All questions

Data protection

i Requirements for registration

Pursuant to the Data Protection Act (Act No. 25,326), its complementary regulations and the interpretation of these regulations by the Data Protection Agency, all databases must be registered with the Agency, with the exception of databases maintained for personal rather than business reasons.

Even though not expressly established in the relevant regulations, the Data Protection Agency recommends that employers register the database containing their employees' information with the Agency. In order to register a database, companies must fill out a form, stipulating, among other things, the number of employees and the personal information to be provided. As employers are required by law to collect and store personal as well as sensitive data, no notification or consent is necessary.

In the context of their activities, companies are entitled to disclose who their employees are as well as the necessary information, but must avoid disclosing information that is not necessary or is sensitive. In general terms, Act No. 25,326 establishes that companies should adequately protect information, but it does not specify the manner in which this protection should be granted. In 2018, the Data Protection Agency issued some non-mandatory technical recommendations regarding protection, for example only allowing certain authorised individuals in the company to access the database. In case of a breach, companies who have followed these recommendations are likely to be treated more favourably by the Agency.

ii Cross-border data transfers

No regulation requires the registration of transfer of data.

Transfer of personal data (any kind of information, including full name, address, ID number) to countries or international organisations that afford adequate levels of protection does not require notification or consent. The transfer of personal data to other countries or international organisations that do not afford adequate levels of protection is, in principle, prohibited, unless the employee consents to the transfer or the employer and the foreign third party agree, in writing, with terms and conditions for the transfer set forth by the Data Protection Agency. Also, if a company follows the Guidelines for Binding Corporate Rules issued by the Data Protection Agency, the international transfer of personal data to companies of the same economic group in countries that do not afford adequate levels of protection is allowed.

iii Sensitive data

Sensitive data can only be collected when there are reasons of general interest provided by law; however, no person is obliged to provide such information. Sensitive data is, among other things, personal data related to an individual's ethnic or racial origin; political opinions; religious, philosophical or moral beliefs; trade union registrations; sexuality; and health or medical background. This data cannot be transferred, even with the consent of the employee.

iv Background checks

It is not unlawful to conduct background, credit or criminal record checks. However, the prospective employer should carry out these checks discreetly, out of respect for the candidate, and in a non-discriminatory manner. Employers are prohibited from making enquiries about a candidate's religious or political beliefs, union membership, or aspects related to his or her private life.