Which government agency controls access to fingerprint, face, and iris data in Paraguay?
Executive summary
Paraguay’s legal landscape for biometric data is in transition: the recently passed comprehensive data protection law establishes a National Agency for Personal Data Protection, housed within the Ministry of Information and Communication Technology (MITIC), as the primary supervisory authority for personal and sensitive data including biometric identifiers (fingerprint, face, iris) [1]. At the same time, operational custody and historical control of biometric repositories remain fragmented—most visibly with the National Police operating major identification databases and supplying biometric records to institutions such as the Electoral Court—while watchdogs and NGOs warn of regulatory gaps and overlaps [2] [3] [4].
1. Legal change creates a central supervisory body—but not yet a single operational owner
The new statute explicitly creates a National Agency for Personal Data Protection and assigns it broad supervisory and regulatory powers over data processing activities, situating that agency within the Ministry of Information and Communication Technology with the rank of a General Directorate [1]. That legislative text frames biometric data (including fingerprints, facial and iris data) as sensitive personal data and places responsibility for oversight, corrective measures, and binding regulations with the newly created agency [1].
2. On-the-ground control of biometric repositories remains dispersed and police-centric
Independent reporting and civil-society research document that, in practice, biometric databases have historically been created and maintained by multiple state actors; notably, the National Police’s identification departments have produced and supplied biometric databases to the Electoral Court’s Co-Directorate of the Electoral Registry for voting-related uses [2]. NGOs have criticized Paraguay’s continued configuration in which civil-document issuance remains linked to police agencies, a design that concentrates operational control of biometric enrollment and storage within security bodies rather than civil authorities [3] [4].
3. Civil society and privacy researchers flag regulatory gaps and risks despite the new law
TEDIC and other privacy advocates have repeatedly argued that Paraguay lacked a comprehensive data protection framework for biometric and digital identity systems, pointing to inadequate regulations, missing impact assessments, and weak transparency about access and correction mechanisms for biometric records [3] [4]. While the new agency is a statutory step, critics emphasize that regulations, procedural safeguards, and implementation details—such as who may access biometric datasets, under what conditions, and with what audit trails—must still be written and enforced [1] [3].
4. Conflicting signals from secondary sources about whether an authority already existed
Some reference materials published before or in parallel to reform note the practical absence of an independent national data protection authority in Paraguay, reflecting the country’s prior institutional gap on data governance [5]. That apparent contradiction reflects timing and evolution: recent legislation [1] establishes a formal supervisory body, but previous analyses and databases recorded that no such independent authority had previously existed [5]. Reporting must therefore be read as a snapshot across reform timing.
5. International cooperation and contractor roles complicate control and access
Paraguay’s biometric systems do not operate in isolation: international partnerships and contracts—such as cooperative agreements on biometric data sharing reported in diplomatic and agency releases—underscore that access to biometric records can involve foreign counterparts or contractors under government authority [6]. Legal and contractual safeguards for contractor handling of biometric data are invoked in comparative literature, but Paraguay’s own regulatory regime for such relationships has been questioned by local NGOs as insufficiently robust to prevent unauthorized access or misuse [7] [3].
6. Bottom line: supervisory control moves toward a national agency; operational custody remains multi‑actor
Formally, control over access rules, oversight and regulation of fingerprint, face and iris data now rests with the National Agency for Personal Data Protection created by the new law and placed within MITIC as a General Directorate [1]. Practically, many biometric datasets continue to be held, administered, and accessed by operational agencies—most prominently the National Police and electoral authorities—while civil-society groups press for clearer separation of civil registry functions from police custody and for strong implementing rules to prevent abuse [2] [3] [4]. Where sources disagree or are time‑bound, reporting reflects those temporal and institutional transitions rather than a single settled fact [5].