Argentina's Personal Data Protection Act (PDPA)

Argentina's Personal Data Protection Act (PDPA) is the country's main data privacy law. Enacted in October 2000, the Argentina PDPA sets out rules to guide how applicable organizations handle the personal data of Argentina's residents.

In this article, we'll examine Argentina's Personal Data Protection Act (PDPA), looking at who it applies to, what it requires, how to comply, and what penalties await businesses that fall short.

What is Argentina's Personal Data Protection Act (PDPA)?

The Personal Data Protection Act (PDPA) is the central privacy law in Argentina. It's officially known as Ley de Protección de los Datos Personales or Law 25.326.

As the name implies, Argentina's Personal Data Protection Act (PDPA) works to protect the privacy rights of Argentinians by regulating all activities performed on their personal data.

Here's how the legal text explains this initiative under Chapter 1:

Thanks to the PDPA, Argentina's data protection is considered similar to the EU's under the General Data Protection Regulation (GDPR). And its similarity made Argentina the first Latin American country to achieve EU adequacy decision status.

This means Argentina's data protection framework is (currently) considered "adequate" by EU standards. As such, data transfers between Argentina and the EU need no additional safeguards.

What are the Latest Developments with Argentina's Personal Data Protection Act (PDPA)?

Argentina was a privacy pioneer alongside the EU in the 2000s. But its data protection framework is now outdated thanks to recent revamps with other privacy laws (GDPR, Swiss nFADP, etc.).

For this reason, a new bill is being considered to strengthen the country's data protection framework. It was proposed by Argentina's data protection authority - the Agency for Access to Public Information (AAIP) - in September 2022.

Note: The new bill's full text is only available in Spanish

The new bill amends Argentina's Personal Data Protection Act (PDPA) by introducing several provisions to reflect modern privacy standards, such as:

• Extraterritorial application
• New rights for data subjects
• Privacy by design and by default
• New legal basis for data processing
• Data breach notification requirements
• Higher fines and penalties for violations

If approved, the new bill will take effect six months after publication in the official journal. However, the new penalties will become effective immediately after the law is published.

What are the Key Definitions Under Argentina's Personal Data Protection Act (PDPA)?

Like many laws, Argentina's Personal Data Protection Act (PDPA) defines specific terms used in its text to make its meaning clear. Let's see the most relevant ones.

Who is a Data Subject Under Argentina's PDPA?

Argentina's law defines a data subject as any natural or legal person in Argentina whose personal data is processed. That said, the new bill would revise this definition by excluding legal persons from its scope.

What is Personal Data Under Argentina's PDPA?

Under the law, personal data is "any information of any type referring to specific or determinable natural or ideal persons."

In other words, personal data is any information that can identify a real person. Common examples include but aren't limited to names, ID numbers, and mailing addresses.

What is Sensitive Data Under Argentina's PDPA?

Sensitive data is a more delicate type of personal data that, if mishandled, may invite discrimination or pose a high risk to data subjects. Under Argentina's law, it refers to data that reveals any of the following:

• Racial and ethnic origin
• Political opinions
• Religious, philosophical, or moral beliefs
• Union membership
• Health or sex life

The proposed new bill will broaden this definition to include any information relating to the private sphere of individuals, such as gender identity, genetic data, and biometric data that uniquely identifies a person.

What is Data Processing Under Argentina's PDPA)?

The law defines data processing as:

"Systematic operations and procedures, electronic or not, that allow the collection, conservation, organization, storage, modification, relationship, evaluation, blocking, destruction, and in general, the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections or transfers."

In other words, data processing is any and all action (electronic or manual) performed on personal data, including collecting, storing, sharing, and ultimately destroying it.

Examples include collecting email addresses to send promotional campaigns or sharing data with third-party advertisers.

Who Must Comply With Argentina's Personal Data Protection Act (PDPA)

Argentina's Personal Data Protection Act (PDPA) applies to all organizations that process personal data within the country's territory:

While the law makes no mention of applying outside Argentina, the new bill proposes expanding its scope beyond the country's borders.

Under the new bill, you're covered if:

1. Your business is based in Argentina, regardless of where data processing happens, or

2. Your business isn't based in Argentina, but one of the following is true:

   • You process the data of individuals residing in Argentina,
   • You offer goods/services to Argentinians or monitor their behavior, actions, or interests (including profiling), or
   • You operate in a jurisdiction where Argentinian law applies (such as via international agreements or contractual obligations)

Are There Exemptions to Argentina's Personal Data Protection Act (PDPA)?

While Argentina's law provides some exceptions in areas like international data transfers, the law doesn't highlight any broad exemptions for specific industries or organizations.

That said, if your business isn't based in Argentina and doesn't process the personal data of Argentinians, you're exempt from the scope of the law.

