Data Protected - Argentina

Contributed by Allende & Brea

Last updated January 2024

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Data Protection Act of Argentina, Law 25,326 (the “DPA”), and Regulation Decree 1558/2001, as well as Convention 108 and Convention 108+.

Entry into force

The DPA entered into force on November 2, 2000.

The Regulation Decree entered into force on November 29, 2001.

Convention 108 was ratified on June 1, 2019.

Convention 108+ was ratified on April 17, 2023. 

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Agency for Access to Public Information (the “Agency”)
Av. Pte. Gral. Julio A. Roca 710 – 3rd Floor
Ciudad Autónoma de Buenos Aires
C1067ABP

info@aaip.gob.ar

www.argentina.gob.ar/aaip/datospersonales

An English version of the Website is also available at the following link: https://www.argentina.gob.ar/aaip/english_version.

Notification or registration scheme and timing

Any personal database must be registered with the Agency. Registration requires the following information: (i) the name and domicile of the person in charge of that database; (ii) the characteristics and purpose of the database; (iii) the nature of the personal data contained in each file; (iv) the method of collecting and updating the data; (v) the recipients to whom such data may be transmitted; (vi) the manner in which the registered information can be interrelated; (vii) security measures; (viii) data retention period; and (ix) means for individuals to access, correct and update their data.

Registration of the database, and any modification or cancellation of the database must be processed online through the platform “Trámites a Distancia” (“TAD”) https://tramitesadistancia.gob.ar/tramitesadistancia/inicio-publico.

The databases that are usually registered include human resources, suppliers, customers, call centres, marketing and video surveillance.

Exemptions to notification

Private persons holding personal databases for exclusively personal uses are exempt from registration.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The DPA applies in the territory of Argentina and to any processing of personal data on the Internet.

Is there a concept of a controller and a processor?

The DPA applies to owners of databases of personal data (“data users”), a concept similar to that of controller. The DPA does not have the concept of processor.

Are both manual and electronic records subject to data protection legislation?

Yes. The DPA applies to “personal databases”. These include any data file, register, database, data bank or organised set of personal data which is subject to processing, either electronically or otherwise, regardless of the mode of collection, storage, organisation or access.

Are there any national derogations?

The use of personal databases for journalism is excepted from the law. The right of correction is excepted in cases of national security.

_____________________________________________________________________

Personal Data

What is personal data?

The DPA defines personal data as “information of any kind referring to certain or ascertainable physical persons or legal entities”. The person to whom the personal data relates is known as a “data subject”.

Is information about legal entities personal data?

Yes.

What are the rules for processing personal data?

The processing of personal data generally requires express consent from the data subject which must be accompanied by appropriate information, in a prominent and express manner, explaining the nature of consent sought.

However, consent to processing is not required where the data: (i) comes from a public source; (ii) is collected for the functions of the State; (iii) is collected under a legal duty; (iv) consist of lists limited to name, national identity card number, tax or social security identification, occupation, date of birth, and address; (v) arises from a contractual relationship; (vi) arises from a scientific relationship; or (vii) refers to the transactions performed by financial entities, and arises from the information received from their customers in accordance with the provisions of bank secrecy laws.

Additional restrictions apply to the disclosure of personal data. This is generally only permitted where it is in the legitimate interests of the database owner and the data subject has consented. This consent can be revoked. However, consent to the disclosure of personal data is not required where: (i) disclosure is provided for by law; (ii) one of the general data processing conditions (set out above) applies; (iii) the disclosure is directly between governmental agencies; (iv) the disclosure is for public health reasons and appropriate measures are used to hide the identity of individuals; or (v) the information is anonymised so individuals are not identifiable.

The recipient of the personal data will be subject to the same obligations as the person disclosing them and both parties are jointly and severally liable for any subsequent use.

Are there any formalities to obtain consent to process personal data?

Consent must be express and informed. It should be in writing or similar form depending on the circumstances. The DPA does not require any formality to obtain consent to process personal data. Moreover, the DPA permits obtaining consent online by clicking an appropriate icon, without the existence of any written form.

Are there any special rules when processing personal data about children?

