You are here
Important Developments In Argentina Regarding Personal Data Protection
Important Developments In Argentina Regarding Personal Data Protection, Diego Fernández, Marval, O'Farrell & Mairal, Argentina
The Argentine DPA has recently issued new regulation regarding international data transfer and inspection proceedings
International data transfer
According to the Argentine Data Protection Law No. 25,326 and its regulatory Decree 1558/01 (the “DPL”), international data transfer is forbidden if the jurisdiction of destination does not provide for an adequate level of protection. In that connection, the DPL provides that an adequate level of protection is met if such protection arises from the legislation itself, from autoregulation systems or if contractually agreed among the parties.
Particularly in connection with adequate protection arising from a contractual relationship, the Argentine Data Protection Authority (the “DPA”) has recently passed Regulation No. 60-E/2016 (the “Regulation”) further regulating the international transfer of data.
First, the Regulation listed those countries and regions which in view of the DPA –and also considering the EU Commission’s decisions on the adequacy of the protection of personal data- provide for an adequate level of protection and would not need any addition safeguard before the transfer takes place. Those jurisdictions are member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only applicable to their private sector), New Zealand, Andorra and Uruguay. The DPA also noted that this list is illustrative and that it will be reviewed periodically and communicated on their official website.
Moreover, the Regulation approved two sets of standard model clauses addressing the two most common types of transfer of data: the assignment of data to a third party and the transfer of data for the rendering of data processing services. Also, both models are inspired by the EU Model Contracts for the transfer of personal data to third countries approved by EU decisions 2001/497/CE and 2010/87/UE.
It is worth noting that the use of these standard model clauses is mandatory for the transfer of data to countries which do not meet an adequate level of protection, provided that a self-regulatory mechanism with adequate protection is not in place.
If the parties choose to use a model different from the ones indicated by the DPA or one that do not include the principles, warranties and content covered by the approved standard model clauses, they are required to submit the agreement for DPA approval within 30 calendar days as from the execution date. Thus, providing for a mandatory approval which was not required before the Regulation was passed.
The DPA has the authority to conduct inspections to enforce the provisions of the DPL and make certain that those treating personal data are doing so in compliance with applicable laws.
In that regard, back in 2008 and 2012 the DPA passed Regulations No. 5/2008 and 3/2012 which set the framework under which inspection proceedings were conducted (for more information please see “Supervision and control rules of the Personal Data Protection Agency”). Particularly, the DPA can carry out inspections to check compliance with all applicable principles contained in the DPL, such as prior, express, informed and written consent for the validity for the treatment of personal data; whether there exist an international transfer of data; the possibility for data subjects to exercise the rights granted by the DPL, or whether the data controller is involved in marketing activities, among others.
Moreover, in 2014 Congress passed Law No. 26,951 which created a “Do Not Call” Registry and appointed the DPA as the supervising authority (for more information please see “New Argentine “Do Not Call” Registry”).
With all these regulations in mind, the DPA decided that it was necessary to update the framework governing inspection proceedings and issued Regulation 55-E-/2016 which replaced the former Regulation No. 3/2012.
The most significant changes introduced by Regulation 55-E-/2016 are the following:
- The DPA can carry our unannounced inspections when the notification to the data controller may result in an unsuccessful measure.
- In all other cases, the DPA will initiate proceedings, notify the data controller and carry the inspection and gather the information within 15 working days.
- Compliance with “Do Not Call” Registry is now included as part of the framework of the inspection.