1. APPLICABLE REGULATORY FRAMEWORK AND SUPERVISORY AUTHORITY
In Argentina, since the constitutional reform of 1994, the protection of personal data is a right with constitutional hierarchy and the processing of such data is basically regulated by the Personal Data Protection Act 25.326 (hereinafter, the “PDPA”), and its Regulatory Decree No. 1558/2001.
The PDPA was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries. The Argentine Agency of Access to Public Information (hereinafter, the “AAPI”) within the Chief of Ministries’ Cabinet is responsible for enforcing this law.
Article 2 of the PDPA defines Personal Data as “information of any kind relating to individuals or legal entities that are determined or determinable”.
In turn, the same article defines the Processing of Personal Data as the “Systematic operations and procedures, electronic or not, that allow the collection, conservation, arrangement, storage, modification, relation, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections or transfers”.
The PDPA establishes that the protection system established in this law reaches all files, records, data banks or other technical means of data processing, both public and private, intended to provide information and aims to guarantee the right to honor and privacy of individuals, as well as access to the information recorded about them.
3. GENERAL PRINCIPLES
The essential obligations that confer legitimacy to the processing of personal data are based on some main guidelines, which will be developed below.
(i) Data quality:
The personal data collected for processing must be true, adequate, relevant and not excessive in relation to the purpose for which it was collected, which cannot be done by unfair or fraudulent means or in violation of the PDPA.
The data collected and stored must be accurate and updated if necessary; in case of inaccuracy, lack of detail or error, they must be deleted and replaced or, if necessary, corrected by the person responsible for the file or database.
Likewise, the data must be stored in such a way as to allow the holder to exercise his right to access them and to demand rectification, updating or deletion.
(ii) Consent of the Data Owner:
As a general principle, for the storage and processing of Personal Data to be legitimate, the granting of informed consent by the data subject is essential, except in those cases not required by the PDPA.
For the informed consent to be considered valid and its effects to be full, it must be considered that the information provided to the data subject must be complete and that the data to be collected must be in accordance with the informed purpose.
(iii) Registration of the database:
As established in sections 3 and 21 of the PDPA and in the same sections of its Regulatory Decree, “every public and private file, registry, database or database existing in Argentina must be registered” in the National Registry of Databases.
Otherwise, the formation and preservation of these databases in our country will not be considered lawful. Only databases for exclusively personal use are exempted from the obligation of registration.
(iv) Security and confidentiality obligation:
Every person responsible for personal databases has the duty to adopt the necessary measures to ensure the security and confidentiality of the personal data stored, in order to avoid its adulteration, loss, consultation or unauthorized processing and to detect deviations, intentional or not, of information, whether the risks come from human action or from the technical means used.
By Resolution 47/2018 of the AAPI, in July 2018, the document called “RECOMMENDED SECURITY MEASURES FOR THE PROCESSING AND CONSERVATION OF PERSONAL DATA IN COMPUTERIZED MEDIA” was approved, which introduces guidelines and directives to be considered.
(v) International Data Transfers:
With regard to the transfer of data to other countries or international or supranational organizations, Article 12 of the PDPA establishes that such transfers are prohibited when the foreign countries involved do not provide adequate levels of protection, except in the cases expressly provided for in the PDPA.
Provision 60 – E/2016 of the AAPI establishes which countries have adequate protection for personal data.
Notwithstanding the fact that as a general principle it is not possible to transfer data to countries that do not have an adequate level of protection, Provision 60 – E/2016 of the AAPI approved the standard contractual clauses for international transfers in order to ensure an adequate level of protection of personal data in those data transfers that have as destination countries without adequate legislation, both for the case that the transfer is made on the occasion of the transfer of data (Annex I) or the provision of services (Annex II).
4. EUROPEAN STANDARDS
The PDPA aligns with the European legislative model for protecting data privacy (hereinafter, the “GDPR”). In 2003, the European Union adopted a decision positioning Argentina as a country with adequate level of protection for personal data, in compliance with the terms of the Directive 95/46/EC.
Thus, since the enactment of the GDPR, Argentina began a process of updating the personal data regime. Among this process, it is worth mentioning the accession to Convention 108, the fact that a project to amend the current Law No. 25.326 on Personal Data Protection is under consideration by the National Congress and the issuance of new regulations by the AAPI.
While the PDPA backs to more than 20 years of existence, its has been updated through supplementary regulations issued by the AAPI.
Should you require assistance on the subject, please consult your usual contact in Abeledo Gottheil, or otherwise to our email email@example.com.
Notice: This article is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.