Yes, consent of persons under 18 years of age must be given by a parent or legal guardian.

Are there any special rules when processing personal data about employees?

No additional rules apply.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data includes all the standard types of sensitive personal data. However, there is some debate about whether this is an exclusive definition and whether, for example, it might also cover information that could be used for discriminatory purposes even though, on its face, it is not discriminatory (e.g. an address or zip code from a low income neighbourhood).

Pursuant to Convention 108+ and Resolution 255/2022 issued by the DPA on December 15, 2022, genetic data and biometric data are expressly included within the sensitive data category. 

Are there additional rules for processing sensitive personal data?

No person can be compelled to provide sensitive personal data.

Sensitive personal data can only be processed: (i) where there are circumstances of general interest authorised by law; or (ii) for statistical or scientific purposes provided data subjects cannot be identified from that information.

The creation of personal databases that directly or indirectly reveal sensitive personal data is prohibited. However, the Catholic Church, religious associations, political parties and trade unions shall be entitled to keep a register of their members.

Are there additional rules for processing information about criminal offences?

Data referring to criminal offences can be processed only by competent public authorities for purposes established by law.

Are there any formalities to obtain consent to process sensitive personal data?

Consent must be express and informed. It should be in writing or similar form depending on the circumstances.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no obligation to appoint a data protection officer under the DPA. However, Disposition 3/2012 approved a new audit form that contains matters relating to data protection and security and requires a specific person to be designated to deal with those issues.

What are the duties of a data protection officer?

The DPA does not require a data protection officer, but it is common practice for companies to have one.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

No.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Whenever personal data is requested, the data subject must get express, clear and prior notification of: (i) the purpose for which the data shall be processed; (ii) the recipients or classes of recipients; (iii) the existence of the relevant personal database and the owner of that database; (iv) whether the provision of information is compulsory or discretionary; (v) the consequences of providing or refusing to provide data; and (vi) the data subject’s right of data access, rectification and suppression.

Rights to access information

Data subjects are entitled to access their personal data where it is included in a public database, or in a private database intended for the provision of reports. Requests can be made free of charge and at six-monthly intervals unless there is a legitimate reason for more frequent access. The requested information must be provided within 10 calendar days. Where the personal data relates to a deceased person, their heirs shall be entitled to exercise this right, on behalf of the estate.

The information must be provided clearly with an explanation of any codes or terms used in language that can be understood by a citizen with an average level of education. A full copy of the information about that data subject must be provided, even if the request only refers to one item of personal data.

The information may be provided in writing or by electronic, telephonic, visual or other means adequate to communicate that information to the data subject.

Rights to data portability

None.

Right to be forgotten

None.

Objection to direct marketing and profiling

Personal databases may be created for direct marketing purposes where the personal data within them: (i) was publicly available; (ii) was provided by the data subjects; or (iii) takes place with the data subjects’ consent.

The data subject may exercise the right of access free of any charge and the data subject may at any time request the withdrawal or blocking of his name from any of the databases referred to above.

Other rights

Every person has the right to rectify, update, and, when applicable, suppress or keep confidential his or her personal data included in a personal database. A number of specific rules apply to this process. In particular, if the personal data has been transferred to a third party, that third party must be notified of any rectification or suppression of personal data within five days of such amendments being made.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The security obligations in the DPA require data controllers and data processors to use measures to detect any unauthorised access or amendment to personal data.

There is also a duty of confidentiality that applies to any persons processing personal data. Such duty continues even after the relationship with the owner of the database has expired. The duty is only released by an order of the court or for reasons relating to public safety, national defence or public health.

In addition, the Agency approved a Resolution on the "Recommended Security Measures for the Processing and Conservation of Personal Data". This Resolution approved a set of recommendations for security measures to be implemented for the processing and conservation of personal data. The recommendations related to: (i) the collection of data; (ii) control of access to data; (iii) control of modifications; (iv) backup and recovery; (v) vulnerability management; (vi) information destruction; (vii) security incidents; and (viii) development environment.

