﻿Page 1 
Legal Norms of Nicaragua 
Link to the Regulation: 
Subject: Criminal, Constitutional and Other Fundamental Norms 
Rank: Laws 
- 
PERSONAL DATA PROTECTION LAW 
LAW No. 787, Approved on March 21, 2012 
Published in La Gaceta, Official Gazette No. 61 of March 29, 2012 
NATIONAL ASSEMBLY 
LAW No. 787 
The President of the Republic of Nicaragua 
To its inhabitants, know: 
What, 
THE NATIONAL ASSEMBLY 
CONSIDERING 
I 
The Nicaraguan State has the obligation to promote and guarantee the common good, assuming the task of promoting human development by protecting it from all types of exploitation, discrimination and exclusion. 
II 
Which are principles of the Nicaraguan nation: freedom, justice and respect for the dignity of the human person. 
III 
That Nicaraguans have the right, to their private life and that of their family, to the inviolability of their home, their correspondence and communications of all kinds, to respect for their honor and reputation, as well as knowing why and for what purpose you have personal information. 
IV 
That all the provisions indicated in this law find support in the existing international standards on data protection, and in a doctrinal and explanatory framework that already it has great solidity in the Latin American framework. 
V 
That a balance is necessary with other laws approved by the National Assembly, such as Law No. 621, "Law on Access to Public Information", preparing the way for an adequate qualification of Nicaraguan progress, through the implementation of the guarantees established in Article 26 of the Political Constitution of the Republic of Nicaragua. 
SAW 
That it is necessary to maintain the competitiveness of the country in commercial activities where the protection of personal data is a central concern. 
THEREFORE 
In use of your powers, 
Has dictated 
The next: 
PERSONAL DATA PROTECTION LAW 
Chapter I 
General definitions 
Article 1 Purpose 
The purpose of this law is to protect the natural or legal person against the processing, automated or not, of their personal data in public and private data files, for the purpose of guarantee the right to personal and family privacy and the right to informational self-determination. 
Art. 2. Scope of application 
The provisions of this law will be applicable to the processing of personal data found in public and private data files. 
Art. 3. Definitions 
For this law it is understood by: 
a) Informative Self-determination: It is the right that everyone has to know who, when, for what purposes and under what circumstances they come into contact with their personal data. 
b) Blocking : It is the identification and conservation of personal data once the purpose for which they were collected has been fulfilled, with the sole purpose of determining possible responsibilities in relationship with their treatment, until the legal or contractual limitation period of these. During said period, personal data may not be processed and after this, it will be will proceed to its cancellation in the data file in which they are found. 
c) Assignment or transfer: It is the transmission of personal data to a person other than its owner. 
d) Consent of the owner: It is any manifestation of will, free, unequivocal, specific and informed, by which the owner of the data consents to the processing of their personal data. e) Personal data: It is all the information about a natural or legal person that identifies or makes it identifiable. 
f) Personal computer data: These are personal data processed through electronic or automated means. 
g) Sensitive personal data: It is all information that reveals the racial, ethnic, political affiliation, religious, philosophical or moral, trade union creed, related to your health or sexual life, background criminal or administrative, economic and financial misconduct; as well as credit and financial information and any other information that may be grounds for discrimination. 
h) Data dissociation: It is all personal data processing so that the information obtained cannot be associated with a specific person . 
i) Data files: These are public and private files, registries, databases or databases that contain personal data in an organized manner, automated or not. 
j) Public access sources: These are files whose consultation can be made by anyone, without any requirement other than the payment of a consideration. They have the consideration of Public access sources: La Gaceta, Official Gazette, the media, the census, telephone directories in the terms provided by their specific regulations and directories of people belonging to groups of professionals that contain only the data of name, title, profession, activity, academic degree, address and indication of their membership in the group. 
k) Responsible for data files: It is any natural or legal person, public or private, who according to Law decides on the purpose and content of the processing of personal data. l) Third: It is any person, public or private, who carries out the processing of personal data at their discretion, either in their own data files or through connection with them. 
m) Owner of the data: It is any natural or legal person to whom the personal data concerns. 
n) Data processing : They are systematic operations and procedures, automated or not, that allow the collection, registration, recording, conservation, ordering, storage, modification, updating, evaluation, blocking, destruction, deletion, use and cancellation, as well as the transfer of personal data resulting from communications, consultations, interconnections and transfers. 
