The Argentine Personal Data Protection Authority, the government authority in charge of overseeing Personal Data Protection Law 25,326, has issued three new rules governing aspects concerning inspection proceedings, the registration of databases and international personal data transfers.
1. Inspection proceedings
The Argentine Personal Data Protection Authority (“PDPA”)’s Rule 55- E/2016, published in the Official Gazette on November 18, 2016, replaces the former inspections regulatory framework implemented by means of the PDPA’s previous Rule 5/2008 as modified by PDPA’s Rule 3/2012 (see “Supervision and control rules of the Personal Data Protection Agency (Disposition No 5/2008)“ in Marval News # 73).
The most substantial changes introduced by this new Rule are the following:
- Compliance with Do Not Call Registry regulations (see “New Argentine “Do Not Call” Registry in Marval News #142 and “News About the “Do Not Call” Registry“ in Marval News #147) has been included as an aspect to be audited within the framework of the inspection.
- Unannounced inspections can be made whenever the PDPA deems it necessary or convenient. In all other cases, inspections will be made 15 working days after notice has been sent to the data controller.
- Notification can be omitted when such prior notice may affect the inspection being made.
- If infringements are detected, the PDPA will request the data controller to make the necessary adjustments within 15 working days under threat of initiating administrative proceedings and possibly applying a sanction to the inspected party. If, as a result of the proceedings, the inspected party proves to have fully met all legal conditions on personal data protection, the inspection proceedings will be closed.
2. Registration of databases
As a consequence of implementing a new IT system, the PDPA has decided to modify the forms used for the registration of databases established by PDPA’s Rules 2/2005 y 3/2005 (see ”Provision of the Argentine Registry of Data Bases” in Marval News # 37 and ”Argentine Registry of Data Bases - Reminder” in Marval News # 38). PDPA Rule 56 - E/2016 published in the Official Gazette on November 7, 2016, approved the new forms that will need to be used by data controllers and data processors when registering their databases.
Pursuant to the Personal Data Protection Law 25,326 (“PDPL”), the registration of databases is a legal duty which is mandatory for all local data controllers and data processors.
The new forms will be implemented by means of a PDPA’s order once the new IT system is set up. In the meantime, former forms and proceedings will still be available for the purpose of completing this registration proceeding.
3. Cross-border data transfers
PDPA Rule 60 - E/2016, published in the Official Gazette on November 18, 2016, set forth aspects concerning the international transfer of personal data. Pursuant to the PDPL, the transfer of personal data to countries that have not enacted adequate legislation on personal data protection is forbidden. Local authorities had never ruled before which countries met the adequacy condition before so this issue had remained unsettled for many years.
The new Rule provides that personal data can flow to the following countries without any further safeguard being necessary: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay. The PDPA has considered the EU Commission’s decisions on the adequacy of the protection of personal data in third countries to determine which jurisdictions are deemed adequate for the data transfer.
Furthermore, this Rule approved two sets of standard model clauses for data controller-data controller transfers as well as data controller-data processor transfers. Both model clauses were based on the EU Model Contracts for the transfer of personal data to third countries approved by Decision 2001/497/CE and 2010/87/UE.
In the event that the parties opt to use a different model for the data transfer to non-adequate countries or the agreement does not reflect the principles, safeguards and content related to personal data protection provided in the standard model clauses, then such agreement will need to be submitted to the PDPA for approval within the term of 30 calendar days from its execution. No approval was required before this Rule was issued.