Disposition 10/2015 of the Data Protection Authority regarding CCTV made it lawful to collect and process people’s digital images for security purposes. A security document is required and must be filed with the Agency on registration or the renewal of the databases.

Specific rules governing processing by third party agents (processors)

In addition to the duty of confidentiality (see above), any third party providing data processing services may: (i) only use the relevant personal data for the purposes specified on the corresponding service contract; and (ii) not disclose that personal data to any third party, even for storage purposes.

Once the service contract has been performed, the relevant personal data must be destroyed, unless the owner of that data gives clear instructions to preserve the personal data, in which case it may be stored securely for a maximum of two years.

Notice of breach laws

There is no legal obligation to notify any data breach to the regulator or the affected data subject under the Data Protection Act.

However, the Data Protection Authority issued Resolution 47/2018, which establishes the recommendation to notify any data breach as a demonstration of good practices. The notification must be made in order to prevent or mitigate damages to the data subjects.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Disposition 60-E/2016 published in the Official Gazette on 18 November 2016 approves new rules for the international transfers of personal data. The Disposition has officially recognised a list of countries as having an adequate level of data protection. This includes member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay. Recently, the Agency issued Resolution 34/2019 whereby the United Kingdom of Great Britain and Northern Ireland was admitted as a jurisdiction with adequate levels of protection for international data transfers.

The transfer of any type of personal information to countries or international or supranational entities which do not provide adequate levels of protection is prohibited. However, the prohibition does not apply to disclosures made: (i) for international judicial cooperation; (ii) for healthcare or anonymised personal data for the purpose of an epidemiological survey; (iii) for stock exchange or banking transfers; (iv) when subject to an international treaty to which the Argentine Republic is a signatory; (v) for international cooperation between intelligence agencies in the fight against organised crime, terrorism and drug trafficking; or (vi) where the data subject has expressly consented to the assignment.

Consent is not required for transfers of data from a register that is legally constituted to provide information to the public and which is open to consultation either by: (i) the public in general; or (ii) any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions are met.

Finally, an international data transfer agreement can be used to permit the transfer of personal data to a third country. In relation to this, the Disposition approved two standard model contracts for the transfer of personal data to countries that do not have adequate legislation on personal data protection. If the parties opt to use a different model agreement for the data transfer to non-adequate countries, or the agreement does not reflect the essential elements to provide an adequate level of protection provided in the standard model clauses, then such agreement will need to have the approval of the Agency within 30 days from its execution. In addition to the standard model contracts, the DPA issued Resolution No. 198/2023, which was published in the Official Gazette on October 18, 2023 and approved standard contractual clauses published by the Ibero-American Data Protection Network. The implementation of these clauses ensures that data flow complies with adequate protection standards set forth by the supervisory authorities which adopted them (such as Peru and Uruguay). These clauses do not replace but rather complement prior clauses set forth in the Disposition.

Notification and approval of national regulator (including notification of use of Model Contracts)

It is generally not necessary to notify or obtain approval from a national regulator for transborder dataflow.

However, as set out above, if the parties rely on an international transfer agreement, and the agreement is different to that set out in the Disposition, they will need the approval of the Agency.

Use of binding corporate rules

Resolution N° 159/2018, issued by the Agency, sets out new guidelines and basic contents for binding corporate rules (“BCR”). The Resolution states that BCRs must be binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries. Every company that makes international data transfers to jurisdictions with non-adequate levels of protection, and relies on self-regulation rules in order to justify the transfer, must submit these rules to the Agency for approval.

_____________________________________________________________________

Enforcement

Fines

Administrative sanctions can be applied by the Agency and consist of a warning, suspension, closure of a database or a fine of a maximum amount of ARS$15,000,000.

Sanctions are proportionate to the nature of the personal rights infringed, the volume of data processing, the benefits obtained as a result of the violation, the level of intentionality, the recurrence rate, the damages caused to third parties and interested persons, the number of data subjects affected and any other circumstances that can help to determine the seriousness and extent of the infringement.

