Rule No. 39/2015 of the Argentine Personal Data Protection Authority implements electronic inspection proceedings.
On August 10, 2015, Rule No. 39/2015 (hereinafter, the “Rule”) of the Argentine Personal Data Protection Authority (hereinafter, the “DPA”) was published in the Official Gazette. This Rule implements electronic inspection proceedings, aimed at facilitating communications between the DPA and the data controllers and users of databases.
As was previously informed (please see “Supervision and control rules of the Personal Data Protection Agency (Disposition No 5/2008)” in Marval News #73 of June 30, 2008) the DPA has the power to supervise and control the data controllers and/or users of databases in order to verify compliance with Argentine Personal Data Protection Law No. 25,326 and its complementary legislation. The Rule allows the DPA to conduct inspections through electronic means, particularly with respect to the communications and/ or notifications to data controllers. The main purpose of this Rule is to improve the DPA’s operational and control capabilities in order to develop its authority’s activities more effectively. Consequently, this Rule does not introduce substantial changes to the legislation on personal data protection but rather, it implements a new procedure for conducting inspections.
The Rule sets forth that the beginning of an electronic procedure must be notified through any of the regular formal means, for instance: a) direct access of the interested party to the respective administrative file, b) brief filed by the interested party acknowledging the notification of the relevant resolution, c) brief of notification issued by the relevant authority, d) certified telegram, f) certified letter, or any other means of notification that can ensure the reception date of the notification. Once the data controller is duly notified of the initiation of the inspection proceedings, he/she must answer the request within 10 (ten) administrative days providing the information requested and through electronic means to be determined.
Having complied with the request, the DPA will analyze all the information provided by the data controller. The DPA may also request additional information from the data controller, who will have to answer such new request within 10 (ten) administrative days as from the notification date.
Then the DPA will issue a final report attesting to the rate of compliance with the provisions of Law 25,326. This report will also be notified by electronic means. If any breaches are found, the DPA may start administrative proceedings against the data controller to impose a sanction.
Finally, failure to comply with any DPA request through the electronic inspection proceedings could be considered a serious infringement and may be sanctioned with up to 4 warnings, 1 to 30 days of suspension of the database and/or fines ranging from AR$ 25,001 to AR$ 80,000.