Zang, Bergel & Viñes Abogados
What law(s) specifically govern personal data / information?
Personal data protection is regulated by the Personal Data Protection Law No. 25,326 (“PDPL”).
This regulatory framework is supplemented by other standards, such as:
- The Constitution of the Argentinian Nation in its Section 43, third paragraph.
- Decree No. 1,558/2001, as amended, which regulates Personal Data Protection Law No. 25,326.
- Law No. 27,483: adherence to Agreement to the Protection of People in regard to the Automatic Processing of Personal Data from Strasbourg, France.
- Law No. 27,725: Right to Access to Public Information.
- Disposition No. E 60/2016, establishing requirements for the international transfers of personal data.
- Resolution No. 159/2018: Guidelines and basic standards contents of binding corporate rules.
- Resolution No. 47/2018: Recommended security measures for the treatment and conservation of personal data by computerised and non-computerised means.
- Resolution No. 4/2019: Guiding criteria and indicators of good practices in the application of Law No. 25,326, whose annex refers to:
  - Systems of video surveillance;
  - Data dissociation;
  - Biometric data; and
  - Consent.
- Law No. 26,951: Creation of the “Do not Call” National Registry.
- Additional Protocol No. 108+. Ratified by Law No. 27,699.
- Disposition No. 2/2023: Recommendations for a reliable Artificial Intelligence.
- Law No. 26,548: Genetic Data National Bank.
What are the key data protection principles in this jurisdiction?
The protection of personal data is based on the principles of data quality, lawfulness of collection, respect for the stated purpose, consent and knowledge of the data subject and the existence of independent supervisory bodies.
What is the supervisory authority / regulator in charge of data protection?
Agency of Access to Public Information (AAIP).
https://www.argentina.gob.ar/aaip
The AAIP is a decentralised body within the reach of the Presidency of the Cabinet of Ministers, in the executive branch.
Is there a requirement to register with a supervisory authority / regulator?
Yes, there is an obligation to register databases and/or the ownership, processing, and use of them with the enforcement agency.
Any database that includes personal data must be registered with the Agency for Access to Public Information, in accordance with the information requirements set out in Section 21 of the PDPL. Data users are not permitted to hold personal data of a different nature than that recorded in the register. Failure to comply with these requirements may result in administrative sanctions imposed by the AAIP, as outlined in Section 29 of the PDPL.
Provision No. 2 - E/2005 implements the National Registry of Databases covered by the PDPL.
Is there a requirement to notify the supervisory authority / regulator?
Although there is no local legislation in force, in 2022 Argentina enacted Law No. 27,699, by which the Argentine Republic acceded to the Additional Protocol (Convention No. 108+) amending Convention No. 108.
Section 7 of the said Convention establishes that the data controller must notify at least the competent supervisory authority (AAIP), within the first 72 hours of becoming aware of an incident, of those data breaches that may seriously affect the fundamental rights and freedoms of data subjects.
Although Argentina has ratified Convention 108+, its application is not yet enforceable because the minimum number of countries required for it to enter into force has not been reached.
Is it possible to register with / notify the supervisory authority / regulator online?
Step 1: Register a private database controller.
https://www.argentina.gob.ar/servicio/inscribir-un-responsable-de-bases-de-datos-personales-privadas
Step 2: Register private personal databases.
https://www.argentina.gob.ar/registrar-bases-de-datos-personales-privadas
For any queries regarding the National Register of Personal Databases, the e-mail address is: [email protected].
What are the key data subject rights under the data protection laws of this jurisdiction?
The PDPL states that the data subject has the following rights:
- Right to information and its content.
- Right of access.
- Right to update/correct.
- Right to erasure.
The rights of data subjects may be exercised in the following ways:
- Right to information and its content: Anyone may ask the AAIP for information on the existence of files, registers or personal data banks, on their purpose and on the identity of those responsible.