Imprisonment

There is a range of criminal penalties including: (i) imprisonment for up to two years for knowingly inserting false information in a personal database; (ii) imprisonment for up to three years for anyone who knowingly provides a third party with false information contained in a personal database; (iii) imprisonment for up to three years for hacking into a personal database; and (iv) imprisonment for up to three years for disclosing confidential information from a database. These penalties can be increased if harm is caused to a data subject or the offence is committed by a public official in the exercise of his duties.

Compensation

The DPA does not specifically provide for compensation. However, compensation may be available under general principles of tort law.

Other powers

The Agency may issue administrative injunctions.

Practice

Fines: On June 6, 2019, the Agency penalized YAHOO! DE ARGENTINA S.R.L for not informing it of modifications or cancellations of their databases (ARS$105,000) and for maintaining local databases, programs or equipment which contained personal data without proper security conditions (ARS$80,000).

On September 9, 2021, the Agency sanctioned an important supermarket chain for not informing their clients that they were victims of a data breach involving their personal data caused by malware, and the subsequent sending of spam emails (phishing). The Agency concluded that CENCOSUD S.A. did not comply with the principle of security and confidentiality set forth in the DPA, and imposed a fine of ARS$290,000.

In addition to the sanctions referred to above, the Agency publishes all the resolutions it issues, whether they are communications or recommendations on the interpretation of local personal data regulations, as well as other sanctions the Agency imposes. You can access this portal through the following link.

Other enforcement action: Enforcement is relatively infrequent but there have been cases in which criminal complaints have been filed, for example against ChoicePoint for selling information about Argentinean citizens to the US government.

Between 2009 and 2022 the Agency conducted several audits of local companies including Internet companies, credit reporting agencies, supermarkets, home appliance stores, hotels, banks, pharmaceutical, Internet and insurance companies. Currently, the Agency is conducting approximately 3 to 7 company audits per week.

At the end of 2022, the Agency drafted an Annual Performance Report, through which it discloses statistical data about different aspects of its activity, such as complaints received and fines applied, among others.

Most of these sanctions were issued due to failure to register or renew registration of a Database. Others pertain to unauthorized data processing, failure to provide access to, rectification or suppression of the personal data of the data subject, failure to provide notice of the purpose of data collection and non-compliance with other data protection rules. Additionally, there were several fines imposed by the Agency due to non-compliance with the National “Do Not Call Registry” law, as explained in “Article XVII. Marketing by Telephone”.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific rules on ePrivacy matters.

_____________________________________________________________________

Cookies

Conditions for use of cookies

None.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Save as provided below there are no specific rules on direct marketing by e-mail. However, the sending of direct marketing by e-mail is subject to the general principles of the DPA.

Conditions for direct marketing by e-mail to corporate subscribers

Save as provided below there are no specific rules on direct marketing by e-mail. However, the sending of direct marketing by e-mail is subject to the general principles of the DPA.

Exemptions and other issues

When direct marketing e-mails are sent to someone, and the justification for sending that email is not consent, the e-mail must be prominently marked as advertising by including the word "publicidad" in the header. Marketing e-mails have to provide technical means to opt out and cite the provision of section 27 of the DPA.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Save as provided below there are no specific rules on direct marketing by telephone. However, direct marketing by telephone is subject to the general principles of the DPA.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

Save as provided below there are no specific rules on direct marketing by telephone. However, direct marketing by telephone is subject to the general principles of the DPA.

Exemptions and other issues

A National “Do Not Call Registry” has been created to protect customers or authorised users of telephony services from abuses in the process of calling, advertising, offering, selling and giving of unsolicited goods or services through those telephony services (Law 26.951 and Regulation Decree 2501/2014). All consumers or authorised users can indicate their intention not to receive calls advertising, offering, selling or giving goods or services by signing up for the National “Do Not Call” Registry (which is free of charge). In 2023, the DPA imposed 24 monetary sanctions for infringing this “Do Not Call” rule, totalling ARS$66,000,000. For example, on May 5, 2023 the Agency applied an ARS$3,000,000 sanction to DirecTV and, on December 14, 2023, Telefónica was penalised with ARS$100,000 for contacting phone lines that were duly registered in the Do Not Call Registry.

_____________________________________________________________________