Biometric Data and Informational Self-Determination

By: María del Pilar López

Biometric Data and Informational Self-Determination in Resolution No. 029–2026–RF of Costa Rica’s Prodhab

Contact us

The Prodhab holds that the TSE may not commercialise its citizens’ biometric data without express statutory authorisation, yet the resolution is not free of weaknesses that merit examination.

In May 2026, the Agency for the Protection of Data of the Inhabitants (Prodhab) issued Resolution No. 029–2026–RF, upholding a complaint filed in December 2020 against the Supreme Electoral Tribunal (TSE). The case took more than five years to resolve — a circumstance that in itself deserves attention — and turned on two practices: the unrestricted public consultation of Civil Registry data on the TSE web platform, and the commercialisation of biometric data through its identity verification system. The resolution offers criteria of real interest for Costa Rican data protection law, but it also raises questions that it does not resolve with the necessary precision.

The problem of registry publicity without express authorisation

The TSE is constitutionally entrusted with keeping the Civil Registry and safeguarding the electoral process (Article 104 of the Political Constitution). To do so, it collects and stores the personal data of practically the entire population. For years, part of that information — name, marital status, polling place, registered children — was available for unrestricted consultation on its web platform, under a broad reading of the principle of registry publicity.

The Prodhab identified a substantive problem: neither the Electoral Code (Law No. 8765) nor any special rule determines with precision which Civil Registry data are subject to unrestricted access. In the absence of such authorisation, Article 9 of Law No. 8968 applies in full. Under the principle of legality governing public administration, State bodies may do only what the law expressly authorises them to do; an internal resolution of the TSE itself cannot fill that gap.

The resolution also warned that certain apparently neutral fields may be sensitive depending on context. The marriage field may reveal sexual orientation, sensitive data under Article 9(1) of Law No. 8968. The polling place allows the residential address to be inferred, which is excluded from unrestricted access. The list of children may

expose aspects of family life. Taken together, these data build a personal profile whose unrestricted disclosure lacks any legal basis. The Constitutional Chamber, since judgment No. 2000–01119, has repeatedly held that collected data must be destroyed or limited once the purpose justifying their collection has been fulfilled; allowing indiscriminate consultation runs counter to that mandate.

The commercialisation of the VID: a clearly identified deviation of purpose

Since 2015, the TSE has operated the VID system, which allows third parties — banks, retailers, financial institutions — to verify the identity of their customers through biometric matching against the Civil Registry database. The service was offered for a fee, under contracts with interested parties.

The TSE invoked Article 24 of the Electoral Code, which allows it to charge for electronic access to its information for commercial purposes. The Prodhab rejected that argument, relying on Opinion No. PGR–C–251–2021 of the Attorney General’s Office, which expressly concluded that the provision does not authorise the sale of biometric data, but only the charging of fees for non-essential services within the bounds of informational self-determination. Article 24 itself prohibits supplying confidential information, a condition that biometric data meet.

The strongest argument in the resolution is the deviation of purpose. Citizens handed their biometric data to the TSE for a specific constitutional purpose: identification for the exercise of the right to vote. Article 6 of Law No. 8968 and the principle of correspondence — also recognised in judgment No. 2008–017086 of the Constitutional Chamber — require that any subsequent use of the data be consistent with the purpose that justified their collection. Building and monetising a biometric verification infrastructure for the benefit of private third parties plainly exceeds that purpose.

The weak point: consent at the moment of verification

Here the resolution faces its greatest argumentative weakness, and it is worth pointing this out honestly.

The VID system does not operate on the data subject covertly. The person verifying their identity is the data subject: they voluntarily present their fingerprint to the third party, they are aware of the act, and they are the direct beneficiary of the transaction. The resolution treats this situation almost as if it were a clandestine collection, when in fact the data subject actively participates in each verification. That weakens the argument of a direct infringement of sensitive data at the moment of use.

