Argentina: Data Protection & Cyber Security


This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in Argentina.

This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws)?

    In Argentina, the most comprehensive statutory regulation regarding the protection of personal data is the Data Protection Law No. 25,326 (the “Data Protection Law”), which is regulated by Decree No. 1558/2001. The legal framework also includes the complementary regulations issued by the Agency of Access to Public Information (the “Data Protection Authority”).

    The main purposes of the Data Protection Law are to guarantee (i) the complete protection of personal data; and (ii) the rights to good reputation, privacy and access to information, in accordance with Section 43 of the Argentine National Constitution, which safeguards the right to habeas data.

    The Data Protection Law applies to any processing of personal data, including any disclosure, collection, storage, amendment, assignment and destruction of personal data. The provisions of the Data Protection Law apply to personal data belonging to individuals, as well as to legal entities. In addition, they apply to both the public and the private sector, and to all industries and activities.

    The Data Protection Law is enforced by the Data Protection Authority, which has the duty of supervising the protection of personal data in order to guarantee the rights of good reputation, privacy and access to personal data. It is also afforded the powers to receive and handle complaints filed by data subjects, request public and private entities to provide information on the processing of personal data, and conduct inspections to verify compliance with the Data Protection Law.

    In 2018, the Argentine Executive Branch introduced before Congress a bill intended to replace the Data Protection Law (the “Data Protection Bill”). The Data Protection Bill is generally in line with many approaches proposed by the European General Data Protection Regulation (“GDPR”).

  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

    Under the Data Protection Law, any database containing personal data must be registered before the Data Protection Authority.

    Until recently, the registration procedure consisted of completing a form, submitting proper documentation and paying a fee. The form could be submitted online, but a hard copy still had to be sent to the Data Protection Authority. The registration had to be renewed annually.

    However, in 2018 Data Protection Authority Regulation No. 132/2018 established a new procedure for the registration and renewal of public or private databases. The most significant changes were that all proceedings must now be carried out online, are free, and are not subject to annual renewal. Instead, the data controller must inform any supervening modification by means of a sworn declaration to keep the registry updated.

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

    The Data Protection Law defines personal data as any kind of information referring to individuals or legal entities, whether identified or identifiable.

    Moreover, the Data Protection Law defines sensitive personal data as personal data revealing racial or ethnic origin, political affiliation, religious, moral or philosophical convictions, union activity or information related to health or sexual orientation.

    Among other definitions, the Data Protection Law also defines: (i) data subject, as any individual or legal entity with legal domicile, offices, or branches in Argentina, and whose data falls under the scope of the Data Protection Law; (ii) database, as any organized collection of personal data that is processed, electronically or otherwise, regardless of the means for its establishment, storage, organization or access; and (iii) data controller, as the individual or legal entity that is the owner of a database.

  4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

    The Data Protection Law states that the gathering of personal data cannot be done through dishonest, fraudulent, or illegal means. The Data Protection Law also provides that personal data cannot be processed for different or incompatible purposes from those it was intended for when collected, and any personal data that is collected must be accurate and current.

    Furthermore, the general principle under the Data Protection Law is that any processing of personal data must be specifically consented to by the data subject (see question 5 below).

    Personal data may be held for as long as it is necessary or current for the purposes for which it was collected, after which it must be destroyed or deleted.

  5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?

    The general principle under the Data Protection Law is that any processing of personal data (including any disclosure, collection, storage, assignment, amendment and destruction of data) must be specifically consented to by the data subject.

    Such consent must be prior, given freely, based upon the information previously provided to the data subject (informed) and expressed in writing or by equivalent means, depending on the circumstances of the case. The data subject may revoke the consent at any time, but with no retroactive effect.

    Nonetheless, informed consent of the data subject is not necessary, among others, when:

    • The data is collected by the government pursuant to its legal authority or in its capacity as such.
    • The data is limited to name, identification number, tax or social security identification numbers, occupation, date of birth, and domicile.
    • The data derives from a contractual, scientific, or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship.

  6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

    With regard to sensitive data, the law provides for a more restrictive set of regulations.

    Under the Data Protection Law no person may be obliged to supply sensitive personal data, and such data may only be collected if authorized by law, and for a public interest purpose. However, in certain administrative decisions the Data Protection Authority has expressed that the consent of the data subject is sufficient basis for the processing of its sensitive data.

    Sensitive data also may be collected for statistical or scientific purposes, provided that the data subject cannot be identified. Setting up files, records, or databases which either directly or indirectly reveal sensitive data is forbidden. Despite this, the Catholic Church, religious associations, political organizations and unions can keep a registry of their members.

    Data related to criminal precedents may be collected solely by the relevant competent authorities, and within the scope of the applicable legislation.

  7. How do the laws in your jurisdiction address children’s PII?

    The general principles regarding minors are contained in the Argentine Civil and Commercial Code. The Code provides that individuals under the age of 18 are minors, and establishes the general rule that minors exercise their rights through their legal representatives (parents or guardians).

