There are very few data protection rules in Bolivia, and the minimal reference to data protection is covered in just one article of the bylaw to Law 164, which regulates the telecommunications sector but could be invoked by analogy in certain cases.
The Constitution does refer to data protection, but it does so from a procedural standpoint, establishing the right of an individual to request access to their own information and to object to or amend it on any physical, magnetic or informational support mechanism, especially when the individual feels this information affects their right to privacy; obviously, though, the Constitution does not regulate data protection.
The general principles of law that, by extension, relate to data protection are those that protect information by affording the rights to privacy, honor and dignity to individuals. When, as a result of a data breach, an individual feels that damage to their privacy or honor has occurred, they will have access to legislation regarding the protection of privacy rights, but these norms are not about data protection as such.
The sole article in bylaw to Law 164, that deals with data protection, establishes that handling personal data, whether in the process of collecting, keeping, processing, blocking or transferring it, requires the consent of the individual, which needs to be in writing.
This article also states that when information is collected from an individual, the collecting party must first disclose the purpose of the data collection, the identity of the third party to whom the information will be forwarded, and the individual’s right to correct, update, object or revoke the right to use the information.
Finally, this provision requires entities that collect information, always with reference to the telecommunications sector, to adopt the necessary technical and organizational measures to guarantee the security of the information received and to prevent its loss or unauthorized use and access.
This is the only regulation and reference that exists in relation to data protection.
In Depth Analysis
Is it mandatory to register databases containing personal data? No, due to the basically non-existing regulation on data protection there is no provision that makes it mandatory to register databases containing personal data.
Data Protection Authority (DPA)
Is there a specific authority responsible for supervising data protection regulations in Bolivia? There is no specific authority responsible for supervising data protection regulations.
If there is a data protection issue involving an entity subject to Law 164 (a telecommunications entity), then the Telecommunications Agency can address the matter, which will be merely from an administrative point of view.
There is, however, no Data Protection Authority (DPA) appointed to deal with data protection issues, nor would one have a set of regulatory provisions to enforce.
What is the legal basis for data processing? Article 56 of bylaw to Law 164, the sole specific data processing article, provides that when dealing with it, the receiving entity must observe the following code of conduct:
Uphold the constitutional provisions relating, in general, to the right to privacy, dignity and honor. The entity receiving information must keep this in mind as a general rule when handling private data.
Request the party’s consent to receive its information, which must be granted in writing or in a similar manner according to the specific circumstances. Consent should be understood as the informed and willful decision of a party to give its data to the collecting entity.
Consent can be revoked with no retroactive effect.
Inform the party giving its information of the treatment that information will be given; the purpose for collecting the information; who will receive or process the information; and the possibility to access, correct, update, object or revoke the information. The purpose for which the information is being collected cannot be changed.
The collected information cannot be shared or transferred to a third entity unless prior consent has been obtained.
The necessary technical and organizational measures to ensure protection, avoidance of data loss or non-authorized uses must be in place.
Is there a definition of sensitive data in your jurisdiction? There is no definition of sensitive data. Medical records or the like do not have a special ‘sensitive’ category. All personal information should be treated alike and, for practical purposes, should be deemed ‘sensitive’ as if there is a breach then it can possibly become a privacy issue rather than the breach of protection of a specific type of data.
Data subject’s rights
What rights do data subjects have in relation to their personal data and how are such rights exercised? The scarce telecommunications law provision states that subjects have the following rights in relation to their personal data:
To access its information;
To amend it;
To update it;
To cancel it;
The consent given for the collection of data can be revoked but said revocation will not have retroactive effects.
If an entity refuses to act on a subject’s petition, as listed above, then the subject may ask a court to order the collecting entity to grant the petition. If the court were to refuse such a petition, then the subject can have access to a constitutional recourse to address the issue.
What information must be provided to the data subject, prior to the processing of his or her personal data?
The information provided to individuals prior to processing it is:
How or what will be done with the information being collected;
The object for which the information is being collected;
Who will be the potential users or processors of this information;
The possibility to access this information at any time and also rectify, update, object and revoke the information given.
Special regimes – Are there special rules that have been established for certain sectors related to data protection (such as employment, insurance, health, telecommunications, finance)? There is no specific Data Protection Law as such, let alone one that creates special regimes. Since there is only one law that has a reference to data protection (Telecommunications Law), the telecommunications sector could be deemed to have special rules regarding data protection.
