El Salvador: Cybersecurity and Data Protection Laws Enacted

On November 12, 2024, El Salvador’s Legislative Assembly approved Decree No. 143, the Cybersecurity and Information Security Law, and Decree 144, the Law for the Protection of Personal Data. The two laws are intended to protect individuals’ information in cyberspace and in the custody of public and private institutions. They were published in the November 15, 2024, official gazette, and came into force November 23.

Cybersecurity and Information Security Law

The Cybersecurity and Information Security Law was enacted to create conditions for safeguarding information of the government, companies and individuals, and to combat threats to the confidentiality and integrity of the information. It establishes the legal framework, principles and policies to regulate and supervise information security measures taken by public institutions. (Decree 143, art. 1.)  The law applies to all public or private entities and individuals that administer, execute, or influence the public administration or critical infrastructure of the nation. (Art. 2.)

Establishment of the State Cybersecurity Agency

The Cybersecurity and Information Security Law creates an autonomous State Cybersecurity Agency (Agencia de Ciberseguridad del Estado, ACE). (Art. 7.) Among its many important functions, ACE will be responsible for preparing the National Cybersecurity and Information Security Policy, including guidelines, plans, and programs of action relating to cybersecurity, for approval by the president. The agency will create rules, protocols, and standards to enforce the law; establish a national registry of threats and cybersecurity incidents; and provide for qualification of operators of critical infrastructure (and withdrawal thereof) for ratification by the president. The agency will also be authorized to demand information on any threats or incidents against critical infrastructure from affected parties. (Art. 8.)

ACE will be led by a General Director and a Cybersecurity and Information Security Director, both of whom will be appointed by the president for a period of three years with the possibility of extension. (Art. 9.)

Infractions and Sanctions

The Cybersecurity and Information Security Law imposes administrative sanctions for infractions against the law.

There are three categories of infractions: minor, serious and very serious. (Art. 18.) Among the minor infractions is the delay in submitting information requested by the agency unrelated to security incidents. (Art. 19.) Serious infractions include the failure to update information registries, delays in submission of operational plans, failure to enforce security plans, or noncompliance with regulations. (Art. 20.) Very serious infractions include the delay of submission of reports related to security incidents; omission of details on information requested related to the security of information; and disregard of the Cybersecurity and Information Security Law or its protocols or guidelines. (Art. 21.)

Sanctions may range from a written warning to fines varying in value depending on the seriousness of the infraction. Sanctions can also include the removal of agency heads, and the banning of work in public administration for ten years. (Arts. 22-25.)

Data Protection Law

The new Law for the Protection of Personal Data was created to provide high levels of protection for individual personal information. It creates new procedures, rules and a normative framework for the collection, use, processing, and storage of personal data and any related activities to guarantee the right to privacy and self-determination of individuals.

Scope

The law applies to any individual or legal entity, public or private, that processes personal data. (Decree 144, art. 2.) Certain actions are exempted from this law, such as the processing of personal data in connection with credit history; information surrounding family or domestic life that will not be used commercially; the processing of personal data related to public security; the defense and security of the State; the prevention, detection and repression of crime; and any processing of personal information registered in public registries. (Art. 3.)

Public institutions are granted certain exemptions, allowing them to process personal data without express consent, provided they inform individuals about the purposes of data collection and their rights. (Art. 46.) However, data owners retain limited rights, including access, rectification, and opposition to processing.

The enforcement and supervision of the Cybersecurity Law and Data Protection Law are entrusted to the State Cybersecurity Agency, which is empowered to oversee compliance and impose sanctions for violations. (Arts. 50 & 56-59.)

ARCO-POL Rights for Data Owners

The Data Protection Law enshrines a set of rights for data owners, collectively referred to as ARCO-POL rights (Access, Rectification, Cancellation, Opposition, Portability, and Limitation). Among these, the right to personal data protection guarantees individuals the ability to know if their data is being processed and request corrections, deletion, or limitations on its use. (Art. 6.) Data owners also have the right to access their information, obtain copies, and learn about the purposes for which their data is collected, the recipients, and the security measures in place. (Art. 7.)

The right to rectification allows individuals to correct inaccuracies or update outdated information, while the right to deletion provides for the removal of data under specific conditions, such as when it is no longer necessary, or consent is withdrawn. (Arts. 9-10.) Exceptions to deletion include cases where removal would infringe on the legitimate rights of third parties or violate legal obligations. (Art. 10.) The law also establishes the “right to be forgotten,” enabling data owners to request the removal of outdated, inexact, or incomplete information, as well as the right to restrict processing under certain circumstances. (Art. 13.)