- Right of access for data subjects: The data subject has the right to request and obtain, after verification of their identity, information on their personal data included in public or private data banks intended for reporting purposes.
- Right to update, rectify and delete: Everyone has the right to rectify, update and, if necessary, delete or make private the data concerning them that are included in a database.
- Action for the protection of personal data or habeas data: The legitimacy, procedural forms, requirements and other information for the exercise of this action are provided in Chapter VII "Action for the protection of personal data" of the PDPL.
The PDPL also refers to the possibility of lodging a complaint with the AAIP in the event of a lack of response or incomplete information from the person responsible for the database when exercising these rights. In this regard, section 33 of the PDPL provides for an action for the protection of personal data or habeas data, which will proceed as follows:
- To be informed of the personal data stored in public or private files, registers or databases and of the purpose of their use;
- In cases where it is presumed that the information in question is false, inaccurate or outdated, or that data whose registration is prohibited by law is being processed, to demand its rectification, cancellation, confidentiality or updating.
Is there a requirement to appoint a data protection officer (or equivalent)?
The law does not require the appointment of a data protection officer.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
Not required by the PDPL. However, the AAIP, together with the Regulatory and Personal Data Control Unit of Uruguay, has produced a guide to impact assessment for the processing of personal data, in order to provide a reference document for companies and public entities on the concept, context and methodology of an impact assessment in relation to data protection ("EIPD").
Does this jurisdiction have any specific data breach notification requirements?
Although there is no local legislation in force, in 2022 Argentina enacted Law No. 27,699, by which the Argentine Republic acceded to the Additional Protocol (Convention No. 108+) amending Convention No. 108.
Section 7 of the said Convention establishes that the data controller must notify at least the competent supervisory authority (AAIP), within the first 72 hours of becoming aware of an incident, of those data breaches that may seriously affect the fundamental rights and freedoms of data subjects.
Although Argentina has ratified Convention 108+, its application is not yet enforceable because the minimum number of countries required for it to enter into force has not been reached.
What restrictions apply to the international transfer of personal data / information?
The PDPL forbids the transfer of personal data of any kind to countries or international/supranational bodies that do not provide adequate levels of protection. However, this prohibition does not apply if the data subject has expressly consented to the transfer.
Through Disposition No. 60 - E/2016, published in the Official Gazette on November 18, 2016, the National Directorate of Personal Data Protection (now AAIP) regulated aspects related to the transfer of personal data. The Disposition establishes the countries whose legislation is considered adequate in regard to personal data protection: member states of the European Union and of the European Economic Area, Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands, Canada (private sector only), New Zealand, Andorra, and Uruguay. That is, the adequacy decisions issued by the European Union have been taken into account.
The Disposition approves two model contracts for use in international transfers of data to non-adequate countries, one for data transfers and one for the rendering of services. These models follow in many ways the contractual model clauses the EU established in Decision No. 2001/497/CE and Decision No. 2010/87/UE.
Through Resolution No. 159/2018, the AAIP adopted Binding Corporate Rules to be considered when designing self-regulation documents for corporations that are part of the same economic group, for the international transfer of personal data.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The PDPL regulations do not explicitly mention extraterritorial application, but they are intended to protect data subjects residing in Argentina. So, if an overseas Controller collects data of Argentinian data subjects, the PDPL will apply to them.
What rules specifically deal with marketing?
Decree 1558/01, which regulates Article 27 of Law 25.326, establishes that "data may be collected, processed, and transferred for advertising purposes without the consent of the data subject when intended for the formation of specific profiles, which categorise similar preferences and behaviours of individuals, provided that the data subjects are identified solely by their belonging to such generic groups, along with the individual data strictly necessary to formulate the offer to the recipients."
Additionally, any communication for advertising purposes made by mail, telephone, e-mail, Internet, or other remote means must expressly and prominently indicate the possibility for the data subject to request the removal or blocking, in whole or in part, of their name from the database. Upon request by the data subject, the name of the data controller or database user who provided the information must be disclosed.
