Argentina - Data Protection Overview

December 2020

INTRODUCTION

Convention 108 and 108+

Since June 2019, Argentina has been a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'). Convention 108 had previously been approved by Law No. 27,483 (only available in Spanish here).

On September 19, 2019, Argentina signed the Convention 108+ for the Protection of Individuals with Regard to Processing of Personal Data. However, there remain some necessary legislative and diplomatic processes for its effective entry into force.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

The right to personal data protection was incorporated in the Argentine legal system in 1994, through the new Article 43 of the National Constitution (only available in Spanish here). In 2000, the National Congress of Argentina ('the Congress') enacted the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act'), which sets forth the main principles and rules for the protection of personal data. Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here) ('the Decree'), amended by Decree No. 1160/10 (only available in Spanish here) introduced additional rules for the implementation of the Act. The regulations issued by the Argentinian data protection authority ('AAIP'), formerly the National Directorate for Personal Data Protection ('PDP'), complement a creditable legal framework, which in 2003 allowed Argentina to be recognised by the EU as a country providing an adequate level of protection for personal data. All of the above are referred to as the Argentine data protection regulations ('the Regulations').

In addition, the National Criminal Code (only available in Spanish here), as amended by the Act and Law No. 26.388 of 2008 (only available in Spanish here), punishes offences related to data confidentiality, veracity, and integrity with fines and imprisonment.

Additionally, other regulations, which are not specifically related to personal data protection, nonetheless contain important rules that affect data protection. Article 52 and 1770 of the National Civil and Commercial Code (only available in Spanish here) ('the Code') protect the right to privacy. Moreover, Article 22 of Law No. 26.061 on the Protection of Girls, Boys and Adolescents (only available in Spanish here) protects minors' data.

It should be noted that the Regulations were drafted following European regulations. Since the Data Protection Directive (Directive 95/46/EC) has been replaced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in 2016 the AAIP started working on a draft bill (only available in Spanish here) ('the Bill') to replace the current Act. The final version of the Bill was submitted by the Executive Branch to Congress on 19 September 2018. Regarding its content, the Bill follows the main principles of the GDPR, although it is less precise in the specification of its provisions and also presents some differences. However, the Bill was not passed as law and lost its parliamentary status in March 2020. Nevertheless, the AAIP has said off the record that it is currently working jointly with the Ministry of Foreign Affairs of Argentina in order to push for the Bill to be filed again with the Congress.

1.2. Guidelines

The AAIP issued guidelines for the processing of personal data for electoral purposes, setting basic guidelines to ensure the integrity and protection of personal data ahead of election processes, by means of Resolution No. 86/2019 (only available in Spanish here). Resolution No. 86/2019 does not imply a change in the existing Regulations, but recalls the general principles established by them, adapting the Regulations to the context of electoral campaigns. In this way, the guidelines for the processing of personal data for electoral purposes note that data that reveals political opinions and/or affiliation to a political organisation is considered sensitive data, which can be processed lawfully with the data subject's consent. Resolution No. 86/2019 classifies its analysis into the following aspects:

  • fundamental principles of personal data protection;
  • registration;
  • rights of data subjects;
  • consent;
  • political opinions;
  • affiliation to a political organisation;
  • public data in social networks, forums, and web platforms;
  • electoral propaganda in social networks, messaging platforms, and other web services;
  • basic data;
  • provision of computerised services; and
  • security and confidentiality.

Moreover, by means of Resolution 4/2019, (only available in Spanish here), the AAIP also approved the guiding principles of best practices for the application of the Act in order for controllers and processors to make a correct interpretation and implementation of the Regulations. In this sense, the AAIP has covered the following matters:

  • data collection through video surveillance systems;
  • automated data processing;
  • data dissociation;
  • biometric data; and
  • data subject's consent, including the consent of children and adolescents.

Although not formally guidelines, the AAIP Resolution No. 47/2018 approved the Recommended Security Measures for the Processing and Conservation of Personal Data (only available in Spanish here) ('the Recommended Security Measures') in relation to computerised and non-computerised media and repealed Dispositions No. 11/2006 (only available in Spanish here) and No. 9/2008 (only available in Spanish here) of the PDP, eliminating the obligations of those responsible for the processing of personal data to adopt the security measures defined in the repealed provisions. These are discussed further under section 6. Finally, it is important to highlight that the AAIP issued a guide on privacy good practices for the development of applications, approved by Resolution No. 18/2018 of the PDP (only available in Spanish here) ('the Guide'), which provides guidelines and recommendations for software developers concerning personal data protection and privacy policies. In the Guide, the AAIP states that cloud storage is considered an international transfer of data.

Likewise, on 11 March 2020, the AAIP published guidelines for the processing of personal data in the context of the Coronavirus (only available in Spanish here). In this connection, the AAIP stated that the processing of health information is an activity that must be carried out with special diligence, respecting the privacy of individuals, in accordance with the Act.

In this regard, the AAIP emphasises some of the fundamental principles of current regulation, stressing, among others, that the disclosure of the name of a patient suffering from Coronavirus requires his/her consent, and that the National Ministry of Health and the provincial ministries are empowered to require, collect, transfer to each other, or otherwise process health information without the patient's consent, in accordance with the explicit and implicit powers granted to them by law.

1.3. Case law

Salvador, Claudio v. Citibank N.A. - Chamber D of National Court of Appeals in Commercial Matters of 22 November 2005

Citibank N.A. had a 'privacy promise' outlining that Citibank could share its clients' data with third parties for direct marketing purposes.

Mr. Salvador filed a data action in order to:

  • access his personal data stored in Citibank's databases, and obtain information regarding the specification on the origin of the data, their assignors and/or concessionaires, and the particular uses and purposes for which they were stored; and
  • request that the defendant be ordered to keep his personal data confidential and prohibit any data transfers to third parties.

Citibank answered the complaint and requested the rejection of the claim. The court issued a judgment ordering Citibank to safeguard and preserve the confidentiality of the data relating to the plaintiff that Citibank kept in its records, and ordered that the data not be transferred to third parties except by legal imperative, without the prior consent of the plaintiff.

