candidcandor

CRCS&Sbycc

Jan 25th, 2017
Cyber law in Costa Rica.
From http://www.dataprivacylaws.com.ar/2013/03/19/costa-rica-enacts-regulatios-of-the-data-protection-act/#more-136

translation of the good parts (original doc is full of definitions and acronyms, so I did my best.)

This Regulation shall apply to personal data contained in automated or manual databases of public or private bodies, and to any subsequent use of such data, as long as they have effects within the national territory or Costa Rican legislation is applicable as a result of the conclusion of a contract or under the terms of international law. The personal data protection regime established in these Regulations will not apply to databases maintained by natural or legal persons, public or private, for exclusively internal, personal or domestic purposes, provided that they are not marketed in any way. This Regulation will not apply to data relating to credit behavior, which will be governed by the special regulations of the National Financial System.

Consent

Article 4. Consent requirements. Obtaining consent must be: a) Free: there must be no error, bad faith, physical or psychological violence or fraud that may affect the expression of the holder's will; b) Specific: it refers to one or more specific and defined purposes that justify the processing; c) Informed: the holder has prior knowledge of the processing to which their personal data will be submitted and of the consequences of giving consent, and also knows who is responsible for the processing of their personal data and their place or means of contact; d) Express: it must be written and unequivocal, so that its granting can be demonstrated beyond doubt; e) Individualized: there must be a minimum of consent from each holder of the personal data.
Article 5. Formalities of consent. Whoever collects personal data must, in all cases, obtain the express consent of the holder for the processing of personal data, with the exceptions established in the Law. Consent must be granted by the holder in a physical or electronic document, independent of any other document, and must be properly safeguarded by the person responsible for the database. Likewise, the document by which the holder of the personal data grants consent must be easily understood, free of charge and properly identified. Express consent shall not be required when: a) there is a substantiated order issued by a competent judicial authority, or an agreement adopted by a special investigative commission of the Legislative Assembly in the exercise of its functions; b) the personal data are of unrestricted access, obtained from sources of general public access; c) the data must be delivered by constitutional or legal provision.
Article 6. Burden of proof of consent. In order to demonstrate that consent was obtained, the burden of proof will, in all cases, fall on the person responsible for the database.
Article 7. Of the revocation. At any time, the owner may revoke consent for the processing of their personal data, for which the responsible party must establish simple, free and expeditious mechanisms that allow the owner to revoke consent.
Article 8. Procedure for revocation. The person in charge of the database, upon receiving a request for revocation of consent, will have a period of five working days from the date of receipt to act on the revocation. Likewise, within the same period of five working days, it must inform of the revocation those natural or legal persons to whom it has transferred the data, who must proceed within five working days of the notice to execute the revocation of consent. Revocation of consent shall not have retroactive effect.
Article 9. Term for the confirmation of the revocation. When the owner requests confirmation of the cessation of the processing of their data, the responsible person must respond expressly and free of charge within three working days from the submission of the request.
Article 10. Refusal of revocation. In the event of an express or implied refusal by the responsible person to process the revocation of consent, the owner may submit to the Agency the corresponding complaint referred to in the Law and these Regulations.
Article 11. Right to be forgotten. The preservation of personal data that may affect its owner shall not exceed a term of ten years from the date of occurrence of the recorded events, unless special regulations establish another term or the agreement of the parties has established a term. If it is necessary to preserve the data beyond the stipulated period, the personal data of the owner must be disassociated.

