New regulations by Argentine Data Protection Authority
Mariano Peruzzotti, Ojam Bullrich Flanzbaum | Tech, Data, Telecoms & Media - Argentina
December 23 2022

The Argentine Agency for Access to Public Information (the agency), which is the controlling authority for the Argentine Personal Data Protection Law No. 25,326, has recently been very active in implementing changes to several aspects of the data protection legal framework. This article explains how foreign data controllers will now be allowed to report their data processing activities in Argentina. Moreover, the data protection sanction regime was recently amended.

Registration of databases of foreign data controllers

On 29 November, the agency released a web form to be used by foreign individuals or legal entities that process personal data of Argentine data subjects to comply with the obligation of registering databases.

According to the current legislation, data controllers must report their data processing activities with the National Registry of Databases of the agency.

Before the implementation of this new form, the National Registry was only available to Argentina-based data controllers.

Amendments to sanctions regime

Resolution 240/2022

On 5 December 2022, the agency's Resolution 240/2022 was published in the Official Gazette. Resolution 240/2022 introduces some modifications to the regime on data protection infringements and sanctions as established in Rule No. 7/2005 of the former National Directorate for Personal Data Protection.

Resolution 240/2022 includes two annexes that set forth a new sanctions regime.
It also provides for new parameters for infringements to the Personal Data Protection Law and the Do Not Call Law.

Annex I of Resolution 240/2022 introduced several modifications to the different conducts that are classified as minor, serious and very serious infringements to the data protection regime.

Annex II modified the fines as follows:

For minor infringements, there are now fines ranging between 1,000 and 80,000 Argentine pesos (approximately $5,6 and $450,70 at the official exchange rate of 12 December 2022).
For serious infringements, there are now fines ranging between 80,000 and 90,000 Argentine pesos (approximately $450,70 and $507).
For very serious infringements, there are now fines ranging between 90,000 and 100,000 Argentine pesos (approximately $507 and $563).

Resolution 244/2022

On the other hand, the agency's Resolution 244/2022, published in the Official Gazette on 6 December 2022, amended the maximum number of fines that can be imposed in case of infringements.

When an infringement includes more than one pecuniary sanction for an identical conduct that constitutes a violation within the same classification of infringement set forth in Resolution 240/2022 (minor, serious or very serious), the following rules will apply:

For minor infringements, there are now fines up to 3 million Argentine pesos ($16,901).
For serious infringements, there are now fines up to 10 million Argentine pesos ($56,338).
For very serious infringements, there are now fines up to 15 million Argentine pesos ($84,507).

Genetic data

As a consequence of the recent approval of Convention 108+ by the Argentine Congress, the agency has just released a guideline on the processing of genetic data.

Pursuant to the agency's Resolution 255/2022, "genetic data" is defined as the inherited or acquired features of a natural person which provide information about their physiology or health.

Genetic data will be deemed to be sensitive personal data where it uniquely identifies a natural person and can
reveal information concerning health or the physiological pattern of a data subject or might lead to any act of discrimination.

Where genetic data is considered to be sensitive data, stricter security and confidentiality measures must be implemented pursuant to section 9 of the Personal Data Protection Law and the agency's Resolution No. 47/2018.

These guidelines are compulsory for controllers and processors that are subject to the terms of the Personal Data Protection Law.

Comment

The agency has been very active in regulating aspects of the law imposing fines on organisations that violated the provisions of the Personal Data Protection Law or the Do Not Call Law. It is expected that this trend will continue in the future.

For further information on this topic please contact Mariano Peruzzotti at Ojam Bullrich Flanzbaum by telephone +54 11 4549 4900 or email ([email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.