Art. 4. Creation of data files 
The creation of personal data files will be lawful when they are duly authorized and registered, with the consent of the owner, with exceptions to the law. The files of data may not have purposes other than those permitted by this law. 
Art. 5. Requirements for obtaining personal data 
To obtain personal data, the following is required: 
a) That they are adequate, proportional and necessary in relation to the scope and purpose for which they are collected; Y 
b) That it be done by lawful means that guarantee the right of every person to informative self-determination. 
Art. 6. Consent 
The owner of the data must give by himself or by his legal representative or attorney-in-fact the consent for the delivery of the data, unless the law provides otherwise within reasonable limits. 
Reasonableness must be considered by the Directorate for the Protection of Personal Data, if any controversy arises. The above, has both for the ownership data files public and private. 
Consent must be given in writing or by other suitable means, physical or electronic. Said consent may be revoked without retroactive effect, by any of the means allowed by law. 
Consent will not be necessary when: 
a) There is a reasoned order, issued by a competent judicial authority; 
b) Personal data are subject to a prior dissociation procedure; 
c) Has the purpose of fulfilling obligations derived from a legal relationship between the owner and the person in charge; Y 
d) The data is obtained from sources of unrestricted public access and in the case of lists whose data is limited to name, national identity document, and date of birth. Chapter II 
Of those responsible for the data files 
Art. 7. Obligation to inform when obtaining personal data 
The person responsible for the personal data files must previously inform the owners of the same expressly and clearly the following: 
a) The purpose for which they will be used and who may be their recipients or class of recipients; 
b) The existence of the electronic data file or of any other type, in question and the identity and address of its person in charge; 
c) The obligatory or optional nature of the answers to the questionnaire that is proposed, especially regarding the data referred to in the following article; 
d) The consequences of providing personal data, of the refusal to do so or of their inaccuracy; 
e) The guarantee to exercise by the owner the right of access, rectification, modification, deletion, complementation, inclusion, updating and cancellation of personal data; 
f) When the data comes from sources accessible to the public and is used to make advertising or promotional shipments, each communication addressed to the owner of the same will be informed the origin of the data and the identity of the person responsible for the treatment as well as the rights that assist him; 
g) The data can only be used for the purposes that motivated its treatment; and may not be used for other purposes; 
h) Inaccurate, incomplete data, or that are in disagreement with the reality of those that correspond to the person, will be rectified, modified, deleted, completed, including, updated or canceled as appropriate; 
i) Personal data must be stored in such a way as to allow the right of access of the owner to them; 
j) Personal data must be canceled when they are no longer necessary for the purposes for which they were processed; 
k) Personal data files that do not meet technical conditions of integrity, confidentiality and security are prohibited; Y 
l) The creation of personal data files that store sensitive data information is prohibited, except as provided by law. Notwithstanding this, the different mercantile companies and non-profit associations, can store data of their members. 
Art. 8. Categories of personal data 
Personal data includes information concerning identified or identifiable natural or legal persons and will have the following categories: 
a) Sensitive personal data: they can only be obtained and processed for reasons of general interest in the Law, or with the consent of the data subject, or ordered by court order. Also They may be processed for statistical or scientific purposes when their owners cannot be identified. Personal data relating to criminal records or administrative offenses only they can be dealt with by the competent public authorities, in the sphere of their competences; 
b) Personal data related to health, in hospitals, clinics, health centers and posts, public and private, and professionals linked to the health sciences: they can only be the relative to the physical or mental health of the patients who come to them or who are or have been under treatment of those, respecting professional secrecy; 
c) Personal computer data: These are personal data processed through electronic or automated means; 
d) Commercial personal data: the databases of clients, suppliers and human resources are sensitive data of the Companies, for advertising purposes and any other data that is consider commercial or business information fundamentally reserved for the free exercise of their economic activities. 
All personal data may only be disclosed by consent of the Data Owner, by express law of social interest or by court order. 
Art. 9. On the processing of personal data 
All processing of personal data will be subject to the consent of its owner, except for the exceptions provided in this Law. 
Personal data may only be processed, when they are adequate, proportional and necessary in relation to the scope and specific, explicit and legitimate purposes for which they are have requested. The rights of opposition, access, modification, deletion, blocking, inclusion, complementation, rectification or cancellation of the processed data will be exercised through written communication. 
No person who requests the provision or acquisition of goods and services is obliged to provide public and private institutions with more information or personal data than those who are adequate, proportionate and necessary for the provision of the same. 