In this respect, the plaintiff appealed and argued that his claim aimed at accessing his personal data held by the bank had not been granted. He also claimed that the Act requires, in response to a request for access, that the controller provide the information in a clear, comprehensive manner and within the period stipulated in said regulation.

The defendant also appealed arguing, among other things, that the only data that it had shared with third parties was data of free circulation according to the Act, such as name, ID number, and address.

The court confirmed the judgment and stated, among other things, that the data shared with third parties differed in purpose from that for which it had been collected by the bank and, consequently, required new prior, express and informed consent of the data subject. In addition, the data included in the transfer was not only free circulation data, but also included implicit data (i.e. that the data subject was a client of Citibank), and such data is not free circulation data according to the Act.

AOL Argentina S.R.L. v GCBA - Court of Appeals in the Administrative and Tax Matters of the City of Buenos Aires, Chamber I of 29 December 2005 (only available in Spanish here)

Mr. Carlos Alberto Brizuela filed a complaint with the General Directorate of Consumer Protection and Defense of the Autonomous City of Buenos Aires ('the Directorate') against AOL Argentina S.R.L. Brizuela reported in his complaint that during September, the company had given him a CD so he could surf the internet for free for three months. He added that in order to access this service he had to register his personal data and his credit card number. He stated that, in mid-December, after the free period had expired, he received two invoices to be debited from his credit card. In view of this situation, he contacted the company and agreed on a new plan. He outlined that he had used the new plan intermittently until April, when the bank statement of his credit card showed an amount to be debited. The next day he called the company nine times and the company informed him that he had exceeded the plan's limit. In view of this, he requested the termination of the service and was told that he should have requested it 72 hours before the end of his term. He asked for an explanation and, in the absence of an answer, filed the complaint.

After the administrative phase, the Directorate, under provision 4335-DGDyPC-2003, imposed a fine of ARS 2,000 (approx. €21), considering AOL liable for infringing the information duty established in Article 4 of the Consumer Protection Law No. 24.240 (only available in Spanish here) ('the Consumer Protection Law').

In making its decision, the court made observations regarding the registration system chosen by AOL to inform consumers about the essential characteristics of the service provided, noting,

  • 'there is no way to guarantee that the registration process is carried out by the person who appears as the owner of the service;
  • there is no evidence that the registration process coincides with that which the consumer claims to have made; and
  • there is no evidence that the information that emerges from the documents provided by the company coincides with the information supplied to the complainant when registering.'

By virtue of this, it concluded that AOL had infringed Article 4 of the Consumer Protection Law. The plaintiff appealed the decision.

In his dissenting vote, Dr. Esteban Centanaro established, 'The contracting modality called 'click wrap agreement,' consisting of the expression of the agreement by clicking in a box that contains the general conditions, implies the existence of an agreement of wills between the parties, as it grants the possibility of previously checking the contracting conditions, constituting an electronic document. In electronic contracts, acceptance is subject to the possibility of the acquirer previously verifying the general contracting conditions. These general conditions and their acceptance constitute an electronic document. To support its legitimacy, the modality of presenting them in an unavoidable or forced way for the user has been employed in order to prove that they have to read them before contracting. This will serve as documentary proof of the acceptance of the offer in the event that the client denies having seen the conditions to which he was subject. In this hermeneutical line, a court in California considered that the user is bound by the general conditions when clicking on the 'accept' button, after having had the opportunity to read them. That is, what is called the 'click wrap agreement' is used. It is a modality in which the agreement is expressed by clicking the mouse on the computer; in other words, when the internet user wishes to enter a website, he/she is presented with a text and a box that contains a list of general conditions (terms and conditions, usage agreement) with the option to accept or not. This is what, in my opinion, happened in the case under analysis: the consumer acknowledges that in September 2000 he received a CD from AOL, which, according to the company's promotion, allowed access to a free internet connection for three months. In turn, he acknowledges that to enable the system and as a condition to use the internet service, he had to register his personal information and enter his credit card number. That is, the same consumer acknowledges that in order to access the service, he must have registered and entered his credit card. As we said above, the consumer had the possibility of being informed about the general conditions of the service provided by AOL. Consequently, and by virtue of the foregoing, I consider that in this case there was no infringement of the Consumer Protection Law, as it was proved that there was an agreement of wills between the parties, and it is appropriate to revoke the appealed provision.'

Judges Horacio A. G. Corti and Carlos F. Balbín adhered to the facts mentioned by Dr. Centanaro, but not to the solution he suggested. They considered that the plaintiff had to provide truthful, detailed, effective, and sufficient information, in accordance with Article 4 of the Consumer Protection Law. In the first place, it was proven that the user installed the company's software, registered, and surfed the internet for a few months. However, the terms and conditions of the electronic contract had not been duly evidenced, since there was no evidence that the documentation filed by the company at court was the same information as that which the user actually had in view at the time he gave his consent.

The importance of this case from a data protection standpoint is that in the dissenting vote, having to scroll down through the text of an electronic contract before clicking an accept button was considered as sufficient consent.

Unión de Consumidores y Usuarios v. Citibank N.A. – Chamber E of National Court of Appeals in Commercial Matters of 12 May 2006

Citibank N.A. sent a 'privacy promise' to its clients stating, among other things, that if they did not want their data to be shared and/or assigned to third parties for direct marketing purposes, they should make an express opposition.

The plaintiffs, the Union of Consumers and Users, claimed that the 'privacy promise' violated the Act and Citibank should be ordered to cease its conduct.

Citibank claimed, among other things, that habeas data actions cannot be filed as class actions.

The court ruled in favour of the plaintiffs, admitting the class action and, based on the rule of prior consent and the principle of purpose that govern all processing of personal information, established that the 'privacy promise' violated the Act.

Napoli, Carlos Alberto v. Citibank N.A. - Supreme Court of Justice of the Nation of 8 November 2011

The Napoli case starts with a lawsuit filed by Mr. Napoli, a bank debtor, against Citibank N.A., with the aim of stopping its status as an 'irrecoverable debtor in situation 5' from being reported to the Central Bank of the Argentine Republic ('BCRA') and other credit reporting entities. He argued that Section 26(4) of the Act provides for a maximum five-year term to report debts that have not been cancelled, and that such period had expired.

