Section 43 of the Argentine Constitution and Personal Data Protection Law No. 25,326 ("PDPL") as restated by regulatory Decree No. 1558/2001 ("Regulatory Decree") governs the collection, storage and security, accuracy, retention, use and disclosure of personal data.

Since 2019, Argentina is a party to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”), ratified by Law No. 27,483. Argentina has also signed the protocol that modifies Convention 108, commonly known as Convention 108+, which has not yet been ratified by the Argentine Congress. 

The PDPL constitutes a comprehensive legal framework that regulates all the stages of data processing.

The main purpose of the PDPL is to guarantee: (i) the complete protection of the personal data contained in files, records, databases or other technical means, either public or private, if destined “to supply information”; and (ii) the rights to good reputation, privacy and access to information, in accordance with article 43 of the Argentine Constitution.

In addition to the PDPL, personal data protection and privacy rules are also contained in other laws at the federal level, such as:

• The Argentine Civil and Commercial Code;
• The Criminal Code;
• The Labour Contract Law No 20,744;
• The Telecommunications Law No 27,078;
• The Financial Institution Law No 21,526; and
• The Do Not Call Registry Law No 26,951.

There are also local provisions regulating the Habeas Data action and Do Not Call Registries in several provinces of Argentina. The City of Buenos Aires has also enacted a local law on personal data protection, but it only applies to the public sector. These local laws regulate aspects concerning the procedure of the Habeas Data action, a judicial remedy available to any data subject seeking enforcement of his/her right to access, rectify, update or remove any information relating to him/her, and only apply within the specific territory of each province.

In this case, the Supreme Court established that under Article 26(4) of the PDPL and the Regulatory Decree, adverse credit information may be retained for five years if the debt remains enforceable, or two years if the obligation has been canceled or extinguished. Accordingly, the debtor’s “right to be forgotten” only applies once the relevant statutory retention period has expired (Supreme Court, Yas Dardo v Citibank N.A., 2013).

In this other case, the Court held that jurisdiction over a precautionary measure seeking rectification of financial data before the Central Bank of Argentina ("BCRA") belonged to the local courts. Because the request was incidental to ongoing provincial proceedings under consumer and contractual law, it had to be decided by the same judge handling the main actions, in order to preserve consistency and avoid contradictory rulings, notwithstanding that habeas data claims under the LPDP generally fall under federal jurisdiction (Supreme Court, Garay Gonzalo v. Toyota Financiera, 2023).

The court upheld the plaintiff’s habeas data claim, ruling that RENAPER had failed to provide complete and transparent information as required under Articles 14 and 15 of the PDPL. The decision reinforced the constitutional right to informational self-determination and emphasized that public authorities must fully comply with access, transparency, and security obligations, particularly in the aftermath of data breaches involving sensitive personal information (Court of Appeals in Contentious matters, “Palazzi v. Renaper”, 2025).

The Agency of Access to Public Information (“DPA”), the local data protection regulator, held that the company violated Article 16 of the PDPL by failing to delete a user’s personal data for marketing purposes after the termination of the contractual relationship. The DPA found that retaining such data for alleged accounting obligations was excessive and unfounded, stressing that data controllers must establish clear and efficient procedures for erasure, ensure internal coordination, and comply with statutory deadlines, with exceptions allowed only where legal obligations expressly justify retention (AAIP, “Proceedings against Rappi”, 2020).

The exposure of delivery tracking data led the DPA to find violations of the PDPL, particularly Articles 4 and 9 regarding data quality, retention, and security. Chazki, acting as data controller, failed to implement adequate safeguards and lacked a valid legal basis for processing sensitive data such as ID photos. The case highlights the duty of companies to ensure proportionality, purpose limitation, lawful processing, and robust security measures, as well as to register databases and document confidentiality practices, in order to avoid administrative sanctions (AAIP, “Proceedings against Chazki, 2021).

A Court of Appeals upheld a fine imposed for violating the Do Not Call Registry Law (Law 26.951), confirming that companies bear the burden of proof to demonstrate compliance by providing records of outgoing calls. Claims of communication inviolability were dismissed, as they do not extend to a company’s own marketing calls. The decision highlights the DPA’s authority to enforce the registry, the protective purpose of the regime, and the legitimacy of sanctions where users registered in the system are contacted without valid consent or legal exemption (Court of Appeals, “Telecom v. AAIP, 2024).

The PDPL defines “personal data” as any kind of information referring to identified or identifiable individuals or legal entities.

Additionally, the PDPL defines “sensitive data” as any personal data revealing racial or ethnic origin, political affiliation, religious, moral, or philosophical convictions, union activity, or information related to health or sexual orientation.

