On 21 February 2023, the Personal Data Protection Law (Ley 149) including provisions for cross-border data transfer comes into force 180 days after its publication in the Official Gazette. The Act outlines five specific reasons for data transfers outside the country. The cross-border data transfer is therefore only allowed in the case of international judicial cooperation, exchange of medical data when necessary for the treatment of the data subject, bank or stock exchange transfers about the relevant transactions, under applicable international treaties, and if the transfer of data is for the purpose of international cooperation in the fight against crime. Finally, the Act grants the authorities mentioned therein the competencies to authorise the international transfer of personal data, as outlined in Article 66.
Original source