Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
In Argentina, data protection is covered by the Data Protection Act (Law 25,326) and its amendments and regulatory decrees. The Data Protection Act was enacted on October 4 2000 and has been amended only once in order to address issues related to data protection and the Argentine 2001/2002 economic crisis. Thus, the Data Protection Act does not deal with existing legal issues that were not foreseen when it was enacted. Some new issues, such as drones and video surveillance, have been addressed by the National Data Protection Agency (DPAgency) through regulations issued after the enactment of the Data Protection Act. As a result, while the Data Protection Act may appear to be behind the international curve regarding current issues, the DPAgency takes steps to interpret the Data Protection Act in order to keep up with new legal issues.
Are any changes to existing data protection legislation proposed or expected in the near future?
At present, there are several proposals to amend different aspects of the Data Protection Act. However, none of these have been approved by the National Congress. The DPAgency has stated that it will focus on applying the Data Protection Act. However, in June 2016 the DPAgency opened a public consultation to discuss the amendment of the Data Protection Act in light of the changes in European regulation.
What legislation governs the collection, storage and use of personal data?
The Data Protection Act, its regulatory decrees, mainly Decree 1,558/2001, and the regulation enacted by the National Data Protection Agency (DPAgency).
Scope and jurisdiction
Who falls within the scope of the legislation?
According to the Data Protection Act, any party responsible for a database is subject to the Data Protection Act. The responsible party is any individual or legal entity, either public or private, which owns a data archive, data registry, database or databank. The Data Protection Act defines a ‘data archive, data registry, database or databank’ as any organised set of personal data subject to any kind of processing, whether electronic or not, without discriminating regarding the process for the formation, storage or organisation of, or access to, the personal data. As a consequence, the party responsible for a database must register it with the DPAgency.
What kind of data falls within the scope of the legislation?
All personal data is protected by the Data Protection Act. According to Section 2 of the act, personal data is any information regarding individuals and legal entities that could be used to identify the owner of the personal data. Moreover, Section 2 also states that some personal data will be considered as ‘sensitive data’, which is defined as personal data related to the ethnic or racial origin of an individual, his or her political opinion, religious, philosophical or moral beliefs, union affiliation and any other information related to his or her health or sexual preferences.
Are data owners required to register with the relevant authority before processing data?
Yes. According to Sections 3 and 21 of the Data Protection Act, registration with the DPAgency is required in order to consider the database lawful. If personal data is processed before the registration of the database, this implies that the collection is unlawful even if the owner gave proper consent.
Is information regarding registered data owners publicly available?
Yes. The DPAgency has a public record of the databases registered with it, which is available to the public on its website. The record lists:
- the person responsible for the database;
- the purpose for which the personal data has been collected;
- the person in charge of compliance with the access rights of the owners of the personal data; and
- the location of the database.
Is there a requirement to appoint a data protection officer?
No, there is no legal requirement to appoint a data protection officer. It is recommended that when the database is registered, the person in charge of compliance with the rights of the personal data owners be the same person as the owner of the database.
Which body is responsible for enforcing data protection legislation and what are its powers?
The DPAgency is in charge of the enforcement of the Data Protection Act. According to Section 29 of the act, the DPAgency has all the necessary powers to fulfil the objectives and purposes of the act. In particular, Section 29 gives the DPAgency the power to:
- assist and give advice to any party that requests help regarding the interpretation of data protection law and the legal procedures available to it for the defence of its rights under the Data Protection Act;
- issue regulations setting out the legal framework for compliance with the Data Protection Act;
- check that the integrity and security of database complies with the regulation;
- perform a census of the local databases and maintain a record of the registered databases;
- request information from the person responsible for a database related to the processing of personal data while maintaining the security and confidentiality of the information provided;
- impose fines and initiate criminal proceedings before the courts in case of violation of the Data Protection Act and its regulation; and
- check the compliance of databases that provide personal data reports under the Data Protection Act and its regulation.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
The person responsible for a database must register it with the National Data Protection Agency (DPAgency). Once it has been registered, the responsible person should obtain consent from the owner of the personal data in order to process it.
In the case of sensitive information, the owner of the personal data cannot be obliged to provide it and the data can be collected only if there is legal authorisation to do so. Anonymised sensitive information can be processed for statistic and scientific purposes. Religious, political and union entities can maintain databases containing the sensitive information of members. Any other database of sensitive information is prohibited.