    Since there are no specific provisions in the Data Protection Law or any other privacy regulations, this general principle described above applies to data protection. Under the Data Protection Law, the processing of personal data must be specifically consented to by the data subject. If the data subject is a minor, the consent of his or her parent or guardian will be necessary for any data processing.

  8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

    The Data Protection Law does not include a specific obligation to maintain internal records or establish internal policies. However, owners and processors of personal data must comply with certain obligations in connection with data security and confidentiality (see question 16).

  9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

    The Data Protection Authority accepts consultations, and will issue its opinion in response. However, consultations are not required by law. They could be advisable depending on the circumstances of a given case.

  10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

    The Data Protection Law does not require or recommend conducting risk assessments regarding data processing activities.

    If approved, the Data Protection Bill (see question 1) would introduce an obligation for data controllers to conduct impact evaluations in those cases in which the nature, scope, context and purpose of the processing of data mean that there is a high risk of affecting data subjects’ rights.

  11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

    The Data Protection Law does not require the appointment of a data protection officer.

    If approved, the Data Protection Bill (see question 1) would introduce this requirement in certain cases. The Data Protection Bill includes an obligation to appoint a data protection officer in the case of public agencies, processing of sensitive data as a principal activity, or “big data”. The data protection officer would answer only to the highest-ranking members of the public agency or company, and would carry out his or her duties without receiving any instructions.

  12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

    Under Argentine data protection regulations, the general basis for data processing is the informed consent of the data subject. As stated in question 5, consent must be prior, given freely, based upon the information previously provided to the data subject (informed) and expressed in writing or by equivalent means, depending on the circumstances of the case. Businesses processing data must comply with those requirements.

  13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

    The Data Protection Law specifically regulates certain aspects of the relationship between data controllers and data processing services providers.

    The Data Protection Law establishes the need for a data processing agreement when data processing services are provided. The data may only be used for the purpose provided in the agreement, and may not be assigned (even for its storage). Additionally, once the data processing services have been rendered, the data must be destroyed unless there is an express authorization from the data controller, where it can be reasonably presumed that further services will be required. In that case, the data can be stored for 2 years.

  14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

    Decree No. 1558/2001 provides that the data processing agreement must (i) detail the security measures established in the Data Protection Law; (ii) include the parties’ confidentiality obligations; (iii) establish that the data processor will only act as instructed by the data controller; and (iv) establish that the data processor is also bound by the Data Protection Law’s requirements in connection with the security of the data.

    In connection with data processing services and international data transfers, please see question 15 below regarding Data Protection Authority Rule Number 60 - E/2016.

  15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)

    Under the Data Protection Law, the transfer of personal data to countries or to international organizations which do not grant an appropriate level of protection according to the Data Protection Authority’s criteria is forbidden. However, the transfer of personal data to non-adequate countries is permitted when: (i) the data subject consents to the transfer; or (ii) an adequate level of protection arises from (a) contractual clauses (international data transfer agreements) or (b) systems of self-regulation (such as binding corporate rules).

    Rule Number 60 - E/2016, issued by the Data Protection Authority, establishes that personal data can be transferred with no further safeguards to member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only the private sector), New Zealand, Andorra, and Uruguay. Moreover, very recently Resolution Number 34/2019 included the U.K. and Northern Ireland in the white list of adequate jurisdictions for the transfer of personal data.

    Furthermore, Rule Number 60 - E/2016 approved two sets of standard model clauses for data transfer agreements. In the event that parties choose not to use these models and sign a data transfer agreement that does not reflect the principles, safeguards, and content contained in the model clauses, their agreement will need to be submitted to the Data Protection Authority for approval within 30 days of its execution.

    Additionally, Resolution Number 159/2018 approved a set of guidelines for binding corporate rules as a self-regulating mechanism available for multinational companies to legitimize international data transfers within their group.

  16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

    The Data Protection Law states that the responsible person or user of a database shall adopt the necessary technical and organizational measures to guarantee the protection and confidentiality of personal data.

    In that connection, through Resolution No. 47/2018 the Data Protection Authority approved security measures for the processing and conservation of personal data that serve as a set of guidelines to comply with the security obligation described in the above paragraph. Annex I of this regulation includes recommendations for data stored through electronic means, in particular regarding: a) the collection of data; b) the control of access to data; c) the control of modifications to data; d) backup and recovery; e) vulnerability management; f) destruction of information; g) security incidents; and h) development environment.

    In addition, the data controller and any person who intervenes in any phase of the processing of personal data have a duty of professional secrecy. The duty persists even after the relationship with the data subject is terminated. The duty of secrecy is lifted only if required by a judicial resolution or for public safety, national defense, or public health reasons.

  17. Does your jurisdiction impose requirements of data protection by design or default?

    The Data Protection Law does not specifically address this issue. However, in 2015 the Data Protection Authority adopted Rule No. 18/2005, which sets out certain guidelines for software developers, who in most cases are not familiar with the principles of data protection of the Data Protection Law.

