1. Governing Texts

1.1. Legislation

Data protection is the area of law that protects personal data and that constitutes a set of rules that guide companies and organisations in the use of personal information which identifies individuals. In addition, it refers to the standards to be applied for the management of information about people, and the practices that must be followed to reach and maintain those standards. As such, all banks must comply with data protection rules.

The main regulations connected to the financial sector, and which are relevant to privacy and data protection matters are those related to bank secrecy. Argentine law has recognised the principle of bank secrecy consisting of both a bank's right to protect the privacy of its records and proprietary commercial information, as well as a customer's right to privacy.

The bank's duty of confidentiality was construed on the basis of the customers' constitutional right of privacy provided by Section 19 of the Constitution of the Argentine Nation and a combination of various other provisions in the Civil and Commercial Code (only available in Spanish here), the Criminal Code (only available in Spanish here), and the Civil and Commercial Procedural Code (only available in Spanish here). Currently, bank secrecy is provided in Section 39 of Financial Entities Act No. 21.526 (only available in Spanish here) ('the Financial Entities Act').

On the one hand, the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Data Protection Act') regulates personal data collection and data processing, and assumes that data processing involves some risks for the data subject's rights. The Data Protection Act was regulated by Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here) ('the Decree') and further complementary rules.

Recently, a new Argentine Data Protection Bill ('the Data Protection Bill') (only available in Spanish here), which follows the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was introduced in the National Congress of Argentina. The Data Protection Bill may be approved in 2020/2021.

Section 26(1) of the Data Protection Act states that in the provision of credit information services, personal data related to economic solvency and credit can be processed when obtained from public sources, or from information provided by the interested party, or with his/her consent. At the same time, processing of personal data related to the fulfilment or non-fulfilment of obligations of patrimonial content provided by the creditor, or by whoever acts on his/her behalf, or interest is allowed.

In addition, Section 26(5) of the Data Protection Act provides that the provision of credit information services shall not require the prior consent of the data subject for the purpose of their transfer, nor the subsequent communication thereof, when they are related to business or credit activities of the transferor.

On the other hand, the Financial Entities Act addresses the duty of confidentiality applicable to banks (subject to exceptions). Specifically, Section 39 states that financial entities may not disclose the operations they carry out, or the information that they receive from their clients.

The Financial Entities Act governs all entities (both public and private) who act as intermediaries in the supply and demand of financial resources in Argentina, such as commercial banks, investment banks, mortgage banks, financial companies, savings, and loan cooperatives, etc.

It should be noted that, so far, there have been no specific sanctions against the financial sector in connection with privacy and data protection. However, the Argentinian data protection authority ('AAIP') recently fined Yahoo! Inc. for non-compliance with the Data Protection Act. In particular, the fine was imposed for maintaining databases, software, and equipment which contained personal data without the appropriate security conditions, and for not correctly informing any modifications to or cancellations of their databases to the National Registry of Databases (only available in Spanish here).

In addition to the above, on 2 July 2021 the Argentine Central Bank ('BCRA') published Communication 'A' 7319 ('the Communication') (only available in Spanish here) which seeks to incorporate reliable identity verification procedures for pre-approved bank loans.

The Communication establishes that entities must reliably verify the identity of the user (borrower) using positive identification techniques, that is, through identity verification and validation processes, that reduces uncertainty through the use of techniques complementary to those usually used. Among these are actions related to: personal identity verification, through holographic signature and presentation of identity document, through series of challenge questions with variable context, among others.

Likewise, it also specifically established that the contact details indicated by the user of financial services should not have had recent modification.

The Communication establishes the mandatory application of the requirement previously detailed, on all pre-approved credit operations carried out through all available electronic channels (automated teller machines ('ATMs'), TAS, BI and BM). This Communication will come into effect on 7 September 2021.

1.2. Supervisory authorities

Each one of the aforementioned regulations has its own particular supervisory authority.

The AAIP is the state body in charge of the application and compliance of the Data Protection Act and has the power and duty to dictate the rules and regulations that must be observed in the development of the activities regulated by the Data Protection Act. Section 29 of the Data Protection Act specifically determinates all functions and powers of the supervisory authority.

Likewise, the BCRA is the supervisory authority in charge of the application of the Financial Entities Act. According to Article 4 of the Financial Entities Act, the BCRA shall be in charge of the enforcement of the law. It shall direct the regulations that are necessary for the fulfilment of the Financial Entities Act, to which it shall establish regulations and differentiated requirements that weigh the class and legal nature of the entities, the quantity and location of their offices, the operating volume and the economic and social characteristics of the sectors served and dictate specific rules for credit unions. The BCRA shall also supervise the entities included therein.

