Privacy Law at Argentina
Argentina's Personal Data Protection Act (PDPA), officially known as Act 25.326, was enacted in 2000 to safeguard individuals' personal data and ensure transparency in data processing activities. Enforced by the Agency for Access to Public Information (AAIP), the PDPA aligns with international privacy standards, including the European Union's General Data Protection Regulation (GDPR).
📌 Key Provisions of the PDPA
Scope of Application:The PDPA applies to both public and private entities operating in Argentina that process personal data. It also extends to foreign entities that process data of individuals located in Argentina
Definition of Personal Data:Personal data encompasses any information related to identified or identifiable individuals, including sensitive data such as racial or ethnic origin, political opinions, religious beliefs, health information, and biometric data
Principles of Data Processing: The PDPA establishes several principles to guide data processing activities
Legality, Loyalty, and Transparency:Data must be processed lawfully, fairly, and transparently
Purpose Limitation:Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purpos
Data Minimization:Only data necessary for the intended purposes should be collected
Accuracy:Data must be accurate and kept up to date
Retention Limitation: Data should not be kept longer than necessary for the purposes for which it was collecte
Security: Appropriate technical and organizational measures must be implemented to protect data
Accountability:Data controllers are responsible for demonstrating compliance with these principles
🛡️ Rights of Data Subjects
Under the PDPA, individuals (data subjects) have several rights concerning their personal data:
Right to Access Individuals can request information about the existence of their personal data and access the data held by data controller.
Right to Rectification Individuals can request corrections to inaccurate or incomplete data.
Right to Deletion Individuals can request the deletion of their data when it is no longer necessary for the purposes for which it was collected.
Right to Object Individuals can object to the processing of their data under certain circumstance.
Right to Data Portability Individuals can request the transfer of their data to another data controller in a structured, commonly used, and machine-readable formal.
⚖️ Enforcement and Penalties
The AAIP is responsible for enforcing the PDPA and has the authority to impose sanctions for non-complianc. In 2022, Resolution 240/2022 was adopted, classifying offenses into three categorie:
Minor Offenses Fines ranging from ARS 1,000 to ARS 80,00.
Serious Offenses Fines ranging from ARS 80,001 to ARS 90,00.
Very Serious Offenses Fines ranging from ARS 90,001 to ARS 100,000 or a prohibition from processing data for one year. Additionally, the draft bill for the new Personal Data Protection Law proposes more stringent penalties, including fines up to 4% of a company's annual global turnover.
🔄 International Data Transfer
The PDPA permits international transfers of personal data to countries that provide an adequate level of protection, Argentina has been recognized by the European Union as providing adequate protection for personal data, facilitating data transfers between the two regios.
🆕 Proposed Refors
A new draft bill for the Personal Data Protection Law has been presented, introducing several significant chanes:
*Legal Bases for Processing: Shifting from a consent-based approach to include justifications such as legitimate interst.
*Expanded Rights: Introducing new rights for data subjects, including rights related to automated decisions and profilng.
**Data Protection Officer (DPO)*: Mandating the appointment of a DPO in certain cases.
**Data Protection Impact Assessments (DPIAs)*: Requiring DPIAs for high-risk processing activites.
*Extraterritorial Application: Applying the law to foreign entities that process data of individuals in Argentna.
*National Registry: Establishing a National Registry for Data Protecton.
RELATED Blog
0 comments