The Protection of Personal Data and its Impact on Labour Relations in El Salvador
In a highly digitalised business world, in which data has become a commodity in itself, El Salvador had a pending task: to adopt a regulation governing the use of the personal information of all its citizens. This was all the more pressing as El Salvador moves ever closer to its goal of becoming the digital business hub of the Central American region.
This pending task was accomplished with the entry into force of the Law for the Protection of Personal Data (LPDP) in November 2024, which represents a profound change in the Salvadoran legal landscape. From that date, Salvadorans have a regulation based on global standards for the protection of personal data, as well as a regulatory body, the State Cybersecurity Agency (ACE), which is also responsible for issuing the policies that make this new law operational and that give everyone a guide for complying with it.
This regulation not only affects the technological or digital sphere, but also alters the very structure of labour relations, by incorporating the protection of personal data as a new axis of compliance and corporate responsibility.
The Personal Data Performance and Handling Policies issued by the State Cybersecurity Agency (ACE) consolidate this trend, integrating the standards of ISO/IEC 27001:2022 into the organisational, technical and physical processes that all employers must apply, not only for the processing of their clients' or users' data, but also for the processing of their employees' data.
The employment relationship in the personal data processing environment.
The employment relationship involves the constant processing of personal information of employees working for an employer, from the recruitment phase, through the execution of the contract, to the termination of the contract.
Data on identification, health, performance, contact, payroll, social security, video surveillance and more form a continuous flow of processing within the organisation.
Think of all the information typically requested from an aspiring employee during the recruitment and selection process: address, full name, age, gender, and the answers to aptitude and psychological tests, which are used to build a candidate profile and, from it, to decide whom to hire. All of the above is classified by the LPDP as "Data Processing".
In this way, the employer becomes the "data controller" (art. 4, lit. t LPDP) and has the obligation to guarantee the lawfulness, legitimate purpose, confidentiality and security of all data collected and processed.
On the other hand, once the employee begins to perform his or her duties for an employer, he or she acts in a dual capacity: as the data subject (holder) of his or her own personal data, and as a processor of third parties' data (customers, suppliers, users) on behalf of the employer.
This duality raises new contractual, ethical and compliance obligations within Salvadoran companies, to which I will refer in this article.
Employer obligations under the Law for the protection of personal data and the ACE Policies.
All employers must implement organisational, technical and physical measures to ensure the protection of the personal data of their employees and of the third parties whose data they process. These include, but are not limited to:
- Appointment of the Data Protection Officer (DPDP);
- Adoption of internal privacy policies;
- Implementation of access controls, encryption and authentication;
- Recording of processing activities and impact assessments (EIPD);
- Periodic audits and ongoing training.
ACE treats ISO/IEC 27001 as the reference standard. Personal data compliance should therefore be seen as part of an Information Security Management System (ISMS) that the employer must maintain, monitor and document.
Therefore, the rules comprising this ISMS must be applied transversally across all company processes involving data processing, for example the recruitment and hiring process.
Articles 26 and 27 of the LPDP require the express consent of the data subject for any processing, subject to the exceptions in art. 28 LPDP. In practice, therefore, every employer must inform candidates, at the start of any recruitment or pre-selection process:
- What data it collects,
- Where and how it is stored,
- For what purpose,
- Who will have access,
- And for how long it will keep it.
This is materialised in the labour privacy notice, a document that must be delivered to every candidate or employee before data collection takes place. For current employees of the company, it should be delivered immediately, given that the LPDP is already in force and its policies have been since September of this year.
Consent cannot be inferred from the employment contract, nor can it be considered tacit due to the legal subordination of the worker.
Article 17 of the Labour Code establishes that subordination implies obedience to the employer's orders, but does not eliminate fundamental rights, such as the right to the Protection of Personal Data, as defined in Art. 6 of the LPDP.
Therefore, every worker must grant free, specific and informed consent before the employer can process his or her data. That consent should not be imposed as a condition of employment; however, the candidate must be clearly and emphatically warned that, without authorisation to process his or her data, the selection process cannot be carried out, and this situation must be explained to the candidate.
The processing of the employee's personal data requires informed consent (arts. 26 and 27 LPDP), except for the exceptions provided for by law (contractual or legal obligations).
In practice, consent is materialised by means of:
- Specific clauses in the individual employment contract,
- Workplace privacy notices, and
- Internal procedures that guarantee the exercise of ARCO-POL rights (access, rectification, cancellation, opposition, portability and limitation).
Subordination in labour-management relations implies obedience to legitimate orders, but does not authorise unlimited processing of information.
The employer must therefore balance his or her power of direction with the principles of proportionality, purpose and transparency, as mentioned above.
On the other hand, art. 31, paragraphs 2 and 4 of the Labour Code establish the employee's obligations of obedience to the employer's policies and instructions, and of reserve and secrecy regarding information owned by the employer as a business secret, as well as any other information whose disclosure could be detrimental to the company. In this context, such detriment would include a sanction or fine imposed by the ACE on an employer for failing to bind an employee to the privacy and information protection policies that form part of the ISMS the employer has implemented.
When an employee processes third-party data on behalf of the employer, he or she is limited by the authorisation that the third party gave for that purpose. Consequently, the employee is directly responsible for his or her actions for legal purposes (both administrative and criminal), provided that the employer can show that it was duly diligent in communicating to the employee the limits on data and information processing that it established. Hence the importance of creating mechanisms that evidence that the employee has been informed of the company's Personal Data Protection policies.
Consequently, with the entry into force of the Policies on performance and handling of personal data published by the ACE in September this year, it becomes a priority to conduct a comprehensive review of the documents that make up the contractual legal framework in labour matters, as part of the company's General Policy for the Protection of Personal Data, especially if ISO 27001 is the standard adopted.