Another entity worth mentioning is the Argentine Financial Information Unit ('UIF'). The UIF is a financially autonomous body in charge of the analysis, processing, and transmission of information for the purpose of preventing and deterring money laundering and the financing of terrorism. All parties are bound to comply with the provisions and resolutions issued by the UIF (which are determined by Section 20 of Law No. 25.246), and must report any suspicious activities or operations.

2. Personal and Financial Data Management

The collection, processing, and transfer of personal financial data on behalf of financial entities is governed by the Data Protection Act. In this sense, financial entities are bound to comply with the Financial Entities Act, in addition to the Data Protection Act. This creates a difference or disadvantage for financial entities as compared to financial technology ('Fintech') companies, which are bound only by the Data Protection Act.

2.1. Legal basis for processing

According to the Argentine data protection regulations, data processing is lawful when the data subject has given his/her free, express, and informed consent. In other words, the data subject's consent is the legal basis for data processing. However, Section 5(2) of the Data Protection Act states certain exceptions in which data can be processed without consent.

With respect to this particular topic, the relevant exceptions to waive consent are the following:

• when data processing arises from a contractual relationship; and
• in operations carried out by financial entities regarding the information they receive from their customers in accordance with the provisions of Section 29 of Financial Entities Act.

The Decree has developed the meaning of 'financial entities' and established that this term includes persons covered by the Financial Entities Act, credit card issuers, financial trusts, former financial entities liquidated by the BCRA, and those subjects expressly included by the control body of this law.

Once the Data Protection Bill is approved, it will considerably amplify the exceptions to consent for data processing.

2.2. Privacy notices and policies

Even though there are not any sector-specific requirements for financial entities to provide customers with notice of the entities' privacy policies and practices, both financial entities and Fintech companies are bound to meet the privacy requirements established by the Data Protection Act and complementary regulations.

Section 6 of the Data Protection Act states that when personal data is collected, the data subjects must be expressly and clearly informed in advance about the following:

• the purpose for which data will be processed and who its recipients are;
• the existence of any database or databank in which data will be stored;
• the mandatory or optional nature of the replies to questionnaires, specifically in matters related to sensitive data;
• the consequences of providing the data, of refusing to provide the data, or of the inaccuracy of the data; and
• the possibility for the data subject to exercise rights of access, rectification, and deletion of the data.

Simultaneously, it is advisable that privacy policies follow Disposition No. 3/2012 (only available in Spanish here) which contains the basic guidelines for a privacy policy.

2.3. Data security and risk management

In relation to data security, the Data Protection Act determines, in Section 9(1), the obligation for the controller and the processor responsible for a database to adopt the necessary technical and organisational measures to guarantee the security and confidentiality of personal data, in order to avoid its alteration, loss, unauthorised consultation, or processing, to detect the deviations, intentional or not, of information, and whether the risks derive from human action or the technical means.

In this sense, the AAIP issued Resolution 47/2018 (only available in Spanish here) ('the Security Resolution') which established security measure recommendations for the processing and storage of personal data. The Security Resolution allows processors and controllers to adopt the measures that they think are correct, as long as they are consistent with the principles established in the Security Resolution.

The Security Resolution indicates all the measures that should be taken into account to comply with data security obligations, instead of imposing specific actions, pre-established formats, or technologies that may or may not be the most appropriate.

In addition, Communication 'A' 6209 (only available in Spanish here) from the BCRA provides financial entities with the minimum operational requirements and the procedures that must be carried out for the development and control of information systems. These must be designed to provide a reasonable degree of security in relation to meeting the objectives set out in Communication 'A' 6209.

2.4. Data retention/record keeping

Section 4(7) of the Data Protection Act stipulates that all data should be destroyed when it is no longer necessary or relevant to the purposes for which it was collected. Therefore, there is no specific data retention period mandated by law, and data can be kept for as long as it is relevant for the purpose for which it was collected.

As a common practice, data records are usually kept for five years, taking into consideration that the Argentine Civil and Commercial Codes determine the generic statute of limitation term for five years.

On the other hand, Resolution 30-E/2017 (only available in Spanish here) ('the Anti Money Laundering Resolution'), issued by the UIF, determines in Article 17(2) that entities must preserve all documents accrediting the operations carried out by clients, for a period of no less than ten years, starting from the date of the operation. Also, client and owner/beneficiary documentation collected through due diligence processes, documents obtained for analysis, and any other documentation obtained and/or generated in the application of due diligence measures, should be retained for a period of no less than ten years, starting from the date of the termination of the client/customer relationship.

The records of such documents must be protected against unauthorised access and must contain sufficient information to allow the reconstruction of the transaction.

