The Argentine Data Protection Authority recently issued a new regulation approving two sets of model contractual clauses (controller-to-controller and controller-to-processor) for the international transfer of personal data. Argentina’s Personal Data Protection Law No. 25,326 (PDPL) generally prohibits the transfer of personal data to countries that do not provide adequate levels of protection, unless certain narrow exceptions apply. The newly approved model clauses are deemed to guarantee an adequate level of protection for personal data. The clauses are based on the European Union (EU) model clauses with some modifications.
As in the EU, the Argentine DPA has recognized certain jurisdictions as providing adequate levels of protection. The list of adequate counties is set forth in the regulation and includes the majority of those countries deemed adequate by the EU (i.e., States of the EU and members of the European Economic Area (EEA), Andorra, Canada (with respect to the privacy sector), Switzerland, Faeroe Islands, Guernsey, State of Israel (with regard to automated processing of personal data), Isle of Man, Jersey, New Zealand, and the Eastern Republic of Uruguay). Notably absent from the list, however, is the United States and the U.S. Privacy Shield program.
What does the new regulation mean for companies that transfer personal data cross-border from Argentina to other jurisdictions? Companies must now ensure that:
- Personal data is only transferred to jurisdictions identified as adequate by the Argentine DPA;
- Non-conforming contractual clauses are submitted to the DPA for approval within 30 days; or
- Agreements are updated to include the new clauses.