Although personal data protection in Argentina is crucial for companies in Argentina, it is often overlooked. Companies must comply with important legal and international regulations and failing to do so can result in significant economic, personal, and reputational consequences.

Are personal data legally protected?

Yes.
The protection of personal data in Argentina is a constitutional right (Article 43 of the National Constitution) and is primarily regulated by Law No. 25,326 on Personal Data Protection (hereinafter, “PDPL”), its Regulatory Decree No. 1558/2001, the Convention for the Protection of Individuals with regard to the Automated Processing of Personal Data and its Amending Protocol (approved by Laws No. 27,483 and No. 27,699, also known as Convention 108 and modernized Convention 108), and the complementary regulations of the Agency for Access to Public Information (hereinafter, “AAIP”).

What is understood by personal data in Argentina?

The PDPL defines “personal data” as “… information of any kind referring to individuals or legal entities who are identified or identifiable” (Article 2 — (Definitions)).

The PDPL applies to personal data “… recorded in files, registries, databases, or other technical means of data processing, whether public or private, intended to provide reports…” (Article 1 — (Purpose), first paragraph).

What is a personal data database intended to provide reports?

The AAIP understands a personal data database intended to provide reports to be any registry, file, database, or repository that allows obtaining information about persons, whether or not it is transmitted to third parties.

In addition, the supervisory body interprets that the PDPL does not require the recipient of the report to be a third party unrelated to the data controller or user; it also includes internal uses of personal information (for example, customer, supplier, staff databases, etc.)[1].

Does the PDPL apply only in Argentine territory?

According to the PDPL, its regulations apply to individuals or legal entities (data subjects) who have legal domicile or delegations or branches in the country (Article 2 — (Definitions)).

However, the AAIP construes that individuals or legal entities who process personal data of Argentines, even if they do not have an establishment in the territory, must register to comply with the PDPL.

What are the legal obligations for personal data protection in Argentina?[2]

Those who process personal data and are data controllers of databases must comply with the following obligations:

a) Information and consent of the data subject

To process personal data, the PDPL requires the consent of the data subject, free, express, and informed, which must be documented in writing or by equivalent means (Article 5 — (Consent) 1.).

To obtain the aforementioned consent, before the collection of personal data, the data subject must be informed, clearly and expressly, of:
“a) The purpose for which the data will be processed and who the recipients or categories of recipients may be;

b) The existence of the file, registry, or database, in electronic form or otherwise, and the identity and address of its controller;

c) Whether responding to the requested information is mandatory or optional, especially regarding sensitive data[3];

d) The consequences of providing the data, of refusing to do so, or of inaccuracy of the data;

e) The possibility for the data subject to exercise the rights of access, rectification, and deletion of their data (Article 6 — (Information))”.

The PDPL establishes exceptions to the obligation to obtain prior consent from the data subject, among them: when the data is obtained from unrestricted publicly accessible sources; when collected due to a legal obligation; when the lists are limited to name, national identity document, tax or social security identification, occupation, date of birth, and address; and when derived from a contractual, scientific, or professional relationship with the data subject and are necessary for its development or fulfillment (Article 5 — (Consent) 2.).

The PDPL defines “data processing” as “… systematic operations and procedures, whether electronic or not, that allow the collection, preservation, classification, storage, modification, linking, evaluation, blocking, destruction, and, in general, the processing of personal data, as well as its transfer to third parties through communication, access, interconnections, or transfers” (Article 2 — (Definitions)).

b) Registration of the data controller and the databases

Those who process personal data must register as data controllers with the AAIP and, additionally, register all databases they own with the supervisory body.

c) Guarantee the rights to access, update, rectify, and request deletion of personal data

Data controllers must guarantee individuals whose personal data is collected and processed the exercise of the following rights:
(i) The right to access the database containing their personal data and to request information about it; and

 (ii) The right to request that their personal data be updated, rectified, or deleted from the databases.

The right of access may only be exercised free of charge at intervals of not less than six months, unless a legitimate interest justifies otherwise.

Additionally, there are specific rights to request that companies engaged in advertising, direct sales, or similar services remove data from their databases to avoid being contacted (National Do Not Call Registry), and to request the rectification of data regarding debts already paid or the deletion of data regarding debts already settled after a certain period.

d) Guarantee the security and confidentiality of personal data

Data controllers must “…adopt the technical and organizational measures necessary to ensure the security and confidentiality of personal data, in order to avoid its alteration, loss, unauthorized consultation or processing, and to detect intentional or unintentional deviations, whether the risks arise from human actions or the technical medium used” (Article 9 — (Data Security)).

In this regard, the AAIP — through Resolution No. 47/2018 — approved recommended security measures for the processing and storage of personal data in computerized and non-computerized media[4].

