Lawful Personal Data Processing in El Salvador
Our lawyers in El Salvador, experts in Data Privacy, share this article on the legal bases for the processing of personal data under Salvadoran law. It addresses clearly how to identify, apply and properly document these bases in practice, a key element for regulatory compliance and risk management in data protection.
The protection of personal data has gained significant relevance in the daily operations of Salvadoran companies by virtue of the entry into force of the Law for the Protection of Personal Data (LPPD) in November 2024. This regulation establishes a clear framework on how and under what conditions personal data may be processed, imposing obligations on both private and public sector entities.
One of the fundamental aspects regulated by said law is the requirement that all processing of personal data have a legal basis that legitimizes it. In practice, this means that companies, in their capacity as "Controller" of the processing, must carefully assess whether the personal data processing activities they carry out in their day-to-day operations, ranging from the collection of data from customers or employees to the use of information for commercial purposes or compliance with legal obligations, are duly supported by one of the legal bases provided for in the law.
In this article, we address the role of the legal bases established in the LPPD, highlighting the importance of their proper identification as an essential condition to ensure lawful processing of personal data.
Starting point: Principle of Lawfulness
Article 5 LPPD expressly recognizes this principle, establishing that the processing of personal data must be carried out in compliance with the law, for which at least one of the following conditions must be met:
- That the processing of the data is based on the express consent granted by the data subject for one or more purposes.
- That the processing is necessary for the performance of a contract to which the data subject is a party, or for the application of pre-contractual measures.
- That processing is necessary for compliance with a legal obligation on the part of the controller.
- That processing is necessary to protect the vital interests of the data subject or of another person.
- That the processing is necessary for the performance of a task carried out in the public interest or for the exercise of official authority vested in the controller.
- That the processing is necessary for the purposes of the legitimate interests pursued by the controller, provided that such interests do not prevail over the rights or freedoms of the data subject.
In practical terms, this implies that processing cannot be justified by a mere operational need of a company but must be based on one of the legal bases recognized by the LPPD.
However, it is not enough to identify a possible basis for the processing of data; it is necessary to determine which one is appropriate for each specific purpose. Not all of them are applicable to every processing activity, nor can they be used interchangeably. An incorrect selection may leave the processing without sufficient legal grounds and expose the company, in its capacity as controller, to risks of non-compliance and potential sanctions: the LPPD enables the imposition of fines for regulatory non-compliance, allows the State Cybersecurity Agency to order additional protective measures to restore or correct any infringement, and does so without prejudice to any civil or criminal liability that may arise. In this sense, more than a formality, lawfulness operates as the first essential filter in any governance and personal data processing strategy. Based on this framework, we can analyze the main legal bases that allow the justification of personal data processing.
Legal bases for the processing of personal data
a. Consent
Consent is one of the legal bases most used by companies. However, it is not always the most appropriate basis from a compliance perspective.
Article 4 LPPD defines consent as the free, specific, informed, express and individualized manifestation of the will of the data subject, by which they accept, either through a statement or a clear affirmative action, the processing of their personal data when there is no other legal basis for doing so.
In that sense, not every manifestation of will constitutes valid consent. For consent to be effective, it must comply with a series of conditions established in the law, failure to meet any of which may completely invalidate it. The necessary conditions are the following:
- Free: it must be given without pressure; there must be no error, bad faith, deceit, physical or psychological violence or any other form of violence that may affect the manifestation of the will of the data subject.
- Specific: it must refer to determined and concrete purposes that justify the processing. It is not valid to obtain a generic authorization for multiple indeterminate uses of the data. If the processing has several purposes, the data subject must be able to consent to each of them separately.
- Informed: that the data subject has knowledge, prior to the processing, of what their personal data will be subjected to and the consequences of granting their consent.
- Express: it must be unequivocal, in such a way that its granting can be demonstrated. Consent may be obtained by physical or electronic means.
- Individualized: there must be at least one granting of consent by each data subject. This requirement reinforces the idea that consent is a direct manifestation of the will of the data subject, linked to their own data and circumstances, and not a generic authorization or one that can be considered collective.