The court, when revoking the decision of the court of first instance, granted the habeas data action brought by Napoli against Citibank under the terms of the Act, ordering Citibank to suppress the totality of the data referring to the debt of the plaintiff and to communicate such circumstance to the BCRA for the purpose of being eliminated from the central registry of debtors of the financial system. The defendant filed an extraordinary appeal, the denial of which initiated an appeal before the Supreme Court of Justice of the Nation.

The Supreme Court of Justice of the Nation upheld the ruling of Division III of the Federal Court of Appeals in Civil and Commercial Matters, arguing that it did not arise from the text of the Act, nor could it be inferred from its genesis, that the five-year term must be postponed while the debt is due and while the statute of limitations has not yet passed. The intention of the legislator had been to establish a shorter period than the ten years proposed originally, which had been suggested because it coincided with the statute of limitations.

Pavolotzki, Claudio and others v. Fischer Argentina S.A. - Chamber IX of National Court of Appeals in Labour Matters of 10 July 2015 (only available in Spanish here)

Fischer Argentina appealed the decision of the court that upheld the claim through which its employees pursued the restoration of their previous working conditions, after the implementation of software that allowed the company to know, at any time, the geographical location of employees who were commercial travellers.

The Court of Appeals upheld the appealed decision, arguing that the installation of software through which the employer had access, at all times and instantly, to the precise geographical location of employees, even outside working hours, was unjustified and arbitrary inasmuch as it constituted an intrusion into the private sphere. The use of the equipment was not subject to any type of restriction, so the claimants could use it to carry out personal communications, especially since they paid the expenses generated by the telephone equipment.

In addition, the Court of Appeals argued that knowing the geographical location of those who work as commercial travellers is arbitrary and unjustified, since it is highly sensitive information and, therefore, both lacks the reasonableness required by Sections 62 and 63 of the Contract of Employment Law No. 20.744 (only available in Spanish here) and breaches the provisions of the Act, especially as there is no concrete justification of the need for a data survey to such a magnitude and extent.

Yahoo de Argentina S.R.L. in re Security Incident – File Number EX-2016-04629409 – DNPDP#MJ of 6 June 2019

This is an administrative case wherein Yahoo de Argentina S.R.L. was penalised by the AAIP for a security incident affecting the personal data of eight million Argentines, which occurred in 2013.

The AAIP considered that:

  • the backup archives that had been affected did not have an appropriate level of encryption to prevent the unauthorised copying or extraction of information;
  • the security copies were not encrypted by default, despite including personal data; and
  • the company could not confirm the mechanics of the incident nor who had been involved in it.

The sanction was a fine of ARS 80,000 (approximately €822). This was the first sanction imposed by the AAIP for a security incident.

2. SCOPE OF APPLICATION

2.1. Personal scope

The Regulations apply to processors and controllers of databases, meaning all natural persons or legal entities, either public or private.

2.2. Territorial scope

The Regulations apply whenever personal data is processed in the territory of Argentina (Article 44 of the Act). Therefore, if an isolated action concerning personal data takes place in Argentina, the Regulations apply to that action, even when the rest of the data processing takes place abroad and is governed by a different law. As a result, if the controller has no presence at all in Argentina and performs all its activities abroad, it could be interpreted that it is out of the reach of Argentine authorities. However, Argentine authorities have jurisdiction over all the activities carried out locally (e.g. through a company representative or branch or even a local server).

This notwithstanding, it should be noted that the recent Resolution No. 69/2020 of the AAIP imposed a fine on Google Argentina and Google LLC, arguing that the Act applies not only to Google Argentina but also to Google LLC, since the AAIP and the federal courts have jurisdiction throughout the country over those data controllers responsible for interconnected databases that have inter-jurisdictional, national, or international scope, to the extent that data from Argentine data subjects is processed or that, in any other way, the processing of data connects with, or produces effects in, Argentina (by interpreting Section 36.b of the Act). Please refer to section 9.1 Enforcement Decisions below.

2.3. Material scope

The Regulations apply to processors and controllers of databases in respect of any personal data processing that takes place in Argentina.

Processing is broadly defined as any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data, or transfer to third parties.

The Act protects personal data, which includes information of any kind that refers to individuals or legal entities, whether identified or identifiable by an associative process (Article 2 of the Act).

Argentine laws also protect sensitive personal data, defined as personal data that reveals an individual's:

  • racial and ethnic origin;
  • political opinions;
  • religious, philosophical, or moral beliefs;
  • union affiliation; and/or
  • information regarding health or sexual life.

Resolution 4/2009 of the AAIP states that biometric data that can identify a person will be considered sensitive data only when it can reveal additional data whose use could be potentially discriminatory for their owner (e.g. data revealing ethnic origin or information regarding health).

Likewise, regarding automated data processing, in the event that the data controller makes decisions based solely on the automated processing of data that produce pernicious legal effects for the data subject or negatively affect him/her, the data subject will have the right to request an explanation of the logic applied in that decision, in accordance with section 15, paragraph 1 of the Act.

Processing of anonymised data is exempted since it is not considered personal data.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

According to the terms of Article 19 of the Right of Access to Public Information Law No. 27,275 (only available in Spanish here), as amended by Article 11 of Decree N° 746/2017 (only available in Spanish here), the AAIP is the main supervisory authority of the Regulations.

3.2. Main powers, duties and responsibilities

The AAIP aims to 'supervise the comprehensive protection of personal data stored in files, records, databases, or other technical means of data processing, whether public or private, intended to provide information, to guarantee the right to honour and privacy of individuals and access to the information that is registered about them.' As a consequence, Article 2 of Decree No. 899/17 on Access to Public Information (only available in Spanish here) provided that any reference in the Regulations to the PDP should be considered as referring to the AAIP.

