This May 26, the sanctioning regime for those who violate the Personal Data Protection Act, which has been in force since May 2021, comes into force. Amidst the strong activity of banks and companies seeking processing permission from data owners. data before the said system comes into force.

These days, several bank clients have received messages for permission, before using mobile banking, and if they do not give it, the user cannot continue using the said service. There were other strategies like campaigns and promotions to get said permission.

The entry into force of the sanctioning system, which consists of the classification of minor and serious offenses, competent and responsible for data protection, as well as their sanctions, means that citizens who feel affected by the use of their data will now be able to complain to the competent authority, explains Lorena Naranjo, director of the master’s degree in digital law and innovation at UDLA and lawyer for Spingarn,

However, since the supervisor for the protection of personal data has not yet been elected, complaints can be submitted to the entity where the violation of rights was committed (banks, supermarkets, among others) or to supervisory bodies such as the Telecommunications Regulatory Agency. or the Supervisory Board of Banks.

This, says Naranjo, has already established a turning point when a violation would be committed, and later, when the body has already been selected and the corresponding entity has been created (supervisor and personal data protection supervisor), then sanctions can be imposed. executed.

As for the progress of the executive’s shortlist reconciliation, to select the branch’s powers, Naranjo said he learned that shortlist names were already being sought and that the executive was also working on an ordinance on the subject. “There is an interest of the executive branch to fulfill this issue,” he said.

Now, citizens must be more careful about possible misuse or handling of data. Typical examples that occur in this area are when we receive phone calls from companies or call centers to which we have not provided our information. However, it is important to determine whether we have consented to the delivery of our data at any time.

There are typical examples of misuse of data about people, and for example in 2015 it was learned that a public figure sold a database of addicts to financial entities so that they could use it in bank points. There are other flawed databases that are sold all over the place and are sometimes used to do credit analysis, Naranjo explained.

As for forcing users to accept data processing and otherwise lose the use of certain services, Naranjo commented that it could be indictable, but not automatically punishable. Explain it in a moment there is no real clarity around the issues, including consent. “We still need to mature as a society, we will gradually understand on these issues that consent is not required en bloc and that the client should be given the opportunity to say No”.

But what are the sanctions that come into force?

For minor offenses:

The body for the protection of personal data will impose administrative sanctions in the case of determining the commission of a minor offense:

For serious offences

In addition, the Authority for the Protection of Personal Data will determine the applicable fine based on the principle of proportionality, according to intent, repetition of the offense, damage caused, among others.