Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


II. Surveillance policy

Statutory rules on privacy

El Salvador does not have a comprehensive law that establishes general data protection principles for the processing of personal data. The Regulation of the Penitentiary Law1 establishes rules protecting the privacy of inmates by adopting many of the principles and rights of the European Data Protection Directive. It provides that the penitentiary administration can only give the inmate's personal data to governmental institutions and public entities after getting the inmate's written consent, and with adequate justification of the usefulness of the data, the Attorney General's Office and judges being exempted.2 International transfers of personal data can only be carried out when they are needed for cooperation or assistance in law enforcement or judicial matters, pursuant to applicable international agreements. Inmates' political opinions, religious or philosophical beliefs, and health records, can only be disclosed or made public to persons, public or private institutions, national or international organizations, with the inmate's written consent, except for public interest reasons covered by law.3 The same Regulation contains data access and correction provisions.4 The penitentiary administration must adopt security measures to protect the integrity of the data and keep it confidential, even after the inmate has left the prison.5

The Telecommunications Law protects the right to the secrecy of communications. It makes the act of intentionally interfering with and intercepting phone communications a serious offense sanctioned with heavy fines.6
The Penal Code identifies as a crime the invasion of other people's privacy by taking possession (tomar posesin) of their confidential data of a personal or familial character that is contained in public or private databases, as well as the possession of written communications or any other document directed to them. The Code slightly sanctions the disclosure of data to third parties, and sanctions more severely if the data controller or data processor of the filing system commits the offense.7 The Code also sanctions with an imprisonment between six months and one year, the person who, with the purpose of intruding upon the privacy of others, intercepts, impedes or interrupts a telegraphic or telephone communication, or uses instruments or wiretapping devices to listen, transmit or record sounds, images or any other communication signs.8
Privacy case law
In Boris Rub Solorzano v. Dicom, CentroAmerica, S.A. de C.V.9 and General Automotriz, S.A. de C.V.,10 the Constitutional Chamber of the Supreme Court of Justice (Sala Constitucional de la Corte Suprema de Justicia) established an important precedent for privacy in El Salvador. It was the first time the Constitutional Court made a reference to the so called "right to informational self-determination" (derecho a la autodeterminaci informativa) as a manifestation of the right to privacy and which purpose is to protect the individual's information contained in public or private records, as well as, the right of access to one's own information to ask for the correction, update, modification and elimination of data. The Court reaffirms that the right to privacy in the field of computer science (en elmbito informtico) implies that: (a) every data subject has the right to access his personal information, especially the information stored in computer databases; (b) every data subject must have the possibility and the right to control, in a reasonable way, the distribution and transmission of any information that concerns him; and (c) the judicial system must have a procedure that provides effective means of redress. In the same case, the court also explained the right to be forgotten (derecho al olvido): every data subject's credit information stored in a public or private database should be eliminated from it a certain time after the information was created; and the use and handling of personal information must be justified.
Medical privacy
Women have very little privacy concerning their reproductive health in El Salvador, where abortion is a serious felony. Although abortionists may also face charges, their prosecution is much less common, as many abortions are performed by anonymous "back alley" services. In the course of investigating an alleged abortion, law enforcement officials often conduct interrogations of friends, family and neighbors of the accused, during which sensitive information concerning the woman’s health and pregnancy is both requested and revealed.11
Doctors are legally required to report abortions to police; however, this requirement conflicts with the doctor‚ duty to keep the patient's medical information confidential. Nurses are similarly required to report evidence of abortion in direct conflict with their ethical obligations. Many doctors report inconclusive evidence of abortion out of fear of having their non-disclosure reported by nurses. Other doctors refuse to ask questions that may explain physical evidence of reproductive trauma, seeing this as the only loophole to the reporting requirement.12 An abortion rights advocacy group recently released a study that concludes that post-abortion care providers who breach patient confidentiality endanger women‚ health and violate ethics. The report states that "although ethical and human rights standards oblige providers to respect patients‚ privacy, 80% of obstetrician-gynecologists mistakenly believed that reporting was required. Most respondents (86%) knew that women delay seeking care because of fear of prosecution, yet a majority (56%) participated in notification of legal authorities."13