How Does Argentina's Personal Data Protection Act (PDPA) Affect Consumers?

Thanks to the Personal Data Protection Act (PDPA), Argentina's residents have several rights over how businesses handle their personal data.

Specifically, Chapter 3 of the law outlines consumers' right to:

• Access their data upon request, including details about where it is stored and the purpose of processing it
• Update or correct inaccurate or incomplete details in their data
• Suppress (or erase) their data under certain conditions, such as when the data is no longer necessary or data processing is unlawful

As mentioned, the proposed new bill will expand data subjects' rights under the law by giving them additional rights to:

• Object to broader data processing activities, not just direct marketing
• Get a copy of their data and easily transfer it to another service provider in a commonly used, machine-readable format
• Request limitations on processing their data for specific purposes
• Not be subject to decisions based solely or partly on automated processing that significantly impacts them

The new bill will give businesses 10 working days to respond to data subjects' access requests. Note that all responses must be free of charge.

What's more, the new bill empowers data subjects to seek compensation for damages caused by any breach of their rights.

How Does Argentina's Personal Data Protection Act (PDPA) Affect Businesses?

Businesses covered by Argentina's Personal Data Protection Act (PDPA) must fulfill a number of data protection obligations to comply with the law.

Among other requirements, businesses would have to maintain a transparent Privacy Policy.

We'll look more closely at these requirements below.

How Do You Comply with Argentina's Personal Data Protection Act (PDPA)?

Complying with Argentina's Personal Data Protection Act (PDPA) means taking action on its requirements and regularly assessing your standing with the law.

Note: Most of the requirements addressed below aren't included in the current text of the law but are proposed under the new bill. That said, most of them are best practices to observe regardless of legal obligations.

Without further ado, here's our list of compliance steps under Argentina's law.

Process Data Only When You Have a Lawful Basis

Under the current text of Argentina's Personal Data Protection Act (PDPA), data processing is lawful only when you've obtained prior, express, and informed consent (i.e., opt-in) from data subjects. Exceptions are provided when you:

• Process data for certain marketing purposes
• Obtain data from publicly accessible sources
• Process data to fulfill a contractual or professional obligation
• Process data to comply with legal obligations or state powers

Here's how the legal text presents this:

The new bill, however, abandons this approach by making consent one of six legal bases under which you can process data lawfully. Adding it all up, the legal bases under Argentina's law are as follows:

• Consent
• Exercise of state powers
• Legal obligations
• Contractual or pre-contractual obligations
• Vital interests
• Legitimate interests

Publish a PDPA-Compliant Privacy Policy

While Argentina's law doesn't explicitly require a Privacy Policy, its transparency requirements can be satisfied by having a Privacy Policy with key disclosures.

Under Article 6, Argentina's Personal Data Protection Act (PDPA) requires you to clearly disclose the following information before collecting personal data:

• Why you collect data and with whom you might share it (e.g., partners, authorities)
• Whether you maintain any database and the identity and contact details of the person responsible
• If providing data is mandatory or optional, especially for sensitive data
• The consequence of disclosing or refusing to give data, as well as providing inaccurate information
• How data subjects can exercise their right to access, correct, or delete their data

Here's how the legal text displays this:

To see how you can present these clauses in practice, let's go over some examples in actual Privacy Policies.

Here's how Amazon explains why it uses consumers' personal information in its Privacy Notice:

And here's how Amazon clarifies the third parties and circumstances under which it may share personal information:

When it comes to data subject's rights, Bumble adopts a simple and informative approach, including clear instructions about how to exercise these rights:

Implement Privacy By Design and By Default

Privacy by Design and by Default are data protection best practices required under privacy laws like the GDPR.

Privacy by Design means ensuring that data protection measures are baked into your business processes from the very start - not retrofitted later on. In contrast, Privacy by Default means applying the most protective privacy settings on your service without user intervention.

For instance, a fitness tracking app that collects only necessary user data (such as age, height, and weight) and encrypts it during storage and transmission follows Privacy by Design principles.

Similarly, an online service in which data sharing with third-party advertisers is set 'off' right from installation (i.e., by default) observes Privacy by Default principles.

It's worth noting that these principles aren't present in the current text of Argentina's law but are being considered under the new bill.

Conduct Privacy Impact Assessments (PIAs)

A Privacy Impact Assessment evaluates the effect of specific data processing activities on data subjects' rights. It's interchangeable with the GDPR's Data Protection Impact Assessments (DPIAs).

While PIAs are not a new concept in Argentina, they're not mandatory under the current text of Argentina's Personal Data Protection Act (PDPA). The new bill changes this by requiring a PIA when data processing activities may pose a high risk to data subjects' rights.

