Data Protected - Argentina

Contributed by Allende & Brea

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Data Protection Act of Argentina, Law 25,326 (the “DPA”) and Regulation Decree 1558/2001.

Entry into force

The DPA entered into force on November 2, 2000.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Agency for Access to Public Information (the “Agency”)
Julio A Roca 710 2nd Floor
Ciudad Autónoma de Buenos Aires
Argentina

www.jus.gov.ar/datos-personales.aspx

Notification or registration scheme and timing

Any personal database must be registered and the registration must be renewed annually. Registration requires the following information: (i) the name and domicile of the person in charge of that database; (ii) the characteristics and purpose of the database; (iii) the nature of the personal data contained in each file; (iv) the method of collecting and updating the data; (v) the recipients to whom such data may be transmitted; (vi) the manner in which the registered information can be interrelated; (vii) security measures; (viii) data retention period; and (ix) means for individuals to access, correct and update their data.

It is not possible to file a registration electronically. Filing has to be done by lodging hard copies with the Agency.

Annual renewal of database registrations is required when: (i) the total number of records exceeds 5,000 and sensitive data are processed (unless such processing of sensitive data is required by an administrative regulation); and/or (ii) there has been a change to the detail in the registration form filed with the Agency.

The databases that are usually registered include human resources, suppliers, customers, call centres, marketing and video surveillance.

Exemptions to notification

Private persons holding personal databases for exclusively personal uses are exempt from registration.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The DPA applies in the territory of Argentina and to any processing of personal data on the Internet.

Is there a concept of a controller and a processor?

The DPA applies to owners of databases of personal data (“data users”), a concept similar to that of controller. The DPA does not have a concept of processor.

Are both manual and electronic records subject to data protection legislation?

Yes. The DPA applies to “personal databases”. These include any data file, register, database, data bank or organised set of personal data which is subject to processing, either electronically or otherwise, regardless of the mode of collection, storage, organisation or access.

Are there any national derogations?

The use of personal databases for journalism is excepted from the law. The right of correction is excepted in cases of national security.

_____________________________________________________________________

Personal Data

What is personal data?

The DPA defines personal data as “information of any kind referring to certain or ascertainable physical persons or legal entities”. The person to whom the personal data relates is known as a “data owner”.

Is information about legal entities personal data?

Yes.

What are the rules for processing personal data?

The processing of personal data generally requires express consent from the data owner which must be accompanied by appropriate information, in a prominent and express manner, explaining the nature of consent sought.

However, consent to processing is not required where the data: (i) comes from a public source; (ii) is collected for the functions of the State; (iii) is collected under a legal duty; (iv) consists of lists limited to name, national identity card number, tax or social security identification, occupation, date of birth, and domicile; (v) arises from a contractual relationship; (vi) arises from a scientific relationship; or (vii) refers to the transactions performed by financial entities, and arises from the information received from their customers in accordance with the provisions of bank secrecy laws.

Additional restrictions apply to the disclosure of personal data. This is generally only permitted where it is in the legitimate interests of the database owner and the data owner has consented. This consent can be revoked. However, consent to the disclosure of personal data is not required where: (i) disclosure is provided for by law; (ii) one of the general data processing conditions (set out above) applies; (iii) the disclosure is directly between governmental agencies; (iv) the disclosure is for public health reasons and appropriate measures are used to hide the identity of individuals; or (v) the information is anonymised so individuals are not identifiable.

The recipient of the personal data will be subject to the same obligations as the person disclosing them and both parties are jointly and severally liable for any subsequent use.

Are there any formalities to obtain consent to process personal data?

Consent must be express and informed. It should be in writing or similar form depending on the circumstances. The DPA does not require any formality to obtain consent to process personal data. Moreover, the DPA permits obtaining consent online by clicking an appropriate icon, without the existence of any written form.

Are there any special rules when processing personal data about children?

No additional rules apply.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data includes all the standard types of sensitive personal data. However, there is some debate about whether this is an exclusive definition and whether, for example, it might also cover information that could be used for discriminatory purposes even though, on its face, it is not discriminatory (e.g. an address or zip code from a low income neighbourhood).

Are there additional rules for processing sensitive personal data?

No person can be compelled to provide sensitive personal data.

Sensitive personal data can only be processed: (i) where there are circumstances of general interest authorised by law; or (ii) for statistical or scientific purposes provided data owners cannot be identified from that information.