The purpose of processing the personal data of the user or buyer should be to facilitate the improvement, expansion, sale, billing, management, provision of services and acquisition of goods. 
The person responsible for the file and, where appropriate, the person in charge of the treatment must adopt the technical and organizational measures necessary to guarantee the security of personal data and prevent unauthorized access, use, alteration, loss, disclosure, transfer or disclosure. 
Art. 10. Right to be forgotten digital 
The owner of the data has the right to request the social networks, browsers and servers to delete and cancel the personal data found in their files. 
In the cases of data files of public and private institutions that offer goods and services and that for contractual reasons collect personal data once the relationship has ended. contractual, the owner of the same can request that all personal information that was registered while he was a user of a service or a buyer of a good be deleted and canceled. 
Art. 11. Security measures 
The person responsible for the data file must adopt the technical and organizational measures that are necessary to guarantee the integrity, confidentiality and security of personal data, to prevent its adulteration, loss, consultation, treatment, disclosure, transfer or unauthorized disclosure, and that allow detecting deviations, intentional or not, of private information, and Whether the risks come from human action or the technical means used. 
When the personal data refers to the members of the National Police or the Nicaraguan Army and the security measures referred to in the paragraph are failed or not observed. above, the person responsible for the data file must immediately inform the affected Institution of his position. 
Art. 12. Confidentiality in data processing 
The person responsible for the data file and the people who intervene in any phase of the processing of personal data are bound by professional secrecy with respect to them. Such The obligation will subsist even after the end of your relationship with the person responsible for the data file. 
The owner of the personal data processed in data files has the right to be informed about the privacy policies adopted by the person responsible for the file, and to be notified of any modification of the same. 
The obligated party may be relieved of the duty of secrecy by judicial resolution and when there are well-founded reasons related to national security, national defense, public security or health. public. 
Art. 13. Assignment and transfer of personal data 
Personal data may be assigned and transferred when the purposes are directly related to the legitimate interest of the assignor and the assignee and with the prior consent of the owner of the data. data, which must be informed about the purpose of the assignment and identify the assignee. 
The consent for the transfer is revocable, by written notification or by any other means that is equated, depending on the circumstances, to the person responsible for the data file. This not It may be required when provided by law, it is carried out between State institutions in the exercise of their powers, in the case of reasons of public health, social interest, national security or a data dissociation procedure has been applied, so that it cannot be attributed to a specific person. 
Art. 14. Prohibitions and exceptions for the transfer and transfer of data 
The assignment and transfer of personal data of any kind with countries or international organizations that do not provide adequate levels of security and protection is prohibited. 
The prohibition will not apply in cases of international judicial collaboration, exchange of personal data in health matters, when necessary for an epidemiological investigation, bank or stock transfers, in accordance with the legislation on the matter, when the transfer has been agreed within the framework of international treaties ratified by the State of Nicaragua and when the purpose of the transfer is international cooperation between intelligence agencies, in the crimes regulated in Law No. 735, “Law of Prevention, Investigation and Persecution of Organized Crime and the Administration of Seized, Confiscated and Abandoned Assets ”, published in La Gaceta, Official Gazette No. 199 and 200 of October 19 and 20, 2010 respectively, in Crimes Related to Narcotic Drugs, Psychotropics and other Controlled Substances, Crimes Against State Security and Crimes Against International Order typified in Law No. 641, “Penal Code”, published in La Gaceta, Official Gazette No. 83, 84, 85, 86 and 87 corresponding to May 5, 6, 7, 8 and 9, 2008. 
Art. 15. Procedure for the assignment and transfer of data 
For the transfer and transfer of personal data that are in public or private data files, the following procedure must be followed: 
a) The assignment and transfer of personal data will be made at the request of a legally authorized person; 
b) The request must contain the object and the purpose pursued with said information; 
c) The person responsible for the data file must comply with the security and confidentiality measures of personal data, verifying that the applicant complies with these in the same way measures; 
d) The person responsible for the personal data file must inform the person who owns the data, the transfer request and the purpose pursued, for their consent; with the exceptions contained in the previous article; 
e) The applicant and the person responsible for the data file must prevent the information supplied from being sent to third parties; Y 
f) The person responsible for the data file must inform the Personal Data Protection Department of the data transfer made. 
Chapter III 
Rights of the data owner 
Art. 16. Right to request information 
The data owner may request information from the Personal Data Protection Directorate, regarding the existence of personal data files, their purposes and the identity of their responsible. The record that is carried out for this purpose will be open to public consultation and free of charge. 
