Dominican Republic Law 172-13

Ley 172-13 sobre Protección Integral de los Datos Personales

Flag of DO
Dominican RepublicOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
December 13, 2013
Enacted
December 13, 2013
Enforcing Authority
No dedicated DPA — enforcement gap. Bank Superintendency handles credit bureau violations only.
Consent Model
Opt-in
Applies To
Any entity processing personal data in the Dominican Republic

Overview

The Dominican Republic's Law 172-13 provides a comprehensive framework inspired by European data protection standards, but the absence of a dedicated supervisory authority creates a significant enforcement gap. Criminal sanctions are available but practical enforcement remains limited.

What This Means for Your Website

  • Consent is required for data collection and processing of Dominican visitors
  • Data subject rights include access, rectification, erasure, portability, and objection
  • Criminal sanctions of 6 months to 2 years imprisonment are available for violations
  • The lack of a dedicated DPA means enforcement is primarily complaint-driven

Key Requirements

No dedicated DPA exists — the Bank Superintendency only handles credit bureau violations. Penalties range from 10-100x national minimum wage. Criminal sanctions of 6 months to 2 years imprisonment are theoretically available. A DPO is required for large-scale or sensitive data processing.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Dominican Republic visitors, ensuring compliance with the law's requirements despite the enforcement gap.

Penalties

10-100x national minimum wage (~$3,385-$33,856 USD). Criminal sanctions: 6 months to 2 years imprisonment.

Key Requirements

  • Consent required for data collection and processing
  • Data subject rights: access, rectification, erasure, portability
  • DPO required for large-scale or sensitive processing
  • Data Protection Impact Assessments for high-risk activities
  • Security measures: physical, technical, administrative safeguards
  • Breach notification obligations

Notable Provisions

  • No dedicated DPA — significant enforcement gap
  • Criminal sanctions (6 months to 2 years)
  • Bank Superintendency only enforces for credit bureaus
  • Comprehensive rights framework but limited practical enforcement

Other Latin America & Caribbean Regulations

LGPDBrazil
Brazil's LGPD is modeled after the GDPR with extraterritorial scope. Requires explicit consent with separate authorization per processing purpose. Non-essential cookies require prior consent per ANPD guidance. Penalties include publicization of the infraction, creating reputational risk beyond fines.
Colombia Law 1581Colombia
Colombia's comprehensive data protection law with active SIC enforcement. Requires prior, express, and informed consent for all processing including cookies. The SIC has broad investigative powers including on-site inspections. Authorization logs are required for cookies, and a pop-up must inform users about privacy and cookie management.
LFPDPPPMexico
Completely new data protection law enacted March 2025, replacing the 2010 version. The INAI was dissolved and replaced by Transparencia para el Pueblo. Introduces criminal penalties, specialized federal data protection courts, and doubled fines for sensitive data violations. Express consent required for sensitive data; implied consent available for non-sensitive.
Chile Law 21.719Chile
A complete overhaul of Chile's data protection framework replacing the 1999 law. Creates a new dedicated Data Protection Agency, introduces tiered penalties, and explicitly prohibits pre-ticked consent boxes. The agency must issue cookie guidelines. Takes effect December 2026 after a 24-month implementation period.
Argentine PDPAArgentina
One of the earliest comprehensive data protection laws in Latin America, granting Argentina EU adequacy since 2003. The law is increasingly outdated, and reform bills submitted in 2025 would introduce GDPR-aligned penalties of up to 4% of turnover. Current penalties under the original law are low.
Peru Law 29733Peru
Peru's data protection law was significantly strengthened in 2025 with updated regulations introducing phased DPO requirements, extraterritorial scope, and the tightest breach notification timeline in the region. Foreign companies serving Peruvian individuals must appoint local representatives. Maximum penalty is 10% of annual net income.

Frequently Asked Questions

Does the Dominican Republic have a data protection authority?

No dedicated DPA exists, creating a significant enforcement gap. The Bank Superintendency handles only credit bureau violations.

Are there criminal penalties for data protection violations?

Yes. Criminal sanctions of 6 months to 2 years imprisonment are available under Law 172-13.

What are the financial penalties?

10-100x national minimum wage, approximately $3,385-$33,856 USD.

Stay compliant with Dominican Republic Law 172-13

ConsentStack helps you implement Opt-in consent for Dominican Republic automatically.

Get started free