Moreover, Resolution 255/2022 of the DPA defines genetic data as the data on inherited or acquired genetic features of an individual that provides information about their physiology or health. Furthermore, the Resolution establishes that such data will be considered sensitive when univocally identifying an individual and revealing information on the health or physiology of the data subject, or when processing such data can cause the data subject to potentially be discriminated against.

Regarding biometric data, DPA Resolution No. 4/2019 states that biometric data is sensitive data only when it can reveal additional information whose use could potentially result in discrimination against the data subject (e.g., data that reveals ethnic origin or health-related information).

The PDPL protects personal data, defined as information relating to an identifiable individual or legal entity with domicile or branches in Argentina.

In this regard, the PDPL sets forth a series of obligations for data controllers (i.e., those who determine the purposes and means of the processing of personal data) and data processors (i.e., those who process personal data on behalf of and under the instructions of a controller) to ensure the protection of the personal data they handle. These obligations include:

1. Comply with the general principles governing the processing of personal data.
2. Provide data subjects with information regarding the processing of their personal data.
3. Have sufficient legal basis for data processing.
4. Register their databases with the DPA. 
5. Guarantee the exercise of the rights granted to data subjects.
6. Adopt the necessary technical and organizational measures to ensure the security and confidentiality of personal data. 
7. Process sensitive data in a restrictive manner.
8. Enter into a data processing agreements when data processing services are provided. 
9. Implement the correct safeguard mechanisms when internationally transferring data to jurisdictions that do not provide an adequate level of protection. 
10. Comply with data retention obligations under the PDPL and other applicable laws (such as labor, corporate, or tax legislation).
11. Transfer personal data to a new controller only under lawful grounds and with prior information to data subjects.

The PDPL applies to individuals and private and public entities.

Data controllers and data processors are subject to privacy obligations. The data controller is defined as the individual or legal entity owner of a database. The data processor is the individual or legal entity that provides services in connection with personal data processing at the request of third parties.

The PDPL applies to both private and public entities.

The PDPL defines “processing” as the systematic operations and procedures, electronic or not, that allow the collection, conservation, management, storage, modification, relationship, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, inquiries, interconnections or transfers.

In principle, the data subject must consent to the collection of his/her personal data. Consent must be given freely, based on the information previously provided to the data subject and expressed in writing or by an equivalent means, depending on each individual case.

No consent is needed for data processing when the personal data:

1. Is obtained from public sources with unrestricted access; 
2. Is collected by the government pursuant to its legal authority or in its capacity as such; 
3. Comprises the following categories of data: name, ID number, tax or social security identification numbers, occupation, date of birth and domicile; 
4. Derives from a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship; 
5. Is related to transactions made by financial institutions and information received by their own clients (specifically related to their lending transactions and other financial services).

The PDPL imposes specific requirements for the processing of sensitive data. In principle, sensitive data may only be collected if authorized by law and for a public interest purpose, and no person may be obliged to supply such information. Sensitive data may also be collected for statistical or scientific purposes, as long as the identification of the data subject is not possible. Data related to criminal precedents may be collected only by the relevant competent authorities, and within the scope of the applicable legislation.

Public or private health institutions, as well as practitioners, are entitled to collect and treat health data as long as the information is related to the physical or mental condition of the patients. In this case, the duty of professional confidentiality must be honored.

Specific rules govern the use and treatment of personal data. In that sense, personal data collected must be:

• accurate and updated if necessary;
• adequate;
• pertinent;
• not excessive in relation to the scope and purpose for which it was obtained; and
• used for purposes compatible with those for which the data was collected.

Personal data may not be gathered through dishonest, fraudulent or illegal means.

Personal data which is totally or partially inaccurate or incomplete must be deleted, substituted or completed by the data controller if there is knowledge of such inaccuracy or incompleteness.

Personal data must be stored in a way that allows the data subject to exercise his/her rights of access, updating, modification and removal of such data.

Any person who intervenes in any phase of the processing of personal data has a duty of professional confidentiality, except in the case of a judicial resolution or for reasons of public security, national defense or public health. Such duty will persist even after the relationship with the data subject has been terminated.

In this line, personal data can be transmitted/disclosed to another data controller provided the following conditions are met:

• The data is only transferred for purposes directly related to the legitimate interest of the transferor and transferee.
• The data subject has been informed of the purpose of the transfer, as well as the identity of the transferee.
• The prior consent of the data subject has been obtained unless an exception applies.

Personal data must be protected from unauthorized loss, use, modification or disclosure with mandatory security measures. Moreover, personal data must be automatically erased or removed when it has ceased to be necessary or current for the purpose for which it was obtained.