The creation of personal databases that directly or indirectly reveal sensitive personal data is prohibited. However, the Catholic Church, religious associations, political parties and trade unions shall be entitled to keep a register of their members.

Are there additional rules for processing information about criminal offences?

Data referring to criminal offences can be processed only by competent public authorities for purposes established by law.

Are there any formalities to obtain consent to process sensitive personal data?

Consent must be express and informed. It should be in writing or similar form depending on the circumstances.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no obligation to appoint a data protection officer under the DPA. However, Disposition 3/2012 approved a new audit form that contains matters relating to data protection and security and requires a specific person to be designated to deal with those issues.

What are the duties of a data protection officer?

The DPA does not require a data protection officer, but it is common practice for companies to have one.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

No.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Whenever personal data is requested, the data owner must get express, clear and prior notification of: (i) the purpose for which the data shall be processed; (ii) the recipients or classes of recipients; (iii) the existence of the relevant personal database and the owner of that database; (iv) whether the provision of information is compulsory or discretionary; (v) the consequences of providing or refusing to provide data; and (vi) the data owner’s right of data access, rectification and suppression.

Rights to access information

Data owners are entitled to access their personal data where it is included in a public database, or in a private database intended for the provision of reports. Requests can be made free of charge and at six-monthly intervals unless there is a legitimate reason for more frequent access. The requested information must be provided within 10 calendar days. Where the personal data relates to a deceased person, their heirs shall be entitled to exercise this right, on behalf of the estate.

The information must be provided clearly with an explanation of any codes or terms used in language that can be understood by a citizen with an average level of education. A full copy of the information about that data owner must be provided, even if the request only refers to one item of personal data.

The information may be provided in writing or by electronic, telephonic, visual or other means adequate to communicate that information to the data owner.

Rights to data portability

None.

Right to be forgotten

None.

Objection to direct marketing and profiling

Personal databases may be created for direct marketing purposes where the personal data within them: (i) was publicly available; (ii) was provided by the data owners; or (iii) is processed with the data owners’ consent.

The data owner may exercise the right of access free of any charge and the data owner may at any time request the withdrawal or blocking of his name from any of the databases referred to above.

Other rights

Every person has the right to rectify, update, and, when applicable, suppress or keep confidential his or her personal data included in a personal database. A number of specific rules apply to this process. In particular, if the personal data has been transferred to a third party, that third party must be notified of any rectification or suppression of personal data within five days of such amendments being made.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The security obligations in the DPA require the use of measures to detect any unauthorised access or amendment to personal data.

There is also a duty of confidentiality that applies to any persons processing personal data. Such duty continues even after the relationship with the owner of the database has expired. The duty is only released by an order of the court or for reasons relating to public safety, national defence or public health.

There are also some specific security obligations set out in resolutions N° 11/2006 and N° 9/2008.

Disposition 10/2015 of the Data Protection Authority regarding CCTV made it lawful to collect and process people’s digital images for security purposes. A security document is required and must be filed with the Agency on registration or the renewal of the databases.

Specific rules governing processing by third party agents (processors)

In addition to the duty of confidentiality (see above), any third party providing data processing services may: (i) only use the relevant personal data for the purposes specified in the corresponding service contract; and (ii) not disclose that personal data to any third party, even for storage purposes.

Once the service contract has been performed, the relevant personal data must be destroyed, unless the owner of that data gives clear instructions to preserve the personal data, in which case it may be stored securely for a maximum of two years.

Notice of breach laws

None.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Disposition 60-E/2016 published in the Official Gazette on 18 November 2016 approves new rules for the international transfers of personal data. The Disposition has officially recognised a list of countries as having an adequate level of data protection. This includes member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay.

The transfer of any type of personal information to countries or international or supranational entities which do not provide adequate levels of protection is prohibited. However, the prohibition does not apply to disclosures made: (i) for international judicial cooperation; (ii) for healthcare or anonymised personal data for the purpose of an epidemiological survey; (iii) for stock exchange or banking transfers; (iv) when subject to an international treaty to which the Argentine Republic is a signatory; (v) for international cooperation between intelligence agencies in the fight against organised crime, terrorism and drug trafficking; or (vi) where the data subject has expressly consented to the assignment.

Consent is not required for transfers of data from a register that is legally constituted to provide information to the public and which is open to consultation either by: (i) the public in general; or (ii) any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions are met.