The telecommunications law has been relatively recently enacted to include regulation about new technologies (e-commerce; digital signature; value of email communications, etc.) and among those provisions, bylaw to Law 164 has included one article referring to data protection but this is not a comprehensive law about data protection.
Are there special rules applicable to the processing of children’s data? There are no special rules applicable to processing children’s data that come from any data protection law. There are general provisions regarding children and the protection of their identity that come from different statutes, but these have more to do with the protection of their privacy than with actually dealing with the processing of children’s data.
Are there special rules regarding whistleblowing? No, there are no special rules regarding whistleblowing.
Are there special rules regarding email scanning, or Internet and video monitoring? There are no special rules regarding email scanning, or Internet and video monitoring in the limited data protection provisions included in bylaw to Law 164.
In general, it is clear that email scanning or Internet usage surveillance by any means is not permitted. Any of these actions amounts to a privacy violation, which, of course, may come from a data breach. Any instrument containing information, such as correspondence, including email or Internet navigation, cannot be violated by any means, be it scanning, copying, etc.
Are there special rules regarding cookies and advertising or marketing communications? There are regulations regarding advertising and marketing communications directed at the telecommunications sector. Bylaw to Law 164 establishes that marketing and advertising communications have to:
Clearly state how the recipient of the marketing or advertising email can opt out of the same;
Clearly identify the sender and also identify the person or entity on whose behalf the email is being sent, if different from the sender;
Make available a subscription for opting in to receive publicity and advertisements. When an advertising email takes the recipient to an interactive website, the registration to access such site, if any, does not imply any commercial link or authorization of any kind. If the sender wants to create a marketing link with the recipient of the email or visitor of the redirected page then a specific subscription must be filled and be explicitly accepted by the recipient.
Exactly match the product characteristics;
Offer a clear explanation of what the promotion is about and include all the details of the same. The specific promotion needs to have complied with the promotional permits and regulations as established in the appropriate laws.
Are data processing requirements different when related to historical, statistical or scientific purposes? Since there is no Data Protection Law governing all the relating issues, there is nothing regarding the processing requirements of data for historical, statistical or scientific purposes.
Data processing requirements would likely be different when relating to statistical, historical or scientific data depending on how it affects the privacy issue. Statistical data could be processed differently as it would cease to be personal data and would become general diluted information where the original private information is no longer identifiable.
Depending on the nature of the historical and scientific data, as long as the information does not expose or reveal private information, it may be processed differently.
Are there special rules regarding the use or processing of personal data by mobile apps? No, there are no special rules regarding the use or processing of personal data by mobile applications.
Does Bolivia have a consumer protection regulation? Does it include data protection rules? Yes, Bolivia has a consumer protection regulation but it does not include data protection rules.
International Data Transfer
How is international data transfer treated? Are there specific requirements or prohibitions regarding this type of data transfer? There are no specific international data transfer requirements. International data transfer is not regulated and, therefore, is not prohibited.
Are data transfer agreements mandatory in your jurisdiction? Are Binding Corporate Rules valid in your jurisdiction? Data transfer agreements are not mandatory in this country, which should not be confused with the need to have the consent of the owner of the information for the transfer of its data.
Binding Corporate Rules or similar (safe harbor) do not exist and are not regulated.
Has Bolivia been recognized by another country or body as providing an adequate level of protection for the international transfer of data? This jurisdiction has not been recognized by any third country or body as providing an adequate level of protection for international transfer of data.
Has the DPA rendered any decision regarding the validity or impact of the Safe Harbor and/or Privacy Shield? There is no DPA or similar that could have issued any decision regarding the validity of the international transfer of data.
No Safe Harbor or Privacy Shield act or similar provision that relates to the international transfer of data exists.
Security incidents and Data Breach
Are there any requirements regarding security measures for the protection of personal data? The requirements that exist, and that could be applied by analogy to certain cases, derive from article 56 of bylaw to Law 164 and are broad. This provision stipulates that a telecommunications entity responsible for treating personal data should adopt the necessary technical and organizational measures to guarantee the security of the data and prevent its alteration, loss, and unauthorized access. The provision states that the security measures should adapt to the state of the art, the nature of the data stored, and the risks to which the data are exposed.