Art. 17. Rights of the data owner 
The owner of personal data has the right to the following: 
a) To request and obtain information on their personal data processed in the public and private data files; 
The report that is rendered in response to the request of the owner of the personal data, must guarantee access to the personal information object of treatment by a public data file or private, the way in which your data was collected and the reasons that motivated its collection, and the transfers or assignments that were made. The proof of your shipment must be kept and reception; 
b) To be allowed to rectify, modify, delete, supplement, include, update or cancel their personal data; 
c) The report must be provided within ten business days of receipt of the request; Once the term has expired without the report having been rendered, the interested party can promote the action protection of personal data provided for in this Law; 
d) The exercise of the right to which this article refers in the case of data of deceased persons will correspond to their universal successors, after accreditation; Y e) Not to be obliged to provide personal data of a sensitive nature, except for the exceptions established in this Law. 
Art. 18. Information requirements 
The information must meet the following requirements: 
a) Be clear and simple, accessible to the knowledge of the population and owner of personal data; 
b) Be broad and belong to the owner, even when the request only includes one aspect of the personal data. Data related to third parties may not be disclosed, even when they are linked to that; Y 
c) It may be provided in writing, electronic, telephone, image means, or by any other that the interested party determines, at the option of the owner, and according to the technical capacity of the data file manager. 
Art. 19. Rights to modify data 
Everyone has the right to: 
a) To request the rectification, modification, deletion, complementation, inclusion, updating and cancellation of the personal data of which it is the owner, which are included in a file of data. 
Personal data will be canceled when they are no longer necessary or relevant for the purpose that gave rise to their treatment. The cancellation of the data does not proceed by reasons of social interest, national security, public health or for affecting the rights of third parties, in the terms provided by law; 
b) That the person responsible for the data file, proceed to rectify, modify, delete, complement, include, update or cancel the personal data of the owner, within five business days of received the request of the owner of the same, informing him in writing, or by any other means that is equated according to the circumstances, in a complete, clear and simple way the treatment done; 
c) That if the person responsible for the data file does not comply with the obligation imposed by the previous paragraph, the owner can exercise the data protection action provided for in this Law; 
d) In the event that the information has been transferred, the person responsible for the data file must communicate the rectification, modification, deletion, complementation, inclusion, updating and cancellation of the personal data to the assignee, within the following five business days in which the corresponding treatment has been resolved; 
e) During the procedure to verify and rectify the error or falsehood of the personal data concerning the owner, the person responsible for the data file must block the data subject of the request or consign when providing the relative information that a procedure is processed with a certain purpose; Y 
f) To keep the personal data for five years or for the term that the contractual provisions between the parties agree, as well as when they have ceased to be 
adequate, proportional and necessary for the scope and purposes that were requested. 
Art. 20. Exceptionality for the modification of the data 
Those responsible for data files, can deny the rectification, modification, deletion, complementation, inclusion, updating and cancellation of the personal data requested, when there is a judicial resolution that determines the non-modification. Those responsible for data files must inform the owner of the personal data about said resolution. I know must guarantee access to the owner of the personal data that concern them in the data files, at the time they have to exercise their right of defense. 
Art. 21. Gratuity of data modification 
The rectification, modification, deletion, complementation, inclusion, updating and cancellation of inaccurate or incomplete personal data found in data files will be carried out carried out free of charge for the holder. 
Chapter IV 
Files and managers of personal data files 
Art. 22. Obligatory nature of registration in the registry of data files 
Any person responsible for the data file must register in the Register of data files that the Personal Data Protection Directorate enables for this purpose and wait for a period of thirty days the resolution of your registration. 
The data file registry must collect the following information: 
a) Name and address of the person in charge, whether natural or legal person with all the description of the company name, date of incorporation, purpose and legal representative; b) Nature of the personal data contained in each data file; 
c) Form, time and place of data collection and updating; 
d) Destination of the data and natural or legal persons to whom they can be transmitted; 
e) How to interrelate the registered information; 
f) Means used to guarantee data security, detailing the name and address of the people involved in the collection and processing of the data; 
g) Data conservation time; Y 
h) Form and procedures in which people can access personal data files to rectify, modify, delete, supplement, include, update and 
cancellation of the same as concerns. 
In the files, no person may possess personal data of a nature other than those declared, any modification to the information contained in the personal data files must be communicated by the person in charge to the Directorate of Personal Data within the following five business days in which it took place. Failure to comply with these requirements will result in sanctions provided for in this Law. 
