Electricity provider
Medical institution
Financing entity
Financial trust
Internet and satellite TV service provider
The Agency of Access to Public Information (AAPI) recently imposed penalties on various organisations for violations of the Personal Data Protection Law No. 25,326 (PDPL). This article comments on each of these cases (for further details please see "Latest penalties imposed by Agency for Access to Public Information").
In a case brought before the AAPI, the claimant requested an electricity provider to remove his personal data, as the company had reported a debt that the claimant had challenged. There was no business relationship between the parties. As the claimant did not receive a positive response, he filed a complaint with the AAPI.
Consequently, the AAPI requested the company to:
- confirm that it had provided a response to the claimant in due time;
- remove the claimant´s personal data, if applicable; and
- register the databases with the national registry.
The electricity provider informed that the claimant had registered no debt. The AAPI forwarded the response to the claimant, who did not raise any concern or objection. Nevertheless, as the company had not complied with the obligation to register its databases, a fine of 80,001 Argentinian pesos (approximately $707.97 at the current exchange rate) was imposed.
In another case, the claimant asked a medical institution to remove her personal data. In view of the lack of response, she filed a complaint with the AAPI, which in turn requested the company to inform whether:
- it had proceeded with the removal of the personal data belonging to the claimant;
- it had registered its databases with the national registry.
The medical institution informed that it had removed the personal data and that the company's databases were already registered with the AAPI. The claimant additionally challenged the transfer of personal data to the relevant health insurance provider. However, the AAPI considered that the transfer was lawful under the terms of the PDPL, as in this case the consent of the data subject was not required.
As the organisation had not completed the database registration process, the AAPI penalised the company with a fine of 80,001 Argentinian pesos (approximately $707).
The claimant sent an email to the financing entity, requesting the update of her credit information, which was held in the company's records. As she received no reply, she filed a complaint with the AAPI. The AAPI requested the company to:
- inform whether it had given a response to the data subject in due time;
- proceed with the update of the relevant credit records, if applicable;
- report this modification concerning the individual's credit profile to the Central Bank and Equifax Argentina, if applicable; and
- comply with the registration of its databases with the AAPI.
As a consequence of not receiving a proper reply, the AAPI considered that the company committed the following infringements:
- failure to provide the requested information; and
- failure to comply with the request for access, rectification or removal of personal data.
Regarding the registration of its databases, the AAPI could verify that the company had complied with the obligation in due time. Thus, the AAPI imposed a fine of 40,001 Argentinian pesos (approximately $354).
In this case, the claimant requested a financial trust to inform them about an alleged debt that the company had claimed insistently. As there was no response, the claimant filed a complaint with the AAPI. Consequently, the AAPI ordered the company to:
- inform whether it had answered the claimant's petition;
- remove the relevant personal data or inform the reasons for the refusal, if applicable;
- cease with any communication addressed to the claimant or her relatives requesting the payment of the debt, if applicable;
- comply with the obligation of registering the database with the AAPI.
The AAPI considered that the company committed the following violations:
- failure to provide the information requested; and
- failure to comply in due time with the request for access, rectification or removal of the personal data.
The AAPI realised that the company had complied with the registration obligation before being served notice of these charges. Since the company did not answer the notifications, the AAPI imposed a fine of 60,000 Argentinian (approximately $530). In the following case, the AAPI imposed a penalty for breaching the provisions of the do-not-call registry regime.
Internet and satellite TV service provider
The AAPI received 724 complaints against a company for alleged abuse of contact, advertising, offer, sale and gift of unsolicited goods or services by telephone. This conduct could constitute an infringement to the Do Not Call Registry Law No. 26,951. Consequently, the AAPI requested the company to provide information about the case and submit its defences.
The company's arguments were dismissed and the AAPI imposed a fine of 3 million Argentinian pesos ($26,548) for committing the following infringements:
- failure to provide the requested information in due time; and
- contacting 724 telephone lines that were duly registered with the do-not-call registry.
For further information on this topic please contact Mariano Peruzzotti or Belen Sorrentino at Ojam Bullrich Flanzbaum by telephone +54 11 4549 4900 or email ([email protected] or [email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.