What is PDPL Argentina?
The Personal Data Protection Law is Argentina’s data protection regulation, governing the way data is collected and processed. It entered into force in November of 2020, and a draft Bill is currently being considered that would provide some updates considered necessary. It is not yet known whether this new Bill will come into effect and, if so, when.
It includes both administrative and criminal sanctions for violations, the latter of which are incorporated from Argentina's Criminal Code. For any “public, private file, registry, database or database intended to provide reports,” the regulating authorities will create a Registry where your organization will have to register. Last but not least, Argentina is recognized by the EU Commission as an adequacy country.
What is Personal Information and what are other key definitions?
Argentina’s privacy law defines ‘personal data’ as any information that refers to either a natural person or what a translated version of the text calls a “person of ideal existence,” whether they are identified or identifiable. The law gives no clear definition of what a person of ideal existence means, so that remains unclear. However, it is commonly understood and implied that any data clearly identifying a natural person would be considered personal data, while anonymised data or pieces of information not identifying a person are not covered by the PDPL.
The definition of ‘sensitive data’ is in line with other data privacy laws, seeing this type of data as the personal data of an individual that reveals about them details such as racial or ethnic origin, religious, political, or union affiliations, moral or philosophical convictions, or information about the individual’s health or sex life.
Under the text of the law, the data subject, named ‘data holder,’ is defined in a translated version as any natural person or person of ideal existence “with legal domicile or delegations or branches in the country, whose data are the subject of the processing referred to in this law.”
There is no definition for a data controller under Argentine law and the data processor is here named ‘data user’ and defined as “any person, public or private, who processes data at their discretion, either in files, records or databases of their own or through connection with them.”
Who has to comply with the PDPL Argentina?
According to the text of the law, its rules “are of public order and applicable throughout the national territory,” with provinces being invited to adhere to it, if they so wish.
There is no mention of any other territorial scope, nor any mention of organizations located outside Argentina that would process the personal data of residents, which already explains the need for an update of the text of the law. As far as its goal is concerned, the text states that it “aims at the comprehensive protection of personal data recorded in files, registries, data banks, or other technical means of personal data processing, whether public or private intended to give reports, to guarantee the right to honor and privacy of people, as well as access to information that is recorded about them, in accordance with the provisions of article 43, third paragraph of the National Constitution.”
One other applicability that the text mentions is that “as far as it is relevant,” the law also applies “to data relating to persons of ideal existence,” but it still does not offer an explanation for this term. The common understanding is that the law shall apply only when it is possible to determine a real person.
Who is excluded from PDPL Argentina compliance?
There are several exemptions mentioned in the case of PDPL Argentina, namely, databases or sources of information for journalistic purposes and individuals who hold personal databases for personal purposes, who are excluded from the requirement of registering with the Registry that this law creates.
As regards sensitive data, the law prohibits “the formation of files, banks or records that store information that directly or indirectly reveals sensitive data,” while also allowing “the Catholic Church, religious associations and political and trade union organizations” to keep a record of their members, and allows for the processing of criminal records by competent authorities “within the framework of the respective laws and regulations.”
How can I keep my organization PDPL Argentina compliant?
PDPL Argentina offers some general principles that relate to personal data protection in the second chapter, principles that resemble other privacy regulations.
Article 3 establishes the principles of lawfulness by mandating that data file formation has to be lawful and not for any purposes that are contrary either to laws or public morality.
In Article 4, while the text refers to this as a principle of personal data quality, we find several principles encased in this general one:
- the personal data collected has to be “true, adequate, relevant and not excessive in relation to the scope and purpose” for which it was obtained;
- it cannot be done by fraudulent means, nor can it be used for purposes other than those for which it was originally obtained, so purpose specification applies as a principle here;
- it has to be accurate and kept up to date; if there is any personal data that is inaccurate, whether partially or totally, it has to be either deleted or replaced, or, where possible, corrected, in line with data subjects’ right to correct their personal data;
- storing the personal data has to be done in such a way that individuals can exercise their right to access;
- last but not least, once it has exceeded its necessity or relevance, it has to be destroyed.
