Argentina - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
The right to personal data protection was incorporated in the Argentine legal system in 1994, through the new Article 43 of the National Constitution (only available in Spanish here). In 2000, the National Congress of Argentina ('the Congress') enacted the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act'), which sets forth the main principles and rules for the protection of personal data. Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here) ('the Decree'), amended by Decree No. 1160/10 (only available in Spanish here) introduced additional rules for the implementation of the Act. The regulations issued by the Argentinian data protection authority ('AAIP'), formerly the National Directorate for Personal Data Protection ('PDP'), complement a creditable legal framework, which in 2003 allowed Argentina to be recognised by the EU as a country providing an adequate level of protection for personal data. All of the above are referred to as the Argentine data protection regulations ('the Regulations').
In addition, the National Criminal Code (only available in Spanish here), as amended by the Act and Law No. 26.388 of 2008 (only available in Spanish here), punishes offences related to data confidentiality, veracity and integrity with fines and imprisonment.
Additionally, other regulations, which are not specifically related to personal data protection, nonetheless contain important rules that affect data protection. Article 52 and 1770 of the National Civil and Commercial Code (only available in Spanish here) ('the Code') protect the right to privacy. Moreover, Article 22 of Law No. 26.061 on the Protection of Girls, Boys and Adolescents (only available in Spanish here) protects minors' data.
It should be noted that the Regulations were drafted following European regulations. Since the Data Protection Directive (Directive 95/46/EC) has been replaced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in 2016 the AAIP started working on a draft bill (only available in Spanish here) ('the Bill') to replace the current Act. The final version of the Bill was submitted by the Executive Branch to Congress on 19 September 2018. Regarding its content, the Bill follows the main principles of the GDPR, although it is less precise in the specifications of its provisions and also presents some differences. It is not clear whether the Bill will be approved within the year before the Congress has the power to discuss it or if, at the end of this period, a new project will have to be submitted to Congress.
The AAIP issued guidelines for the processing of personal data for electoral purposes by means of Resolution No. 86/2019 (only available in Spanish here), setting basic guidelines to ensure the integrity and protection of personal data before election processes. Resolution No. 86/2019 does not change the existing Regulations, but recalls the general principles they establish and adapts them to the context of electoral campaigns. In this way, the guidelines for the processing of personal data for electoral purposes note that data that reveal political opinions and/or affiliation to a political organisation are considered sensitive data, which can be lawfully processed with the data subject's consent. Resolution No. 86/2019 classifies its analysis into the following aspects:
- fundamental principles of personal data protection;
- rights of data subjects;
- political opinions;
- affiliation to a political organisation;
- public data in social networks, forums and web platforms;
- electoral propaganda in social networks, messaging platforms and other web services;
- basic data;
- provision of computerised services; and
- security and confidentiality.
Moreover, by means of Resolution 4/2019 (only available in Spanish here), the AAIP also approved the guiding principles of best practices for the application of the Act, so that controllers and processors can correctly interpret and implement the Regulations. In this sense, the AAIP has covered the following matters:
- data collection through video surveillance systems;
- automated data processing;
- data dissociation;
- biometric data; and
- data subject's consent, including the consent of children and adolescents.
Although not formally guidelines, the AAIP Resolution No. 47/2018 approved the Recommended Security Measures for the Processing and Conservation of Personal Data (only available in Spanish here) ('the Recommended Security Measures') in relation to computerised and non-computerised media and repealed Dispositions No. 11/2006 (only available in Spanish here) and No. 9/2008 (only available in Spanish here) of the PDP, eliminating the obligations of those responsible for the processing of personal data to adopt the security measures defined in the repealed provisions. These are discussed further under section 6. Finally, it is important to highlight that the AAIP issued a guide on privacy good practices for the development of applications, approved by Resolution No. 18/2018 of the PDP (only available in Spanish here) ('the Guide'), which provides guidelines and recommendations for software developers concerning personal data protection and privacy policies. In the Guide, the AAIP states that cloud storage is considered an international transfer of data.
1.3. Case Law
Salvador, Claudio v. Citibank N.A. - Chamber D of National Court of Appeals in Commercial Matters of 22 November 2005
Citibank N.A. had a 'privacy promise' outlining that Citibank could share its clients' data with third parties for direct marketing purposes.
Mr. Salvador filed a data action in order to:
- access his personal data stored in Citibank's databases, and obtain information regarding the specification on the origin of the data, their assignors and/or concessionaires, and the particular uses and purposes for which they were stored; and
- request that the defendant be ordered to keep his personal data confidential and prohibit any data transfers to third parties.
Citibank answered the complaint and requested the rejection of the claim. The court issued a judgment ordering Citibank to safeguard and preserve the confidentiality of the data relating to the plaintiff that Citibank kept in its records, and ordered that the data not be transferred to third parties except by legal imperative, without the prior consent of the plaintiff.
In this respect, the plaintiff appealed and argued that his claim aimed at accessing his personal data held by the bank had not been granted. He also argued that the Act requires, in response to a request for access, that the controller provide the information in a clear, comprehensive manner and within the period stipulated in said regulation.
The defendant also appealed arguing, among other things, that the only data that it had shared with third parties was data of free circulation according to the Act, such as name, ID number and address.
The court confirmed the judgment and stated, among other things, that the purpose for which the data was shared with third parties differed from the purpose for which it had been collected by the bank and, consequently, required new prior, express and informed consent of the data subject. In addition, the data included in the transfer was not only free circulation data but also included implicit data (i.e. that the data subject was a client of Citibank), and such data is not free circulation data according to the Act.
AoL Argentina S.R.L. v GCBA - Court of Appeals in the Administrative and Tax Matters of the City of Buenos Aires, Chamber I of 29 December 2005 (only available in Spanish here)
Mr. Carlos Alberto Brizuela filed a complaint with the General Directorate of Consumer Protection and Defense of the Autonomous City of Buenos Aires ('the Directorate') against Aol Argentina S.R.L. Brizuela reported in his complaint that during September the company had given him a CD so he could surf the internet for free for three months. He added that in order to access this service he had to register his personal data and his credit card number. He stated that, in mid-December, after the free period had expired, he received two invoices to be debited from his credit card. In view of this situation, he contacted the company and agreed on a new plan. He outlined that he had used the new plan alternatively until April, when the bank statement of his credit card registered an amount to be debited. The next day he called the company nine times and the company informed him that he had exceeded the plan's limit. In view of this, he requested the termination of the service and was told that he should have requested it 72 hours before the end of his term. He asked for an explanation and, in the absence of an answer, filed the complaint.
After the administrative phase, the Directorate, under provision 4335-DGDyPC-2003, imposed a fine of ARS 2,000 (approx. €30), considering Aol liable for infringing the information duty established in Article 4 of the Consumer Protection Law No. 24.240 (only available in Spanish here) ('the Consumer Protection Law').
In making its decision, the court made observations regarding the registration system chosen by Aol to inform consumers about the essential characteristics of the service provided, noting,
- "there is no way to guarantee that the registration process is carried out by the person who appears as the owner of the service;
- there is no evidence that the registration process coincides with that which the consumer claims to have made; and
- there is no evidence that the information that emerges from the documents provided by the company coincides with the information supplied to the complainant when registering."
By virtue of this, it concluded that Aol had infringed Article 4 of the Consumer Protection Law. The plaintiff appealed the decision.
In his dissenting vote, Dr. Esteban Centanaro established, "The contracting modality called 'click wrap agreement,' consisting of the expression of the agreement by clicking in a box that contains the general conditions, implies the existence of an agreement of wills between the parties, as it grants the possibility of previously checking the contracting conditions, constituting an electronic document. In electronic contracts, acceptance is subject to the possibility of the acquirer previously verifying the general contracting conditions. These general conditions and their acceptance thereof constitute an electronic document. To support its legitimacy, the modality of presenting them in an unavoidable or forced way for the user has been employed in order to prove that they have to read them before contracting. This will serve as documentary proof of the acceptance of the offer in the event that the client denies having seen the conditions to which he was subject. In this hermeneutical line, a court in California considered that the user is bound by the general conditions when clicking on the 'accept' button, after having had the opportunity to read them. That is, what is called the 'click wrap agreement' is used. It is a modality in which the agreement is expressed by clicking the mouse on the computer; in other words, when the internet user wishes to enter a website, he/she is presented with a text and a box that contains a list of general conditions (terms and conditions, usage agreement) with the option to accept or not. This is what, in my opinion, happened in the case under analysis, that the consumer acknowledges that in September 2000 he received a CD from the company Aol Argentina SRL, which, according to the company's promotion, allowed access to a free internet connection for three months. 
In turn, it acknowledges that to enable the system and as a condition to use the internet service, he had to register his personal information and enter his credit card number. That is, the same consumer acknowledges that in order to access the service, he must have registered and entered his credit card. As we said above, the consumer had the possibility of being informed about the general conditions of the service provided by the company Aol Argentina S.R.L. Consequently, and by virtue of the foregoing, I consider that in this case there was no infringement of the Consumer Protection Law, as it was proved that there was an agreement of wills between the parties, corresponding to revoke the appealed provision."
Judges Horacio A. G. Corti and Carlos F. Balbín adhered to the facts set out by Dr. Centanaro, but not to the solution he proposed. They considered that the plaintiff had to provide truthful, detailed, effective and sufficient information, in accordance with Article 4 of the Consumer Protection Law. In the first place, it was proven that the user installed the company's software, registered and surfed the internet for a few months. However, the terms and conditions of the electronic contract had not been duly evidenced, since there was no evidence that the documentation filed by the company at court contained the same information as that which the user actually had in view at the time he gave his consent.
The importance of this case from a data protection standpoint is that in the dissenting vote, having to scroll down through the text of an electronic contract before clicking an accept button was considered as sufficient consent.
Unión de Consumidores y Usuarios v. Citibank N.A. - Chamber E of National Court of Appeals in Commercial Matters of 12 May 2006
Citibank N.A. sent a 'privacy promise' to its clients stating, among other things, that if they did not want their data to be shared and/or assigned to third parties for direct marketing purposes, they should make an express opposition.
The plaintiffs, the Union of Consumers and Users, claimed that the 'privacy promise' violated the Act and Citibank should be ordered to cease its conduct.
Citibank claimed, among other things, that habeas data actions cannot be filed as class actions.
The court ruled in favour of the plaintiffs, admitting the class action and, based on the rule of prior consent and the principle of purpose that govern all processing of personal information, established that the 'privacy promise' violated the Act.
Napoli, Carlos Alberto v. Citibank N.A. - Supreme Court of Justice of the Nation of 8 November 2011
The Napoli case started with a lawsuit filed by Mr. Napoli, a bank debtor, against Citibank N.A., with the aim of stopping his status as an 'irrecoverable debtor in situation 5' from being reported to the Central Bank of the Argentine Republic ('BCRA') and other credit reporting entities. He argued that Section 26(4) of the Act provides for a maximum five-year term for reporting debts that have not been cancelled, and that such period had expired.
The court, when revoking the decision of the court of first instance, granted the habeas data action brought by Napoli against Citibank under the terms of the Act, ordering Citibank to suppress the totality of the data referring to the debt of the plaintiff and to communicate such circumstance to the BCRA for the purpose of being eliminated from the central registry of debtors of the financial system. The defendant filed an extraordinary appeal, the denial of which initiated an appeal before the Supreme Court of Justice of the Nation.
The Supreme Court of Justice of the Nation upheld the ruling of Division III of the Federal Court of Appeals in Civil and Commercial Matters, arguing that it did not arise from the text of the Act, nor could it be inferred from its legislative history, that the five-year term must be postponed while the debt is due and while the statute of limitations has not yet run. The intention of the legislator had been to establish a shorter period than the ten years originally proposed, which had been suggested because it coincided with the statute of limitations.
Pavolotzki, Claudio and others v. Fischer Argentina S.A. - Chamber IX of National Court of Appeals in Labour Matters of 10 July 2015
Fischer Argentina appealed the first-instance decision that granted the claim through which its employees sought the restoration of their previous working conditions, after the implementation of software that allowed the company to know, at any time, the geographical location of employees who were commercial travellers.
The Court of Appeals upheld the appealed decision, arguing that the installation of the software through which the employer had access, at all times and instantly, to the precise geographical location of employees, even outside of working hours, was unjustified and arbitrary in as much as it constituted an intrusion into the private sphere, since the use of the equipment was not subject to any type of restriction, whereby the claimants could use it to carry out personal communications, especially since they paid the expenses generated by the telephone equipment.
In addition, the Court of Appeals argued that knowing the geographical location of those who work as commercial travellers is arbitrary and unjustified, since it is highly sensitive information and, therefore, both lacks the reasonableness required by Sections 62 and 63 of the Contract of Employment Law No. 20.744 (only available in Spanish here) and breaches the provisions of the Act, especially as there is no concrete justification of the need for a data survey to such a magnitude and extent.
Yahoo de Argentina S.R.L. in re Security Incident - File Number EX-2016-04629409 - DNPDP#MJ of 6 June 2019
This is an administrative case wherein Yahoo de Argentina S.R.L. was penalised by the AAIP for a security incident affecting the personal data of eight million Argentines, which occurred in 2013.
The AAIP considered that:
- the backup archives that had been affected did not have an appropriate level of encryption to prevent the unauthorised copying or extraction of information;
- the backup copies were not encrypted by default, despite including personal data; and
- the company could not confirm the mechanics of the incident nor who had been involved in it.
The sanction was a fine of ARS 80,000 (approximately €1,200). This was the first sanction imposed by the AAIP for a security incident.
2. SCOPE OF APPLICATION
The Regulations apply whenever personal data is processed in the territory of Argentina. Therefore, if an isolated action concerning personal data takes place in Argentina, the Regulations apply to that action, even when the rest of the data processing takes place abroad and is governed by a different law. As a result, if the controller has no presence at all in Argentina and performs all its activities from abroad, it could be interpreted that it is out of the reach of the Argentine authorities. However, the Argentine authorities have jurisdiction over all activities carried out locally (e.g. through a company representative or branch, or even a local server).
2.1. Who do the laws/regs apply to?
The Regulations apply to processors and controllers of databases in respect of any personal data processing that takes place in Argentina.
2.2. What types of processing are covered/exempted?
Processing is broadly defined as any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data or transfer to third parties.
Processing of anonymised data is exempted since it is not considered personal data.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
According to the terms of Article 19 of the Right of Access to Public Information Law No. 27.275 (only available in Spanish here), as amended by Article 11 of Decree No. 746/2017 (only available in Spanish here), the AAIP is the main supervisory authority of the Regulations.
3.2. Main powers, duties and responsibilities
The AAIP aims to 'supervise the comprehensive protection of personal data stored in files, records, databases, or other technical means of data processing, whether public or private, intended to provide information, to guarantee the right to honour and privacy of individuals and access to the information that is registered about them.' As a consequence, Article 2 of Decree No. 899/17 on Access to Public Information (only available in Spanish here) provided that any reference in the Regulations to the PDP should be considered as referring to the AAIP.
The AAIP has the right to make inspections with the aim of:
- checking the activities of controllers of databases and the data they manage;
- assessing compliance with the Regulations; and
- making recommendations in order to improve their performance within the legal framework.
The AAIP is entitled, at its sole discretion, to carry out inspections so as to control compliance with the Regulations. In fact, Article 4 of the Decree expressly authorises the AAIP to apply the pertinent sanctions if legal principles are not fulfilled. In addition, if requested by data subjects or if the AAIP, at its sole discretion, considers it appropriate, it is entitled to verify:
- the lawfulness of data collection;
- the legality of exchanges of data and their transmission to third parties, as well as the interrelation between them;
- the lawfulness of the transfer of data; and
- the legality of both the internal and external control mechanisms for files and databases.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Information of any kind referring to individuals or corporations, identified or identifiable by an associative process (Section 2 of the Act).
Sensitive Data: Data revealing racial and ethnic origin, political views, religious, philosophic or moral beliefs, union membership and information referring to health or sexual life (Section 2 of the Act). According to Resolution 4/2019 of the AAIP, biometric data that identifies a person will also be considered sensitive data only when it can reveal additional data whose use may result in potential discrimination against its owner (e.g. biometric data that reveals ethnic origin or health information). This is simply a sub-category of personal data that receives enhanced protection.
Data Controller | Data Processor: The Act does not expressly define the concepts of data controller (it does provide a definition for 'person responsible for a database') and data processor. Nonetheless, it can be understood that data controllers are those that process data at their own discretion and data processors are those that process data following data controllers' instructions.
Person responsible for a data file, register, bank or database: The natural person or legal entity, whether public or private, that owns a data file, register, bank or database. It can be assimilated to the data controller (Section 2 of the Act).
Processing: The Act does not define processing, however, Section 2 of the Act defines a 'data treatment' as any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data or transfer to third parties.
Data Subject: The Act does not define a data subject, however, Section 2 of the Act defines a 'data owner' as any individual or legal entity (the latter domiciled in the country, or having offices or branches in the country), whose data are subject to the processing referred to by the Act. It is important to note that the Act protects data referring not only to people but also to legal entities, such as corporations, companies and associations.
Data User: Any person, whether public or private, performing at their discretion the processing of data contained in data files, registers, databases or databanks, whether owned by them or to which they may have access through a connection (Section 2 of the Act). It can also be assimilated to the data controller.
Data Dissociation: Any processing of personal data in such a way that information cannot be associated with a particular person (Section 2 of the Act).
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
According to Sections 3 and 21 of the Act, databases are only lawful if they are registered with the National Registry of Personal Databases maintained by the AAIP.
It is important to point out that the AAIP does not require the disclosure of the content of the databases, but only certain general information about their creation and maintenance, and compliance with the Act's principles.
Following the AAIP's Resolution No. 132/2018 (only available in Spanish here), the registration process must be performed through the public online platform called "Trámites a Distancia", which involves no official fees. There is still no obligation to record the data themselves, but certain descriptive information regarding each database is required, which is less extensive than what was requested before Resolution No. 132/2018. In addition, controllers must now register themselves as such through the aforementioned platform.
It should be also noted that although Resolution No. 132/2018 does not establish the obligation to renew the databases annually, as was previously required in some cases, it is mandatory to report any update or modification in the data of the registrant and in the data of the databases, and it is up to the person responsible to comply with this duty, since registration amounts to an affidavit.
Databases of exclusively personal use are exempted from the obligation of registration (e.g. addresses of friends on personal computers, personal agendas, etc.).
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
As discussed in section 4 above, the Act does not expressly define the concept of data controller. Nonetheless, it can be understood that data controllers are those that process data at their own discretion, and data processors are those who process data following the data controller's instructions.
Section 9 of the Act sets forth that the person responsible for, or the user of, data files must take all the technical and organisational measures necessary to guarantee the security and confidentiality of personal data, in order to avoid their alteration, loss, unauthorised access or processing. The Act prohibits the recording of personal data in files that do not meet the technical requirements of integrity and security.
The Recommended Security Measures, which were approved by Resolution 47/2018 of the PDP and published in the Official Gazette on 25 July 2018 (only available in Spanish here), repealed Dispositions No. 11/2006 (only available in Spanish here) and No. 9/2008 (only available in Spanish here) issued by the PDP, which contained the mandatory security measures for the treatment and conservation of databases.
Moreover, it is no longer mandatory for those who process and preserve personal data to adopt the security measures defined in the repealed dispositions. However, while the generic security duty established in Section 9 of the Act must still be met, data controllers and processors may decide to adopt the Recommended Security Measures or, failing that, those that they consider sufficient to comply with the aforementioned duty of security of Section 9 of the Act.
The AAIP has changed its view regarding compliance with the security duty of those who process and preserve personal data, moving from the idea of compulsory compliance to that of accountability, in the terms of the GDPR. Therefore, compliance must be in line with the principle of proactive responsibility or accountability provided in the GDPR, which requires that organisations that process personal data implement the appropriate technical and organisational measures to guarantee their security and confidentiality, can demonstrate their actions and, likewise, can prove the effectiveness of those measures when required. This change of view is part of the steps taken by the AAIP to adapt Argentine legislation to the new principles established by the GDPR and to maintain Argentina's qualification as an adequate country by the EU.
The new Recommended Security Measures are adapted to the technological changes that have taken place in the years since the now-repealed provisions were enacted. The Recommended Security Measures cover the entire cycle of processing and conservation of personal data, from its collection to its destruction, including access controls, backup and recovery actions, and the management of vulnerabilities and security incidents.
It should be noted that among the Recommended Security Measures there is a duty to report security incidents to the AAIP.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
As mentioned in section 4 above, the Act does not expressly define the concepts of data controller or data processor. Nonetheless, since data controllers process data at their own discretion, data processors must comply not only with requirements under the Regulations but also with the instructions given by the data controller.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
Although the Act does not expressly state so, it is generally agreed that the processing of personal data can be outsourced to third-party service providers without requesting the prior consent of the data owners. However, the controller and the processor must execute an agreement which states, in particular, that the processor can only process the data following the instructions of the controller and that the processor must comply with the security and confidentiality obligations set forth by the Act.
Section 25 of the Act states that the processor cannot use the data for any purpose other than the one appearing in the corresponding contract for the provision of the services, nor can it disclose the data to other parties, not even for storage purposes.
According to Section 11 of the Act and Disposition No. 60/2016 (only available in Spanish here), the controller and the processor are jointly and severally liable for the observance of the legal and regulatory obligations before the AAIP and the owner of the data. However, the processor may be totally or partially exempt from liability if it proves that the cause of the damage cannot be attributed to it.
Once the corresponding contractual obligations have been performed, the service provider must destroy the data, except when the database controller foresees the possibility of future assignments and so instructs the service provider to keep the data (for a maximum additional term of two years).
9. DATA SUBJECT RIGHTS
Section 14 of the Act provides that data subjects have the right to request and obtain information about their personal data held in databases. According to Section 4(6) of the Act, data must be stored in a way that enables data subjects to exercise their right of access. The data controller or data user must provide the requested information within ten calendar days from the request.
On the other hand, Section 16(1) of the Act establishes that data subjects have the right to require the rectification, update and where applicable, the suppression or confidentiality of their data stored in databases. The data controller or data user of such databases must take all the relevant measures within a maximum of five business days, following the receipt of the data subject's claim or gaining knowledge of the error (Section 16(4) of the Act).
If the above requests are not duly fulfilled, the data subject is entitled to file a special judicial claim for the protection of personal data or habeas data, as set forth under Sections 33 to 43 of the Act.
Prior consent of data subjects
According to Section 5 of the Act, personal data processing is only legal with the prior, express and informed consent of the data subject, except in the circumstances provided by the Act.
Consent to process personal data is not necessary when the data:
- is obtained from unrestricted publicly accessible sources;
- is collected to comply with state powers, or by virtue of a legal obligation;
- consists of lists limited to name, identity document, taxpayer or pension identification number, occupation, date of birth and domicile;
- arises from a contractual, scientific or professional relationship with the data subject, and it is necessary for its development or fulfilment; or
- refers to transactions performed by financial entities and the information they receive from their clients (protected by banking secrecy rules).
Moreover, consent is not necessary when the data:
- is processed for marketing purposes, to the extent permitted by Article 27 of the Act and the Decree;
- is transferred to a third-party service provider, to the extent permitted by Article 25 of the Act and the Decree; or
- is processed for the provision of credit information services, to the extent permitted by Article 26 of the Act and the Decree.
Furthermore, consent is not necessary to process anonymous data. Personal data may be rendered anonymous by removing the information that would allow the recipient to identify the data subject. Data so anonymised is consequently not considered personal data and is therefore not covered by the Regulations. Note that the test is whether the recipient can still identify the data subject, so removing names and identifiers is not enough if the attributes that remain, alone or combined, still single out an individual.
Consent should be expressed in writing or by other means that can be equated to writing. In view of this, means of collecting consent other than in writing should produce and record enough evidence that consent was actually given.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
There is currently no obligation to appoint a data protection officer ('DPO'). However, the Bill does include such a requirement.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
As discussed in section 6 above, the Recommended Security Measures cover the entire life cycle of personal data processing and storage, from collection to destruction, including access controls, backup and recovery, vulnerability management and security incident management.
In connection with this last point, it is important to highlight that the Recommended Security Measures include a new protocol for reporting security incidents, again drawing on the provisions of the GDPR.
Section G.1.3. of Annex I and Annex II to Resolution 47/2018, which contain the Recommended Security Measures for the electronic and non-electronic context, respectively, states that, in case of a security breach, controllers and processors must notify the AAIP of the incident, accompanied by a report of the security incident that contains as a minimum:
- the nature of the violation;
- the category of affected personal data;
- an identification of affected users; and
- the measures taken by the person responsible to mitigate the incident and measures applied to avoid future incidents.
However, it should be noted that the Recommended Security Measures are recommendations rather than strictly mandatory obligations, so breach notification is not a statutory duty under the current Act.
11.2. Sectoral obligations
Article 39 of the Financial Entities Law No. 21,526, as amended (only available in Spanish here) ('the Financial Entities Law'), is the primary law governing bank secrecy in Argentina. In addition, the Central Bank of Argentina ('BCRA') regulates Argentina's financial institutions and has the power to issue regulations, directions, notices and guidelines in relation to the disclosure of customer data.
Bank secrecy obligations, under Article 2 of the Financial Entities Law, apply to private and public financial entities in Argentina that act as financial intermediaries, including but not limited to:
- commercial banks;
- investment banks;
- mortgage banks;
- financial companies;
- savings and loan companies for housing or other real estate; and
- credit unions.
The duty of secrecy also applies to:
- all individuals who act for the covered financial entities, including:
  - directors and officers;
  - employees; and
  - third-party vendors;
- the BCRA and its personnel, regarding information they receive while supervising the activities of covered financial institutions; and
- external audit firms and their personnel, regarding customer data they receive while rendering services to covered financial institutions.
Likewise, the secrecy obligations under the Financial Entities Law continue to apply to those who receive customer data even after they leave the position in which they received the customer data (Article 1753 of the Civil and Commercial Code Law No. 26.994 (only available in Spanish here)).
The Financial Entities Law does not prohibit the disclosure of all customer data but only information about 'passive transactions,' or those in which the financial institutions act as a debtor (for example, undertaking to pay a return to customers, generally in the form of interest) such as:
- deposits in checking and savings accounts;
- time deposits (an interest-bearing bank deposit account that has a specified date of maturity, such as a savings account or certificate of deposit); and
- other transactions recorded as liabilities.
Additionally, the Financial Entities Law does not state whether this prohibition covers passive transactions of individuals only or also those of legal entities. However, the broad language used throughout the law and in the Act suggests that bank secrecy obligations protect the passive transaction data of both corporate and individual customers.
Bank secrecy obligations do not apply to:
- active transactions (i.e. those in which the customer agrees to pay the financial institution an interest rate or return) such as customer loans, the opening of credit and the use of credit; and
- neutral transactions (those in which the bank provides services as neither a debtor nor a creditor) such as bills of lading, silver and foreign exchange, and the provision of safe deposit boxes.
The Financial Entities Law's bank secrecy provisions only protect customer data about an identified or identifiable customer. This broadly includes any information provided by the customer in relation to passive transactions, such as name, address, marital status, and information about assets and property. However, an entity or individual covered by the Financial Entities Law can disclose customer data if it does not identify the customer, for example, by anonymising customer personal data by removing elements such as the customer's name, account number, and online or other identifiers, or by aggregating customer data so that customers cannot be identified by any associative process.
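Both the anonymisation exception under 'Prior consent of data subjects' above and the bank-secrecy carve-out in the preceding paragraph turn on the same question: can the recipient still identify the customer? The following Python example is added here to illustrate that test; it is not code from the page, the AAIP or the BCRA, and the field names, records and grouping choices are constructed assumptions. It strips the direct identifiers named in the text (name, account number), then measures the smallest group of records that share the remaining quasi-identifiers (postcode, birth year): a group of size 1 means that record can still be singled out by an associative process. Generalising those attributes, or aggregating per group and suppressing small groups, are the two routes the paragraph describes.

```python
"""Illustrative re-identification check on records stripped of direct identifiers.

Added example; all records below are constructed, not real customer data.
"""
from collections import Counter, defaultdict

# Constructed sample records (assumed field names; hypothetical customers).
RECORDS = [
    {"name": "Ana",      "account_number": "1001", "postcode": "C1425", "birth_year": 1984, "balance": 12000},
    {"name": "Bruno",    "account_number": "1002", "postcode": "C1425", "birth_year": 1989, "balance": 3000},
    {"name": "Carla",    "account_number": "1003", "postcode": "C1425", "birth_year": 1984, "balance": 7500},
    {"name": "Diego",    "account_number": "1004", "postcode": "B1900", "birth_year": 1971, "balance": 50000},
    {"name": "Elena",    "account_number": "1005", "postcode": "B1900", "birth_year": 1975, "balance": 1200},
    {"name": "Franco",   "account_number": "1006", "postcode": "B1900", "birth_year": 1978, "balance": 8900},
    {"name": "Gabriela", "account_number": "1007", "postcode": "C1428", "birth_year": 1985, "balance": 2200},
    {"name": "Hugo",     "account_number": "1008", "postcode": "C1428", "birth_year": 1989, "balance": 640},
]

# Fields that identify a person on their own, and fields that do so in combination.
DIRECT_IDENTIFIERS = ("name", "account_number")
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def strip_direct_identifiers(records, direct=DIRECT_IDENTIFIERS):
    """Drop the direct identifiers; this is the naive 'anonymisation' step."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def min_group_size(records, quasi=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of quasi-identifiers.

    A value of 1 means at least one record is unique on those attributes and can
    be linked back to a person by anyone who knows that person's postcode and birth year.
    """
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values()) if counts else 0


def is_k_anonymous(records, k, quasi=QUASI_IDENTIFIERS):
    """True when every quasi-identifier combination is shared by at least k records."""
    return min_group_size(records, quasi) >= k


def generalise(records):
    """Coarsen quasi-identifiers: postcode to its first two characters, birth year to decade.

    The balance is kept unchanged; it is the attribute being protected, not a quasi-identifier.
    """
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2]
        g["birth_year"] = r["birth_year"] - r["birth_year"] % 10
        out.append(g)
    return out


def aggregate(records, min_count, quasi=QUASI_IDENTIFIERS):
    """Per-group count and mean balance, suppressing any group smaller than min_count.

    Suppression matters: a group of one would publish that customer's exact balance.
    """
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi)].append(r["balance"])
    return {
        key: {"count": len(balances), "mean_balance": sum(balances) / len(balances)}
        for key, balances in groups.items()
        if len(balances) >= min_count
    }


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RECORDS)
    print("after stripping direct identifiers, smallest group:", min_group_size(stripped))  # 1
    coarse = generalise(stripped)
    print("after generalisation, smallest group:", min_group_size(coarse))  # 3
    print("aggregated (groups of at least 4 only):", aggregate(coarse, min_count=4))
```

Running this shows that deleting names and account numbers leaves five of the eight records unique on postcode plus birth year, so the data set would still identify customers; only after coarsening both attributes does every record sit in a group of at least three, and aggregation with a minimum group size releases no per-person figure at all. The thresholds (k, the minimum group count) are policy choices, not values prescribed by the Act or the Financial Entities Law.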
The Regulations contain no separate piece of legislation on the processing of individually identifiable health information. The Act and the Decree include a few specific provisions on the subject, and otherwise the general rules apply to such processing.
However, the Patient Rights in Their Relationship With Health Professionals and Institutions Law (only available in Spanish here), as amended by Law No. 26.742 (only available in Spanish here) ('the Patients' Rights Law'), was passed on 21 October 2009 and regulates patients' rights in their relationship with healthcare professionals ('HCPs') and health institutions. The Patients' Rights Law is regulated by Decree No. 1089/2012 (only available in Spanish here) ('the Patients' Rights Decree').
The general principle of Argentine law is that statutes bind everyone within Argentine territory, whether citizens or foreigners, residents, domiciled persons or transients. Therefore, the Patients' Rights Law would not apply to the health or medical information of patients who are not located in Argentina, nor to the organisations, entities or persons that keep records of, treat, administer, host or transfer such information, even if those organisations are located in Argentina.
In any case, the Patients' Rights Law could apply where a person located outside Argentine territory sends their medical information or documents to a local HCP who, as a professional duly authorised to practise medicine in Argentina, provides a diagnosis, treatment or medical recommendation.
Information protected by the Patients' Rights Law consists of any medical or clinical information or documentation pertaining to a patient, any information provided to patients on their condition as such, and patients' sensitive personal data (revealing ethnic origin, political opinions, religious, philosophical or moral convictions, union affiliation, and information regarding health or sexual life) within the scope of the Act.
As a result, the law applies to patients' medical records. The Patients' Rights Law defines a medical record as the mandatory, chronologically kept, paginated and complete document in which all acts performed by an HCP in relation to the patient's health are stated and recorded.
Although the patient is the holder and owner of the medical record, the HCPs of the health facility where the patient is treated who participate in the patient's diagnosis and treatment have access to it.
Those entitled to request access to medical records are:
- the patient or their legal representative;
- their spouse or partner and their forced heirs (with the patient's consent, unless the patient is unable to give it); and
- an HCP who has the consent of the patient or of their legal representative, unless that HCP is the one currently treating the patient.
While the medical record is kept in custody, access is only granted to HCPs in the following cases:
- in the case of treating professionals;
- when public health or the health or life of other persons is endangered, on the part of those duly vested with health authority; or
- when it is necessary to access information for the performance of medical audits or the work of health insurance agents, provided that mechanisms for safeguarding the confidentiality of the data inherent to the patient are adopted.
Third parties may also access the medical records of a deceased patient if there is a risk to public health, in which case only the information strictly needed may be provided. In no case may information be disclosed that could affect the privacy of the deceased, harm third parties, or that the patient expressly forbade.
In any medical or healthcare activity in which clinical information or documentation of the patient is obtained, classified, used, administered, kept or transferred, human dignity and free will must be respected. The privacy of the patient and the confidentiality of their sensitive information must be protected.
The patient has the right to ensure that any person who participates in the preparation or manipulation of clinical or medical documentation, or has access to the contents of the same, maintains its confidentiality, unless otherwise expressly provided by the competent judicial authority or by authorisation of the patient themselves.
In this sense, the Patients' Rights Decree clarifies that everything that comes to the attention of the HCP due to or because of their practice of medicine must not be disclosed without the patient's express authorisation, except in cases where the regulatory law or other laws so determine, if there is a judicial provision to the contrary or when it is a question of avoiding a greater evil on the grounds of public health.
All such cases, in which it is necessary to reveal the content of the confidential data, must be duly recorded in the medical record and, where appropriate, made known to the patient, unless there is a judicial order to the contrary.
The confidentiality obligation is extended to any person who accesses the medical records and health information of a patient, including those who act as insurers or social security entities.
In the case of health institutions, not only the treating HCP may be liable for a breach of the confidentiality obligation described above, but also the highest authority of the healthcare establishment and of the social security institutions or any other public or private entity that accesses the medical records and health information of a patient.
According to Section 5 of the National Intelligence Law No. 25.520 (only available in Spanish here) ('the National Intelligence Law'), all telephone, postal, telegraphic or facsimile communications or any other system for sending objects or transmitting images, voices or data, as well as any type of information, files, registers and/or private documents or documents not accessible to the public, are inviolable except in cases where a court order requires the contrary.
Article 18 of the National Intelligence Law provides that when as part of intelligence or counterintelligence activities it is necessary to make interceptions or capture private communications of any kind, the Intelligence Secretariat must request the pertinent judicial authorisation, and such authorisation must be formulated in writing and must indicate precisely the telephone number(s), electronic addresses or any other means relating to the communications that are intended to be intercepted or captured.
According to Article 31 of the Act and Regulation No. 7/2005 (only available in Spanish here) as modified by Regulation No. 9/2015 (only available in Spanish here) on the classification of infringements and the gradation of penalties to be imposed in cases of data protection violations, the AAIP may impose administrative sanctions consisting of warnings, suspensions, fines from ARS 1,000 to ARS 100,000 (approx. €15 to €1,520), closure or cancellation of the database.
The amount of the sanction is determined according to the nature of the rights affected, the volume of the data processing, the benefits obtained, the degree of intentionality, the recidivism, the damages caused to the interested persons and to third parties, as well as any other relevant circumstances.
Sanctions are grouped into three different categories:
- basic level, which includes up to two warnings and a fine from ARS 3,000 (approx. €45) to ARS 25,000 (approx. €380);
- mid-level, which includes up to four warnings and/or suspension from one to 30 days and a fine from ARS 25,000 (approx. €380) to ARS 80,000 (approx. €1,210); and
- critical level, which includes up to six warnings and/or suspension from 31 to 365 days and/or closure or cancellation of the file, register or databank, and a fine from ARS 80,000 (approx. €1,210) to ARS 100,000 (approx. €1,520).
In December 2016, the AAIP issued Regulation No. 71-E/2016 (only available in Spanish here) to set limits on the sanctioning system created by Regulation No. 7/2005 and its amendments. Regulation No. 71-E/2016 establishes that when a condemnatory administrative act includes more than one pecuniary sanction, the following caps apply:
- for minor infringements penalties, up to ARS 1,000,000 (approx. €15,150);
- for serious infringements penalties, up to ARS 3,000,000 (approx. €45,450); and
- for very serious infringements penalties, up to ARS 5,000,000 (approx. €75,760).
Article 117-bis(2) of the Argentine Criminal Code Law No. 11.179 ('the Criminal Code') (only available in Spanish here) sets forth that any person who knowingly furnishes to a third party false information contained in any given personal data record may be imprisoned for six months to three years. Article 117-bis(3) of the Criminal Code establishes that the sentence may be increased by half the minimum sentence and half the maximum sentence if any person sustains damage as a result.
Article 156 of the Criminal Code, on the other hand, states that a fine of ARS 1,500 to ARS 90,000 (approx. €22.70 to €1,360) and disqualification from six months to three years can be imposed on those who, by reason of their office, employment or profession, gain access to confidential information, the disclosure of which could cause damage, and disclose it without authorisation or legal or justified cause.
Finally, Article 157-bis of the Criminal Code sets forth that imprisonment of one month to two years may be imposed on anyone who:
- knowingly and unlawfully or in violation of data confidentiality and security systems, accesses in any way a personal databank;
- unlawfully provides or discloses to third parties information registered in a personal databank which should be kept confidential in accordance with the law; or
- unlawfully inserts data in a database, or has it inserted.
Habeas data and liability for damages
Additionally, individuals affected by unlawful data processing may file a specific civil action called habeas data (Articles 33 to 43 of the Act). In addition to the specific habeas data action, the data subject may also file a general claim for damages. However, as in any claim for damages, the success of the claim is subject to four basic requirements, all of which must be proven by the claimant:
- illegality of the damaging action;
- real and actual damage;
- a cause-effect relationship between the action and the damage; and
- negligence, wilful misconduct or strict (objective) liability.
Local courts have, however, repeatedly assumed the existence of moral damage in cases of inaccurate credit reports without the need for any evidence.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
Article 12 of the Act prevents the transfer of personal data of any kind to a country or international or supranational organisation that does not provide an adequate level of protection.
In 2016, the AAIP issued Regulation No. 60-E/2016 (only available in Spanish here). Regulation No. 60-E/2016 lists the countries that the AAIP considers to provide an adequate level of data protection, such as EU Member States and members of the European Economic Area, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (only for the private sector), the Principality of Andorra, New Zealand, the Republic of Uruguay, the State of Israel (only for data processed by automated means) and the United Kingdom of Great Britain and Northern Ireland (according to Resolution No. 34/2019, only available in Spanish here).
Likewise, Regulation No. 60-E/2016 officially approved the Standard Contractual Clauses that must be incorporated into international transfer agreements for the provision of services and the transfer of data to countries that, according to the AAIP, do not have an adequate level of data protection.
Regulation No. 60-E/2016 also provides that if data transfers are made to countries that do not provide an adequate level of data protection and the agreements used to regulate the transfer differ from those approved by the AAIP or do not contain the same principles and guarantees, a request for approval of such agreements must be submitted to the AAIP within 30 calendar days of their execution.
In 2018, the AAIP issued Regulation No. 159/2018 (only available in Spanish here) which approves guidelines and basic contents for binding corporate rules ('BCR'), which may be used by companies who transfer personal data from Argentina to companies of the same economic corporate group that are located in countries that do not provide an adequate level of data protection. BCR must comply with the minimum content set forth by the AAIP. Otherwise, they must be submitted for approval by the AAIP within 30 days of the transfer. The BCR must be mandatory for all members of the same corporate group (through corporate resolutions that oblige them to comply with the BCR), as well as for their employees, subcontractors and third-party beneficiaries (through specific contractual clauses).
By virtue of the above, personal data transfers to countries that do not provide an adequate level of protection are allowed in any of the following cases:
- the data subject has expressly consented to the transfer;
- the data is exported for outsourcing purposes under an international transfer agreement between the transferor and the transferee that follows the Standard Contractual Clauses; or
- the transfer is among companies of the same economic group that have put in place BCR with the minimum content set forth by the AAIP or approved by the AAIP.
Articles 1 and 2 of the Law on Confidentiality No. 24.766 (only available in Spanish here) provide that any person must refrain from using and disclosing information to which they have access due to their work, position, profession or business relations, without justified cause or without the consent of the person that keeps the information or of the authorised user, if the information meets all of the following conditions:
- it is secret, in the sense that it is not generally known or readily accessible, in its components or configuration, to people in the fields that normally use that kind of information;
- it has commercial value because it is secret;
- it has been the object of reasonable measures, according to the circumstances, to keep it secret, taken by the person that legitimately controls the information; and
- the person concerned has been warned of its confidential nature.
In turn, Article 85 of the Labour Contract Law No. 20.744 (only available in Spanish here) provides for the duties of loyalty required of employees that arise from the nature of the tasks assigned to them, including confidentiality concerning information to which they have access and which might require such behaviour.
13.3. Data Retention
Section 4(7) of the Act provides that data must be destroyed whenever it is no longer necessary or relevant for the purposes for which it has been collected. Pursuant to this general principle, the applicable time limit must be determined on a case-by-case basis depending on the necessity and relevance of the data.
The Act also provides two particular rules on this issue, applicable to outsourcing and credit report operations:
- in the case of third-party processors, upon compliance with the contractual covenant, processed personal data must be destroyed, except when there is express authorisation to keep it on behalf of the person to whom such services are delivered, or if future services are reasonably expected, in which case data may be stored under proper security conditions for a maximum two-year period (Article 25(2) of the Act); and
- in the case of credit reporting agencies, only personal data relevant to assessing the economic and financial worthiness of an individual during the last five years may be kept on file, recorded or reported (such a term may be reduced to two years if the debtor pays the debt and provides evidence of such payment) (Article 26(4) of the Act).
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
Article 27 of the Act, Article 27 of the Decree and Regulation No. 4/2009 (only available in Spanish here) set forth rules for direct marketing.
There has been some controversy as to whether the prior consent of recipients is necessary in order to target them with marketing communications. While the Act seems to adhere to the opt-in system, Article 27 of the Decree only requires that data subjects be allowed to request the removal of their data from the relevant databases. There have been several judgments that found that prior consent was necessary for direct marketing since the Act prevails over the Decree, which is lower in the hierarchy.
However, subsequent special regulations, such as Law No. 26.951 on the Do Not Call Register (only available in Spanish here) ('the DNC Law') and Regulation No. 4/2009 (only available in Spanish here), lead to the conclusion that the opt-out rule currently prevails in Argentina. In particular, the DNC Law provides that individuals who do not wish to receive direct marketing phone calls must register in the Do Not Call Register, thus applying the opt-out rule. Likewise, Regulation No. 4/2009 provides that unsolicited or unconsented advertising communications must make their marketing nature noticeable, thus admitting unconsented advertising communications.
Convention 108 and 108+
Since June 2019, Argentina has been a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'). Convention 108 had previously been approved by Law No. 27,483 (only available in Spanish here).
On 19 September 2019, Argentina signed Convention 108+ for the Protection of Individuals with regard to the Processing of Personal Data. However, certain legislative and diplomatic steps remain before it enters into force.