Transfers of personal data in early stages of technology transactions or M&As.

As part of negotiations, due diligence, preliminary reviews and analysis, a party may request or need certain information containing personal data of employees, customers, suppliers and/or business partners of other parties involved in the transaction. Below are some legal suggestions for controllers in accordance with Costa Rican legislation on privacy and protection of personal data.

  1. Validate whether there is indeed personal data involved in accordance with the data categories and terms indicated in local law.  As in other jurisdictions, the processing of sensitive personal data must comply with certain restrictions and special requirements.

  2. Validate if the specific scenario falls within the local term of transfer of personal data (this is a valuable filter to perform carefully): "action by which personal data of a controller is transferred to any third party other than said controller, its economic interest group, the processor or the service provider or technological intermediary, provided that the recipient does not use the data for its distribution, diffusion or commercialization" (Section 2.w of the Regulations to Law 8968).

  3. If data transfer applies, validate applicable local requirements for this transfer to be legal.  This step should not be a major obstacle if the transferring controller is aware of and complies with local privacy law.  Requirements that can be extracted from local regulations:

    (a) The transferring controller may only transfer data when the data subject has expressly and validly authorized said transfer.  This authorization is granted through a physical or electronic notice (informed consent) and must include a minimum content (Section 5.1 of Law 8968);

    (b) At the time of transferring data, controllers should be complying with the “minimum action protocols” described in local regulations (Sections 41 and 32 of the Regulations to Law 8968);

    (c) The transmitting controller should sign a contract with the receiving controller that establishes at least the same obligations that the transmitting controller has (Section 43 of the Regulations to Law 8968); and,

    (d) Even if not based in Costa Rica and the outcome of the transaction is uncertain, the receiving controller should also obtain the informed consent of the data subjects and once the transaction is closed, this controller should validate, among other things, if the content of the first notice would need some adjustment/updating.  Local informed consent must be specific, which means that it must refer to one or several determined and defined purposes that justify the processing (Section 4.c of the Regulations to Law 8968).

  4. Related violations to map and avoid:

    (a) Minor violation:  “Collect personal data for use in databases without providing sufficient and extensive information to the data subject, in accordance with the specifications of Section 5.1.” (Section 29.a of Law 8968)

    (b) Serious violation:  “Collect, store, transmit or in any other way use personal data without the informed and express consent of the data subject, in accordance with the provisions of the Law." (Section 30.a of Law 8968)

    (c) Serious violation:  “Collect, store, transmit or in any other way use personal data for a purpose other than that authorized by the data subject.” (Section 30.c of Law 8968)

    (d) Very serious violation:  "Transfer personal data of Costa Ricans or foreigners residing in Costa Rica to third countries, without the consent of the data subjects." (Section 31.f of Law 8968)


    Article provided by INPLP member: Fabian Solis (Aguilar Castillo Love, Costa Rica)



    Discover more about the INPLP and the INPLP-Members

    Dr. Tobias Höllwarth (Managing Director INPLP)