The Third Division of the Court of Appeals in Civil and Commercial Matters of Rosario recently confirmed a decision of the lower court in a habeas data action, holding a company (data controller) responsible for not providing sufficient information to the plaintiff (data subject) upon request.
The controversy began when the claimant sought to exercise his right to access his personal data under Section 14 of the Argentine Data Protection Law No. 25,326 ("DPL"), and consequently sent a private letter to the company requesting access to any personal data related to him that may be available at the company's databases. Upon receiving what he considered to be 'insufficient information' from the company, he filed a habeas data action against the company. Habeas data is a constitutional remedy by means of which an Argentine citizen can request the access, rectification, actualization or even the destruction of the personal data held by any third party before a court, on an urgent basis.
In its defense, the company argued that (i) it had provided the information in a letter sent to the claimant in response to his out-of-court communication, (ii) it had again provided the information when the company responded to the judicial claim, and (iii) it should not have the burden of proving that it had provided sufficient information. Nevertheless, the Court of Appeals confirmed the lower court's decision, ruling that data subjects are entitled to resort to habeas data actions not only when an out-of-court request for access under the DPL has been denied or ignored, but also when it has been answered with insufficient information.
In sum, the Court of Appeals established that insufficient information is grounds for a habeas data action, contributing to discussions on how the right of access granted by the DPL operates in relation to the constitutional right to bring forward habeas data actions.