Argentina PDPL

Who is excluded from PDPL Argentina compliance?

There are several exemptions mentioned in the case of PDPL Argentina, namely, databases or sources of information for journalistic purposes and individuals who hold personal databases for personal purposes, who are excluded from the requirement of registering with the Registry that this law creates. 

As regards sensitive data, the law prohibits “the formation of files, banks or records that store information that directly or indirectly reveals sensitive data,” while also allowing “the Catholic Church, religious associations and political and trade union organizations” to keep a record of their members, and allows for the processing of criminal records by competent authorities “within the framework of the respective laws and regulations.”

How can I keep my organization PDPL Argentina compliant?

PDPL Argentina offers some general principles that relate to personal data protection in the second chapter, principles that resemble other privacy regulations. 

Article 3 establishes the principles of lawfulness by mandating that data file formation has to be lawful and not for any purposes that are contrary either to laws or public morality. 

In Article 4, while the text refers to this as a principle of personal data quality, we find several principles encased in this general one: 

• the personal data collected has to be “true, adequate, relevant and not excessive in relation to the scope and purpose” for which it was obtained;
• it cannot be done by fraudulent means, nor can it be used for purposes other than those for which it was originally obtained, so purpose specification applies as a principle here;
• it has to be accurate and kept up to date, if there is any personal data that is inaccurate - whether partially or totally - it has to be either deleted or replaced, or, where possible, corrected, in line with data subjects’ right to correct their personal data;
• storing the personal data has to be done in such a way that individuals can exercise their right to access;
• last but not least, once it has exceeded its necessity or relevance, it has to be destroyed.  

Consent has to be “free, express, and informed” and it must also be recorded. There are exceptions to this, outlined in Article 5, such as when the personal data is available in what the law calls “sources of unrestricted public access.” Consent has to be obtained before personal data collection and data subjects have to be informed of its purpose(s), the existence of a data collection database (file, registration, data bank, etc.), as regards sensitive data the mandatory or optional nature of their expression of consent, the consequences resulting from their provision, refusal, or inaccuracy of data, and of the way they can exercise their data subjects rights of access, rectification, or deletion. 

Sensitive data provision cannot be made mandatory for data subjects and this type of data can only be collected and processed for reasons of general interest that have been authorized by law, or for statistical and scientific purposes if the data subjects cannot be identified. As mentioned above, there are some exemptions granted for religious, political, trade union, and criminal data.

Article 8 mandates that as regards health data, it can be collected and processed by health institutions or professionals that are linked to the health sciences, for either current or former patients, within the bounds of professional secrecy.

Articles 9 and 10 mandate that you are responsible for the security of the personal data you collect and of its confidentiality. With regards to security, you are required to adopt any technical or organizational measures in order to be able “to guarantee the security and confidentiality of personal data, in order to prevent its adulteration, loss, consultation or unauthorized processing, and that allow the detection of deviations, intentional or unintentional, of information, whether the risks come from human action or the technical means used,” and with regards to confidentiality, there is an obligation of professional secrecy mandated by the law for all the persons involved in any of the stages of personal data processing.

Articles 11 and 12 regulate the way local and international transfers have to be handled. Local transfers are only allowed “for the fulfillment of the purposes directly related to the legitimate interest of the assignor and the assignee and with the prior consent of the owner of the data, who must be informed about the purpose of the transfer and identify the transferee or the elements that allow it.” There are exceptions to consent being required, such as when consent is granted by the law, or when the data has been anonymised, to name a few. 

International transfers are only allowed in cases where an adequate level of protection is provided. Exceptions include international judicial collaborations, health data exchanges required for the treatment of the data subject, or following an international treaty to which Argentina is a party, among others. Argentina recognises the European Union, the United Kingdom, Northern Ireland, and some other countries as providing adequate protection. In addition to this, the Argentine Data Protection Authority has published Standard Contractual Clauses (module clauses) written based on EU model clauses. 

What data access rights does PDPL Argentina grant?

Argentina’s PDPL grants data subjects the following rights: 

• Right to be informed
• Right to access
• Right to correct inaccurate personal data
• Right to delete personal data

How to address data subject access requests under PDPL Argentina?

The law grants you five working days to reply to a request made under the right to correct or delete, and ten working days to reply to a request made under the right to access.. If you receive a right to information request, you are required to create a registry of the data that is public and free of charge. The same applies to the correction, updating or deletion of inaccurate or incomplete personal data in both public or private records. This has to be carried out free of charge.

Enforcement and penalties

The national supervisory authority is the Agency for Access to Public Information, whose duties, among other things, also include imposing administrative sanctions for violations of this law.

The administrative sanctions that the authority may apply consist of “penalties of warning, suspension, fine of one thousand pesos ($ 1,000.-) to one hundred thousand pesos ($ 100,000.-), closure or cancellation of the file, registration or data bank,” which would be the equivalent of between $53 and $5250, depending on the severity and extent of the violation, as well as the damages that arise from it.

As regards criminal sanctions, these are incorporated from Argentina’s Criminal Code and include a varying number of years of imprisonment, depending on the violation, as follows: 

• 1 month to 2 years for 
• knowingly falsifying data, 
• knowingly and illegitimately accessing a “personal data bank” or violating data security and confidentiality systems, 
• disclosing information recorded in a personal data bank that is protected by law.
• 6 months to 3 years for knowingly disclosing false data to a third party; 
• for violations that cause injury to an individual, the penalty increases by half of both the minimum and the maximum period of imprisonment;
• for violations committed by public officials while exercising their functions, they will be prohibited from holding public office for twice the imprisonment period.
  

Data Subject Rights - GDPR vs. PDPL