Is there a requirement to provide formal notice of a data breach or security incident? No, since there are no specific personal data protection laws, there are no statutory requirements that regulate the provision of a formal notice of any data breach or security incident nor is there any set threshold that would trigger notification.
What are the remedies available to individual victims in the event of a data breach? Are they entitled to monetary damages or compensation? If yes, please explain how individuals may exercise these rights. From the perspective of an individual who has had his data breached due to, say, a cyber-attack on an entity that has collected the data, there are no statutory remedies available. This is because there are no data protection laws and thus the matter is not regulated. At most, entities falling under Law 164 could be subjected to an administrative penalty if they did not comply with the minimum security requirements, but since there are no specific standards, this is highly unlikely.
From the perspective of an individual who knows who perpetrated a breach, it is possible to seek remedy using the general and constitutional provisions of the law in the ordinary jurisdiction as they relate to a privacy violation. The individual may seek the cessation of the breach and also obtain monetary compensation for the damages caused, which are generally linked to the violation of privacy itself and eventually to damages to his reputation or honor.
There is no cyber security insurance available in this jurisdiction.
Outsourcing & Due Diligence process
Are there any regulations regarding disclosure/transfer of personal data in the context of an outsourcing agreement and due diligence process? Yes, bylaw to Law 164 establishes that if personal data is going to be transferred or disclosed to an outsourced party, then the owner of the information needs to give its consent for said transfer or disclosure of information to the third party.
The data so transferred cannot be used for a different end than for what it was collected initially.
As mentioned throughout, this law is directed to the telecommunications sector only but it could be used by analogy in certain situations.
Data Protection Impact Assessment
Does Bolivia request a data protection impact assessment or audit to verify compliance with the regulations? No, there are no requirements for data protection impact assessment to verify compliance with regulations.
Data Protection Officer
Does your country require a company to appoint a data protection officer? No, this jurisdiction does not require a company to appoint a data protection officer.
Enforcement, fines and sanctions
What fines and sanctions, if any, are provided in the general applicable data protection legislation? There is no general data protection legislation.
If the privacy of a person is violated due to a security breach that person can, in the ordinary jurisdiction, request a monetary compensation or seek other sanctions against the attacker for the damages caused but not against the entity who had the information breached or otherwise affected.
Please explain any judicial remedies available to data subjects regarding infringement of their rights, including the possibility of instituting data protection class actions. Judicial remedies available to data subjects who have had their rights infringed would be in the ordinary and constitutional spheres mainly. A subject who knows who perpetrated the data breach could seek monetary compensation, for example, against the perpetrator for the damage to his privacy.
No judicial remedy would exist, however, against the entity suffering the breach through no fault of its own. It must be kept in mind that in this jurisdiction there are no data protection provisions and that its contractual or tort system is based on at-fault responsibility and not, like other systems, on pure liability. For these two reasons, an entity that has had a data breach would not be subjected to responsibility.
Class actions would not be an option.
Are privacy and data protection treated differently? Yes, privacy is regulated and data protection really is not.
Privacy is a concept that finds some protection in general law, namely in the civil and constitutional areas.
Data protection is a concept that is rudimentarily treated in one article of bylaw to Law 164 (Telecommunications law) but it has not really been addressed.
Since data violation may often entail privacy violation, as these are intertwined concepts, some remedies may be obtained for both but only because of the privacy violation itself and not because of the actual data protection failure.
Privacy regulations provide for the ceasing of the violation. Also, it is possible to seek compensation for the damages suffered although the assessment and quantification on these types of issues (violation to privacy, damage to reputation, etc.) require a consequential showing of the damage, which has to be actual and direct and the courts seldom find satisfactory showings of these requisites.
Privacy & Data Protection landmark decisions
Have there been any significant judgments regarding privacy and data protection? Are the courts familiar with data protection and privacy in general? As of July 2018, there have not been significant judgments regarding data protection.
Courts are not familiar with data protection and they mostly deal with cases relating to the traditional breach of privacy.
Foreign administrative or judicial decisions
To what extent are your national courts willing to consider, or bound by, the opinions of other national or foreign courts that have handed down decisions in similar cases? National institutions are not very willing to consider, let alone be bound by, the opinions of other national or foreign courts that have handed down decisions.
Importantly, there is no data protection legislation to which facts can be applied.