The AAIP has the right to make inspections with the aim of:

  • checking the activities of controllers of databases and the data they manage;
  • assessing compliance with the Regulations; and
  • making recommendations in order to improve their performance within the legal framework.

The AAIP is entitled, at its sole discretion, to carry out inspections so as to control compliance with the Regulations. In fact, Article 4 of the Decree expressly authorises the AAIP to apply the pertinent sanctions if legal principles are not fulfilled. In addition, if it is requested by data subjects or if the AAIP, at its sole discretion, considers it appropriate, it is entitled to verify:

  • the lawfulness of data collection;
  • the legality of exchanges of data and their transmission to third parties, as well as the interrelation between them;
  • the lawfulness of the transfer of data; and
  • the legality of both the internal and external control mechanisms for files and databases.

4. KEY DEFINITIONS

Data controller: The Act does not expressly define the concepts of data controller (it does provide a definition for 'person responsible for a database') and data processor. Nonetheless, it can be understood that data controllers are those that process data at their own discretion, defining the purposes and means of processing, and data processors are those that process data following data controllers' instructions.

Data processor: As noted under 'Data controller' above, the Act does not expressly define the concept of data processor. Nonetheless, it can be understood that data processors are those that process data following data controllers' instructions, as opposed to data controllers, which define the purposes and means of processing at their own discretion.

Personal data: Information of any kind referring to individuals or corporations, identified or identifiable by an associative process (Section 2 of the Act). 

Sensitive data: Data revealing racial and ethnic origin, political views, religious, philosophic or moral beliefs, union membership, and information referring to health or sexual life (Section 2 of the Act). According to Resolution 4/2019 of the AAIP, biometric data that identifies a person will also be considered sensitive data only when it can reveal additional data whose use may result in potential discrimination for its owner (e.g. biometric data that reveal ethnic origin or reference information to health). This is simply a sub-category of personal data that receives enhanced protection.

Health data: The Act does not define the concept of health data.

Biometric data: It is specifically defined as data obtained from a specific technical processing, relating to the physical, physiological, or behavioural characteristics of a person that confirm their unique identification (Resolution 4/2019 of the AAIP).

Pseudonymisation: The Act does not expressly refer to pseudonymisation; however, the Act defines 'data dissociation' as any processing of personal data in such a way that the information cannot be associated with a particular person (Section 2 of the Act).

Person responsible for a data file, register, bank or database: The natural person or legal entity, whether public or private, that owns a data file, register, bank, or database. It can be assimilated to the data controller (Section 2 of the Act).

Processing: The Act does not define processing; however, Section 2 of the Act defines 'data treatment' as any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data, or transfer to third parties.

Data User: Any person, whether public or private, performing at their discretion the processing of data contained in data files, registers, databases, or databanks, whether owned by them or to which they may have access through a connection (Section 2 of the Act). It can also be assimilated to the data controller.

5. LEGAL BASES

5.1. Consent

Prior consent of data subjects

According to Section 5 of the Act, personal data processing is only legal with the prior, express and informed consent of the data subject, except in the circumstances provided by the Act.

Consent to process personal data is not necessary when the data:

  • is obtained from unrestricted publicly accessible sources;
  • is collected to comply with state powers, or by virtue of a legal obligation;
  • consists of lists limited to name, identity document, taxpayer or pension identification number, occupation, date of birth, and domicile;
  • arises from a contractual, scientific, or professional relationship with the data subject, and is necessary for its development or fulfilment; or
  • refers to transactions performed by financial entities and the information they receive from their clients (protected by banking secrecy rules).

Moreover, consent is not necessary when the data:

  • is processed for marketing purposes, to the extent permitted by and in compliance of the requirements set forth by Article 27 of the Act and the Decree;
  • is transferred to a third-party service provider, to the extent permitted by Article 25 of the Act and the Decree; or
  • is processed for the provision of credit information services, to the extent permitted by Article 26 of the Act and the Decree.

Furthermore, consent is not necessary to process anonymous data. Personal data may be rendered anonymous by removing the information which allows the recipient to identify the data subject. Such information will consequently not be considered personal data, and therefore will not be shielded by the Regulations.

Consent should be expressed in writing or by other means that can be equated to writing. In view of this, means of collecting consent other than in writing should produce and record enough evidence that consent was actually given.

5.2. Contract with the data subject

As mentioned in 5.1. above, the data subject's consent is not required when the data arises from a contractual, scientific, or professional relationship with the data subject and is necessary for its development or fulfilment (Section 5.2.d) of the Act).

5.3. Legal obligations

Likewise, data subject's consent is not required when data is collected to comply with state powers or by virtue of a legal obligation (Section 5.2.b) of the Act).

5.4. Interests of the data subject

The Act does not foresee the interests of the data subject as a legal basis for processing.

5.5. Public interest

The Act does not foresee the public interest as a legal basis for processing.

5.6. Legitimate interests of the data controller

The Act does not foresee the legitimate interests of the data controller as a legal basis for processing.

5.7. Legal bases in other instances

Data subjects' consent is also not required: (i) when the data is obtained from sources of unrestricted public access; (ii) in the case of lists whose data is limited to name, national identity document, tax or pension identification, occupation, date of birth, and address; and (iii) in the case of operations carried out by financial institutions and the information they receive from their clients in accordance with the provisions of Article 39 of Law 21,526 (in accordance with Section 5.2. of the Act).

Unlike the Act, which treats consent as the main legal basis for processing personal data, subject only to the exceptions mentioned above, the Bill also introduced other legal bases for processing: for example, where the processing is necessary to safeguard the vital interests of the data subject or of third parties, provided that the interests or rights of the data subject do not prevail over such interests and the data subject is physically or legally incapable of giving consent; or where the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or rights of the data subject do not prevail over those interests, particularly when the data subject is a child or teenager (Article 11 of the Bill).

6. PRINCIPLES

Purpose proportionality

Personal data collected for processing must be relevant and not excessive in relation to the scope and purpose for which a data controller obtained it (Article 4(1) of the Act).

Transparency

Data collection cannot be performed using unfair or fraudulent means or in an unlawful manner (Article 4(2) of the Act).