Provision 4/2009, in turn, establishes the obligation to inform the person receiving the advertisement of the option to exercise the right of withdrawal or blocking provided for in Section 27, Subsection 3, of Law 25.326. This option must be included in any communication made for advertising purposes, along with the mechanism provided for its exercise.
Do different rules apply to business-to-business and business-to-consumer marketing?
The rules regarding the processing of personal data are the same for both business-to-business and business-to-consumer marketing. All activities must comply with the principles and guidelines established under the PDPL.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
There are no additional rules beyond those outlined in the response to the question, “what rules specifically deal with marketing?”
What rules specifically deal with cookies?
In Argentina, there is no specific law that regulates cookies in relation to privacy and personal data protection. However, it is important to note that the current regulations define "personal data" as any information related to an identified or identifiable individual.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The PDPL provides for various types of sanctions, which are listed below.
- Administrative sanctions (Section 31), which may consist of:
  - Warning;
  - Suspension of the file, registry or database;
  - Fine (in the text of the law 25326, the maximum fine is established at $100.000 pesos argentinos,
  - Closure of the file, registry or database; or,
  - Deletion of the file, registry or database.
These sanctions are graduated according to the seriousness and extent of the violations and the damage caused by them, thus guaranteeing the principle of due process.
In the same way, the AAIP publishes on its official website the list of the most important sanctioned companies, together with the corresponding resolutions of the AAIP containing the details of the sanctioned infringement, which also causes reputational damage that should be taken into account.
- Criminal sanctions: the possibility of applying the sanctions provided for in the National Criminal Code. This means that the criminal courts may impose criminal sanctions such as imprisonment from 1 month to 3 years, depending on the specific data protection offences.
It should be noted that the National Criminal Code provides for the following offences related to personal data (without including in its definition the modality by which they are committed):
  - Intentional inclusion of false information in a database of personal data.
  - Intentional communication to a third party of false information contained in a database of personal data.
  - Knowingly and unlawfully breaking into a database or otherwise violating the confidentiality of data and data security systems (unauthorised access).
  - Disclosure of confidential information in a personal data database that is required by law to be kept secret.
- Civil sanctions: Section 33 of the PDPL regulates the habeas data action, also referred to in the National Constitution, which allows civil claims for damages caused by a violation of the PDPL.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?
The PDPL applies to any processing of personal data conducted within Argentine territory, regardless of the location of the data controller or processor. Therefore, if a multinational organisation processes data of individuals in Argentina, it is subject to this regulation, even if its operations are conducted from abroad.
One of the fundamental principles of PDPL is the requirement for prior, free, express, and informed consent of the data subject. This means that any collection, storage, or use of personal data must be based on the explicit consent of the individual, except for specific exceptions provided by law.
Organisations must register their databases with the National Registry of Databases administered by the AAIP. This is mandatory and applies to any database containing personal information of residents in Argentina.
Data can only be transferred to countries that offer adequate levels of data protection, unless there is explicit consent from the data subject or appropriate measures are taken to ensure such protection.
Data Subject Rights: Organisations must be aware of the rights granted to data subjects by law, such as the right to access, rectify, update, and delete their personal data. It is crucial for organisations to establish effective mechanisms for individuals to exercise these rights.
Take into account the penalties that can be applied for non-compliance with the PDPL.
What upcoming data protection developments should multinational organisations be aware of?
On June 30, 2023, the National Executive Power submitted to Congress Message No. 87/2023, containing the final version of the draft Personal Data Protection Bill aimed at modernizing Law No. 25,326. However, this initiative ultimately lost parliamentary standing at the end of 2024. More recently, two new comprehensive reform bills, introduced by Deputy Pablo Carro and Senator Martín Doñate, have been lodged in Congress to update the legal framework in line with international standards such as the GDPR and Brazil’s data protection law, and both are inspired by the prior AAIP-led draft that had lapsed.