Art. 23. Public and private data files 
The public and private data files can only be created, modified or extinguished through the provisions established in this Law. 
The provisions of the previous paragraph must indicate: characteristics and purpose of the data file; people with respect to whom it is intended to obtain data and the optional or mandatory nature of its supply by them. 
In the provisions that are issued for the deletion of personal data files, the destination of the same or the measures adopted for their destruction will be established. 
Art. 24. Exceptionality in the use of personal data 
The personal data files that, due to being collected and processed for administrative purposes, must remain for five years and will be subject to the general regime of this law. 
The collection and processing of personal data for the purposes of national security and defense or public security by the intelligence bodies of the National Police and the Army of Nicaragua, without the consent of the owners, is limited to what is necessary for the strict fulfillment of the legally assigned missions for national security, national defense, public security or for the investigation of crimes in accordance with the provisions of the Political Constitution of the Republic of Nicaragua and laws on the matter. 
The data files, in such cases, must be specific and established for this purpose, and must be classified by categories, depending on their degree of reliability. The personal data obtained for Police purposes will be canceled when they are not necessary for the inquiries that led to their registration. 
Art. 25. Of the data files destined to the sending of publicity, promotions, offers and direct sale of products, goods and services 
The data files for the sending of advertising, promotions, offers and direct sales of products, goods and services or other similar activities can only include personal data with the consent of the owner of the same, when it has provided them, or when the data is obtained from sources accessible to the public. 
The owner of the data may exercise the right of access without any charge, and at any time may request its deletion of the data files referred to in this article. 
Art. 26. Of the sending of publicity 
The sending of advertising and promotions, through electronic means, must offer the possibility to the recipient who owns personal data to express their refusal to continue receiving shipments. advertising and promotional products and services or, where appropriate, revoke your consent in a clear and free way. 
Companies or institutions that are engaged in electronic marketing, advertising and promotional shipments must be protected by means of a contract that establishes that the data personal data contained in a data file have been obtained with the unequivocal and informed consent of the owners or that these have been obtained from publicly accessible sources. 
Art. 27. Data relating to surveys 
The rules of this Law will not apply to opinion polls; scientific or medical research, and similar activities. 
The foregoing is applicable when the personal data have been obtained with the express consent either in writing, by electronic, optical means or by any other technology, or by unequivocal signs of the owner and intended exclusively for the fulfillment of the purpose for which they were requested. These data can only be transferred with the prior consent of the owner. Chapter V 
Of the Directorate of Protection of Personal Data 
Art. 28. Creation of the Personal Data Protection Directorate 
Create the Personal Data Protection Directorate attached to the Ministry of Finance and Public Credit, which will have a Director appointed by the highest administrative authority of said Ministry and whose objective is the control, supervision and protection of the processing of personal data contained in data files of a public and private nature. 
Art. 29. Functions of the Personal Data Protection Directorate 
The following functions correspond to the Personal Data Protection Directorate: 
a) Advise natural and legal persons that require it about the content and scope of this Law; 
b) To dictate the administrative rules and provisions necessary for the realization of its object within the scope of its competence; 
c) Dictate and monitor that the rules on confidentiality, integrity and security of personal data are respected and applied by the owners of the corresponding data files; 
d) Request the information that it requires for the fulfillment of its object to the public and private entities that own the data files, guaranteeing in any case the security, integrity and confidentiality of information; 
e) Impose the administrative sanctions that correspond to the violators of this Law; 
f) Formulate and present complaints for violations of the provisions of this Law before the corresponding authority; 
g) Verify that the personal data files have the necessary requirements for their registration in the data file registry to proceed; 
h) Accredit the inspectors for the supervision and surveillance of those responsible for the personal data files; 
i) Promote self-regulation models, when possible, and as an additional mechanism to guarantee the right to informational self-determination of every person, as long as These models represent an added value in their content with respect to the provisions of this Law and its Regulations, contain or are accompanied by elements that allow measuring their level of effectiveness in terms of compliance and level of protection of the person against the processing of their personal data and measures are foreseen in case of non-compliance with the models self-regulatory; 
j) Give their opinion on all bills and regulations that may have an impact on the validity and guarantee of the right to informative self-determination; 
k) Disseminate the content and extension of the right to informative self-determination to the population and to the rest of the Powers and institutions of the State; Y 
l) Cooperate with other data protection authorities at the international level to comply with their powers and generate bilateral and multilateral cooperation mechanisms to assist each other and provide due mutual assistance when required; 
Art. 30. On the registration of data files 
The Directorate for the Protection of Personal Data, will enable the registration of personal data files in order to have updated and complete personal data files 
public and private. Those responsible for personal data files must provide the information established in this Law. 
