Global Privacy Playbook: data protection in Iberia and Latin America

We compare the main regulatory frameworks on personal data protection, covering data subjects' rights, organisations' obligations, compliance standards and regulatory approaches at the international level.

Privacy and compliance, country by country

The protection of personal data has become a strategic issue for organisations operating in increasingly digital, regulated and constantly changing environments. In Latin America, this challenge is intensified by the coexistence of evolving regulatory frameworks, with different levels of regulatory maturity and compliance requirements.

With the aim of offering a clear, practical and regional vision, our Global Privacy Playbook compiles the comparative guides developed by the different offices of ECIJA. It is accompanied by a systematised analysis of the regulations applicable in each jurisdiction, the main compliance duties and obligations of organisations, the rights of data subjects and the compliance standards applicable in each country. The Playbook is structured on the basis of a common methodology and organised around cross-cutting questions that allow for a clear, ordered and comparable reading of each regulatory framework.

Argentina

In Argentina, personal data protection is governed by Law No. 25.326 and is constitutionally reinforced through the Habeas Data action. The law recognises the rights of access, rectification, updating and deletion, and imposes on companies obligations of confidentiality, security and transparency in the processing of data.

The processing of sensitive data generally requires the consent of the data subject, subject to legal exceptions. There is no explicit statutory obligation to notify security incidents or to carry out impact assessments, although the supervisory authority recommends both practices. Non-compliance can lead to administrative and criminal sanctions, including the closure of databases.

Brazil

In Brazil, personal data protection is governed by the General Data Protection Law (Law No. 13.709/2018) and is recognised as a fundamental right in the Constitution. The regulation guarantees extensive rights to data subjects - including access, rectification, portability and erasure - and imposes on companies a proactive accountability approach, aimed at security, transparency and legitimate use of data.

Processing of sensitive data requires specific consent, with limited legal exceptions. Keeping records of processing activities, notifying security incidents that may cause relevant risk or harm to data subjects, and carrying out impact assessments for high-risk processing are mandatory. Non-compliance can lead to fines of up to 2% of the company's revenue in Brazil, capped at R$50 million per infraction, as well as blocking or deletion of the data concerned.

Chile

In Chile, personal data protection is governed by Law No. 19.628, as amended by Law No. 21.719, and is constitutionally guaranteed. The law recognises BARSOP rights (blocking, access, rectification, erasure, objection and portability) and imposes on companies enhanced obligations of transparency, secrecy, security and data protection by design and by default.

Processing of sensitive data requires explicit consent, with legal exceptions. Notification of security incidents and impact assessments are mandatory in the high-risk cases the law defines, while a register of processing activities is not mandatory, although it is recommended as good practice. Non-compliance can lead to fines of up to 20,000 UTM, which can be increased in case of repeat offences.

Colombia

In Colombia, personal data protection is governed by Law 1581 of 2012, applicable to the processing of data in public and private databases or files, in line with constitutional guarantees. The law recognises data subjects' rights such as access/knowledge, rectification, erasure and revocation/opposition, as well as the right to request proof of consent and to file complaints with the SIC. Companies must guarantee these rights, maintain security measures, properly manage their data processors, keep an internal manual of policies and procedures, and report security incidents or breaches to the authority.

Processing of sensitive data requires express and strengthened authorisation, and no service may be made conditional on the provision of such data (e.g. biometrics). A register of processing activities is not required, but databases must be registered with the SIC. Breaches must be reported to the SIC within 15 working days of detection; informing data subjects is not mandatory, although it is good practice. Non-compliance can lead to fines of up to 2,000 minimum wages and measures such as suspension or closure of activities.

Ecuador

In Ecuador, personal data protection is guaranteed by the Constitution (art. 66.19) and is regulated by the LOPDP, its Regulation and the resolutions of the SPDP. The regulation recognises ARCO+ rights (information, access, rectification, updating, deletion, opposition, suspension, portability and the right not to be subject to automated decisions), and allows data subjects to consult the National Registry of Personal Data Protection. Companies must comply with the applicable principles and adopt technical, organisational and legal measures commensurate with the risk, incorporating data protection by design and by default.

Sensitive data require, as a general rule, explicit consent, with limited exceptions. The use of processors requires a contract and, at the end of the engagement, data must be returned or destroyed within 5 days. A register of processing activities is mandatory for controllers with 100 or more employees or where processing is not occasional and/or involves risk or special categories. Breaches must be notified to the SPDP and ARCOTEL within 5 days and, if there is a risk to data subjects, the data subjects must be informed within 3 days; in addition, an impact assessment is required for risky processing (e.g. automated profiling, biometrics or large-scale processing). Fines can reach 1% of the previous year's turnover.

