There is no specific administrative entity in charge of privacy matters. Most likely privacy cases will be decided in court and such entity will determine any applicable precautionary measures depending on the specific case.
The Law of Data Processing Crimes provides for civil sanctions that range from 200 tax units to 600 tax units. Currently, a tax unit is equivalent to Bs. 127 (which equals to USD 2.43 at the SICAD 2 official exchange rate of 52.10 per USD), subject to subsequent annual adjustments made by the Tax Administration normally within the first quarter of each year and according to the inflation of the preceding year. Furthermore, in case of a civil judicial procedure, the court will determine the indemnification to be awarded to a plaintiff if damages are proven.
Failure to comply with the provisions of the Law Protecting the Privacy of Communications, subjects the offender to sanctions of imprisonment that range from a minimum of three months up to a maximum of five years. Failure to comply with provisions of the Law of Data Processing Crimes, results in imprisonment sanctions ranging from two years up to a maximum of six years.
Selected Enforcement Actions / General Comments
The regulations contained in Venezuelan law in connection with data privacy and the transfer of personal data are limited to few provisions contained in (i) the Constitution of the Bolivarian Republic of Venezuela and, (ii) special laws which sanction certain conducts related with the violation of the right to data privacy. As stated, it is very likely that any matter concerning privacy matters will be decided by a court. Some examples of recent enforcement action in Venezuela:
- In a decision issued by the Supreme Court on March 14, 2001, the Court set forth an interpretation of Articles 28 (right to access official records) and 60 (right to the protection of privacy) of the Constitution. This leading decision (a) determined the privileged information that is protected under constitutional standards; and (b) established a habeas data process and the information that may be subject to such process (the “Decision”). In this respect, the Decision indicated that privileged information subject to constitutional protection is such information contained in one or more registries that combined could create a complete or partial profile of the individual whose data is included in such registry.
- Based on the foregoing, under this decision it could be interpreted that an employer database complies with Constitutional standards, if from the information of the database one is not able to assert a complete profile of a registered person, i.e. an employee. It is important to indicate that the decision does not clearly define what should the expression “complete or partial profile” should mean.
- I Furthermore, on August 4, 2011, the Constitutional Chamber of the Supreme Tribunal issued Decision No. 1318 (“Decision 1318”), which is the first court decision that discusses the principles contained in Article 28 of the Venezuelan Constitution. Pursuant to Decision 1318, the main principles that regulate data privacy in Venezuela are the following:
- I The Autonomy of Will Principle – Any person whose data are included in a database is entitled to be informed about: (i) the collection of his or her data; (ii) the entity responsible for her or her data; (iii) the purposes for which the data was gathered; and (iv) the manner in which he or she may exercise the right of self-determination. All these are subject to the existence of a “prior, free, informed, unequivocal and revocable consent” by the party affected, in the event the organization that is responsible for the data needs to disclose them.
- I Legality Principle – The right to “information self-determination” can only be limited by means of rules having the rank of law, provided that this is justified by the public interest, and such rules must be interpreted restrictively. In this regard, the Chamber makes it clear that the information gathered (i) cannot be used for purposes that are contrary to the principles set forth in the decision under analysis or to constitutional guarantees; or (ii) processed by illegal or unfair methods.
- I Purpose and Quality Principle – The organizations that wish to compile personal data of individuals must do so in strict compliance with the constitutional and sectorial laws and regulations, and this must be done with a clear purpose, reason or cause. This principle is deemed to be essential in order for the individual’s consent to be valid. According to this principle, the gathering and use of personal data of individuals must follow the principle of good faith and proportionality, for only the data that is adequate, pertinent and not excessive for the purpose sought can be gathered.
- I Temporality and Preservation Principle – Based on the right to protection of data, intimacy and to update the information contained in databases and in files of public and private persons, the Chamber held that the information contained in such systems must be updated regularly in order to avoid impairment to individuals as a result of obsolete data. In addition, the Chamber adopted the decisions adopted by Colombian courts regarding the “right to oblivion,” which is the right of all individuals to have their personal data updated once a default or tardiness incurred has been remedied.
- I Accuracy and Self-Determination Principle – The personal data must reflect the true condition of the individual. In this regard, the data must not only be up-to-date, but accurate and complete as well. In order to achieve the efficacy of this principle, clear and expedite procedures must be set-up in order to ensure that the individuals have access to and knowledge about the data kept by public and private institutions about them. This also implies the right of individuals to demand the rectification or cancellation of incomplete, inaccurate, inadequate and excessive data, and to be advised of their correction.
- I Foresight and Integrality Principle – Technological advances require an analysis of the storage, compilation and use of personalized data jointly with other databases or records in which the individual’s personal data is stored, since if shown as a whole, they may be prejudicial to the individual or his or her interests or rights.
- I Safety and Confidentiality Principle – All entities that handle the compilation, storage and use of databases have the obligation to keep the required security regarding such data, and to prevent the modification thereof by unrelated third parties. This obligation remains even after the termination of the relationship between the entity and the relevant person. Additionally, the Chamber stated that this principle includes the prohibition to transfer the contents of databases to other states that do not have rules that guarantee the protection of the individuals’ information.
- I Protection Principle – Judicial protection is not sufficient. It is necessary to have public entities with jurisdiction to prepare and implement models based on technical standards whereby the information in these databases is protected.
- I Responsibility Principle – Any infringement of the right to protection of data will give rise to civil, administrative and criminal penalties. The liability for the breach of this right will not only fall on the officer in the banking sector, but also extends to any other sector in charge of information system.