Art. 31. Of the inspectors 
The Personal Data Protection Directorate must have qualified personnel who perform the function of inspectors. 
Art. 32. Of inspection procedures 
The inspection procedures for both public and private data files are visit, verification and control activities, through which the inspectors duly 
identified, are empowered to review the data files according to the visit program, and that are operating in the data storage, be these public and private 
within the national territory in order to establish the degree of compliance with the regulatory standards of this activity or to provide the authorities of the Data Protection Directorate Personal major elements of judgment for the adoption of a resolution affecting third parties or not. 
Art. 33. File inspector accreditation requirements 
To carry out their work, every inspector must carry the official document issued by the Directorate for the Protection of Personal Data, which certifies it as such. The requirements of the identification will be indicated in the Regulations of this Law. 
Art. 34. Of the responsibilities and powers of the inspector 
The responsibilities and powers of the inspector in the exercise of his function will be: 
a) Be duly accredited by the Personal Data Protection Directorate; 
b) Carry out inspections by complaint or ex officio, by means of competent judicial authorization; 
c) To duly and timely attend to the matter (s) entrusted to it; 
d) Inform their superiors of any anomaly or circumstance that makes it difficult to carry out their work; 
e) Not to exceed the attributions that are entrusted to him for the inspection of identifying himself in advance and duly before the inspected; 
f) Direct inspections when they are carried out in coordination with other institutions; 
g) Clarify to the inspected the reason for the inspection; 
h) Carry out the necessary tours and draw up the inspection report; 
i) Present within a period of three business days, after the inspection is completed, the respective certificate with the full report of its findings to the Directorate of Protection of Personal Data for that he knows and decides according to law, with the support of the public force or other competent authorities, if applicable; Y 
j) Request authorization from the competent judicial authority to inspect properties, equipment, tools, programs for capturing and processing personal data. As well as accessing the information and places used for the processing of personal data and the display and delivery of documents and data, for their corresponding verification in the place where they are deposited. 
A rt. 35. Obligations regarding the inspection requirement 
The natural or legal persons whose activities are subject to inspection, will have the following obligations when requested by the inspectors: 
a) Allow access to its data files by the presence of duly accredited inspectors and with competent judicial authorization; 
b) Facilitate and provide the necessary collaboration in the inspection; 
c) Provide the requested information and documents, such as: certificate of registration and authorization to operate as a data file, name and general laws of the person responsible for the file of data, updated legal documents of the legal person, security measures adopted and others that are requested to verify their legality; 
d) Allow the review of the equipment in its case; Y 
e) Any other activity required by the inspector to meet the inspection objectives in accordance with this Law and its Regulations. 
Art. 36. On the content of the inspection report 
Once the inspection has been carried out, the inspector will draw up the corresponding inspection report in the format designed for this purpose and stating at least the following: a) Indication of the place, date and time in which the inspection is carried out; 
b) Brief reference of the inspection order in the event of a complaint issued by the competent authority and that motivates the performance of this activity, stating that a copy of it was given to the inspected; 
c) General data with whom the inspection was coordinated, be it the person in charge, administrator, manager, legal representative of the company, or similar; Y 
d) The detail of the findings of the inspection regarding actions, or omissions, that constitute compliance with the rules and regulations of the activity or on the contrary that presume flagrant or simulated infractions and offenses, describing them with the greatest detail and precision possible. 
Art. 37. Of the verification of infractions 
If, at the time of the inspection, the existence of serious infractions or events that may constitute crimes is detected and verified, the inspector must take the necessary preventive measures in the presence of the person with whom it was presented to do the inspection, the foregoing must be recorded in the corresponding inspection report and immediately communicated to their superior immediate to proceed in accordance with the Law. 
Art. 38. Of the duration of the inspection 
In the event that the inspection has to be extended for more than one day, or has to be carried out in two or more places, partial minutes must be drawn up, which must be added to the final minutes of the inspection. inspection. 
Art. 39. Of the test 
The minutes of the inspectors, unless a challenge proven by falsehood, constitutes evidence for all purposes of the administrative process. The refusal of the agents to allow or collaborate with the inspection in accordance with these provisions, will constitute a presumption of responsibility before the charges made against it, ex officio or by complaint. 