El Salvador

In El Salvador, personal data protection is regulated by Decree No. 144, which contains the Law for the Protection of Personal Data and establishes the requirements for the legitimate processing of data and the applicable regulatory framework. The regulation recognises the ARCO-POL rights (access, rectification, cancellation, opposition, portability and limitation), which must be exercised before the Data Protection Officer, who has 20 working days to respond, extendable for another 20.

Companies must process data in accordance with the legal principles and apply technical, organisational and security measures that guarantee confidentiality, integrity, availability and resilience throughout the life cycle of the information. Sensitive data require explicit and unambiguous consent, with limited exceptions (protection of life, medical purposes, general interest or legal mandate). A Register of Processing Activities is not mandatory, although it is recommended as good practice. Security breaches must be notified to the State Cybersecurity Agency, the Attorney General's Office and affected data subjects within 72 hours. Failure to comply can lead to fines of up to 40 monthly minimum wages in the commercial sector.

Spain

In Spain, personal data protection is regulated by the GDPR and Organic Law 3/2018 (LOPDGDD), which guarantees digital rights in accordance with the Constitution. The regulation recognises the rights of access, rectification, deletion, limitation, portability, opposition and not to be subject to automated decisions, with a general deadline of one month for the controller to respond to requests.

Companies must apply the GDPR principles, conduct risk analyses, adopt adequate security measures and, where required, appoint a Data Protection Officer. The processing of special categories of data is generally prohibited, subject to legal exceptions. A Register of Processing Activities is mandatory in the cases set out in the GDPR, security breaches must be notified to the AEPD within 72 hours, and impact assessments must be carried out for high-risk processing. Penalties can reach €20 million or 4% of annual global turnover, whichever is higher.

Honduras

In Honduras, there is still no specific law on personal data protection, although it is currently under legislative discussion. However, certain aspects are regulated in a dispersed manner in existing norms such as the Law on Transparency and Access to Public Information, the Law on the National Registry of Persons and, at the constitutional level, Article 76, which guarantees the right to honour, personal and family privacy and one's own image. In addition, the right to habeas data allows data subjects to access, update and rectify their information contained in public or private databases.

Companies should act in accordance with good practices, protecting the privacy and honour of data subjects, bearing in mind that improper disclosure of personal information can lead to criminal liability. There is no specific regulation on sensitive data, data processors, registers of processing activities, breach notification or impact assessments, so adopting international standards, such as the GDPR, as a reference is recommended. Currently, there are no administrative sanctions or specific fines for data protection breaches.

Mexico

In Mexico, the protection of personal data held by private parties is regulated by the LFPDPPP, reformed in 2025, which develops the constitutional right to privacy and recognises the ARCO rights (access, rectification, cancellation and opposition), whose exercise must be enabled through clear mechanisms defined in the privacy notice.

Companies must comply with the legal principles and apply administrative, technical and physical security measures commensurate with the risk. Sensitive data require express written consent, with legal exceptions. The relationship with processors should be formalised by contract, and keeping a register of processing activities, although not mandatory, is good practice. Security breaches must be notified to data subjects when they may significantly affect their rights. Penalties can reach 320,000 UMA, with increases for the use of sensitive data and for recidivism.

Nicaragua

In Nicaragua, personal data protection is governed by Law No. 787 (2012), which protects natural and legal persons against the processing of data in public and private files, in development of the constitutional right to personal and family privacy. The law recognises broad rights of the data subject, including access, opposition, rectification, erasure, blocking and cancellation, which must be exercised in writing and resolved within 10 working days, and includes the right to be forgotten (digital oblivion).

Companies must process data only for the stated purposes, implement technical and organisational security measures and guarantee the exercise of the data subject's rights. The processing of sensitive data is restricted and is only permitted in specific cases (general interest with consent, court order or anonymised statistical/scientific use), and the creation of sensitive data files is prohibited unless legally authorised. Processing by data processors requires a contract and security measures. A register of processing activities is not mandatory, although it is recommended. Incidents must be reported to DIPRODAP, the supervisory authority, which in practice is not operational. Impact assessments are not mandatory but are recommended. Sanctions include warnings, suspension of operations and closure or cancellation of files.

Panama

In Panama, personal data protection is regulated by Law 81 of 2019 and its Executive Decree No. 285/2021, which establish the principles, rights and obligations for the processing of data with respect to privacy. The regulation recognises unwaivable rights of access, rectification, erasure, objection and portability, which must be exercised in accordance with principles of lawfulness, purpose, proportionality, security, transparency and confidentiality.

