El Salvador strengthens personal data protection with new mandatory policies for companies

El Salvador’s State Cybersecurity Agency (ACE) has published the Policies on the Handling and Management of Personal Data, which implement the Law on the Protection of Personal Data and establish a mandatory framework for all public and private entities that collect, store, process, or transfer personal data in the country, including international operations involving Salvadoran citizens. 

 

Key obligations for companies and organizations 

The policies, aligned with international standards such as ISO 27001, set forth the following requirements: 

  • Appoint a Data Protection Officer (DPDP) responsible for regulatory compliance. 
  • Ensure that personal data is processed on a legitimate basis.
  • Develop internal data protection policies and maintain a detailed record of processing activities. 
  • Train staff on secure information handling. 
  • Conduct Privacy Impact Assessments (PIA) to identify and mitigate risks. 
  • Implement mandatory technical measures such as access control, two-factor authentication, data encryption, backups, and penetration testing. 
  • Apply physical security measures such as restricted access to facilities, secure document storage, and certified data disposal. 
  • Report any security breach within 72 hours to ACE, the Office of the Attorney General, and the affected data subjects. 

 

Penalties for non-compliance 

Violations are classified as minor, serious, or very serious, with penalties ranging from warnings to significant fines (Arts. 56 and 57 LPDP). Non-compliance may expose companies not only to financial sanctions but also to severe reputational damage. 

 

Oversight and enforcement 

Companies must update their internal procedures to comply with these policies, which include annual compliance audits and the promotion of international certifications in privacy and data security. These provisions are already in effect and will be updated periodically to adapt to new regulations and digital threats.

Author

Rodrigo Benítez Nassar

Senior Associate

El Salvador