In Costa Rica, sending personal data to servers abroad without the data subject's express, unequivocal consent is not a minor slip: Law 8968 treats it as a most serious offense, carrying fines of 15 to 30 base salaries and — the part that actually stops a business — suspension of the database for one to six months. In the age of SaaS and cloud, when virtually every company transfers data abroad every single day, that sanction stopped being theoretical a long time ago.
And this is not a freshly published law waiting to take effect. Law 8968 — "Protection of the Person in the Processing of Their Personal Data" — has been in force since 2011, has its own implementing regulation, and an active authority: PRODHAB, the Agency for the Protection of Inhabitants' Data, attached to the Ministry of Justice and Peace. PRODHAB supervises, maintains the database registry, demands information, inspects databases, resolves complaints, and imposes sanctions. While the rest of the region watches the regulatory clock in Chile and Brazil, in Costa Rica the clock has been running for over a decade.
What the law demands, translated into artifacts
Read with operational eyes, Law 8968 and its regulation ask for concrete deliverables:
1. Database registration with PRODHAB. This is Costa Rica's distinctive trait. Databases administered for distribution, dissemination, or commercialization must be registered with PRODHAB's registry. It is not an internal record of processing activities like the ones other frameworks in the region require: it is a filing with the authority itself — an authority that also holds the power to inspect what you registered. The exact scope — which types of databases qualify — is worth confirming against the regulation with Costa Rican legal counsel: it is one of the areas where the law has been criticized for lack of clarity.
2. Action protocols. Depending on the type of database, an action protocol — the measures and procedures under which the database is administered — must be registered and, above all, followed. Having it written down is not enough; in an inspection, the protocol is the yardstick your actual operation gets measured against.
3. ARCO rights in five business days, free of charge. The law grants data subjects rights of access, rectification, deletion, and consent over transfers (ARCO), with a 5-business-day response deadline and at no cost to the data subject. On top of that: express and free consent as the basis of processing, and the figure of a Data Protection Officer.
4. Consent for international transfers. Article 14 requires express, unequivocal consent whenever data is transferred, and it applies especially to cloud providers and companies sending data to servers abroad. There is no strict data-localization mandate, but the combination of mandatory consent plus a most-serious-offense sanction makes it one of the region's toughest transfer regimes.
The distinct case: compliance that is more administrative than technical
Here is the structural difference with Chile or Brazil. In those frameworks, much of compliance is decided on technical evidence: where the PII lives, who touched it, how it gets deleted. In Costa Rica, the heart of compliance is administrative and process-driven: registering the database with the authority, keeping protocols filed and current, and answering ARCO requests within a five-day SLA.
It would be tempting to conclude that if the requirement is "more paperwork than engineering," you can outsource the filing once and archive the folder. That is exactly the wrong conclusion — and the reason is simple: every one of those artifacts describes something that changes every day.
Why a static document isn't enough
The PRODHAB registration is a photograph of a database: what it contains, what it is used for, how it is administered. But real databases don't sit still. Fields get added, new systems get connected, the commercial purpose shifts, a team copies the table into another environment. Six months later, the registered photograph and operational reality no longer match — and the inspecting authority doesn't compare your reality against your intentions; it compares it against what you filed.
The same goes for action protocols: a protocol nobody follows isn't compliance, it's evidence against you. And the ARCO deadline is the operational acid test: answering within five business days what data you hold about a person, correcting it or deleting it, requires knowing today — not finding out in two weeks — which systems that data lives in, who owns each one, and how a change propagates.
A static document answers none of that. A living program does.
How a governance program produces and maintains each artifact
This is the thesis: in Costa Rica, data governance doesn't replace the filing with PRODHAB — it is what keeps the filing true over time. Using a framework like DAMA-DMBOK, each discipline of the program feeds a specific legal artifact:
- Inventory and classification. Knowing which databases exist and which ones are administered for distribution, dissemination, or commercialization is the direct input to the registration. Without a living inventory, you don't even know what you were supposed to register. Classifying personal data is also what triggers the consent requirement on transfers.
- Ownership. Every registered database needs a named owner with a role who answers for it — to the Data Protection Officer and to the authority. The DPO cannot sustain compliance alone; they need a network of data owners reporting changes.
- Documented, operated processes. Action protocols are, in practice, versioned data-management processes: who accesses, how it's updated, how it's corrected, how it's deleted. A governance program turns them from an archived PDF into an operating procedure with an owner and execution evidence.
- Lineage and quality. Answering an ARCO request in five days means locating a person across every system where their data lives and propagating the rectification or deletion downstream. That is technical lineage plus data quality — without them, the SLA is a promise.
- Lifecycle. Deletion isn't fulfilled with an email: it's fulfilled with demonstrable retention and deletion per dataset.
The visibility layer that supports all of this is chosen to fit your infrastructure — your cloud's native catalog or an open-source one like OpenMetadata — but the tool is the least of it: what produces the artifacts is the program (culture, roles, processes), not the software.
What technology doesn't solve on its own
We would be poor advisors if we told you this gets solved by installing something. In the Costa Rican case, three things always sit outside any tool's reach:
- The filing is a filing. Registering with PRODHAB and filing protocols are acts before the authority: someone in your organization submits them, maintains them, and updates them when reality changes. Technology feeds that process with truthful information; it doesn't execute it.
- Legal counsel is non-negotiable. Law 8968 dates from 2011, has been criticized for its gray areas, and there have been signals of reform whose current status is worth validating with a Costa Rican data protection lawyer before making scope decisions. If you operate in the financial sector, also validate the sector-specific rules on cloud and outsourcing.
- Culture decides. An action protocol is fulfilled in the daily behavior of the teams that touch data — and that is built with training and ownership, not with a license.
Start by knowing where you stand
If your organization processes personal data in Costa Rica, the starting question isn't "which tool do I buy?" but: do you know which databases you have, which ones should be registered, who answers for each, and whether you could respond to an ARCO request in five business days — today? If you hesitated on any of those, that's the gap. A data maturity assessment gives you an honest starting point: what you have governed, what's orphaned, and how far your filing (or the one you should have made) sits from what is actually happening in your systems. And if the concept itself feels distant, start with what data governance is.
Sources: Law 8968 — full text (PGR/SCIJ) · Regulation to Law 8968 (PDF) · PRODHAB · IPANDETEC — personal data reform in Costa Rica
This article is general guidance, not legal advice. Validate regulatory details with a data protection lawyer in Costa Rica.