    If approved, the Data Protection Bill (see question 1) would require data controllers to implement measures to ensure privacy by design and by default.

  18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

    The Data Protection Law does not address security breaches.

    However, Resolution No. 47/2018 of the Data Protection Authority (please see question 16) did approve certain measures in connection with security incidents. In particular, it recommends having a procedure in place to manage security incidents, and a person responsible for issuing a report on the incident.

  19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

    The Data Protection Law does not impose a general duty to notify either individuals or the Data Protection Authority of a data breach. However, even if it does not constitute a legal obligation, Resolution No. 47/2018 recommends reporting a security incident to the Data Protection Authority.

    If approved, the Data Protection Bill would introduce an express obligation to report certain security incidents to the Data Protection Authority and the data subjects.

  20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

    The data subject has the right to: (i) access any database containing his or her personal data; (ii) request information in connection with his or her data; and (iii) request the correction, deletion, updating or confidential treatment of his or her personal data.

    The right of data subjects to access their data can be exercised free of charge every 6 months, or at shorter intervals if the data subject demonstrates a legitimate interest.

    Data controllers must inform the data subjects of their rights to access, rectify and suppress their personal data when obtaining consent to any data processing.

  21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?

    Individual rights are exercisable through both the judicial system and the Data Protection Authority.

    Individuals can report any infringement of the Data Protection Law to the Data Protection Authority, which is charged with enforcing its provisions. The Data Protection Authority can impose sanctions and fines (see question 22 below). However, it does not have the authority to award damages or costs.

    Additionally, individuals can file civil actions before the courts. The Data Protection Law states that if data controllers fail to comply when data subjects exercise their rights (see question 20), the data subjects may file a habeas data action before the courts to obtain redress.

    Data subjects are also entitled to claim damages before the courts, under the general civil law principles contained in the Argentine Civil and Commercial Code. In order to obtain compensation, the data subject will have to prove actual damage resulting from a breach of the Data Protection Law, and establish a causal link between that damage and the data controller’s conduct.

    In some cases, an infringement of the Data Protection Law could also constitute a crime to be pursued before the criminal courts. In particular, the Argentine Criminal Code punishes with imprisonment from one month to three years those who: (i) illegally insert information in a database; (ii) illegally gain access to databases; (iii) disclose personal data protected by duty of confidentiality pursuant to law; or (iv) knowingly supply false information stored in a database to a third party.

  22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

    The Data Protection Authority may apply the following administrative penalties in the event of violation of the Data Protection Law:

    • Observation;
    • Suspension;
    • Fines of between ARS 1,000 and 100,000;
    • Business closure; or
    • Cancellation of the file, record or database.

    Data Protection Authority Rule No. 9/2015 lists offenses and violations and classifies them as minor, serious, or very serious, with corresponding ranges of sanctions. For instance, failing to timely comply with a request issued by the Data Protection Authority to provide certain documents or information is a minor offense, while transferring personal data to a foreign country without complying with local regulations is considered a very serious offense.

    In addition, Data Protection Authority Rule No. 71 E/2016 capped fines applicable for various infringements encompassed by the same administrative proceeding. In the same administrative proceeding, such fines may not exceed ARS 5,000,000.

  23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

    The Data Protection Law defines personal data as any kind of information referring to individuals or legal entities, whether identified or identifiable. Therefore, anonymized data which cannot be linked to an individual or entity will fall outside of the scope of the Data Protection Law.

    In addition, section 1 of the Data Protection Law provides that the provisions of the law cannot affect the sources of journalistic information.

  24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

    Section 27 of the Data Protection Law provides that personal data may be used to determine consumer profiles for marketing purposes, provided that such data is gathered from sources accessible to the public or the data subject voluntarily provided the information or consented to its use.

    However, Decree No. 1558/2001 allows for the collection, processing and assignment of personal data for marketing purposes without the consent of the data subject, as long as the data subject is identified only by their belonging to groups based on their preferences or behavior and the personal data is limited to that which the marketer needs to make an offer.

    Moreover, Rule No. 4/2009 of the Data Protection Authority requires the following:

    • Data subjects must be able to opt-out of this type of communication, and be expressly and clearly informed of their right to do so.
    • The communication must contain a clear and visible notice to the effect that it is an advertisement, and a transcription of the relevant provisions of the Data Protection Law and Decree No. 1558/2001. In the case of an email, its heading must contain the term “Advertisement” (in Spanish, “Publicidad”).
    • The owner of the database must have a mechanism in place that allows for the exercise of the data subject’s right to opt out.

  25. Please describe any laws addressing email communication or direct marketing?

    Email communications and direct marketing are governed by the same rules described in question 24 above: Section 27 of the Data Protection Law (consumer profiles for marketing purposes), Decree No. 1558/2001 (marketing to data subjects identified only by group membership) and Rule No. 4/2009 of the Data Protection Authority (opt-out right, clear “Advertisement”/“Publicidad” notice in the communication, and a mechanism allowing the data subject to opt out).