Chapter III Rights of the Holders and their Exercise
Article 12. Informational self-determination. It is the fundamental right of any natural person to know what is recorded about them, their assets or rights in any database of any nature, public or private, and the purpose for which their personal information is being used or collected, as well as to require that it be rectified, updated, supplemented or deleted when it is incorrect or inaccurate, or is being used for a purpose other than that authorized or that it can legitimately fulfill.
Article 13. Exercise of rights. The exercise by the owner of any right of access, rectification, modification, revocation or elimination of personal data does not exclude the possibility of exercising another, nor may it be a prerequisite for the exercise of any of these rights.
Article 14. Restrictions on the exercise of rights. The exercise of the rights mentioned in the previous article may be restricted for reasons of national security, provisions of public order and public health, or to protect the rights of third parties, in the cases and with the scope provided in the applicable laws on the matter, by a duly substantiated and reasoned resolution of the competent authority.
Article 15. Persons empowered to exercise the rights. The rights of access, rectification, modification, revocation or elimination shall be exercised by the holder or their representative, after accreditation of ownership or representation.
Article 16. Means and forms for the exercise of rights. The responsible party shall make available to the holder the means and simplified forms, by electronic communication or other means it considers relevant, to facilitate the exercise of their rights.
Article 17. Means to receive notifications from the holder. In the request for access, rectification, modification, revocation or elimination, for the purposes of the Law and these Regulations, a means for receiving notifications must be indicated. Should this requirement not be met, the automatic notification referred to in the Notifications Act, Law No. 8687 of December 4, 2008, published in La Gaceta No. 20 of January 29, 2009, and its amendments, shall apply.
Article 18. Of the requests of the holder towards the person in charge. The responsible party must process any request for the exercise of the holder's personal rights. The deadline for the request is five business days from the day following that on which it was received by the responsible party, who shall record the corresponding date of receipt in the acknowledgment of receipt given to the holder. The deadline will be interrupted if the responsible party requires additional information from the holder.
Article 19. Requirement for additional information. If the information provided in the request is insufficient or erroneous, the responsible person may ask the holder, once and within five working days of receipt of the request, to provide the elements or documents necessary to process it. The holder will have a term of five working days, counted from the day after receipt, to comply with the request. If no reply is received within this period, the corresponding request will be deemed not to have been submitted. If the holder complies with the request for information, the deadline for the responsible person to respond to the request will be five working days, beginning the day after the owner has complied.
Article 20. Response by the responsible. In all cases, the responsible person must respond to requests received from the owner, regardless of whether or not their databases include the owner's personal data, within the period established in the Law and these Regulations. The response of the responsible party to the holder must refer to the entire record belonging to the holder, even if the request only concerns one aspect of the personal data, and must be presented in a readable, understandable and easily accessible format. If codes, acronyms or keys are used, the corresponding meanings must be provided. This report may in no case disclose data belonging to third parties, even when they are linked with the requesting owner.
Article 21. Right of access to information. The holder has the right to obtain from the responsible person the information related to their personal data, including the conditions, purpose and general aspects of its processing. The holder may make information inquiries to the database at a minimum interval of six months, unless the owner explains to the data controller, in a reasoned manner, the reasons and evidence for considering that there is a violation of the rights protected in the Law and these Regulations. If the data controller considers that the reasons are not admissible and that there is a possibility of abusive use of this right, within five working days of the request it shall raise the matter with PRODHAB, which will ultimately resolve it within a period of ten business days from receipt of the matter. The responsible person must answer the information request within five working days of receipt of the request.
Article 22. Refusal on the part of the responsible. The responsible person who denies the exercise of any request of the holder must justify the response in writing. If the holder considers it relevant, they may go before the Agency according to Chapter VII "On the Protection of Rights before the Agency" of this Regulation.
Article 23. Right of rectification. The owner may at any time request that the responsible person rectify their personal data that prove to be inaccurate, incomplete or confusing.
Article 24. Requirements for the exercise of the right of rectification. The request for rectification must indicate which personal data it concerns, as well as the correction that is requested, and must be accompanied by the relevant documentation or proof that supports the request. The responsible party shall offer mechanisms to facilitate the exercise of this right for the benefit of the holder.
Article 25. Right of suppression or elimination. The holder may at any time request from the responsible person the definitive, total or partial, removal or elimination of the holder's personal data.
Article 26. Exercise of the right of suppression or elimination. The owner may at any time request from the responsible person the total or partial removal or elimination of personal data, except in the following cases: a) the security of the State; b) the data must be maintained by constitutional or legal provision or by resolution of a judicial body; c) citizen security and the exercise of public authority; d) the prevention, prosecution, investigation, arrest and repression of criminal offenses, or of breaches of professional ethics in the professions; e) the operation of databases used for statistical, historical or scientific research purposes, when there is no risk of people being identified; f) the adequate provision of public services; g) the efficacy of the regular activity of the Administration by the official authorities; h) personal data of unrestricted access, obtained from sources of general public access.

