DOMINICAN REPUBLIC Law and Practice Contributed by: Sarah de León Perelló, Elizabeth Silfa Micheli and Naomi Rodríguez Manzueta, Headrick Rizik Álvarez & Fernández
a detailed or segregated manner that could reveal the identity of their customers or account holders; and • a confidentiality obligation, which prohib - its banking entities from releasing personal banking data, except for the reasons provided for under the Law. Additionally, the Dominican Republic՚s legal system has, in writing, some of the general principles instituted by the General Data Pro - tection Regulation (GDPR), using consent as the justification for the processing of personal data. Hence, it is important to point out that the Dominican Republic is a consent-based market with respect to the processing of personal data. 8.2 Geographical Scope Even if processing of information is carried out abroad, if a foreign company targets customers in the Dominican Republic, there is a risk that customers may claim the collection of data takes place in the Dominican Republic and, accord - ingly, the provisions of Law No 172-13 would apply to the collection and treatment of data in the Dominican Republic. The “treatment of personal data” is defined as: • any operations or processes that allow for personal data processing, such as the col - lection, creation, storage or organisation of personal data; • the evaluation or analysis of such personal data; or • the transmission of such personal data. Law No 172-13 applies to all data controllers that collect information in the Dominican Repub - lic and is of public order (ie, mandatory, and the parties may not opt out of its provisions). The definition of treatment is considerably broad
under Law No 172-13 and includes operations and procedures that entail the collection of infor - mation as well as its processing per se. Personal data may only be transferred interna- tionally if the owner of the data expressly author - ises such transfer. The processing and transfer of personal data is unlawful when the owner of the data has not given their free, explicit and conscious consent, which shall be in writing or by other means to equate to it. Said consent must appear expressed in a provable way. 8.3 Role and Authority of the Data Protection Agency Data Protection Authority The Dominican Republic does not have a nation - al data protection authority. However, Law No 172-13 provides that databases and registries, whether public or private, intended to provide credit reports (ie, credit bureaus) are subject to the inspection and supervision of the Superin - tendency of Banks. Hence, save for the Super - intendency of Banks of the Dominican Republic, which regulates personal data matters in con - nection with banking matters, there is no data protection authority that supervises compliance with the legal framework. Habeas Data In that sense, most of the claims must be resolved utilising the general or common pro - cedures that Dominican courts have instituted. The Constitution of the Dominican Republic pro - vides any person with the opportunity to initi - ate a “habeas data” claim. A habeas data claim is a legal action through which any person can confirm the existence of their personal data in registries, as well as the content of said data. Through habeas data, in the event of falsehood or discrimination, the person may also request
224 CHAMBERS.COM
Powered by FlippingBook