Personal data must be protected from unauthorized loss, use, modification or disclosure with mandatory security measures. Moreover, personal data must be automatically erased or removed when it has ceased to be necessary or current for the purpose for which it was obtained.

Pursuant to the PDPL, necessary technical and organizational measures must be adopted to guarantee the protection and confidentiality of personal data in a way that prevents their adulteration, loss, consultation or unauthorized treatment. The processing of personal data in databases that do not comply with this requirement is forbidden. In addition, the DPA has issued Rule No. 47/2018, which establishes a set of recommendations that can be adopted or replaced by other more effective measures based on the practices and circumstances of the processing of personal data.  This rule creates two sets of recommended security measures for the processing and conservation of personal data, one in connection with personal data stored by electronic means or and the other when the personal data is not stored by electronic means. Furthermore, some of the recommendations also include additional guidelines regarding the processing of sensitive personal data.

Personal data must be automatically erased or removed from the relevant databases or servers when it has ceased to be necessary or current for the purpose for which it was obtained. Moreover, the 
PDPL provides that personal data should be kept for the terms specified in the applicable legal regulation or in the corresponding contractual clause. Therefore, the retention terms set forth in each specific regulation or agreement will provide the legal basis for maintaining the information.

The data subject, or his/her legal heirs in case of the data subject’s decease, is entitled to exercise the rights of access, rectification, removal and confidential treatment of the personal data as provided by the PDPL vis-à-vis the data controller.

Any data subject is entitled to request access to any database containing his/her personal data and obtain information in connection with his/her data.

1. In addition to the access right, data subjects have the following rights: 
   request the rectification and update of the personal data; 
2. request the removal of the personal data; 
3. request the confidential treatment of personal data. 

The data subject’s rights can be denied by a public data controller in order to safeguard:

1. the national defense; 
2. the national order; 
3. the public security; 
4. the rights and interests of third parties; 
5. the prosecution of judicial or administrative proceedings concerning compliance with tax or social security obligations; 
6. the development/execution of control policies concerning health and the environment; 
7. the investigation of criminal offenses; 
8. the investigation of administrative infringements; 

The data controller must answer the access request within ten calendar days, while the request for the modification, update, removal and confidential treatment must be answered within five working days.

The general principle is that all processing of personal data must be consented to by the data subjects. Such consent must be prior, free, given based on information previously provided to the data subjects (i.e., informed) and expressed in writing or by other equivalent means depending on the circumstances of the case, including electronic means.

There are certain exceptions in which the data subject´s consent is not required. Consent is not necessary for the processing of personal data when such data is: 

1. Obtained from sources of unrestricted public access. 
2. Collected for the exercise of functions proper to the powers of the State, or by virtue of a legal obligation. 
3. Limited to a list containing the name, national identity card, tax or social security identification number, occupation, date of birth and address of the data subject. 
4. Derives from a contractual, scientific, or professional relationship with the data subject, and are necessary for its development or performance; or
5. Related to transactions or operations carried out by financial entities in accordance with the provisions of Section 39 of Law No. 21,526 of the Financial Entities Law.

Based on the above, the general rule is that the legal basis for the processing of personal data is the consent of the data subjects, with certain exceptions that must be interpreted restrictively.

As mentioned before, the general principle established in the PDPL is that all processing of personal data must be consented to (or authorized) by the data subjects. Such consent must be prior, free, given based on information previously provided to the data subjects (i.e., informed), and expressed in writing or by other equivalent means, depending on the circumstances of the case, including electronic means. 

To achieve this, consent can be granted by clicking on an “I Agree” acceptance box, signing electronically or any other mechanism enabled that the data controller deems convenient.

Additionally, Resolution No. 4/2019 of the Argentine Data Protection Authority establishes that, regardless of the method of consent adopted, the entity responsible for the database must verify that the person who provided such consent is indeed the data subject and not another individual.

The PDPL prohibits the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of protection. 

The transfer of personal data to non-adequate countries is restricted. Pursuant to the DPA’s Rule No. 60-E/2016, the following countries are deemed to grant adequate privacy protection: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only private sector), New Zealand, Andorra, Uruguay, the United Kingdom and Northern Ireland.  

The cross-border data transfer restriction does not apply to the following cases: 

1. international judicial collaboration; 
2. certain cases in connection with medical treatments; 
3. banking or stock-exchange transactions conducted in accordance with applicable laws and regulations; 
4. transfer of personal data under international treaties; or 
5. data transfer between government intelligence agencies for the purpose of fighting against organized crime, terrorism and drug dealing.  

The transfer of personal data to non-adequate countries is also permitted when the data subject consents to the transfer or when adequate protection levels arise from “self-regulation systems” (i.e., binding corporate rules following the guidelines set forth by the DPA) or “contractual clauses” (i.e., an international data transfer agreement executed between the data exporter and data importer, provided that such agreement follows the model clauses issued by the DPA).

