Organization of American States

Department of International Law
Data Protection




Principles on Privacy and Data Protection

In June 2011, the Department of International Law introduced the document Principles and Recommendations on Data Protection, prepared in accordance with resolution AG/RES. 2514.




The OAS Member States had the opportunity to comment on the project. The Draft of Principles and Recommendations was prepared with the participation of the Legal Committee and the Department of Modernization.

The project provides a brief analysis of the differences in data protection between Europe, the U.S., and Latin America. The European view of the right to privacy covers every aspect of the individual’s life. Based on this expansive view of the right to privacy, privacy legislation in Europe covers the processing of personal data by both the government and private organizations. The U.S. system provides for self-regulation by industry of the personal data handled by private organizations. As such, industries in the United States are mostly self-regulated, including most private corporations, data-mining businesses, personal data repositories and internet-based social-networking sites, among others. Finally, some Latin American countries follow the concept of Habeas Data, which allows people to access their own personal data and gives them the right to correct inaccurate information.

The project provides a detailed report on the principles and recommendations on data protection, summarized below:

Processing Requirements: Personal data should be processed in accordance with the regulations and applicable law, fairly, for a “specific purpose, explicit and legitimate”; and processing should be limited to the personal information needed to accomplish a specific purpose. The processing of personal data should be transparent.

Processing Purposes: The processing of an individual's personal data is permitted by a contractual agreement, if necessary to comply with an obligation imposed by a governmental authority; or held by a data processor, such as a public entity, in the legitimate exercise of its authority.

Data Processor Responsibilities: The data processor must ensure that all personal data are kept confidential, and it must provide reasonable technical and organizational measures to ensure the integrity of personal data. The processor is responsible for taking all necessary measures to follow the steps for processing personal data imposed by national legislation and the applicable authority.

Third Party Processors: A person in possession of personal data may contract a third party to process such personal data, without such employment being deemed a disclosure to a third party, as long as the original processor ensures that the third party offers at least the same level of protection required by national legislation and the agreement of the parties.

Cross-border Transfers: International transfers of personal data should only be performed if the recipient offers the same level of protection, assessed using the following factors: 1) the nature of the data, 2) the home country, 3) the recipient country, 4) the purpose of the data processing, and 5) the security measures established for the international processing and transfer. Personal data can be transferred to a recipient that does not afford the same level of protection of personal data only when there is a contractual agreement that the transfer process will meet the level of protection required.

Habeas Data: People can exercise the right of access, rectification, withdrawal and objection to the processing of personal data. The right of access is the individual’s right to request and obtain information about their personal data held by the data processor. The individual has the right to request correction or deletion of data when they are “incomplete, inaccurate, unnecessary or excessive.” The individual may object to the processing of personal data when there is a legitimate reason, such as that the processing would create “unwarranted and substantial damage or distress” to the individual.

Enforcement: OAS Member States must have a guarantor body or independent supervisory authority to ensure enforcement of people's rights and provide a judicial remedy for violations and failures of the processor. This authority should have the technical capacity, self-sufficiency and adequate resources to carry out investigations and audits to ensure enforcement.

Finally, the project recommends proactive measures and cooperation in this area, through which States should develop training, education and public awareness programs to foster understanding of the legislation, procedures and rights for the protection of personal data; standard operating procedures for data controllers to prevent, detect and contain potential security breaches; and cooperation between the national authorities responsible for the protection of personal data, nationally and internationally, to promote that protection.


© 2021 Secretariat for Legal Affairs, Organization of American States. All rights reserved.