In addition, the BCRA stated in its Communication 'A' 6110 (only available in Spanish here) that financial entities may, under their sole responsibility, opt for the procedures and terms they deem most convenient for the conservation, custody, or filing of the receipt related to their operations.

3. Financial Reporting and Money Laundering

The Data Protection Act does not contain specific provisions in relation to financial reporting and money laundering. Security measures and obligations are all the same for any processor and/or controller of any kind of database. However, Section 26 of the Data Protection Act regulates the provision of financial information services.

Conversely, there are specific financial dispositions issued by the BCRA and the UIF, which aim to regulate all legal requirements on the collection, processing, and storage of data in relation to financial reporting and money laundering.

On the one hand, BCRA issued Communication 'A' 6639 (only available in Spanish here) which regulates bank accounts. As a financial entity, the bank is required to identify, in detail, the bank account holders and the persons authorised to operate the accounts. Also, Section 1.4.1 of Communication 'A' 6639, states that entities shall adopt internal rules and procedures aimed at preventing the accounts from being used in connection with the development of illicit activities.

On the other hand, the Anti Money Laundering Resolution of the UIF establishes the entities' obligations to know your customer ('KYC'), as well as the obligation to keep the documents that accredit the operations carried out by their clients for a specific term.

Article 21 of the Anti Money Laundering Resolution states that, 'the entity must have policies and procedures that allow it to acquire sufficient, timely and updated knowledge of all clients, verify the information provided by them and carry out adequate monitoring of their operations. Due diligence stages will be carried out taking into account the Risk Profiles assigned to each client.'

4. Banking Secrecy and Confidentiality

Argentine regulations stipulate banking secrecy/confidentiality obligations, particularly in Section 39 of the Financial Entities Act. In this sense, Section 39 prohibits financial entities to reveal passive operations they carry out. In other words, these entities are not allowed to disclose their client's financial information related to passive operations.

Notwithstanding the foregoing, the confidentiality duty does not apply when the disclosure is requested by:

• a court, in a judicial proceeding;
• the BCRA;
• the tax authorities; and
• other banks and financial entities (with the BCRA's prior authorisation).

In addition, Section 39 of the Financial Entities Act states that the bank's personnel are prohibited from disclosing any information about the bank's customers.

In addition, Section 40 of the Financial Entities Act establishes that any information received or collected by the BCRA, in the performance of its duties, which are linked to passive operations, must remain strictly confidential.

5. Insurance

There are no specific provisions for the purpose of collecting and processing personal data related to the insurance industry. This type of data must be collected and processed under the standards and obligations imposed by the Data Protection Act.

When collecting and processing insurance personal data, it is really important to take into consideration what type of data is being processed. Due to the characteristics of the insurance activity, sensitive personal data might be involved. In this sense, data controllers and processors of sensitive data must follow specific obligations given by the Data Protection Act.

Section 2 of the Data Protection Act defines sensitive data as 'personal data revealing racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, labour union membership, and information concerning health conditions or sexual habits or behaviour.' According to the academic opinion, the term 'sensitive data' includes all data that could, in any way, cause discrimination.

6. Payment Services

Even though there is no specific legislation that regulates payment service providers, financial entities are required to comply with certain provisions that, simultaneously, make payment service providers comply as well.

In this sense, financial entities are subject to Communication 'A' 6017 (only available in Spanish here) which contains the minimum requirements for the management, implementation, and control of risks related to IT, information systems, and associated resources for financial entities.

For example, Communication 'A' 6017 extends to financial entities involved in the provision, by themselves or by third parties on their behalf, of financial services through electronic channels, such as:

• ATMs;
• self-service terminals;
• mobile banking;
• telephone banking;
• internet banking;
• points of sale; and
• mobile payment platforms.

In this way, the security requirements established in Communication 'A' 6017 must be adopted by financial entities. Furthermore, financial entities must ensure the compliance of payment services providers who work on behalf of said entities with Communication 'A' 6017.

In addition to the above, financial entities are required to comply with Communication 'A' 6885 ('the PSP Rules') (only available in Spanish here) issued by the BCRA, which provide further regulations for the activity of payment service providers ('PSP'), their definition, and mandatory operating conditions.

In this sense, the BCRA defines PSP as, 'all legal entities that, without being financial institutions, carry out at least one function within a retail payment scheme, within the overall framework of the Argentine payment system, such as offering payment accounts.' Payment schemes are systems of commercial, technical, and/or operational rules that enable transfers of funds or payments involving at least three parties: a payer, a receiver, and one or more PSP.

