Technical English · AM I Term 2026

Digital Governance & Information Security

Unit 1 — Interactive Study Guide  ·  Teacher: Manuel A. Vargas

📅 Monday, April 13th · 7:00 AM
01 Data Protection & GDPR
Data Subject · Consent · Data Processing · Data Transfer · PRODHAB
  • GDPR – General Data Protection Regulation (EU, 2018). The international benchmark for personal data privacy law.
  • Data subject – the natural (living) person whose personal data is being processed.
  • Consent – must be freely given, specific, informed, and unambiguous. It must be easy to withdraw at any time.
  • PRODHAB – Costa Rica's Data Protection Agency (Agencia de Protección de Datos de los Habitantes), established by Law 8968.
  • Data processing – any operation on personal data: collection, storage, use, modification, or deletion.
  • Data transfer – sending personal data to third parties or across national borders; requires a legal basis.
02 Responsibilities & Governance
Criminal · Civil · Administrative · Transparency · Accountability
  • Criminal responsibility – cybercrime offenses (unauthorized access, digital fraud) punishable by state law.
  • Civil responsibility – obligation to compensate individuals harmed by misuse or breach of their personal data.
  • Administrative responsibility – sanctions issued by regulatory bodies such as PRODHAB for non-compliance.
  • Transparency – the duty to clearly inform users what data is collected, why, how it is used, and with whom it is shared.
  • Accountability – actively demonstrating compliance with data protection rules, not merely following them.
  • Risk management – identifying, assessing, and mitigating threats to data integrity, confidentiality, and availability.
  • Customer trust – the outcome of consistent transparency, security practices, and ethical behavior.
03 Ethics & Digital Citizenship
Ethical Commitment · Digital Equity · Global Citizenship · Cyber-regulations
  • Ethical commitment – the moral principles and values that guide every action and decision in digital environments.
  • Global / planetary citizenship – collective responsibility for the global impact of digital actions and policies.
  • Digital equity – the principle that all people should have fair and equal access to technology and digital services.
  • Cyber-regulations – laws and norms that define rights, responsibilities, and permitted behavior in cyberspace.
  • Computer Law – the legal field governing the use of information systems, technology, and digital data in society.

Risk · PRODHAB · Law 8968 · Administrative liability
Case 1 — Data Breach at a Costa Rican Retail Company

A retail company exposes personal data of 50,000 customers due to a lack of encryption on their servers. The breach includes names, ID numbers, and purchase history. The company did not notify affected users or PRODHAB within the required 72-hour window.

Analysis: Administrative liability under Law 8968 for failing to implement appropriate security measures and for delayed breach notification. Potential civil liability for damages suffered by affected data subjects. The lack of encryption directly violates the principle of data security under GDPR and local law.
Implement encryption at rest, access controls, and a clear incident response plan with mandatory notification timelines.
Data Transfer · Consent · GDPR violation
Case 2 — Unauthorized Cross-Border Data Transfer

A Costa Rican app shares user behavioral data and contact information with a US-based advertising company without disclosing this in its privacy policy or obtaining explicit user consent. Users were never informed of the international transfer.

Analysis: Violates the consent principle under GDPR and Law 8968 — transfer requires a legal basis such as Standard Contractual Clauses (SCCs) and explicit informed consent from the data subject. The lack of transparency also breaches the accountability principle.
Before any cross-border data transfer, obtain explicit consent, establish SCCs, and clearly disclose the transfer in the privacy policy.
Ethical Commitment · Digital Equity · Civil responsibility
Case 3 — Biased AI in Employee Recruitment

A company deploys an AI system to screen job applications. After an internal audit, it is discovered that the algorithm systematically downranks applications from women and candidates from certain regions, resulting in discriminatory hiring patterns over two years.

Analysis: The company's ethical commitment is compromised. Digital equity is violated as the algorithm perpetuates real-world inequality. The company faces civil liability for discriminatory outcomes and reputational damage. Under GDPR, automated decision-making affecting individuals requires explainability and the right to contest decisions.
Conduct regular algorithm audits for bias, ensure explainability in automated decisions, and uphold digital equity as a governance principle.