Art. 40 Of the initiation of the inspection 
The inspection may be initiated ex officio for preventive verification in compliance with the regulatory provisions of the activity of personal data processing or when there are indications of non-compliance with this Law and its Regulations. 
Art. 41. Inspection by complaint 
The inspection by complaint may begin when a third party, directly or through the entity that receives the complaint, be it the Public Ministry or the National Police, has given well-founded notice to the Personal Data Protection Directorate, or authorities delegated for the regulation of this personal data protection activity, of a fact that may constitute a violation or infringement of the regulatory norms established in this Law and its Regulations. 
Art. 42. Content of the complaint 
For the purposes of the preceding article, the complaint must be made in writing, containing at least the following information:
a) Names and surnames, with the general laws of the complainant; 
b) Names and surnames, with the general law of the accused, when it is a natural person; 
c) Business name of the entity and location, when the defendant is a legal person; 
d) The list of the facts that constitute the infraction or infractions; 
e) The appointment of an address of the complainant for notifications in the administrative process, as the case may be; Y 
f) Place and date where the complaint is made and the signature of the complainant. 
Art. 43. On the content of the inspection order 
Once the complaint is admitted, the Directorate for the Protection of Personal Data or the delegated authority will issue an inspection order, which must contain: 
a) The name of the owner or company, attorney-in-fact or legal representative; 
b) Address or location; 
c) Rationale and motivation for the inspection; 
d) Objectives and scope of the inspection; 
e) Request for support and facilities to the inspected; 
f) Full name of the commissioned inspector or inspectors; 
g) Name and signature of the authority ordering the inspection; Y 
h) Place and date. 
The details of procedures, formalities and formalities of administrative acts and inspections, related to the processing of personal data will be established by Regulation to the present Law. 
Chapter VI 
Infringements and sanctions 
Ar t. 44. Minor offenses 
The following are minor infractions of this law: 
a) Processing personal data without the express consent either in writing, by electronic, optical means or by any other technology, or by unequivocal signs of its owner, as the law so demand; 
b) Omit the inclusion, complementation, rectification, updating, deletion or blocking, cancellation, ex officio or at the request of the owner, of the personal data found in data files public and private; 
c) Failure to comply with the instructions issued by the Personal Data Protection Directorate; 
d) Obtain personal data through forms or other forms, without the warnings that will be used to create files appearing in them, in a clearly legible way; Y 
e) Send advertising through electronic means, to holders who have expressly stated their refusal to receive it. 
Art. 45. Serious offenses 
The following are serious infractions of this Law: 
a) The processing of personal data by fraudulent means or that violate the provisions contemplated in this Law; 
b) Prevent or obstruct the exercise of the right to informative self-determination to the owner of personal data, as well as unjustifiably deny the requested information; c) Violate the professional secrecy that must be kept by provision of this Law; 
d) Repeat minor offenses; 
e) Maintain files of data, buildings, equipment or tools without the minimum conditions of security, integrity and confidentiality required by the applicable provisions; Y f) Obstruct the inspections carried out by the Personal Data Protection Directorate. 
Art. 46. Administrative sanctions 
Without prejudice to the administrative responsibilities of those responsible or users of the public data files; of the responsibility for damages and losses derived from the non-observance of this Law, and the criminal sanctions, the Personal Data Protection Directorate is responsible for applying the administrative sanctions of: 
a) Warning; 
b) Suspension of operations related to the processing of personal data; Y 
c) Closure or cancellation of personal data files temporarily or permanently. 
In the case of minor infractions of this law, the corresponding sanction will be applied to the offender, depending on the circumstances of the case, the damage caused and the conditions of the offender himself. according to literals a) and b) of this article. 
In the case of serious infractions, the corresponding sanction will be imposed on the offender depending on the circumstances of the case, the damage caused and the conditions of the offender himself. according to literal c) of this article. 
The Regulation will establish the procedure for the application of the foreseen sanctions. 
Chapter VII 
Of the actions of protection of personal data 
Art. 47. Protection through administrative channels 
The owner of the data may file the action for the protection of personal data, in the administrative way in accordance with the provisions of this chapter. 
Art. 48. Action for the protection of personal data 
The Personal Data Protection Directorate is the body in charge of knowing and resolving the personal data protection action through a complaint filed by the owner in relation to the processing of personal data that violate any of the rights contemplated in this Law. 