Purpose restriction

Data must not be used for any purpose other than those for which it was collected (Article 4(3) of the Act).

Data accuracy

Personal data collected for processing must be correct and accurate. Data must be updated, corrected, or totally or partially deleted where necessary. Additionally, data subjects have the right to request rectification (Article 4(4) and (5) of the Act).

Access right

Data must be stored in a way that enables data owners to exercise their right of access (Article 4(6) of the Act).

Data retention

Data must be destroyed when it is no longer necessary or relevant for the purposes for which it was collected (Article 4(7) of the Act).

Data security

Data controllers (and likewise data processors) must adopt technical and organisational security measures to protect the data (Article 9 of the Act and Resolution 47/2018 of the AAIP).

Confidentiality

Data controllers must bind those responsible or involved in any part of the data processing by a duty of confidentiality (Article 10 of the Act).

Accountability

The AAIP has changed its view on how those who process and preserve personal data are to comply with the security duty, moving from the idea of compulsory compliance with prescribed measures to that of accountability, in the terms of the GDPR. Compliance must therefore be in line with the principle of proactive responsibility or accountability provided in the GDPR, under which organisations that process personal data implement the appropriate technical and organisational measures to guarantee its security and confidentiality, can demonstrate what they have done and, likewise, prove the effectiveness of those measures when required. This change of view is one of the steps taken by the AAIP to adapt Argentine legislation to the new principles established by the GDPR and to maintain Argentina's qualification as an adequate country by the EU.

The new Recommended Security Measures are adapted to the technological changes that have taken place in recent years since the now-repealed provisions were enacted. The Recommended Security Measures cover the entire cycle of processing and conservation of personal data, from its collection to its destruction, including access controls, actions aimed at backup and recovery, and the management of vulnerabilities and security incidents.

It should be noted that among the Recommended Security Measures there is a duty to report security incidents to the AAIP.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

As discussed in section 4 above, the Act does not expressly define the concept of data controller. Nonetheless, since data controllers process data at their own discretion, data processors must comply not only with requirements under the Regulations but also with the instructions given by the data controller.

Section 9 of the Act sets forth that the person responsible for, or the user of, data files must take all the technical and organisational measures necessary to guarantee the security and confidentiality of personal data, in order to avoid their alteration, loss, unauthorised access, or processing. The Act prohibits the recording of personal data in files that do not meet the technical requirements of integrity and security.

The Recommended Security Measures, which were approved by Resolution 47/2018 of the AAIP and published in the Official Gazette on 25 July 2018 (only available in Spanish here), repealed Dispositions No. 11/2006 (only available in Spanish here), and No. 9/2008 (only available in Spanish here) issued by the PDP, which contained the mandatory security measures for the treatment and conservation of databases.

Moreover, it is no longer mandatory for those who process and preserve personal data to adopt the security measures defined in the repealed dispositions. However, while the generic security duty established in Section 9 of the Act must still be met, data controllers and processors may decide to adopt the Recommended Security Measures or, failing that, those that they consider sufficient to comply with the aforementioned duty of security of Section 9 of the Act.

7.1. Data processing notification

According to Sections 3 and 21 of the Act, databases are only lawful if they are registered with the National Registry of Personal Databases maintained by the AAIP.

It is important to point out that the AAIP does not require the disclosure of the content of the databases, but only certain general information about their creation and maintenance, and compliance with the Act's principles.

Following the AAIP's Resolution No. 132/2018 (only available in Spanish here), the registration process must be performed through the public online platform called 'Remote Procedures' (in Spanish, 'Trámites a Distancia'), which involves no official fees. There is still no obligation to record the data itself, but certain descriptive information regarding each database is required, which is less extensive than what was requested before Resolution No. 132/2018. In addition, controllers must now register themselves as such through the aforementioned platform.

It should also be noted that although Resolution No. 132/2018 does not establish the obligation to renew the databases annually, as was previously required in some cases, it is mandatory to report any update or modification in the data of the registrant and in the data of the databases, and it is up to the person responsible to comply with this duty, since registration amounts to an affidavit.

Databases of exclusive personal use are exempted from the obligation of registration (e.g. addresses of friends on personal computers, personal agendas, etc).

The lack of registration may give rise to sanctions such as warnings, suspensions, fines, closure, or cancellation of the data bases.

Notwithstanding the foregoing, the AAIP's criterion is that the duty to register databases applies only to companies that are registered with the General Inspection of Justice and that have a local tax identification number. The AAIP has therefore stated that a company without a local tax identification number and domicile in Argentina cannot be entered in the registry. Consequently, foreign companies not registered in Argentina have no duty to register their databases.

7.2. Data transfers

Article 12 of the Act prevents the transfer of personal data of any kind to a country or international or supranational organisation that does not provide an adequate level of protection.

In 2016, the AAIP issued Regulation No. 60-E/2016 (only available in Spanish here). Regulation No. 60-E/2016 lists the countries that the AAIP considers provide an adequate level of data protection, such as EU Member States and members of the European Economic Area, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (only for the private sector), the Principality of Andorra, New Zealand, the Republic of Uruguay, the State of Israel (only for data that is processed automatedly), and the United Kingdom of Great Britain and Northern Ireland (according to Resolution No. 34/2019 – only available in Spanish here).

Likewise, Regulation No. 60-E/2016 officially approved the Standard Contractual Clauses that must be incorporated into international transfer agreements for the provision of services and the transfer of data to countries that, according to the AAIP, do not have an adequate level of data protection.

Regulation No. 60-E/2016 also provides that if data transfers are made to countries that do not provide an adequate level of data protection and the agreements used to regulate the transfer differ from those approved by the AAIP or do not contain the same principles and guarantees, a request for approval of such agreements must be submitted to the AAIP within 30 calendar days of their execution.

In 2018, the AAIP issued Regulation No. 159/2018 (only available in Spanish here), which approves guidelines and basic contents for Binding Corporate Rules ('BCR'), which may be used by companies that transfer personal data from Argentina to companies of the same economic corporate group located in countries that do not provide an adequate level of data protection. BCRs must comply with the minimum content set forth by the AAIP. Otherwise, they must be submitted for approval by the AAIP within 30 days of the transfer. BCRs must be binding on all members of the same corporate group (through corporate resolutions that oblige them to comply with the BCR), as well as on their employees, subcontractors, and third-party beneficiaries (through specific contractual clauses).

