose of the Data
Obligations:
- Register of Processing Activities: No.
- Impact Assessments: No.
- Risk analysis: No.
- Technical and organisational security measures: Yes.
- Duty to inform: No.
- Data Protection Officer: Yes.
Data subjects’ rights:
- Right of Access: Yes.
- Right of rectification: Yes.
- Right of Suppression: Yes.
- Right to limitation: No.
- Right to portability: No.
- Right to object: Yes.
- Automated individual decisions, including profiling: No.
International transfers:
Prohibited, with exceptions. The international transfer of personal data of any kind to countries that do not ensure an adequate level of data protection is prohibited as a general rule. Transfers are permitted provided that there are mechanisms in place that provide adequate safeguards:
- Model Contractual Clauses (MCC)
- Binding Corporate Rules (BCR)
- Code of Conduct approved in accordance with applicable law.
- Certification mechanism.
- Legally binding and enforceable instruments between public authorities or bodies.
The law empowered the Superintendence of Industry and Commerce to pronounce on international data transfers, through the Declaration of Conformity. The Superintendent is empowered to request information and carry out the necessary steps to establish compliance with the requirements for the viability of the operation.
Sanctioning regime:
Serious or Repeated Violations – 10 to 100 Minimum Wages.