All personal data must be collected, stored and processed following the security standards set out in Disposition 9/2008 issued by the DPAgency.
Finally, all personal data collected must be true, adequate, related and non-excessive for the purpose for which it was collected. The purpose is key because the Data Protection Act states that personal data cannot be used for any purpose different from that which the owner was told about when it was collected. Collection must not be carried out through any procedure that is against the Data Protection Act or its spirit. If the personal information changes, the data must also be changed if necessary. If the personal data is inaccurate or incomplete, the person responsible for the database must modify or destroy it on notice. Once the purpose for which the data was collected has been completed, the data will be destroyed.
Data storage must be carried out in a way that allows data subjects to exercise their right of access.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
According to Section 4.7 of the Data Protection Act, once personal data is no longer needed for the purpose for which it was required, it must be destroyed. Section 16.7 of the act also states that personal data must be kept for the term set out in the applicable regulation, as well as the term agreed on by the person responsible for the database and the owner of the personal data.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Under Section 14 of the Data Protection Act individuals and corporations have the right to access the personal data held by a public database or a private database that allows it. In order to exercise the right to access, the individual should file a request (in any manner that he or she deems proper) and provide identification. On receipt of the request, the person responsible for the database has 10 business days to provide the information. If the request is not answered, the individual can file a claim of habeas data. The individual can exercise this right every six months free of charge or sooner if there is a valid purpose for the request. In the case of a deceased person, his or her heirs can exercise this right.
Do individuals have a right to request deletion of their data?
Yes. Under Section 17 of the Data Protection Act individuals and corporations have the right to request deletion of their data. The right is exercisable only if the personal data is wrong or false. The owner of the personal data must file a request with the person responsible for the database, which must reply within five working days. If the personal data was wrong or false and it was subject to a data transfer, the person responsible for the database must notify the measure taken to the party to which the data was transferred in order to replicate the suppression of the data within five working days of the deletion. This right does not apply if the deletion could cause harm to third parties or there is a mandatory duty to keep the data. While the responsible person is analysing the request, the information under review should be blocked.
Is consent required before processing personal data?
Consent is required for the processing of personal data. According to Section 5 of the Data Protection Act, consent should be given in writing or in an equivalent form.
Consent is considered valid if it was given freely and expressly, and the person giving consent was informed about the conditions under which the personal data will be processed.
If consent is not provided, are there other circumstances in which data processing is permitted?
Consent is not required if the personal data:
- was collected from public databases;
- was collected during the exercise of government authority or a regulation that allows the collection of personal data;
- if it is limited to name, identification, fiscal identification, job, date of birth and address;
- was provided under a contractual, scientific or professional relationship and the personal data is necessary for its performance; or
- is related to the information that financial entities are entitled to provided freely.
What information must be provided to individuals when personal data is collected?
Before any personal data is processed, the person responsible for the database should provide the individual with the information set out in Section 6 of the Data Protection Act:
- the purpose of processing;
- information regarding the registration of the database;
- whether it is mandatory to provide the personal data;
- the consequence if the personal data is not provided; and
- how the rights of access, modification and suppression will be exercised.
In the event that consent is given among other declarations, this information should be stated before the clause where the individual provides his or her consent.
Data security and breach notification
Are there specific security obligations that must be complied with?
According to Section 9 of the Data Protection Act, the registration of personal data in a database is forbidden if the technical conditions for the integrity and security of the data are not met. The responsible person must adopt all the organisational and technical measures necessary to guarantee the confidentiality and security of the personal data in a manner that it prevents non-authorised modifications, loss, access or processing, or it allows for the detection of information deviations, whether the risks arises from human interaction or the technical infrastructure.
Section 10 of the Data Protection Act imposes a confidentiality duty on the responsible person and every person involved in the processing of personal data, even after the relationship with the data subject has ended. This duty can be lifted only by a judicial writ based on a national security, public safety or public health matter.
Are data owners/processors required to notify individuals in the event of a breach?
Are data owners/processors required to notify the regulator in the event of a breach?
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Section 27 of the Data Protection Act deals with spam and other kinds of unsolicited electronic marketing. Under this section, it is possible to process personal data in order to create specific profiles for promotional, commercial or advertising purposes or to establish consumer patterns, provided that the personal data is available to the public or has been provided with the consent of the owner of the personal data.