Consent has to be “free, express, and informed” and it must also be recorded. There are exceptions to this, outlined in Article 5, such as when the personal data is available in what the law calls “sources of unrestricted public access.” Consent has to be obtained before personal data collection, and data subjects have to be informed of its purpose(s); of the existence of a data collection database (file, registration, data bank, etc.); as regards sensitive data, of the mandatory or optional nature of their expression of consent; of the consequences resulting from their provision, refusal, or inaccuracy of data; and of the way they can exercise their data subject rights of access, rectification, or deletion.
Sensitive data provision cannot be made mandatory for data subjects and this type of data can only be collected and processed for reasons of general interest that have been authorized by law, or for statistical and scientific purposes if the data subjects cannot be identified. As mentioned above, there are some exemptions granted for religious, political, trade union, and criminal data.
Article 8 mandates that as regards health data, it can be collected and processed by health institutions or professionals that are linked to the health sciences, for either current or former patients, within the bounds of professional secrecy.
Articles 9 and 10 mandate that you are responsible for the security of the personal data you collect and of its confidentiality. With regards to security, you are required to adopt any technical or organizational measures in order to be able “to guarantee the security and confidentiality of personal data, in order to prevent its adulteration, loss, consultation or unauthorized processing, and that allow the detection of deviations, intentional or unintentional, of information, whether the risks come from human action or the technical means used,” and with regards to confidentiality, there is an obligation of professional secrecy mandated by the law for all the persons involved in any of the stages of personal data processing.
Articles 11 and 12 regulate the way local and international transfers have to be handled. Local transfers are only allowed “for the fulfillment of the purposes directly related to the legitimate interest of the assignor and the assignee and with the prior consent of the owner of the data, who must be informed about the purpose of the transfer and identify the transferee or the elements that allow it.” There are exceptions to consent being required, such as when consent is granted by the law, or when the data has been anonymised, to name a few.
International transfers are only allowed in cases where an adequate level of protection is provided. Exceptions include international judicial collaborations, health data exchanges required for the treatment of the data subject, or following an international treaty to which Argentina is a party, among others. Argentina recognises the European Union, the United Kingdom, Northern Ireland, and some other countries as providing adequate protection. In addition to this, the Argentine Data Protection Authority has published Standard Contractual Clauses (module clauses) written based on EU model clauses.
What data access rights does PDPL Argentina grant?
Argentina’s PDPL grants data subjects the following rights:
- Right to be informed
- Right to access
- Right to correct inaccurate personal data
- Right to delete personal data
How to address data subject access requests under PDPL Argentina?
The law grants you five working days to reply to a request made under the right to correct or delete, and ten working days to reply to a request made under the right to access. If you receive a right to information request, you are required to create a registry of the data that is public and free of charge. The same applies to the correction, updating or deletion of inaccurate or incomplete personal data in both public and private records. This has to be carried out free of charge.
Enforcement and penalties
The national supervisory authority is the Agency for Access to Public Information, whose duties, among other things, also include imposing administrative sanctions for violations of this law.
The administrative sanctions that the authority may apply consist of “penalties of warning, suspension, fine of one thousand pesos ($ 1,000.-) to one hundred thousand pesos ($ 100,000.-), closure or cancellation of the file, registration or data bank,” which would be the equivalent of between $53 and $5250, depending on the severity and extent of the violation, as well as the damages that arise from it.
As regards criminal sanctions, these are incorporated from Argentina’s Criminal Code and include a varying number of years of imprisonment, depending on the violation, as follows:
- 1 month to 2 years for:
  - knowingly falsifying data,
  - knowingly and illegitimately accessing a “personal data bank” or violating data security and confidentiality systems,
  - disclosing information recorded in a personal data bank that is protected by law;
- 6 months to 3 years for knowingly disclosing false data to a third party;
- for violations that cause injury to an individual, the penalty increases by half of both the minimum and the maximum period of imprisonment;
- for violations committed by public officials while exercising their functions, they will be prohibited from holding public office for twice the imprisonment period.
Data Subject Rights - GDPR vs. PDPL
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PDPL:
- Right to be informed
- Right to access
- Right to correct inaccurate personal data
- Right to delete personal data
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.