The personal data protection action proceeds: 
a) To learn about the personal data that have been processed in data files; 
b) When the guarantees of confidentiality, integrity and security in the processing of personal data have been violated; 
c) In the cases in which the falseness, inaccuracy, outdated, omission, total or partial, or illegality of the information in question is presumed, to demand its rectification, updating, modification, inclusion, deletion or cancellation; 
d) When some of the principles that govern the quality of the processing of personal data, in the public and private sphere, are injured; 
e) To access information that is in the possession of any public and private entity that generates, produces, processes or possesses personal information, in files, studies, opinions, opinions, statistical data, technical reports and any document that the public administration or private entities have in their possession; Y 
f) To demand the rectification, updating, modification, inclusion, supplementation, deletion, blocking or cancellation of personal data processed in data files of public entities or of private institutions that provide service or access to third parties, either manually, mechanically or informally, when false, inaccurate, outdated, total or partial omission is presumed or the illegality of the information in question. 
Art. 49. Active legitimacy 
The action of protection of personal data may be exercised by the owner, their guardians and the successors of natural persons, by themselves or through a proxy. When the action is exercised by legal persons, it must be filed by their legal representatives or proxies designated by them for this purpose. 
Art. 50. Passive legitimation 
The action proceeds with respect to those responsible and users of the public and private personal data files. 
Art. 51. Of the exceptions 
Those responsible for the data files cannot claim confidentiality of the information that is required of them, except in the case that sources of journalistic information are affected or it is of exceptions provided for in this Law. 
Art. 52. Protection through jurisdictional channels 
Once the administrative route has been exhausted, by means of a resolution issued by the Directorate of Protection of Personal Data, the owner of the data can make use of the jurisdictional route, through Amparo, established in Law No. 49, “Amparo Law”, consolidated text published in La Gaceta, Official Gazette No. 212 of November 4, 2008. The Amparo Resource will be used while not there is a specific regulation that develops the protection of personal data in the jurisdictional way. 
Those responsible for the data files may challenge all administrative acts derived from this law, in accordance with the procedures established in Law No. 290, “Law of Organization, Competence and Procedures of the Executive Power ”published in La Gaceta, Official Gazette No. 102 of June 3, 1998, its amendments and its Regulations. Administrative procedure exhausted They may make use of the corresponding jurisdictional means. 
Chapter VIII 
Transitory dispositions 
Art. 53. Obligation to register in the registry 
Those responsible for the data files, existing at the time of publication of this Law and its Regulations, must register in the Register of Data Files of the Directorate of Protection of Personal Data within a period of six months. 
Art. 54. Limitations of the scope of application 
The information obtained, managed and regulated by the National Microfinance Commission (CONAMI), by the Superintendency of Banks and Others is excluded from the application of this Law. Financial Institutions (SIBOIF) and the entities authorized, supervised and regulated by these Institutions, as well as the information subject to reciprocal exchange agreements for the purpose of supervision between national entities, national or foreign supervisors and the Private Risk Centers that handle credit information, as regulated in their respective Laws and prudential regulations issued by the Boards of Directors of the aforementioned Institutions. All of the above is without prejudice to the general principles, the rights of the data holders, as well as the limitations established in this Law. 
Chapter IX 
Final provisions 
Art. 55. Regulation 
This Law will be regulated in accordance with the provisions of paragraph 10 of Article 150 of the Political Constitution of the Republic of Nicaragua, within sixty days after its validity. 
Art. 56. Validity This Law shall enter into force as of its publication in La Gaceta, Official Gazette. 
Given in the city of Managua, in the Hall of Sessions of the National Assembly of the Republic of Nicaragua, on the twenty-first day of the month of March of the year two thousand twelve. Ing. René Núñez Téllez, President of the National Assembly. Lic. Alba Palacios Benavidez, Secretary of the National Assembly. 
Therefore. Take it as the Law of the Republic. Publish and Execute. Managua, March twenty-seventh of the year two thousand eleven. DANIEL ORTEGA SAAVEDRA, PRESIDENT OF THE REPUBLIC OF NICARAGUA. 
- 
National Assembly of the Republic of Nicaragua. 
Carlos Núñez Téllez Legislative Complex. 
General Augusto C. Sandino Pedestrian Avenue 
Benjamin Zeledón Building, 7mo. Flat. 
Direct Telephone: 22768460. Ext .: 281. 
Send your comments to: Legislative Information Division 
Note : Any difference between the Text of the Law printed and the one published here, we request that it be communicated to the Legislative Information Division of the National Assembly of Nicaragua.