It is important to bear in mind that consent should not be used as a "catch-all" basis. Whenever there is another more appropriate legal basis, such as the performance of a contract or compliance with a legal obligation, it should be prioritized. An inappropriate use of consent, especially when it does not meet the requirements established by law, may weaken the validity of the processing and generate regulatory contingencies for companies.
b. Performance of a contract or pre-contractual phase
The legal basis of performance of a contract enables the processing of personal data when it is necessary to comply with a contract to which the data subject is a party or for the adoption of pre-contractual measures at their request. It is a basis closely linked to the legal relationship itself between the parties, in which the processing of data is justified insofar as it allows the agreed performance to be carried out.
A determining element of this basis is the criterion of necessity, since the law establishes that "(…) the processing is necessary for the performance of a contract (…)". It is not sufficient for the processing to be related to the contract or to facilitate its performance; it must be objectively indispensable to fulfill its main purpose. In other words, the contract could not be properly performed without the specific processing of the personal data in question.
To determine whether this basis is applicable, it is advisable to verify that a contract is indeed being or will be performed, the validity of said contract under the applicable law and that the processing is objectively necessary for its performance. This last element will require companies to be able to demonstrate that the contract could not be fulfilled without the specific processing of the personal data in question.
Finally, when resorting to this basis, the principle of data minimization recognized in Article 5 LPPD becomes particularly relevant, by virtue of which companies must ensure that they process only the data strictly necessary to comply with the contract, avoiding excessive collection or uses incompatible with the contractual purpose.
c. Compliance with legal obligations
This allows the processing of personal data when such processing is necessary for the controller to comply with a mandate imposed by the legal system. In simple terms, it applies when the processing is not optional, but rather a direct consequence of a legal requirement.
To invoke this basis, it is relevant that the processing responds to a clear and foreseeable legal obligation, derived from a regulation applicable to the controller. One area where this basis becomes particularly relevant is the prevention of money laundering, for which Obligated Subjects in this matter have the duty to implement due diligence, monitoring, and reporting measures that necessarily involve the processing of personal data.
For example, the identification and verification of customers ("know your client"), transaction monitoring, record retention and the reporting of suspicious transactions to the competent authorities are activities that find their legal basis in compliance with legal obligations. In these cases, the processing does not depend on the consent of the data subject, nor on a contractual relationship in the strict sense, but rather on a regulatory mandate that seeks to protect relevant public interests.
d. Protection of vital interests
This basis enables the processing of personal data when it is necessary to protect interests essential to a person's life. It is a basis of exceptional and restrictive application, reserved for situations in which the life or physical integrity of the data subject or a third party is at stake.
The central element of this basis is, again, the criterion of necessity, but in a particular context: processing must be indispensable to prevent harm to a person’s vital interests. Therefore, its use should be limited to emergency scenarios, where it is not possible to resort to other legal bases, such as consent.
e. Performance of a task in the public interest or exercise of official authority
This basis allows the processing of personal data when it is necessary for the performance of a function that responds to the general interest or to the exercise of an authority conferred by law on the controller of the processing.
This basis covers two scenarios: when the processing is necessary to carry out a task in the public interest, or when it responds to the exercise of public powers attributed to the controller. In both cases, the common element is that the activity has a prior legal foundation; that is, it derives from a function, competence or mandate recognized by the legal system.
As with the other legal bases, the determining criterion is necessity. The processing must be an appropriate and proportionate measure specifically aimed at fulfilling the identified public purpose. If there are reasonable and less intrusive alternatives to achieve the same objective, this basis will not be applicable.
A key aspect is that the task or function must be established by law or be clearly foreseeable for the data subjects. Unlike other bases, its application does not depend exclusively on the nature of the entity (public or private), but on the nature of the function being exercised. Although this basis may be used by public sector entities, it may also be applicable to private entities when they perform functions of public interest or exercise powers conferred by law.
f. Legitimate interests
This basis allows the processing of personal data when it is necessary for the satisfaction of a legitimate interest of the controller or of a third party, provided that these do not infringe the rights and freedoms of the data subject.