By virtue of the above, personal data transfers to countries that do not provide an adequate level of protection will be allowed when:

  • the data subject has expressly consented to such transfers;
  • the data is exported for outsourcing purposes by means of an international transfer agreement between the transferor and the transferee that follows the Standard Contractual Clauses; and
  • the transfer is among companies of the same economic group, if the companies have put BCRs in place with the minimum content set forth by the AAIP or approved by the AAIP.

Moreover, please note that the Regulations also establish that: (i) sharing personal information with companies of the same group is treated the same as sharing it with entirely independent third parties; and (ii) cloud storage is considered an international transfer of data (Provision No. 18/2015 of the PDP).

7.3. Data processing records

Though not mandatory, the Recommended Security Measures include certain data processing records such as:

  • an inventory of computer assets that store or manage personal data;
  • a record of access to the systems;
  • a record of system use;
  • a record of physical accesses (identifying day, time, entrants, and reason);
  • a record of the verifications and/or tests carried out to ensure the integrity, availability, and confidentiality of the data;
  • a record of recovery tests carried out identifying: type of information recovered, place and date where recovery tests were carried out, result of the recovery tests, person responsible for carrying out the recovery tests, personnel involved in the recovery tests, and notification to the data manager; and
  • an inventory identifying the backups, their actual location, and the physical medium.

7.4. Data protection impact assessment

The Data Protection Impact Assessment ('DPIA') Guidelines were published on 28 January 2020 by the data protection authorities of Argentina and Uruguay. The Guidelines aim to help public organisations and private companies identify and minimise, from an early stage, the potential risks to personal data that may arise in their usual activities (only available in Spanish here).

The DPIA Guidelines aim to serve as a didactic manual for evaluating how data processing is performed in each organisation, identifying the risks, their probability of materialising, and their possible impacts. In addition, they establish patterns for measuring the level of each risk and for executing an action plan to mitigate each risk.

The assessment seeks to understand fully the specific relationship that exists between the organisation and the data subjects. Consequently, the following must be considered, among other factors:

  • the reasonable expectations of privacy of the data subjects involved;
  • the influence that the organisation's activity has on society; and
  • how and why the organisation makes certain decisions, and which are their main objectives.

Likewise, the process of development of the DPIA involves the following phases:

  • identification of participants and documentation of the assessment process: the purpose of phase 1 is to determine the participants in the preliminary analysis and in the assessment itself, and to define the processes for documenting them;
  • analysis of the applicable laws: the purpose of phase 2 is to analyse the regulations applicable to the processing carried out, in order to understand how they apply to the different stages of that processing;
  • preliminary analysis: the purpose of phase 3 is to carry out a preliminary analysis of several factors that determine whether a subsequent assessment is needed; this phase can be omitted if the assessment is mandatory under the current regulations;
  • processing context: the purpose of phase 4, the first substantive phase of the DPIA, is to analyse every instance of processing to be carried out from a personal data protection standpoint;
  • risk management: the purpose of phase 5 is to carry out a risk analysis for each of the stages of the processing context established in the previous phase, so that these risks can be managed adequately; and
  • risk treatment plan: the purpose of phase 6 is to draw up an adequate treatment plan for the risks determined in the previous phase.

Finally, the results of the DPIA must be incorporated into the management of the project, or into the regular management of the organisation's activities, that has been analysed.

The DPIA Guidelines were proposed as a reference not only for public organisations and private companies in Argentina and Uruguay, but also for the entire region.

7.5. Data protection officer appointment

There is currently no obligation to appoint a data protection officer ('DPO'). However, the Bill does include such a requirement.

7.6. Data breach notification

As discussed in section 6 above, the Recommended Security Measures reach the entire cycle of processing and conservation of personal data, from its collection to its destruction, passing through access controls, actions aimed at its backup and recovery, the management of vulnerabilities, and security incidents.

In connection with this last point, it is important to highlight that the Recommended Security Measures include a new protocol for reporting security incidents, again approaching the provisions of the GDPR.

Section G.1.3. of Annex I and Annex II, attached to Resolution 47/2018, which contain the Recommended Security Measures in the electronic and non-electronic context, respectively, states that, in case of a security breach, controllers and processors must notify the AAIP of the incident accompanying a report of the security incident that contains as a minimum:

  • the nature of the violation;
  • the category of affected personal data;
  • an identification of affected users; and
  • the measures taken by the person responsible to mitigate the incident and measures applied to avoid future incidents.

However, it should be noted that the Recommended Security Measures.

7.7. Data retention

Section 4(7) of the Act provides that data must be destroyed whenever it is no longer necessary or relevant for the purposes for which it has been collected. Pursuant to this general principle, the applicable time limit must be determined on a case-by-case basis depending on the necessity and relevance of the data.

The Act also provides two particular rules on this issue, applicable to outsourcing and credit report operations:

  • in the case of third-party processors, upon compliance with the contractual covenant, processed personal data must be destroyed, except when there is express authorisation to retain it on behalf of the person to whom such services are delivered, or if future services are reasonably expected, in which case data may be stored under proper security conditions for a maximum two-year period (Article 25(2) of the Act); and
  • in the case of credit reporting agencies, only personal data relevant to assessing the economic and financial worthiness of an individual during the last five years may be kept on file, recorded, or reported (such a term may be reduced to two years if the debtor pays the debt and provides evidence of such payment) (Article 26(4) of the Act).

Likewise, certain specific data, which may or may not be personal data, must be stored for a minimum period of time under other regulations. In tax matters, Section 48 of Decree 1397/79 sets forth a period of 10 years for the conservation of certain documentation, such as invoices and receipts, among others. Similarly, Section 328 of the Code sets forth a period of 10 years for the conservation of accounting documentation.

