
In Spain, an employee at a fruit shop took a customer's number from the database and contacted her to ask her out on a date. The result? A €300 fine (approximately US$370) for the employee and incalculable damage to the company's reputation. The customer had provided her details for commercial purposes only, not to be asked out.
In this case, the company was not penalized because the Spanish Data Protection Agency (AEPD) considered that the employee, not the organization, was responsible for the misuse of the data. However, there could have been consequences for the business if, for example, a failure in data custody and protection had been detected.
Let's now consider a similar case in Guatemala. What would happen in the event of an unauthorized data leak or sale? At first glance, it seems that nothing would happen as there is no law or specific authority to which such a situation could be reported. However, the Constitution itself and rulings by the Constitutional Court (CC) have interpreted the scope of basic constitutional protection and defined important concepts relating to data protection.
The Constitution and its Interpretation
The Constitutional Court, in several rulings, has referred to the right to informational self-determination of the individual. In short, this gives the person control over all their data and guarantees its protection against misuse and use for profit by third parties.
In addition, they affirm that the possibility of commercialization must be voluntarily authorized by the individual, who must be guaranteed the right to update, rectify, or delete such data. Failure to comply with this may entail liability for both the entities that provide such data and those that use it[1].
Taking this into account, companies that collect, store, or process personal data in Guatemala have an obligation to guarantee user privacy. Consequently, to manage the resulting risks, our experience has shown us the importance of doing the following before requesting any personal and/or sensitive information from third parties:
- Obtain informed consent from users. An example is when digital content platforms require users to download and read the terms and conditions before they accept them.
- Implement, update, and frequently review security measures in computer systems to prevent unauthorized access.
- Notify users of security breaches.
- Appoint a data protection officer with sufficient capacity for this role. This role could even be performed by a compliance officer if one is in place.
- Guarantee users' rights of clarification, rectification, correction, and erasure through an efficient procedure.
- Limit the use of data to the purpose authorized and expressly consented to by users.
Pending legislation
Since 2009, the Guatemalan Congress has registered six initiatives related to the protection of personal data and its use by third parties, but to date, none have been approved.
The latest, announced on July 8, 2025, by the Cabal party, seems to be in line with European legislation, as it proposes, among other things, the creation of an authority to which complaints can be made. According to Congressmember Julio Héctor Estrada, the aim is to give the population control over their data so that they can correct it, delete it, or refuse to allow it to be used when they so wish. In addition, fines of up to 1,000 minimum wages are to be imposed for non-compliance.
Remember that, even though the reporting procedure is unclear and there is no specific data protection law, failure to comply with the obligations already recognized by the CC may result in legal liability, including criminal, civil, and administrative penalties, as well as incalculable reputational damage to companies.
If you have any questions about the subject, please do not hesitate to contact us.