The controller and individuals involved in any phase of personal data processing must maintain professional secrecy regarding such data, even after the relationship with the data controller has ended (Article 10 — (Duty of Confidentiality) 1.).

Must video surveillance databases be registered?

Yes.

By Provision No. 10/2015, an image or film record constitutes personal data for the purposes of the PDPL, as long as a person can be identified or identifiable.

Video surveillance databases must therefore be registered, together with the so-called “personal data processing manual” that will be collected by the surveillance process.

Furthermore, in cases of video surveillance activities, the public must be informed in advance of: the existence of security cameras (without specifying their precise location), the purposes for which images are captured, and the contact details of the data controller.

Are there specific regulations on the international transfer of data?

Yes.

According to the AAIP, international transfers of personal data are the data flows carried out by controllers or processors from one country to another, using as an example an Argentine company (data controller) that collects data from its clients and contracts cloud storage services from a company in the United States (data processor) to manage that data[5].

The transfer of personal data to countries or international or supranational organizations that do not provide adequate levels of protection is prohibited, except in certain cases (PDPL, Article 12 — (International Transfer)).

Provision DNPDP No. 60/2016 and AAIP Resolution No. 34/2019 establish the countries that Argentina considers to have adequate levels of personal data protection and which currently are: member states of the European Union and the European Economic Area (EEA); United Kingdom of Great Britain and Northern Ireland; Swiss Confederation; Guernsey; Jersey; Isle of Man; Faroe Islands; Canada (only regarding its private sector); Principality of Andorra; New Zealand; Eastern Republic of Uruguay; and State of Israel (only regarding data that receive automated processing).

In the case of countries that do not provide an adequate level of protection, personal data may be transferred if data subjects give their consent or if done in one of the forms admitted by the supervisory body.

The AAIP has approved model contracts for the transfer of personal data to non-adequate countries, as well as the Implementation Guide of the Ibero‑American Data Protection Network (RIPD) (Provision No. 60/2016 and Resolution No. 198/2023).

When transferring personal data internationally to countries not deemed adequate by contracts differing from the approved models, the AAIP must be requested to approve them within thirty (30) calendar days from their signing.

When international personal data transfers occur between companies of the same corporate group, the AAIP has established basic guidelines and contents for binding corporate rules (Resolution No. 159/2018). If companies adopt self‑regulatory rules different from those laid down in the resolution, they must submit them to the AAIP within thirty (30) days following the transfer.

In January 2024, the European Commission revalidated the status of the Argentine Republic as an adequate country for the free cross‑border flow of personal data[6].

What are the legal consequences of non‑compliance with personal data protection rules in Argentina?

The PDPL empowers the AAIP to impose administrative sanctions of warning, suspension, fine, closure, or cancellation of the file, registry, or database (Article 31 — (Administrative Sanctions)). The AAIP maintains records of PDPL violators and the National Do Not Call Registry.

Furthermore, the Criminal Code typifies certain crimes related to personal data (Articles 117 bis and 157 bis).

Finally, in addition to administrative and criminal sanctions, offenders will be liable for damages based on the general principles of civil liability established in the National Civil and Commercial Code, and the injured parties may take action individually or collectively.

Colophon

The aforementioned issues were chosen solely to draw the attention of companies to topics frequently ignored or overlooked: personal data protection in Argentina has legal regulations that must be complied with and whose breach may give rise to significant sanctions and economic contingencies. Not to mention reputational damages of immeasurable impact that may be caused by, for example, data leaks from their databases.

The personal data protection regime is constantly evolving and is much more complex than the issues enumerated, so companies must thoroughly survey their activities, consult their trusted legal advisors to assess their compliance status, and undertake the necessary plans of action to stay up to date with legal requirements.

Mario E. Castro Sammartino

[1] https://www.argentina.gob.ar/aaip/datospersonales/responsables/basesainformar

[2] There are additional obligations for certain business activities, such as those providing mobile phone services and financial institutions.

[3] The PDPL defines “sensitive data” as “personal data revealing racial and ethnic origin, political opinions, religious, philosophical, or moral beliefs, trade union membership, and information concerning health or sex life” (Article 2—(Definitions)). No person is required to provide sensitive personal data.

[4] https://servicios.infoleg.gob.ar/infolegInternet/anexos/310000-314999/312662/norma.htm

[5] https://www.argentina.gob.ar/transferencias-internacionales

[6] https://ec.europa.eu/commission/presscorner/detail/es/ip_24_161

For additional information on these or any other issues related to doing business in Argentina, please, sign up for our Legal Blog or contact us at any time. Our publications exclusively express the author´s opinion and do not purport to be legal counsel on any case. Should you need it, you must consult with your trusted lawyer.​

More publications on companies