García & Bodán

Data Protection Law: A Milestone for El Salvador’s Digital Ecosystem

On November 12, 2024, El Salvador’s Legislative Assembly approved the new Data Protection Law, published in the Official Gazette on November 15, 2024. This marks a significant step in modernizing and updating the country’s regulatory framework. From my perspective, this law is a critical milestone in developing El Salvador’s digital ecosystem.

The law serves as a timely tool to guarantee the right to informational self-determination, a right recognized and protected by the Constitutional Chamber through jurisprudence for nearly a decade. This right empowers individuals to decide who, when, where, and how their personal information is collected and processed.

Below, I highlight three key aspects of this law, which I believe represent a legislative update aligned with the best international standards, specifically inspired by the European Union’s General Data Protection Regulation (GDPR).

  1. Data Subjects’ Rights: ARSOPOL / ARCOPOL

The first notable aspect is the explicit recognition of the rights of individuals regarding their personal data. These rights, commonly known by their acronyms ARSOPOL / ARCOPOL, include:

Recognizing these rights is a fundamental guarantee for citizens, giving them greater control over their personal information.

  1. “Proactive Responsibility”

The second key aspect is the principle of “Proactive Responsibility”, referred to in Salvadoran legislation as “Verified Responsibility.” Simply put, this principle requires data controllers to demonstrate compliance with the law. Organizations and individuals collecting and managing personal data must implement appropriate technical and organizational measures to ensure information protection. Furthermore, they must be able to prove that their data processing complies with all legal requirements.

This principle is crucial as it places data controllers in a proactive role, mandating not only adherence to regulations but also the ability to provide evidence of compliance at all times.

  1. Data Protection Officer (DPO)

The final noteworthy aspect is the introduction of the Data Protection Officer (DPO), a key figure in implementing and overseeing compliance with the law. In Salvadoran legislation, the DPO is essential to ensuring proper personal data protection, playing a fundamental role in supervision and compliance assurance.

While the Salvadoran framework establishes a solid foundation for the DPO, El Salvador could benefit from adopting advanced standards like the GDPR. For instance, other regulations provide additional guarantees to strengthen the DPO’s independence, such as job stability, allowing them to perform their duties without fear of retaliation, and requiring direct reporting to the highest levels of the organization. These measures ensure that the DPO’s decisions are autonomous and free from external pressures.

Such additional guarantees could serve as an excellent starting point for further strengthening the DPO’s role in El Salvador, ensuring more robust regulatory compliance and greater protection of citizens’ personal data.

Conclusion

In summary, the three highlighted aspects—data subjects’ rights, verified responsibility, and the role of the Data Protection Officer—are key elements of implementing El Salvador’s new Data Protection Law. These elements reinforce regulatory compliance and contribute to creating a safer and more transparent environment for managing personal information.

Rodrigo Benítez 
rodrigo.benitez@garciabodan.com
Associate
García & Bodán
El Salvador