Chapter IV Treatment of Personal Data and Security Measures
Article 27. Procedures for treatment. The responsible person shall establish and document procedures for the inclusion, preservation, modification, blocking and suppression of personal data, on site or in the cloud, based on minimum protocols of action and security measures in the processing of personal data. In addition, the person responsible for the database must ensure the application of the principle of quality of information.
Article 28. Treatment conditions. Responsibility for the dissemination, commercialization and distribution of the data lies with the person responsible, in accordance with the informed consent granted by the owner, even if these data are stored or hosted by a technological intermediary.
Article 29. Contracting or subcontracting of services. The services of a technological intermediary or service provider may be contracted or subcontracted, as long as this does not involve the processing of personal data. The responsible person must verify that said intermediary or supplier complies with the minimum security measures that guarantee the integrity and security of the personal data.
Article 30. Processing of data by the manager. The manager may only intervene in the processing of personal databases as established in the contract with the responsible person and according to their instructions.
Article 31. Obligations of the manager. The manager will have the following obligations in the processing of personal databases: a) only process personal data according to the instructions of the responsible party; b) refrain from processing personal data for purposes other than those instructed by the responsible party; c) implement the security measures and comply with the minimum protocols of action in accordance with the Law, these Regulations and other applicable provisions; d) maintain confidentiality with respect to the personal data processed; e) refrain from transferring or disseminating personal data, unless expressly instructed by the responsible party; f) delete the personal data subject to processing once the legal relationship with the responsible party has ended or on the instructions of the responsible party, provided that there is no legal provision requiring the preservation of the personal data.
Article 32. Of the minimum protocols of action. Those responsible must prepare a minimum protocol of action, which must be transmitted to the manager for faithful compliance and which must specify at least the following: a) mandatory privacy policies and manuals within the organization of the responsible party; b) a training, updating and awareness manual for staff on the obligations regarding the protection of personal data; c) an internal control procedure for compliance with privacy policies; d) agile, expeditious and free procedures to receive and answer questions and complaints from the holders of personal data or their representatives, as well as to access, rectify, modify, block or delete the information contained in the database and to revoke consent; e) technical measures and procedures that allow a history of the personal data to be maintained during its processing; f) a mechanism by which the transferring party informs the receiver of the conditions under which the owner consented to the collection, transfer and processing of their data. These measures, as well as their subsequent modifications, must be registered with the Agency as minimum protocols of action.
Article 33. Power of verification. The Agency may verify, at any time, that the database is complying with the terms established in the minimum protocol of action.
Article 34. Of the security measures in the processing of personal data. The responsible person shall establish and maintain the administrative, physical and logical security measures for the protection of personal data, in accordance with the provisions of the Law and these Regulations. Security measures shall mean the control or group of controls that protect personal data. Likewise, the responsible person must ensure that the manager and the technological intermediary comply with these security measures, in order to safeguard the information.
Article 35. Factors for determining security measures. The responsible person will determine the security measures applicable to the personal data they process or store, considering the following factors: a) the sensitivity of the personal data processed, in the cases that the law allows; b) technological development; c) the possible consequences of an infringement for the owners of the personal data; d) the number of personal data holders; e) previous vulnerabilities that have occurred in the processing or storage systems; f) the risk according to the quantitative or qualitative value that the personal data could have; and g) other factors resulting from other laws or regulations applicable to the responsible party.
Article 36. Actions for the security of personal data. In order to establish and maintain the physical and logical security of personal data, the responsible person must carry out at least the following actions, which may be requested at any time by the Agency: a) prepare a detailed description of the type of personal data processed or stored; b) create and maintain an updated inventory of the technological infrastructure, including computer equipment and software and its licenses; c) indicate the type of system, program, method or process used in the processing or storage of data; d) have a risk analysis, which consists of identifying hazards and estimating risks that could affect personal data; e) establish security measures applicable to personal data, and identify those effectively implemented; f) calculate the existing residual risk based on the difference between the existing security measures and the missing ones that are necessary for the protection of personal data; g) prepare a work plan for the implementation of the missing security measures, derived from the result of the residual risk calculation.
Article 37. Updates of security measures. Those responsible must update the security measures when the following events occur: a) the security measures or processes are modified for continuous improvement, derived from revisions to the responsible party's security policy; b) substantial changes in processing or storage lead to a change in the level of risk; c) the technological platform is modified; d) the systems for processing or storing personal data are breached, in accordance with the provisions of the Law and these Regulations; or e) the personal data are affected in a way different from the previous ones. In the case of sensitive personal data, when permitted by law, the responsible person must review and, if necessary, update the corresponding security measures at least once a year.
Article 38. Security vulnerability. The responsible party must inform the owner about any irregularity in the processing or storage of their data, such as loss, destruction or misplacement, among others, resulting from a security vulnerability or of which it has become aware, for which it will have five working days from the moment the vulnerability occurred, so that the owners of the affected personal data can take the corresponding measures. Within this same period, a comprehensive review process must be initiated to determine the magnitude of the impact and the corrective and preventive measures that may be appropriate.
Article 39. Minimum information. In the case of security vulnerabilities, the responsible person shall inform the owner and the Agency of at least the following: a) the nature of the incident; b) the personal data compromised; c) the corrective actions carried out immediately; and d) the means or place where more information about the incident can be obtained.