Unlike other bases, its application is not predetermined by a specific situation (such as a contract or a legal obligation), but requires a case-by-case analysis structured around a balancing exercise. Following the development of this legal basis in jurisdictions with more mature data protection regimes, the legitimate interest must meet the following requirements:
- It must be lawful, clear, real and present.
- The processing must be necessary to pursue specific interests.
- The legitimate interest must consider individuals’ rights. This implies that the controller must balance its legitimate interest against the rights or freedoms of the data subjects. This balancing test must be carried out in the light of the specific circumstances in which the processing would take place.
In practice, this basis offers flexibility but also requires a higher level of analysis and documentation on the part of the controller, who must be able to justify, at all times, the reasonableness of the processing.
How to choose the appropriate legal basis?
The choice of the legal basis does not respond to a single formula but depends on the specific purpose of the processing and the context in which it is carried out. In practical terms, the key question that should guide the analysis is: why are we processing this data and what is the legal basis that best fits that purpose?
A recommended starting point is to identify whether the processing responds to any of the situations more clearly defined by law. For example, when data are processed to comply with a legal obligation, perform a contract, protect vital interests, or exercise functions of public interest, the applicable basis is usually more evident. In these cases, the analysis focuses on verifying compliance with the necessity criterion.
In other scenarios, particularly when the processing is not directly linked to a regulatory or contractual obligation, the choice is usually between consent and legitimate interests. This is where the analysis requires greater depth, as both bases present different implications from the perspective of the control of the data subject and the responsibility of the controller.
In this regard, consent may be appropriate when seeking to grant the data subject a greater degree of control over their data, allowing them to decide freely on its processing. On the other hand, legitimate interest may be a valid alternative when the processing responds to a legitimate operational or commercial need, is proportionate and remains within the reasonable expectations of the data subject, with the controller bearing the burden of justifying such choice.
Finally, given the technical and legal complexity that may be involved in correctly identifying and applying the legal basis, it is advisable to have specialized legal advice and support for the person designated by the company as Data Protection Officer. An expert analysis not only makes it possible to mitigate risks of non-compliance but also ensures that data processing is carried out consistently with the regulatory framework and the principles of personal data protection.
How to document the legal basis used?
Identifying the appropriate legal basis is only the first step. The principle of accountability requires companies not only to comply with the regulations, but also to be able to demonstrate that compliance. In this context, properly documenting the legal basis of each processing activity becomes a key obligation.
This implies that the organization must record which legal basis it uses for each processing purpose, as well as the justification supporting such choice. There is no single or predetermined format for doing so; what is relevant is that the documentation is sufficient to demonstrate that the decision was properly analyzed and that the processing has a valid legal basis.
This traceability not only allows compliance with legal requirements, but also facilitates other obligations, such as the preparation of clear and consistent privacy notices, the handling of data subject rights, and the defense against potential regulatory contingencies.
The main tool to comply with this obligation is the Record of Processing Activities (RoPA). This tool sets out, in a structured manner, among other aspects, how an organization collects, uses and stores the personal data under its responsibility and for how long it retains it, and constitutes a fundamental compliance tool in matters of data protection.
Within the RoPA, the legal basis must be clearly identified for each processing activity, together with its specific purpose. This makes it possible to verify that there is consistency between the legal basis used and the operations actually carried out.
Finally, in specific cases such as the use of consent or the application of legitimate interest, the documentation must be more robust. For example, it may be necessary to retain evidence of the consent granted or to develop internal assessments that justify the application of legitimate interest as a legal basis for data processing. In this context, for the preparation of the RoPA it is necessary to have specialized legal advice, in order to ensure the correct identification and substantiation of the legal bases used.
In conclusion, the correct identification and application of legal bases is not only a legal requirement, but a central element for properly managing the risks associated with the processing of personal data. Beyond formal compliance, adopting a structured approach in the selection and documentation of these bases allows companies to make more informed decisions, strengthen their internal processes and generate greater trust among their customers, employees and even before the State Cybersecurity Agency.
The information provided by ARIAS® is presented for informational purposes only. This information is not legal advice and is not intended to create, and does not constitute, an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