Informed Consent

The law requires entities processing personal information to verify the informed consent of the subject before such processing. (Art. 26.)

In the case of minors, the principle of “progressive exercise of faculties” will be considered, meaning that rights granted to children and adolescents will be exercised on a gradient, and businesses catering to minors need to take into account their development, faculties, conditions, and the direction of a responsible person who has the child’s custody. (Art. 5. J.)

Exceptions to the requirement for obtaining prior informed consent apply in instances where the information is publicly available, the owner is unable to provide consent, there is an emergency, the information is derived from a contract, or the information is part of a historical archive used for scientific or historical research. (Art. 28.)

Roles and Responsibilities of Data Protection Officers

Entities processing personal data are required to appoint a Data Protection Officer (DPO) to manage and resolve ARCO-POL rights requests, assist in compliance with data protection obligations, and advise on best practices. (Arts. 15-17.) The DPO must respond to requests within 20 business days, extendable by an additional 20 days if necessary, and ensure proper notification to third parties in cases of rectification. The law outlines specific exceptions where requests may be denied, such as when they conflict with third-party rights or legal obligations. (Art. 22.) Any denial must be accompanied by a reasoned resolution issued within three business days.

Regulations on Sensitive Data and International Transfers

The Law for the Protection of Personal Data establishes that no one can be forced to give up their personal information. However, the information can be used if it is needed to save someone’s life, or when the information related to health is needed for the prevention of disease, medical diagnosis, sanitary assistance, or other medical treatments. (Art. 37.)

The law also establishes regulations for the processing of sensitive data, restricting its use to specific conditions such as public interest, dissociated statistical or scientific purposes, or legal mandates. (Art. 38.) The transfer of personal data is permitted only with the data owner’s prior consent and when aligned with legitimate interests. (Art. 40.)

For international transfers, the recipient country must provide adequate levels of data protection or comply with Salvadoran standards. Exceptions are made for transfers under Central American Integration Treaties. (Art. 44.)

Reactions

The Salvadoran Legislative Assembly recognizes the law as a necessary step toward modernizing the country’s data protection infrastructure, and its alignment with international standards. For example, Caleb Navarro, congressman, has stated that this law will improve the confidence of users in the digital space, that the data protection rights will align with international standards, and that it will promote foreign investment and enable citizens to correct and eliminate their personal data. Congresswoman Alexa Rivas said that this law will guarantee the right to privacy, which aligns with rights such as freedom of expression, and it will aid in preventing transgressions of the right to privacy.

However, critics from opposition parties and civil society fear the laws may be used for surveillance purposes and to suppress political opposition. Many civil society organizations worry about the broad powers granted to the state and the lack of sufficient safeguards to protect citizens’ rights. Human Rights Watch has voiced concerns that these laws may threaten freedom of expression and privacy rights. They argue that the legislation could give the government more power to monitor and control information, leading to potential misuse in curbing dissent or restricting freedom of speech.

For instance, Human Rights Watch has said the “right to be forgotten” may represent a threat to the freedoms of expression, of information, and of the press, because the principle of accuracy does not permit the publication of data that is inexact, incomplete, or outdated, which can pressure media to eliminate information of public interest that may be inexact or incomplete.

Stephania Alvarez, Foreign Law Specialist

Adriana Domingo Cabrera, Law Library Legal Research Fellow, under the supervision of Hanibal Goitom, Chief, Foreign, Comparative, and International Law Division I

Law Library of Congress, January 21, 2025


Rights & Access

Publications of the Library of Congress are works of the United States Government as defined in the United States Code 17 U.S.C. §105 and therefore are not subject to copyright and are free to use and reuse.  The Library of Congress has no objection to the international use and reuse of Library U.S. Government works on loc.gov. These works are also available for worldwide use and reuse under CC0 1.0 Universal. 


Credit Line: Law Library of Congress

Cite This Item

Citations are generated automatically from bibliographic data as a convenience, and may not be complete or accurate.

Chicago citation style:

Alvarez, Stephania. El Salvador: Cybersecurity and Data Protection Laws Enacted. 2025. Web Page. https://www.loc.gov/item/global-legal-monitor/2025-01-21/el-salvador-cybersecurity-and-data-protection-laws-enacted/.
