Argentina: An overview of Vendor Privacy Contracts
1. Governing Texts
- Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act')
- Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish) ('the Decree'), amended by Decree No. 1160/2010 (only available in Spanish), which introduced additional rules for the implementation of the Act
- Resolution No. 47/2018 which approved the Recommended Security Measures for the Processing and Conservation of Personal Data (only available in Spanish) ('the Recommended Security Measures')
1.2. Regulatory authority guidance
The Argentinian data protection authority ('AAIP') has issued the following guidance:
- Resolution No. 4/2019 on the application and interpretation of the Act (only available in Spanish).
1.3. Regulatory authority templates
The AAIP has issued the following resolution:
- Resolution No. 159/2018 (only available in Spanish).
The Ministry of Justice and Human Rights ('the Ministry') issued the following:
- Resolution 60–E/2016 on model clauses for international transfers of personal data (only available in Spanish) ('the International Transfers Resolution').
Data controller: There is no definition of 'data controller' within the Act. However, Section 2 of the Act defines 'the person responsible for a data file, register, bank or database' as the natural person or legal entity, whether public or private, that owns a data file, register, bank or database. Moreover, 'data user' is defined as any person, whether public or private, performing at their discretion the processing of data contained in data files, registers, databases, or databanks, whether owned by them or to which they may have access through a connection.
Data processor: There is no definition of 'data processor' within the Act. However, Section 10(1) of the Act states that those responsible for and all persons taking part in any stage of the processing of personal data have a professional duty of secrecy in respect of the said data. Such duty must subsist even after the relationship with the data file owner has expired.
3.1. Are there requirements for a contract to be in place between a controller and processor?
The Act states that the processor cannot use the data for any purpose other than the one appearing on the corresponding contract for the provision of the services, nor can it disclose the data to other parties, not even for storage purposes (Section 25(1) of the Act).
The Decree notes that the carrying out of processing on request must be regulated by a contract that binds the person in charge of the processing with the person responsible or user of the processing (Section 25 of the Decree).
3.2. What content should be included?
The Act notes that once the corresponding contractual obligations have been performed, the service provider must destroy the data, except when the database controller foresees the possibility of future assignments and so instructs the service provider to keep the data (for a maximum additional term of two years) (Section 25(2) of the Act).
The contract mentioned under Section 25 of the Decree must include:
- that the person in charge of the processing only acts following instructions of the person in charge of the processing;
- that the obligations of Section 9 of the Act are also incumbent on the data controller.
4.1. Are processors required to assist controllers with handling of data subject requests?
Where data is being transferred or shared, the person responsible for the processing or the user of the data bank must notify the third party of such suppression within five business days of the data processing being affected (Section 16(4) of the Act).
For further information see Argentina – Data Subject Rights.
5.1. Are processors required to keep records of their processing activities?
Private and public files, registers, databases, and databanks that are intended to provide reports are required to register with the AAIP's registry (only available in Spanish) (Article 21(1) of the Act).
For further information on these notification/registration requirements, see Argentina – Data Processing Notification.
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
The Act does not provide information on processors being required to implement specific security measures. However, Annexes 1 and 2 of the Recommended Security Measures provide, respectively, for the security of computerised and non-computerised personal data, with regard to the following:
- data collection;
- access control;
- change control;
- backup and recovery;
- vulnerability management;
- destruction of information;
- security incidents;
- development environments; and
- information retention (with regard to non-computerised personal data).
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
The Act does not provide information on processors being required to notify controllers in the event of a breach.
For further information see Argentina – Data Breach.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
The Act does not provide information on subprocessors being regulated.
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
The Act prohibits the cross-border transfer of personal data from Argentina to other countries if these countries do not provide an adequate level of protection, unless (Section 12 of the Decree):
- the data subject has consented to such international transfer;
- there is an agreement regulating the data transfer; or
- the parties have self-regulated the transfer by establishing binding corporate rules.
The International Transfers Resolution of the Ministry approves two sets of model clauses either for the assignment of personal data or for outsourcing activities outside of Argentina.
For further information see Argentina – Data Transfers.
10.1. Are processors required to assist controllers with regulatory investigations?
The Act does not provide information on processors being required to assist controllers with regulatory investigations.
11.1. Are processors required to appoint a DPO / representative?
The Act does not provide information on processors being required to appoint a data protection officer ('DPO').
For further information see Argentina – Data Protection Officer Appointment.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
According to the Act, recipients are subject to the same regulatory and legal obligations as the person responsible for the data file, and the latter must respond jointly and severally for the observance of such obligations (Section 11(4) of the Act).
Authored by OneTrust DataGuidance