There is, however, a real problem that the Prodhab identifies but does not develop with sufficient precision: the informed consent required by Article 5 of Law No. 8968 is not exhausted by the specific consent given at the moment of verification. It comprises the duty to inform the data subject in advance of the existence of the system, its purpose, the recipients of the information and the type of processing to be applied. The citizen who obtained an identity card was never informed that their biometric data would be available on a commercial platform

accessible to private third parties, nor were they given any possibility of opting out. The absence of that prior information — and not the individual act of placing a finger on a scanner — is the infringement of Article 5.

The distinction matters as a legal matter. Consent at the point of use does not cure the failure to provide prior information about the architecture of the processing. The Regulation to Law No. 8968 (Decree No. 37.554–JP), in Articles 27, 32, 34 and 35, further requires every entity processing data to have minimum action protocols and security measures in place. The TSE did not demonstrate that it had them for the VID, nor had it updated its registration with the Prodhab to reflect the existence of the system, despite operating it since 2015, in breach of Article 54 of the same Regulation. These formal breaches are easier to sustain than the argument of infringement at the moment of verification.

What remains unresolved

The resolution suffers from other limitations that deserve mention. It does not determine which specific data must be removed from the TSE web platform: it orders an inventory, but defers the substantive decision. Nor does it rule on the legal status of VID contracts already in force, or on the data transferred under that scheme — questions that will generate controversy in the coming months.

The delay of more than five years in resolving the case is mentioned almost in passing, without any institutional consequence. The effectiveness of a supervisory authority is measured not only by the soundness of its decisions, but also by its capacity to act in good time. On that front, the Prodhab has an outstanding debt that this resolution does not address.

 

Overall assessment

Resolution No. 029–2026–RF consolidates in Costa Rican law three criteria that had remained blurred in local practice: that biometric data are sensitive data under Law No. 8968 even though the legislature does not name them expressly; that the purpose limitation principle operates as a real constraint on the commercial reuse of data collected for electoral purposes; and that registry publicity requires specific statutory authorisation, not expansive administrative interpretation.

Its strongest arguments are the deviation of purpose and the absence of prior information to the data subject. Its most vulnerable point is the equation of the use of the VID with a direct infringement of sensitive data, when the act of verification involves the active and voluntary participation of the data subject. The resolution identifies the correct problem — the architecture of the system and the lack of transparency about its existence — but does not always support it with the precision the point demands.

With those caveats, compliance with the orders issued will represent concrete progress in the protection of the personal data of the inhabitants of Costa Rica.

This article was originally published by the IAPP and can be consulted in its original Spanish version at the following link: https://iapp.org/news/a/datos-biom-tricos-y-autodeterminaci-n-informativa-en-la-resoluci-n-n-029-2026-rf-de-la-prodhab

What did Resolution No. 029–2026–RF of the Prodhab decide? It upheld a complaint against the Supreme Electoral Tribunal on two counts: the unrestricted public consultation of Civil Registry data on its web platform, and the commercialisation of biometric data through the identity verification system (VID), both of which lacked express statutory authorisation.

Are biometric data sensitive data in Costa Rica? Yes. The resolution confirms that biometric data are sensitive data under Law No. 8968 even though the legislature does not name them expressly, with the consequences that follow in terms of consent, purpose limitation and security measures.

What is deviation of purpose? It is the use of personal data for a purpose other than the one that justified their collection. Citizens gave their biometric data to the TSE in order to be identified in the electoral process, not to feed a commercial verification infrastructure serving private third parties.

Is the data subject’s consent at the moment of verification enough? No. Article 5 of Law No. 8968 requires prior information about the existence of the system, its purpose, the recipients and the type of processing. Consent at the point of use does not cure the absence of prior information about the architecture of the processing.

What does the resolution mean for companies? Any entity processing personal data in Costa Rica should verify the legal basis for its processing, inform data subjects in advance, keep its registration with the Prodhab up to date, and maintain demonstrable action protocols and security measures.

Tags: biometric data, Costa Rica privacy law, data protection Costa Rica, deviation of purpose, informational self-determination, Law 8968, personal data processing, Prodhab, registry publicity, Resolution 029-2026-RF, sensitive personal data, TSE, VID
Beyond Trade Mark Registration: How Customs Enforcement Is Strengthening the Fight Against Counterfeiting in the Caribbean

Share this article