On 4 January 2022, through Rule 1/2022, the National Registry of Persons (RENAPER, which is its acronym in Spanish) approved its personal data protection policy. The purpose of the policy is to safeguard and protect the right to privacy of individuals whose personal data is processed by this public body.
RENAPER's purpose is to collect, store, process and manage the data of individuals living in Argentina and of Argentine citizens living abroad. RENAPER is obliged to meet the provisions of personal data protection laws in any data processing activity conducted.
In October 2021, it was reported that RENAPER had suffered a security incident that could have compromised the personal data of Argentine citizens. The affected data could have been traded in clandestine markets, and it involved personal information such as photos, names, addresses and identity numbers, among other things. In view of the situation, RENAPER filed a criminal complaint before the Federal Criminal Court.
The new policy follows the guidelines of Resolution 40/2018 of the Argentine Agency for Access to Public Information (the Agency), which approved a model policy on personal data protection for the public sector. The main purpose of Resolution 40/2018 was to set forth basic guidelines to be used when drafting and implementing personal data protection policies.
The most important aspects of RENAPER's new policy are the following.
Appointment of personal data protection officer
RENAPER will appoint a personal data protection officer, who will ensure compliance with this policy and will advise those involved in the processing of personal data.
Data protection impact assessment
In cases where third parties in charge of data processing request access to the Agency's databases, RENAPER shall carry out a data protection impact assessment.
If a security breach is detected, the person in charge of information security shall report the incident to the Agency and to the National Cybersecurity Agency within 48 hours of becoming aware of the breach. The person in charge must follow the guidelines imposed by Administrative Decision 641/2021. The proper remediation and mitigating measures implemented and/or to be implemented must be reported as well.
Transfer of personal data
Personal data may be transferred to different state agencies directly to the extent that such transfer is required within the framework of their relevant tasks, roles and competences and provided that the processing is compatible with the purpose pursued by the transferee and the transferor. RENAPER shall ensure that the state agencies comply with this policy at the time of the transfer of personal data.
Privacy by design
RENAPER shall use all available technical and organisational measures to ensure, from the early stages of the design and development of any project involving the processing of personal data, that personal data protection rules and principles of this policy are properly addressed.
For further information on this topic please contact Mariano Peruzzotti or Mateo Darget at Ojam Bullrich Flanzbaum by telephone (+54 11 4549-4900) or email. The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.