Use the Lexology Navigator tool to compare the answers in this artilce with those from other jurisdictions.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
The person responsible for a database must register it with the National Data Protection Agency (DPAgency). Once it has been registered, the responsible person should obtain consent from the owner of the personal data in order to process it.
In the case of sensitive information, the owner of the personal data cannot be obliged to provide it and the data can be collected only if there is legal authorisation to do so. Anonymised sensitive information can be processed for statistic and scientific purposes. Religious, political and union entities can maintain databases containing the sensitive information of members. Any other database of sensitive information is prohibited.
All personal data must be collected, stored and processed following the security standards set out in Disposition 9/2008 issued by the DPAgency.
Finally, all personal data collected must be true, adequate, related and non-excessive for the purpose for which it was collected. The purpose is key because the Data Protection Act states that personal data cannot be used for any purpose different from that which the owner was told about when it was collected. Collection must not be carried out through any procedure that is against the Data Protection Act or its spirit. If the personal information changes, the data must also be changed if necessary. If the personal data is inaccurate or incomplete, the person responsible for the database must modify or destroy it on notice. Once the purpose for which the data was collected has been completed, the data will be destroyed.
Data storage must be carried out in a way that allows data subjects to exercise their right of access.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
According to Section 4.7 of the Data Protection Act, once personal data is no longer needed for the purpose for which it was required, it must be destroyed. Section 16.7 of the act also states that personal data must be kept for the term set out in the applicable regulation, as well as the term agreed on by the person responsible for the database and the owner of the personal data.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Under Section 14 of the Data Protection Act individuals and corporations have the right to access the personal data held by a public database or a private database that allows it. In order to exercise the right to access, the individual should file a request (in any manner that he or she deems proper) and provide identification. On receipt of the request, the person responsible for the database has 10 business days to provide the information. If the request is not answered, the individual can file a claim of habeas data. The individual can exercise this right every six months free of charge or sooner if there is a valid purpose for the request. In the case of a deceased person, his or her heirs can exercise this right.
Do individuals have a right to request deletion of their data?
Yes. Under Section 17 of the Data Protection Act individuals and corporations have the right to request deletion of their data. The right is exercisable only if the personal data is wrong or false. The owner of the personal data must file a request with the person responsible for the database, which must reply within five working days. If the personal data was wrong or false and it was subject to a data transfer, the person responsible for the database must notify the measure taken to the party to which the data was transferred in order to replicate the suppression of the data within five working days of the deletion. This right does not apply if the deletion could cause harm to third parties or there is a mandatory duty to keep the data. While the responsible person is analysing the request, the information under review should be blocked.
Is consent required before processing personal data?
Consent is required for the processing of personal data. According to Section 5 of the Data Protection Act, consent should be given in writing or in an equivalent form.
Consent is considered valid if it was given freely and expressly, and the person giving consent was informed about the conditions under which the personal data will be processed.
If consent is not provided, are there other circumstances in which data processing is permitted?
Consent is not required if the personal data:
- was collected from public databases;
- was collected during the exercise of government authority or a regulation that allows the collection of personal data;
- if it is limited to name, identification, fiscal identification, job, date of birth and address;
- was provided under a contractual, scientific or professional relationship and the personal data is necessary for its performance; or
- is related to the information that financial entities are entitled to provided freely.
What information must be provided to individuals when personal data is collected?
Before any personal data is processed, the person responsible for the database should provide the individual with the information set out in Section 6 of the Data Protection Act:
- the purpose of processing;
- information regarding the registration of the database;
- whether it is mandatory to provide the personal data;
- the consequence if the personal data is not provided; and
- how the rights of access, modification and suppression will be exercised.
In the event that consent is given among other declarations, this information should be stated before the clause where the individual provides his or her consent.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Section 12 of the Data Protection Act and the application sections of Decree 1558/2001 regulate international data transfers.
Are there restrictions on the geographic transfer of data?
In order to perform an international transfer of data, the target destination must have adequate levels of protection; otherwise, the transfer is prohibited by the Data Protection Act.
If the target destination does not offer an adequate level of protection, the prohibition can be lifted if one of the following applies:
- international judicial cooperation;
- exchange of medical data (provided that the sensitive information is anonymised), for the treatment of the patient or epidemiologic research;
- a banking or stock market-related transfer;
- an international treaty to which Argentina is a signatory state; or
- international cooperation between intelligence agencies for the war on crime, terrorism and drugs.
According to Decree 1558/2001, the National Data Protection Agency can propose the designation of certain jurisdictions as “adequate” in terms of international data transfers and suggest to the executive the issuance of decrees setting out the level of protection. If a decree is issued, the transfer will be valid.
Decree 1558/2001 also allows for international data transfers if the owner of the personal data has given his or her consent for such action or the target destination involves a public database. Moreover, the adequacy level of the protection can be guaranteed with an agreement between the parties involved in the data transfer setting out their commitment to provide the necessary level of protection for the personal data involved.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
In the event that personal data is transferred to a third party for processing, there should be an agreement between the person responsible for the database and the third party. According to Section 25 of the Data Protection Act, the data transferred cannot be used for any purpose other than the purpose set out in the agreement or assigned to other parties for any purpose, including storage. On performance of the requested processing, personal data should be destroyed unless the third party believes that further processing of the personal data could be requested; in such case, data can be stored for up to two years.
Click here to view the full article.