Companies must process data lawfully, fairly and securely, guaranteeing the exercise of the rights of data subjects. Sensitive data are governed by the same legal bases as ordinary data, although consent must be prior, express and unequivocal. The relationship with data processors requires a mandate with protocols and technical and organisational measures. A register of processing activities is not expressly regulated, but documentation of processing operations is, especially where there are transfers to third parties. Breaches must be notified to ANTAI and to data subjects within 72 hours. Impact assessments are not expressly regulated. Penalties can reach 10,000 balboas, and may include closure of databases and suspension or disqualification from the activity.

Peru

In Peru, personal data protection is regulated by Law No. 29.733 and its Regulation (updated in 2024), which develop the constitutional right to data protection. The regulation recognises rights such as access, information, rectification, cancellation, opposition and portability, and requires data controllers to facilitate their exercise through clear procedures.

Companies must comply with the legal principles, implement security measures and, in certain cases, appoint a Personal Data Officer. Sensitive data require written consent, subject to legal exceptions. A register of processing activities is not mandatory, but recommended. Serious breaches must be notified to the authority within 48 hours, and to the data subjects affected. Penalties can reach 100 UIT or up to 10% of the previous year's net income.

Portugal

In Portugal, personal data protection is regulated by Law No 58/2019, which adapts the application of the GDPR to the Portuguese legal system. The regulation recognises the rights under the GDPR (access, rectification, erasure, limitation, portability, opposition and the right not to be subject to automated decisions) and requires data controllers to provide channels for their exercise and to respond within one month, which can be extended.

Companies must comply with the principles of the GDPR, implement appropriate technical and organisational measures and guarantee confidentiality. The appointment of a Data Protection Officer is mandatory where core activities involve large-scale monitoring of data subjects or large-scale processing of sensitive data. Processing of sensitive data requires explicit consent or legal authorisation. The relationship with processors must be formalised by contract, and the Register of Processing Activities is mandatory for companies with 250 or more employees and, below that threshold, in the risk scenarios the GDPR sets out (non-occasional processing, processing likely to result in a risk, or processing of special categories of data). Breaches must be notified to the CNPD within 72 hours and an impact assessment must be carried out for high-risk processing. Penalties can reach €20 million or 4% of annual global turnover, whichever is higher.

Puerto Rico

In Puerto Rico, personal data protection is regulated sectorally, through specific local laws and US federal legislation, without a uniform catalogue of rights, relying on the constitutional right to privacy and applicable industry standards.

Companies must implement reasonable security measures, prevent unauthorised disclosures and notify breaches to the Department of Consumer Affairs within 10 days, as well as inform affected data subjects. Information on minors requires the express consent of the minor and his or her legal representatives. A register of processing activities and impact assessments are not mandatory for the private sector, although they are recommended as good practice. Penalties can reach USD 50,000 at the local level and up to USD 1,500,000 for federal violations.

Dominican Republic

In the Dominican Republic, the protection of personal data is governed by Law No. 172-13, in development of the constitutional right to privacy and honour (art. 44). The law protects data contained in public or private files and databases and recognises the ARCO rights (access, rectification, cancellation and opposition), as well as habeas data and the right to compensation for damages.

Companies must comply with the legal principles, maintain secrecy, implement security measures and use data only for the stated purposes. Sensitive data require express written consent, with exceptions (health and certain entities). A register of processing activities, breach notification and impact assessments are not regulated, although they are recommended as good practices. Penalties can reach 150 minimum wages and, for individuals, prison sentences; from 2026, the new Criminal Code provides for criminal liability of legal persons, with mitigation if prevention programmes are in place.

Uruguay

In Uruguay, personal data protection is regulated by Law No. 18.331 (2008) and its amendments, which recognise this right as inherent to the human person in accordance with the Constitution. The regulation recognises broad rights of the data subject, such as information, access, rectification, updating, inclusion, communication, deletion and the challenge of personal assessments, which must be dealt with within 5 working days.

Companies must comply with the data protection principles, implement technical and organisational measures, ensure privacy by design and by default, manage and report security incidents, and conduct impact assessments where required (mandatory, for example, for biometric processing). Sensitive data require explicit and documented consent, with legal exceptions. Keeping a register of processing activities and registering databases with the URCDP are mandatory. Breaches must be notified within 72 hours to the authority and to affected data subjects. Penalties can reach 500,000 indexed units and the suspension or closure of databases.

Conclusion

A comparison of data protection frameworks in Iberia and Latin America shows a generalised advance towards greater privacy protection, although with important differences in the degree of development and regulatory requirements between countries. While some jurisdictions have consolidated systems aligned with international standards, others are still in transition phases or with partial regulations.

In this scenario, data protection is consolidating as a strategic element for organisations, especially in cross-border contexts. ECIJA's Global Privacy Playbook offers a clear and comparative vision that allows organisations to understand the key obligations, anticipate risks and design effective compliance strategies adapted to each jurisdiction.
