Impact of guidelines on Argentina
On 11 November 2021, the Ibero-American Data Protection Network released for public comment a draft guide for the implementation of standard contractual clauses (SCCs) that can be used to validate international data transfers. The guide aims to set out the main aspects to be considered when international transfers of personal data are validated by means of SCCs.
This article comments on the guide's impact on Argentine data protection regulations.
The guide lists a number of recommendations and guidelines on the practical implementation of SCCs. It also proposes two set of SCCs: one for transfers between controllers and the other for controllers to processors transfers. These two sets are considered to be a preliminary step, as the network expects to create several other templates addressing other situations in the future.
Impact of guidelines on Argentina
The Argentine Personal Data Protection Law (No. 25,326) prohibits the transfer of personal data to countries that do not ensure an adequate level of protection. Argentina's data protection authority, the Agency for Access to Public Information (the Agency) has deemed the following jurisdictions to have that adequate level of protection:
- member states of the European Union and the European Economic Area;
- the United Kingdom;
- Northern Ireland;
- the Isle of Man;
- the Faeroe Islands;
- Canada (only the private sector);
- New Zealand;
- Israel; and
The transfer of personal data to non-adequate countries is permitted when:
- specific circumstances, which are provided for by law, apply to the case (such as international judicial collaboration and transfer of data under international treaties);
- the data subject consents to the transfer; or
- adequate levels of protection arise from:
- contractual clauses (as international data transfer agreements); or
- systems of self-regulation (as binding corporate rules).
The Agency's Rule No. 60-E/2016 approved two set of SCCs that can be used in cases of international data transfers (controller to controller and controller to processor transfers). Parties may freely use these templates or implement a different data transfer agreement, as long as this reflects the principles, safeguards and content related to the personal data protection contained in the standard model clauses. In the event that parties choose not to use these models and instead sign a data transfer agreement that does not reflect the principles, safeguards and content contained in the model clauses, such agreement will need to be submitted to the Agency for approval within 30 calendar days from the execution of the data transfer agreement.
The guide does not replace or repeal either the Argentine legislation, the Agency's provisions or Argentine SCCs. Indeed, the application of this guide and the use of SCCs shall follow the recommendations, provisions and regulations of the local data protection authorities and go hand in hand with local legislation. Thus, for the time being, companies may still rely on Argentine SCCs to validate cross-border data transfer to countries that were not deemed adequate by the agency.
For further information on this topic please contact Mariano Peruzzotti, Santiago Durañona or Antonella Balbo at Ojam Bullrich Flanzbaum by telephone +54 11 4549-4900 or email ([email protected], [email protected] or [email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.