Decree 1588/2001 provides that consent will not be required in the case of consumer profiling, provided that the consumer is identified only by belonging to a certain category of consumers and the personal data necessary to send the marketing material to him or her. It also establishes that all communication carried out over the Internet should state clearly that the owner of the personal data can request to opt out or block – either totally or partially – its name from the database. On request, the person responsible for the database must provide information on the source of the information.
Moreover, Disposition 4/2009 of the National Data Protection Agency provides that every communication must state that the owner of the personal data can request to opt out or block – either totally or partially – its name from the database, as well as the mechanism in place to exercise those rights. Further, it should include a transcript of Section 27.3 of the Data Protection Act and Section 27(3) of Appendix I of Decree 1558/2001. It also requires that communication sent is labelled as “advertising” – in particular, in the case of spam, the subject must include the word ‘advertising’.
No specific provisions in the Data Protection Act or any related regulation deal with cookies. However, as information requires some kind of relationship with an individual or entity in order to be considered personal data, cookies are not regarded as personal information.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Section 12 of the Data Protection Act and the application sections of Decree 1558/2001 regulate international data transfers.
Are there restrictions on the geographic transfer of data?
In order to perform an international transfer of data, the target destination must have adequate levels of protection; otherwise, the transfer is prohibited by the Data Protection Act.
If the target destination does not offer an adequate level of protection, the prohibition can be lifted if one of the following applies:
- international judicial cooperation;
- exchange of medical data (provided that the sensitive information is anonymised), for the treatment of the patient or epidemiologic research;
- a banking or stock market-related transfer;
- an international treaty to which Argentina is a signatory state; or
- international cooperation between intelligence agencies for the war on crime, terrorism and drugs.
According to Decree 1558/2001, the National Data Protection Agency can propose the designation of certain jurisdictions as “adequate” in terms of international data transfers and suggest to the executive the issuance of decrees setting out the level of protection. If a decree is issued, the transfer will be valid.
Decree 1558/2001 also allows for international data transfers if the owner of the personal data has given his or her consent for such action or the target destination involves a public database. Moreover, the adequacy level of the protection can be guaranteed with an agreement between the parties involved in the data transfer setting out their commitment to provide the necessary level of protection for the personal data involved.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
In the event that personal data is transferred to a third party for processing, there should be an agreement between the person responsible for the database and the third party. According to Section 25 of the Data Protection Act, the data transferred cannot be used for any purpose other than the purpose set out in the agreement or assigned to other parties for any purpose, including storage. On performance of the requested processing, personal data should be destroyed unless the third party believes that further processing of the personal data could be requested; in such case, data can be stored for up to two years.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
The Data Protection Act stipulates that violations to the act will be determined by the National Data Protection Agency. Potential penalties include a written warning, suspension, a fine of between Ps1,000 and Ps100,000 and closure of the database.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Section 31 of the Data Protection Act provides that any individual or legal entity can file a claim for damages due to breach or non-compliance with the act.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
The Criminal Code lists certain actions that could be considered as cybercrime. The Data Protection Act and the Cybercrime Law (26,388) amended certain sections of the code in order to introduce several cybercrimes under existing criminal actions.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Argentina asked to join the Budapest Convention on Cybercrime in 2010; however, as yet it has not been accepted as a member state, despite having adopted several convention provisions into national legislation.
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code criminalises the following activities:
- the online distribution of child pornography;
- illegal email access;
- illegal access to a secure computer system;
- the online publication of private emails;
- the online publication of secrets;
- illegal access to a database;
- the illegal publication of personal data that is secret under certain regulations;
- the introduction of false persona data into a database;
- damage to computers, databases and software;
- denial of service attacks, hacking and modification; and
- the theft, hiding and destruction of digital evidence.
Which authorities are responsible for enforcing cybersecurity rules?
The judiciary and the attorney general are in charge of dealing with cybercrime. The entity in charge of the investigation, prosecution or assessment of cybercrime activities considers several factors, such as the place where the crime was committed and the victim.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Are companies required to keep records of cybercrime threats, attacks and breaches?
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Are companies required to report cybercrime threats, attacks and breaches publicly?
There is no legal obligation to report cybercrime under data protection legislation. However, certain companies, such as those which publicly offer securities, may be obliged to report them if they trigger certain reporting duties.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The penalty depends on the kind of cybercrime committed. Penalties can range from fines to imprisonment.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The penalty depends on the kind of cybercrime committed. Penalties can range from fines to imprisonment.