Section 2 of the PSP Rules established that PSP offering payment accounts should register in the 'Registry of Payment Service Providers Offering Payment Accounts of the BCRA, within 30 calendar days after 1 March 2020.

Finally, Section 3 of the PSP Rules establishes certain conditions for the operation of PSP, which are involved with the following subjects:

• administration of funds;
• reporting and monitoring regime;
• transparency regime; and
• transfers to funds sent from and received into payment accounts.

7. Data Transfers and Outsourcing

There are no specific financial provisions with regards to the transfer of financial data, and all national and international transfers must be regulated by the requirements set by the Data Protection Act.

Data transfers and outsourcing services carried out by financial entities are subject to the Data Protection Act.

In this sense, Sections 11 and 12 of the Data Protection Act regulate data transfers within the country and to other jurisdictions. In particular, Section 11(1) of the Data Protection Act states that personal data may only be transferred for the purposes directly related to the legitimate interest of the transferor and the transferee, and with the prior consent of the data subject. In addition, the data subject must be informed about the purpose of the transfer and identify of the transferee or the elements that allow the performance of the transfer. However, there are several exceptions that allow the data transfer without the prior data subject's consent, which amongst others includes the following (Section 11(3) of the Data Protection Act):

• when a law provides;
• in the events provided in Section 5(2) of the Data Protection Act; and
• when information has been dissociated, in a way data subjects are unidentifiable.

Regarding international data transfers, Section 12(2) of the Data Protection Act prohibits such transfers to jurisdictions that do not provide adequate levels of protection in the light of Argentine regulation.

However, the Decree enables transfers to jurisdictions with non-adequate levels of protection with the prior data subject's consent. At the same time, Disposition 60/2016 (only available in Spanish here) allowed international data transfers to non-adequate jurisdictions without the data subject's consent as long as the parties enter into a data transfer agreement that ensures personal data security. Disposition 60/2016 also introduced the model clauses for such agreements.

Finally, Resolution No. 159/2018 (only available in Spanish here) introduced the guidelines and basic contents of binding corporate rules ('BCRs'), by which international data transfers may be performed by group companies that adopt BCRs to ensure the security of personal data. Therefore, both consent and the data transfer agreement can be waived. Those companies that transfer personal data outside Argentina must file their applicable BCRs to the supervisory authority for approval within 30 days of the transfer.

With regards to outsourcing, Section 25 of the Data Protection Act states that whenever personal data processing services are provided on behalf of third parties, they may not be used for a purpose other than that which is stated in the agreement, and must not be transferred to other persons, even for the storage purposes.

In addition, Article 25 of the Decree orders that agreements with service providers must contain the levels of security provided for in the Data Protection Act.

8. Breach Notification

In relation to data breach notification rules, the AAIP issued the Security Resolution which establishes security measures recommendations for the processing and storage of personal data. In this sense, Subsection E of the Security Resolution refers to security incidents that may affect personal data, their detection, evaluation, containment, and treatment, and establishes recommendations and guidelines on how to act in the event of a security incident.

Argentine data protection regulations do not establish the duty to notify regulators, clients, or consumers of a data breach, and neither does specific financial regulation.

The Security Resolution is not mandatory and is seen as a recommendation from the AAIP.

9. Fintech

On 9 January 2020, the BCRA issued Communication 'A' 6859 (only available in Spanish here) to establish greater regulatory control over Fintech companies by requiring greater transparency from PSPs particularly in regards to having systems in place to identify and isolate the funds held on virtual wallets by their clients.

10. Enforcement

The AAIP is empowered to impose administrative sanctions for violations of the provisions of the Data Protection Act.

These may include warnings, suspensions, fines of up to a maximum amount of ARS 100,000 (approx. €869), and closure or cancellation of the file, register, or database. The Data Protection Act also establishes criminal penalties for the violation of any of the rights protected by law.

In addition, the infringing party may face responsibility for damages arising for the non-compliance of the Data Protection Act. The AAIP exhibits in its website a Registry of Infringers to the Data Protection Act (only available in Spanish here) with the corresponding dates, type of sanctions, and status of payment.

In relation to violations of bank secrecy, the BCRA is empowered by the Financial Entities Act to impose the corresponding administrative sanctions. There are no specific amounts determined by law as a penalty for these cases. Also, pursuant to Section 4 of the PSP Rules, non-compliance with the regulations issued by the BCRA will carry the sanctions set forth in Section 41 of the Financial Entities Act.

11. Additional Areas of Interest

Due to the fast and constant evolution of technology, Fintech companies and financial entities are in the midst of numerous changes. For this reason, in the near future, it is likely that many regulatory changes will occur.

Pablo Palazzi Partner
[email protected]
Allende & Brea Abogados, Buenos Aires