7.8. Children's data

The Act does not contain any express provision regarding minors, nor does it establish under which circumstances the consent of a minor would be valid. However, the AAIP has established the 'Guiding criteria and indicators of best practices in the application of the Act' ('the AAIP Criteria') (Resolution 4/2019, mentioned above), which match the Code's criteria.

In this connection, the Code presumes that minors (children under 18 years old) lack the capacity to exercise their rights, but it distinguishes between minors under 13 years old (non-adolescents) and those aged 13 or over (adolescents). While the former lack discernment and consequently cannot perform voluntary lawful acts (an irrebuttable presumption), the latter may perform voluntary acts permitted by law if they are mature enough. The Code also sets forth that small-value everyday contracts entered into by minors are presumed to be entered into by their parents. Legal scholars assert that this presumption encompasses both adolescents and non-adolescents.

In the same vein, the AAIP Criteria states that minors may give informed consent for the processing of their personal data considering their psychophysical characteristics, aptitude, and development. If the minor does not have sufficient capacity to provide informed consent, his/her guardian must give consent. In such case, the data controller (person or entity who receives the consent) must make reasonable efforts to verify that the consent was given by the holder of parental responsibility, taking into account the possibilities to do so.

Additionally, it is worth mentioning that the Bill considered that in relation to the offer of information society services specially designed or suitable for a child, the processing of the personal data of a child should be lawful where the child was at least 13 years old.

7.9. Special categories of personal data

Section 7.4 of the Act states that 'data regarding criminal or contraventional records can only be processed by the competent public authorities, within the framework of the respective laws and regulations.'

However, this categorical prohibition has been softened by some resolutions issued by the AAIP. In this sense, the AAIP has argued that, 'for the creation of a database with the characteristics intended by the plaintiff [i.e., a database regarding criminal records], it will be necessary to obtain the express consent of each one of the informed or the existence of a law supplying that consent' (Disposition 05/2003 of the PDP).

The AAIP has also maintained this criterion in Resolution 159/2018, which approved the 'Guidelines and basic contents of binding corporate rules' for international transfers among companies of the same economic group. Among the basic content to be included in the corporate rules is the principle that databases of criminal and/or contraventional records are not to be formed, 'except with the express consent of the owner of the data.'

In view of the above, it can be considered that, under the Regulations, the controller can process criminal data on the condition that the data subject has given their prior, express, and informed consent to such processing.

As for the retention period of the data, the Act states that data shall be destroyed whenever it is no longer necessary or relevant for the purposes for which it has been collected. This general principle can be deemed to apply to criminal records data as well. Thus, in the case of criminal record data of employees, it can reasonably be considered that the data may be kept for the duration of the contractual relationship and, after that, until the legal limitation period has expired. After that term, the data should be destroyed.

7.10. Controller and processor contracts

Although the Act does not expressly state so, it is generally agreed that the processing of personal data can be outsourced to third-party service providers without requesting the prior consent of the data owners. However, the controller and the processor must execute an agreement which states, in particular, that the processor can only process the data following the instructions of the controller and that the processor must comply with the security and confidentiality obligations set forth by the Act.

Section 25 of the Act states that the processor cannot use the data for any purpose other than the one appearing in the corresponding contract for the provision of the services, nor can it disclose the data to other parties, not even for storage purposes.

According to Section 11 of the Act and Disposition No. 60/2016 (only available in Spanish here), the controller and the processor are jointly and severally liable before the AAIP and the data owner for compliance with the legal and regulatory obligations. However, the processor may be totally or partially exempt from liability if it proves that the cause of the damage cannot be attributed to it.

Once the corresponding contractual obligations have been performed, the service provider must destroy the data, except when the database controller foresees the possibility of future assignments and so instructs the service provider to keep the data (for a maximum additional term of two years).

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

According to Section 6 of the Act, data subjects must be informed in an express and clear manner about:

  • the purposes for which data will be processed and any possible third-party addressees or types of addressees;
  • the existence of the relevant database and the identity and address of its controller;
  • whether providing the information is mandatory or voluntary and the consequences of refusing to provide information or providing false information; and
  • the possibility to access, update, correct, and delete their data, and the mechanism to do so.

8.2. Right to access

Section 14 of the Act provides that data subjects have the right to request and obtain information about their personal data held in databases. According to Section 4(6) of the Act, data must be stored in a way that enables data subjects to exercise their right of access. The data controller or data user must provide the requested information within ten calendar days from the request.

8.3. Right to rectification

On the other hand, Section 16(1) of the Act establishes that data subjects have the right to require the rectification, update, and, where applicable, the suppression or confidentiality of their data stored in databases. The data controller or data user of such databases must take all the relevant measures within a maximum of five business days, following the receipt of the data subject's claim or gaining knowledge of the error (Section 16(4) of the Act).

8.4. Right to erasure

Not applicable.

8.5. Right to object/opt-out

Not applicable.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

According to Resolution 4/2019, in the event that the data controller makes decisions based solely on the automated processing of data that produce pernicious legal effects to the data subject or negatively affect him/her, the data subject will have the right to request an explanation of the logic applied in that decision, in accordance with section 15, paragraph 1 of the Act.

8.8. Other rights

If the above requests are not duly fulfilled, the data subject is entitled to file a special judicial claim for the protection of personal data or habeas data, as set forth under Sections 33 to 43 of the Act.

In the case of transfer or assignment of data, the data controller must notify the transferee of the rectification or deletion within the fifth business day after the data has been processed.

The right to suppression applies in cases of falseness, inaccuracy, or outdated information, or when the processing of the data is prohibited by the Act (Section 33 of the Act).

Suppression does not apply when it could damage the rights or legitimate interests of third parties, or when there is a legal obligation to keep the data.

9. PENALTIES

According to Article 31 of the Act and Regulation No. 7/2005 (only available in Spanish here), as modified by Regulation No. 9/2015 (only available in Spanish here), on the classification of infringements and the gradation of penalties to be imposed in cases of data protection violations, the AAIP may impose administrative sanctions consisting of warnings, suspensions, fines from ARS 1,000 to ARS 100,000 (approx. €10 to €1,028), closure, or cancellation of the database.