Finally, an international data transfer agreement can be used to permit the transfer of personal data to a third country. In relation to this, the Disposition approved two standard model contracts for the transfer of personal data to countries that do not have adequate legislation on personal data protection. If the parties opt to use a different model agreement for the data transfer to non-adequate countries, or the agreement does not reflect the essential elements to provide an adequate level of protection provided in the standard model clauses, then such agreement will need to have the approval of the Agency within 30 days from its execution.

Notification and approval of national regulator (including notification of use of Model Contracts)

It is generally not necessary to notify or obtain approval from a national regulator for transborder dataflow.

However, as set out above, if the parties rely on an international transfer agreement, and the agreement is different to that set out in the Disposition, they will need the approval of the Agency.

Use of binding corporate rules

Argentina does not recognise the use of binding corporate rules as a means to justify transborder dataflow.

_____________________________________________________________________

Enforcement

Fines

Administrative sanctions can be applied by the Agency and consist of a warning, suspension, closure of a database or a fine of a maximum amount of ARG 5,000,000 (approx. USD 285,000).

Sanctions are proportionate to the nature of the personal rights infringed, the volume of data processing, the benefits obtained as a result of the violation, the level of intentionality, the recurrence rate, the damages caused to third parties and interested persons, the number of data subjects affected and any other circumstances that can help to determine the seriousness and extent of the infringement.

Imprisonment

There is a range of criminal penalties including: (i) imprisonment for up to two years for knowingly inserting false information in a personal database; (ii) imprisonment for up to three years for anyone who knowingly provides a third party with false information contained in a personal database; (iii) imprisonment for up to three years for hacking into a personal database; and (iv) imprisonment for up to three years for disclosing confidential information from a database. These penalties can be increased if harm is caused to a data owner or the offence is committed by a public official in the exercise of his duties.

Compensation

The DPA does not specifically provide for compensation. However, compensation may be available under general principles of tort law.

Other powers

The Agency may issue administrative injunctions.

Practice

Enforcement is relatively infrequent but there have been cases in which criminal complaints have been filed, for example against ChoicePoint for selling information about Argentinean citizens to the US government.

Between 2009 and 2017 the Agency conducted several audits of local companies including Internet companies, credit reporting agencies, supermarkets, home appliance stores, hotels, banks, pharmaceutical, Internet and insurance companies. Currently, the Agency is conducting approximately 3 to 7 company audits per week.

The Agency has provided the following information related to its enforcement activities: (i) more than 310 complaints against data users have been filed since 2003, and (ii) more than 30 sanctions have been imposed by the Agency to date.

Most of these sanctions are for failure to register or renew registration of a database. Others pertain to unauthorized data processing; failure to provide access to, or rectification or suppression of, the data subject’s personal data; failure to provide notice of the purpose of data collection; and failure to follow data protection rules. Additionally, there are a huge number of legal opinions issued every year by the Agency that help to shed light on how the Agency interprets data protection laws.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific rules on ePrivacy matters.

_____________________________________________________________________

Cookies

Conditions for use of cookies

None.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Save as provided below there are no specific rules on direct marketing by e-mail. However, the sending of direct marketing by e-mail is subject to the general principles of the DPA.

Conditions for direct marketing by e-mail to corporate subscribers

Save as provided below there are no specific rules on direct marketing by e-mail. However, the sending of direct marketing by e-mail is subject to the general principles of the DPA.

Exemptions and other issues

When direct marketing e-mails are sent to someone, and the justification for sending that email is not consent, the e-mail must be prominently marked as advertising by including the word "publicidad" in the header. Marketing e-mails have to provide technical means to opt out and cite the provision of section 27 of the DPA.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Save as provided below there are no specific rules on direct marketing by telephone. However, direct marketing by telephone is subject to the general principles of the DPA.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

Save as provided below there are no specific rules on direct marketing by telephone. However, direct marketing by telephone is subject to the general principles of the DPA.

Exemptions and other issues

A National “Do Not Call Registry” has been created to protect customers or authorised users of telephony services from abuses in the process of calling, advertising, offering, selling and giving of unsolicited goods or services through those telephony services (Law 26.951 and Regulation Decree 2501/2014). All consumers or authorised users can indicate their intention not to receive calls advertising, offering, selling or giving goods or services by signing up for the National “Do Not Call” Registry (which is free of charge). The DPA has imposed numerous sanctions for the infringement of this “Do Not Call” rule.

_____________________________________________________________________