Chapter V On the Transfer of Personal Data
Article 40. Conditions for transfer. Transfer involves the commercialization of personal data solely and exclusively by the person responsible who transfers them to the responsible party receiving the personal data. Such transfer of personal data will always require the express and informed consent of the owner, unless a legal provision states otherwise, and also requires that the data to be transferred have been collected lawfully and according to the criteria laid down in the Law and this Regulation. Any sale of data from the file or the database, partial or total, must meet the requirements established in the previous paragraph.
Article 41. Compliance with the minimum protocols of action. Transfers of personal data by those responsible will be subject to faithful compliance with the minimum protocols of action duly registered with the Agency.
Article 42. Burden of proof. In order to demonstrate that the transfer of personal data was done in accordance with the Law and these Regulations, the burden of proof will lie with the person responsible.
Article 43. Contract for the transfer of data. The person responsible for the transfer of personal data must establish a contract with the receiving responsible party, which provides for at least the same obligations to which the person responsible for transferring said data is subject.

Chapter VI Registration of Databases and Files with the Agency

Article 44. Registration of the database record. Individuals or legal entities that own personal databases, in accordance with the Law and these Regulations, must register with the Agency a record of such databases, providing the following information: a) a request from the natural or legal owner, with the signature duly authenticated by a notary or verified in person; in the case of a legal entity, proof of legal representation in force must be filed no later than one month after it has been issued; b) appointment of the person in charge of the personal database before the Agency and third parties, indicating the means and place of contact, as well as a letter of acceptance of the position and the responsibilities inherent to it; c) identification of the managers, including their contact details, the location of the data, and a certified or verified copy of the contract signed between them and the responsible party; d) names of the databases and their physical location; e) specification of intended purposes and uses; f) types of personal data processed in such databases; g) procedures for obtaining the personal data according to the informed consent, as well as the system for processing them; h) a technical description of the security measures used in the processing of personal data, in accordance with the provisions of this Regulation; i) the recipients of transfers of personal data; j) a certified or verified copy of the minimum protocols of action; k) a list of global contracts and sales of current files, as well as an indication of the monetary value of each of these contracts; l) the superuser that the responsible person will assign to the Agency; m) a fax number or e-mail address to receive notifications from the Agency. Likewise, the manager must keep the database record updated before the Agency at all times, as established in this Regulation.
Article 45. Superuser. The responsible party shall provide the Agency with a superuser with a consultation profile, even if the data are being processed by a manager. The creation and commissioning of this superuser must be designed and financed by the person responsible for the personal database and must operate from the registration of the database record before the Agency. The Agency may at any time and ex officio consult the database without restriction when there is a complaint filed with the Agency or there is evidence of mismanagement of the database or information system. For these purposes, the Agency shall establish guidelines that guarantee the proper fulfillment of professional or functional secrecy and, in all cases, keep a logbook containing at least the reason, the accesses and consultations made, and the assigned official who performed them.
Article 46. Finding of possible infractions. The Agency may carry out administrative inspections ex officio in order to verify whether there are possible violations of the Law or these Regulations. In this case, the assigned official must document the inspection by drawing up a record.
Article 47. Manual databases. The Agency may at any time and ex officio access the manual databases without any restriction when there is a complaint filed with the Agency or there is evidence of mismanagement of the database or information system. For these purposes, the Agency shall establish guidelines that guarantee the proper fulfillment of professional or functional secrecy and, in all cases, keep a logbook containing at least the reason, the accesses and consultations made, and the assigned official who performed them.
Article 48. Registration procedure. The procedure starts with the presentation of the application for registration of the personal database record with the Agency. Said application shall contain the requirements of this Regulation. The Agency will have a period of twenty working days, counted from the presentation of the application, to verify the requirements of form and substance presented.
Article 49. Rectification of defects and filing of the application. If the application for registration of the submitted database record does not comply with the requirements of this Regulation, the Agency shall require the applicant to remedy the omission within ten working days. After the maximum period, without the applicant having complied
addendum
http://www.coha.org/costa-ricas-cybercrime-law-censorship-or-a-reasonable-law/
Article 230 states that a person "shall be punished with imprisonment of three to six years if they impersonate a person in any social network, website, electronic or information technology medium."
criminalizes "spreading false news,"
In addition to targeting impersonators, another controversial part of the law seeks to combat espionage. Espionage, under Costa Rican law, had been defined as the improper procurement or obtainment of secret political information or state security policies, which carried a punishment of one to six years in prison. Under the new law, which carries a five to ten-year sentence, espionage includes the use of computer manipulation, malicious software, or information and communication technology.