Data Protection and Privacy Laws in Honduras
Overview of Current State
Honduras has an Information Access and Data Protection Agency (IAIP) that oversees data protection. However, the country’s laws and regulations are still evolving.
Key Provisions
Data Registration
- Article 61 of the Draft Law requires persons or entities handling personal databases to register with IAIP.
- Detailed information about the database must be provided upon registration.
Data Transfers
- There are no specific policies regarding international data transfers, except for sharing patients’ medical histories with consent.
- This implies that data controllers may freely transfer data outside of Honduras without additional regulations or oversight.
Lack of Provisions
Data Processing Records and DPIA Requirements
- No obligation exists for data controllers and processors to maintain records of data processing.
- There are no requirements for conducting a Data Protection Impact Assessment (DPIA).
Data Protection Officer Appointment and Breach Notification
- There is no requirement to appoint a Data Protection Officer (DPO).
- A data breach must be notified only if it involves sensitive information or trade secrets.
General Provisions
Data Retention and Children’s Data
- The general provision for keeping records is five years, which applies more to documentary archives than to digital databases.
- Specific provisions do not exist for the processing of children’s data.
Special Categories of Personal Data and Controller-Processor Contracts
- No specific provisions exist regarding special categories of personal data.
- There are no specific provisions available in the Honduran legal framework regarding controller and processor contracts.
Rights of Data Subjects
Right to Be Informed, Access, Rectification, Erasure, Object/Opt-Out, Data Portability, and Automated Decision-Making
- Recognized rights include:
  - Right to be informed (limited)
  - Right to access
  - Right to rectification
  - Right to erasure (only applies if information is wrong or inaccurate)
  - Right to object/opt-out (exists for personal confidential data only)
  - Right to data portability (limited to mobile numbers between service providers)
- Rights not recognized include:
  - Right not to be subject to automated decision-making
Penalties
Penalties vary from termination of employment to imprisonment and fines.