The amount of the sanction is determined according to the nature of the rights affected, the volume of the data processing, the benefits obtained, the degree of intentionality, the recidivism, the damages caused to the interested persons and to third parties, as well as any other relevant circumstances.

Sanctions are grouped into three different categories:

  • basic level, or minor infringements, which includes up to two warnings and a fine from ARS 3,000 (approx. €31) to ARS 25,000 (approx. €257);
  • mid-level, or serious infringements, which includes up to four warnings and/or suspension from one to 30 days and a fine from ARS 25,000 (approx. €257) to ARS 80,000 (approx. €823); and
  • critical level, or very serious infringements, which includes up to six warnings and/or suspension from 31 to 365 days and/or closure or cancellation of the file, register or databank, and a fine from ARS 80,000 (approx. €823) to ARS 100,000 (approx. €1,028).

In December 2016, the AAIP issued Regulation No. 71-E/2016 (only available in Spanish here) to set limits on the sanctioning system created by Regulation No. 7/2005 and its amendments. Regulation No. 71-E/2016 establishes that when a condemnatory administrative act includes more than one pecuniary sanction for identical conduct, the following caps apply:

  • for minor infringements penalties, up to ARS 1,000,000 (approx. €10,290);
  • for serious infringements penalties, up to ARS 3,000,000 (approx. €30,880); and
  • for very serious infringements penalties, up to ARS 5,000,000 (approx. €51,460).

Criminal penalties

Article 117-bis(2) of the Argentine Criminal Code Law No. 11.179 ('the Criminal Code') (only available in Spanish here) sets forth that any person who knowingly furnishes to a third party false information contained in any given personal data record may be imprisoned for six months to three years. Article 117-bis(3) of the Criminal Code establishes that the sentence may be increased by half the minimum sentence and half the maximum sentence if any person sustains damage as a result.

Article 156 of the Criminal Code, on the other hand, states that penalties of ARS 1,500 to ARS 90,000 (approx. €15 to €926) and suspension from six months to three years, can be imposed on employees who gain access to confidential information, the disclosure of which could generate damages, and disclose it without authorisation and/or legal or justified cause.

Finally, Article 157-bis of the Criminal Code sets forth that imprisonment of one month to two years may be imposed on anyone who:

  • knowingly and unlawfully or in violation of data confidentiality and security systems, accesses in any way a personal databank;
  • unlawfully provides or discloses to third parties information registered in a personal databank which should be kept confidential in accordance with the law; or
  • unlawfully inserts data in a database, or has it inserted.

Habeas data and liability for damages

Additionally, individuals affected by unlawful data processing may file a specific civil lawsuit called habeas data (Article 33 to 43 of the Act). In addition to the specific habeas data action, the data subject may also file a general claim for damages. However, as in any claim for damages, the success of the claim is subject to four basic requirements, which must be proven by the claimant:

  • illegality of the damaging action;
  • real and actual damage;
  • a cause-effect relationship between the action and the damage; and
  • negligence, wrongful misconduct, or objective liability.

Local courts have, however, repeatedly assumed the existence of moral damage in cases of inaccurate credit reports without the need for any evidence.

9.1 Enforcement decisions

Resolution No. 69/2020: Sanction against Google for denying the right to access (only available in Spanish here)

On 13 April 2020, through Resolution No. 69/2020, the companies Google Argentina SRL and Google LLC were sanctioned by the AAIP for failing to comply with the Act, after not allowing a user to access her own personal data.

The AAIP filed an investigation based on a request regarding the right to access of an individual who requested access to the information in her Gmail account and related applications. She claimed that an unauthorised third party changed her passwords and that the company denied her request for the right to access.

The Resolution issued by the AAIP was based on the following grounds:

  • The Act as an imperative rule of public order with territorial application: By means of the Resolution, the AAIP emphasised that the Act contains provisions that are imperative rules of public order applying to the entire territory of the Argentine Republic (according to Section 44 of the Act). Additionally, the Resolution reasserts that the AAIP and the federal courts have jurisdiction throughout the country over the controllers of interconnected databases that have inter-jurisdictional, national, or international scope, to the extent that data of Argentine data subjects is processed or that, in any other way, the processing of data connects with, or produces effects in, the Argentine Republic (by interpreting Section 36.b of the Act).
  • Google LLC's acknowledgment with respect to the mandatory application of the Regulations and Argentine jurisdiction: It was highlighted that Google LLC did not challenge the jurisdiction of the Argentine federal courts nor the mandatory application of the Act but only challenged the competence and authority of the AAIP. In this regard, Google LLC opposed the AAIP's requirement arguing that a court order issued by a competent court should relieve Google LLC of its confidentiality obligation under the Act.
  • Disregard of the wrong-entity argument: The AAIP held Google Argentina liable with regard to the administration of the Gmail service provided by Google LLC as a related company, and recognised Google Argentina's passive procedural standing in the complaint and action filed, due to the economic interdependence between the two companies. In this regard, the AAIP indicated that the advertising services provided by Google Argentina, which operate as a platform for advertisements or as tools to extract personal data from users that facilitate advertising microtargeting and make the collection and processing of personal data carried out by Google LLC profitable, are strictly related to the services provided by Google LLC and depend on their existence and availability.
  • Notice and summons to Google LLC in Google Argentina's domicile: The AAIP indicated that Google Argentina represents Google LLC within the territory of the Argentine Republic for the purposes of its notification and location in the procedure.
  • Data subject's rights: The AAIP concluded that none of Google's arguments were sufficient to prove an exception to the right to access. Also, it was stated that the Act prescribes that the personal data should be stored in a way that allows the exercise of the right of access of the data subject, so it was considered inadmissible that Google Argentina did not deal with a request to access referring the claim to Google LLC located in the US.

Likewise, it was considered unacceptable that Google LLC did not contemplate alternative mechanisms to the standard mechanism that is available on its website for the recovery of account or information since both Google Argentina and Google LLC were in a position to provide additional technical assistance, either at their offices in Buenos Aires or through some telecommunication mechanism.