Actualidad Argentina

Personal Data protection

Personal Data protection Law

On 19 September the Argentine Executive passed the new Personal Data protection Law, which replaces the 25.326 Act and its amending regulations, the 26.343 Act.

The regulation brings in many new features to adapt to the new international personal data protection environment and to bring it up to date with new technology. The areas with the greatest impact on regulated entities' governance systems are highlighted below:

Purpose and scope of application

The law provides complete protection over personal data to ensure that title owners can exercise their rights fully. The law excludes from its scope of application data processing when this is carried out by a natural person for purely private or family use and it does not protect legal persons, since these are not viewed as title owners of fundamental rights.

In line with the latest international trends, and in particular with the European Parliament and Council's General Data Protection Regulations, of 27 April 2016, the law is also applicable in those cases where the data processing controller is not located in national territory, thus giving title owners greater protection.

New concepts and principles

New concepts have been included, such as biometric data, genetic data, data anonymity and security incident with personal data, while some existing concepts, such as personal data*, sensitive data and database, have been redefined.

Special importance is given to the principles of accuracy, transparency, safety and conservation period of data, and to the principle of data processing permission, including a new focus on the principles of data minimization and of proactive responsibility. For these effects, it is worth drawing attention to:

  • Conservation period: personal data will not be stored beyond the time that is strictly necessary to satisfy the purpose of the processing. Data may be stored for longer periods provided that they are processed for the purposes of public interest archive, research or for statistical reasons.
  • Proactive responsibility: such actions as are necessary to comply with proactive responsibility are set out, among them: the obligation to adopt privacy policies or to adhere to binding self-regulation mechanisms. Adhesion to these mechanisms is voluntary and can be materialized in codes of conduct, good practice codes, binding company standards, trustmarks and certifications.
  • Permissions: the law contains exhaustive regulation on the data owner's consent although, unlike the latest European regulation, tacit consent is allowed in certain scenarios. There is also a specific provision for processing the data of minors; their consent is valid when it is applied to processing data linked to their use of online services that are specifically designed for them. In these cases, consent will be lawful if the minor is at least 13 years old. If not, processing will only be lawful if the consent is granted by the minor's parents or guardians.

Rights of title owners and obligations of data processing controllers

The law regulates the basic rights of access, rectification, objection and removal. It acknowledges the inclusion of the right to be forgotten as part of the right of removal, and considers the newly acquired right of data portability.

In terms of obligations, the law includes the data processing controller's duty to inform the data owner of the purposes of the processing, the identity and contact data of the processing controller, the means available to them to exercise the rights listed above, data transfers both domestic and potential international ones, the right to withdraw consent and file a complaint, among others.

The new provisions introduced by the law are:

  • Data protection by design and by default: the data processing controller must use technological and organizational means before and during data processing to guarantee, furthermore, that only such personal data as is necessary for each of the purposes of the processing is actually processed.
  • Carrying out an impact study: before processing data which, by its very nature and scope is likely to involve a high risk of affecting the rights of the data owners. This assessment will be obligatory for automated data processing or profiling and for processing sensitive big data or data relative to criminal convictions.

Data Protection Officer

In line with international trends, the Argentinian law introduces the figure of the data protection officer; this position must be filled when the data processing controllers are public-sector bodies, are processing sensitive data or data in bulk.

This figure, which can also be appointed on a voluntary basis, will carry out their functions with independent criteria and will report only to the highest level of the organization; the person must meet the vetting requirements and be shown to have the capability and specific skillset to perform their duties.

This law will not come into force until two years after its publication in the Official Gazette.

* Information of any kind referring to particular, or determinable, human beings, including biometric data. "Determinable" will be understood as the person who can be identified by means of an identifier or by one or several characteristic elements of their physical, physiological, genetic, psychological, economic, cultural or social identity.