Specifically, the new bill requires a PIA in the following instances:

• You engage in automated or semi-automated data processing that can legally or significantly affect data subjects (e.g., loan approvals)
• You process sensitive data or data related to criminal records on a large scale
• You systematically monitor publicly accessible areas on a large scale

Appoint a Data Protection Officer (DPO) and/or Legal Representative

Another requirement that aligns Argentina's law with the GDPR is the need to appoint a Data Protection Officer (DPO) and/or legal representative in specific circumstances. Note that these appointments aren't required under the current text but are proposed by the new bill.

A DPO guides you on data protection laws, monitors compliance, and acts as a bridge between your business and the authorities. Under the new bill, you must appoint a DPO if:

• You're a government agency or public body, or
• Your data processing activities are extensive, ongoing, and potentially risky (think large-scale profiling or handling sensitive data)

On the other hand, you need a legal representative if your business isn't based in Argentina. Your representative would be an Argentina-based employee working as a liaison between your business, data subjects, and the authorities.

Note: Once you appoint a DPO and/or legal representative, you must publicly disclose their identity and contact information (typically within your Privacy Policy).

For example, here's how Oracle discloses its DPO's details:

And here's how Upwork displays its UK and EU/EEA representatives in its Privacy Policy:

Send Timely Data Breach Notifications

Given how prevalent data breaches are today, it's no surprise that the new bill proposes notification requirements under Argentina's Personal Data Protection Act (PDPA).

In short, if a data breach occurs, you must notify Argentina's data protection authority within 72 hours of becoming aware (unless the breach poses no risk to data subjects' rights).

If the breach is likely to endanger data subjects' rights, you must also notify the affected data subjects using straightforward language. And if informing data subjects requires disproportionate effort, you can make a public announcement or use alternative disclosures.

According to the new bill, your notification should include the following:

• The nature of the breach
• What personal data was compromised
• The corrective actions you've immediately taken
• What protection measures you recommend for data subjects
• Your dedicated contact point for more information, including your DPO's name and contact information

Compliance with this requirement also means documenting the data breach for future reference.

Observe International Data Transfer Rules

Under Argentina's law, data transfers to countries without adequate data protection (by Argentina's standards) are prohibited unless one of the following applies:

• Data subjects provide express consent
• Transfers are for outsourcing purposes with approved standard contractual clauses (SCCs) in place
• Transfers are between companies within the same economic group with approved binding corporate rules (BCRs) in place

The new bill updates the rules by allowing international data transfers in the following circumstances:

1. The destination country provides adequate data protection
2. An exception applies (such as consent, contractual obligations, vital interests, etc.)

For countries without Argentina's adequacy decision, safeguards like legally binding instruments or mechanisms like SCCs and BRCs are valid alternatives.

How will Argentina's Personal Data Protection Act (PDPA) be Enforced?

Argentina's data protection authority - officially the "Agencia de Acceso a la Información Pública" (AAIP) - is responsible for enforcing the law and providing guidance.

To keep penalties proportionate to offenses, the AAIP will adopt a tiered system to determine the severity and extent of violations.

What are the Penalties for Violating Argentina's Personal Data Protection Act (PDPA)?

Violating Argentina's Personal Data Protection Act (PDPA) will attract a number of penalties, including:

• Suspension of data processing activities
• Shutdown of databases
• Warnings, and
• Fines

At the time of this writing, fines for non-compliance range between ARS 1,000 and ARS 100,000 (approximately $1.21 to $120):

Given how lenient these fines are for modern times, the new bill will adopt a unit-based fine system (where 1 unit equals 10,000 ARS) with fines ranging from:

• 5 units to 1 million units (ARS 50,000 to ARS 10,000,000,000)
• 2% to 4% of a business's annual global turnover

Moreover, the new bill will introduce other corrective measures for violations, taking case-specific circumstances into account.

Summary

Argentina's Personal Data Protection Act (PDPA) is the country's primary data protection law. It's expected to be updated soon, thanks to the new bill proposed by Argentina's data protection authority (AAIP).

Argentina's Personal Data Protection Act (PDPA) currently applies to organizations that operate within the country. If the new bill passes, the PDPA will apply to organizations outside Argentina as long as they deal with Argentinians or process their personal data.

Like most laws, Argentina's Personal Data Protection Act (PDPA) gives its residents several rights over their data while imposing privacy obligations on applicable organizations.

The new bill expands data subjects' rights and introduces new requirements to reflect modern privacy standards. To recap, compliance with Argentina's law (including the new bill's requirements) means satisfying the following:

• Identify a legal basis before processing data
• Publish a PDPA-compliant Privacy Policy
• Implement Privacy by Design and by Default principles
• Appoint a DPO and/or legal representative
• Conduct Privacy Impact Assessments (PIAs) for "high-risk" data processing activities
• Send timely and valid data breach notifications
• Observe international data transfer rules (if applicable)

Remember, non-compliance invites legal action and significant penalties from Argentina's data protection authority.