We therefore suggest reviewing and updating the following documents and taking the following actions:
| Document | Action required | Purpose |
|---|---|---|
| Individual employment contract | Include a consent clause and an express reference to the LPDP and internal policies. | Formalise lawful processing and confidentiality. |
| Internal Working Regulations | Include a chapter on privacy, data protection and use of technologies. | Create the sanctioning and procedural framework. |
| Labour privacy notice | Communicate purpose, rights and security measures. | Guarantee transparency and traceability. |
| Confidentiality agreements (NDAs) | Extend scope to personal data and maintain post-contract validity. | Reinforce professional secrecy. |
| Human Resources and IT Manual | Establish protocols for access, disposal and incident response. | Align operational areas with legal compliance. |
The power of direction (art. 31 numeral 1 of the Labour Code) gives the employer supervisory powers, but the LPDP imposes limits of proportionality and purpose.
Surveillance measures (cameras, GPS, mail monitoring) must be:
- Necessary for a legitimate purpose (security or productivity control);
- Adequate, without invading privacy;
- Proportionate, avoiding excessive intrusions;
- Transparent, with the employee being informed in advance.
These guidelines harmonise the employer's authority with the worker's right to privacy and dignity.
The policies published by the ACE require regular internal audits, complaint mechanisms and constant updating of policies. It is therefore essential to have a Data Protection Officer (DPDP) who works together with the employer's Legal and Human Resources departments, leads this process, and acts as liaison with the ACE.
Failure to comply with the obligations relating to Personal Data Protection can lead to administrative, civil or even criminal sanctions; therefore, the proactive approach to compliance (accountability) becomes essential: companies must demonstrate with documentation that they implement prevention, training and control measures.
A fundamental part of any organisation's internal regulatory system is its ability to ensure that the rules do not remain a dead letter but are actually complied with, through what is known as enforcement: the ability to enforce the rules so that non-compliance can be sanctioned. The challenge lies in how to carry out this process without overriding the rights of workers.
Legal basis for the power of enforcement in labour matters.
The Labour Code grants the employer powers of direction, organisation and discipline, including the power to regulate, which allows the employer to dictate internal rules for the proper functioning of the company.
This power includes the ability to:
- Issue internal regulations, policies and codes;
- Establish disciplinary measures;
- Enforce them under penalty (as long as they comply with the law and are proportionate).
In that sense, privacy, confidentiality and information security policies are a legitimate part of the internal compliance framework, and their enforcement is fully within the employer's powers.
Incorporation into the Internal Labour Regulations.
Article 303 of the Labour Code provides that the Internal Labour Regulations must contain rules regulating working conditions, obligations and applicable sanctions.
Every employer can and should incorporate within its internal work regulations a specific Chapter on Personal Data Protection, including:
- Duty of confidentiality regarding personal information of employees, clients and third parties.
- Obligation to abide by security policies and protocols.
- Prohibition to disclose or use information outside the work environment.
- Disciplinary procedure for non-compliance.
These regulations, duly approved by the Ministry of Labour, become the legal basis for internal enforcement.
Sanctions and disciplinary measures.
Pursuant to Article 31, paragraphs 4 and 12 of the Labour Code, a breach of data protection policies, once they have been incorporated into the internal work regulations, may be qualified as a serious offence when:
- The employee improperly discloses or uses confidential information;
- Accesses systems or databases without authorisation;
- Removes or manipulates digital records;
- Disregards security instructions issued by the company.
In these cases, the employer can apply proportionate sanctions, ranging from written warnings to termination of the contract without liability, always guaranteeing internal due process.
The legal basis for enforcement is clear: the employer has not only the right, but also the obligation to ensure the security and confidentiality of personal data processed within the company.
Negligence or tolerance of privacy violations could even compromise the employer's liability before the ACE or the data subjects.
Complementary enforcement mechanisms.
In addition to sanctions, companies should implement preventive compliance mechanisms:
- Mandatory training and annual data protection assessments.
- Signing of individual confidentiality commitments.
- Technological controls (access blocking, log audits, incident monitoring).
- Disciplinary reports to the Data Protection Officer.
These mechanisms strengthen the traceability of compliance and the individual responsibility of the employee.
Balance with fundamental rights.
Internal enforcement should not become a tool for abuse or excessive surveillance.
Any sanction or control measure must respect the principles of legality, necessity and proportionality, avoiding unnecessary intrusions into the worker's private life.
The aim is to foster a culture of shared responsibility, not punishment.
Enforcement should be based on education, awareness and organisational coherence, rather than disciplinary repression.
The new Salvadoran regulatory framework - comprising the Law for the Protection of Personal Data and its policies and the Labour Code - redefines the balance between productivity, corporate control and fundamental rights.
The protection of personal data becomes a two-way duty: the employer as guarantor and the worker as custodian.
Internal enforcement of privacy policies is part of the employer's legitimate powers, provided it is exercised with transparency, proportionality and respect for due process.
In this way, the company not only complies with the law, but also strengthens its ethical culture and corporate reputation in an era where digital trust is the new reputational capital.
How can ECIJA help your company?
The new Salvadoran framework imposes specific obligations: any organisation that processes employee, customer or supplier data must have internal policies, records, security protocols and ARCO-POL channels.
Both lead an interdisciplinary team specialising in:
- Labour Corporate Law;
- Diagnosis and audit of compliance with the LPDP and its Policies;
- Documentary adaptation (contracts, regulations, internal policies and confidentiality clauses);
- Implementation of ISO 27001 systems;
- Legal advice on cybersecurity incidents and breach management.
Article written by Carlos Gil, partner of ECIJA El Salvador Corporate Law Department.