The PDPL does not define “data breach”, but it may be understood as any event that results in the adulteration, loss, and/or unauthorized access to or treatment of personal data. In this regard, the DPA’s Resolution No. 47/2018 provides certain guidance as well, as it identifies a data breach with any event that may affect personal data, its detection, evaluation, containment and response.

No, there are no notification requirements for data breaches. 

Although there are no notification obligations for data breaches, some resolutions of the Data Protection Authority (such as Regulation No. 47/2018, among others) recommend doing so. Furthermore, this obligation may arise from other sectoral rules (e.g., regulations issued by the Argentine Central Bank or the Argentine Securities Commission applicable to financial institutions).

The Regulatory Decree establishes the DPA as the controlling authority. The functions of the DPA range from promoting privacy to investigating complaints of interference with privacy.

The DPA is a self-governing entity within the scope of the Chief of Cabinet.

The DPA is responsible for overseeing the PDPL. It assists and advises individuals on the terms of the PDPL and the remedies available to them. It also issues rules and regulations, monitors compliance, conducts inspections, receives and processes claims filed by data subjects, and imposes sanctions. The DPA also manages the national register of databases in which data controllers and data processors must register their personal data processing operations.

A failure to comply with the obligations imposed by the PDPL may lead to sanctions imposed by the DPA or compensation for damages. Criminal sanctions for violating the PDPL are not common. 

Depending on the nature of the infringement, the DPA may impose the following administrative sanctions for non-compliance with the PDPL and complementary regulations:

1. written warnings; 
2. suspension of the database from one to 365 days; 
3. cancellation of the database; and 
   fines ranging from Argentine Pesos 1,000 (approximately USD 8 at the current exchange rate) to 100,000 (approximately USD 800). The fine may amount to up to Argentine Pesos 5,000,000 (approximately USD 41,000) in the case of identical conduct within the same kind of violation. 

The PDPL establishes the Habeas Data Action, a judicial remedy available to any data subject seeking enforcement of his/her right to access, rectify, update or remove any information relating to him/her stored in a database. Any affected data subject may also request compensation for damages if he/she understands that privacy rights have been violated.

The Argentine Criminal Code punishes with imprisonment from one month to three years those who:

1. illegally insert information in a database; 
2. illegally gain access to databases; 
3. disclose personal data protected by a duty of confidentiality pursuant to law; or 
4. knowingly supply false information stored in a database to a third party. 

There are no specific rules on electronic marketing; rather the general provisions on direct marketing apply to that case. 

The PDPL authorizes the treatment of personal data for marketing purposes. Companies may use gathered information connected to addresses, delivery of documents, advertising or direct sales and other similar activities to determine consumers’ profiles for commercial, promotional or advertising purposes, provided that:

1. such data is accessible to the public; and 
2. the data subject supplied the information voluntarily or gave his/her consent. Furthermore, the

Regulatory Decree provides that in some cases the data subject’s consent shall not be necessary for the collection, treatment and assignment of personal data.

The data subject must enjoy free access to the database and be able to request at any time the removal or blocking of his/her data from the database. In that regard, the DPA’s Decisions Nos. 10/2008 and 4/2009 provide that notice with specific language must be added in Spanish in every mass marketing communication. The email must also include a link or any alternative technical resource allowing the recipient to opt out of receiving this kind of message. 

Also, the DPA´s Decision No. 14/2018 provides that the controllers and users of public and private databases must clearly and expressly display, in a visible place, the information required by section 6 of Data Protection Law No. 25.326 (including indicating the purpose of the data processing, any possible recipients of data, the existence of the database and the identity of the data controller, whether providing the data is mandatory or not, and which rights data subjects have), to the data subjects, prior to any data collection and specifically mentioning how data subjects may exercise their rights.

Moreover, when sending communications that were not previously requested by the recipient the fact that the content of such communication refers to advertising must be highlighted. If such communication is made via email, the heading of the message has to include the term “advertising” (publicidad).

Yes. Certain sector-specific regulations, such as those applicable to the healthcare and banking industries, include references to the protection of personal data. However, in all cases, these sectoral rules expressly refer back to, and require compliance with, the general framework established by the PDPL. In other words, sectoral regulations do not create an independent or parallel data protection regime but rather confirm the mandatory application of PDPL to industry-specific activities.

The PDPL does not require the appointment of a Data Protection Officer.  

However, the DPA recommends its appointment (although in most cases this recommendation is oriented to government agencies).  

In this regard, DPA Resolution No. 40/2018, which contains the template of the personal data protection policy for public bodies, recommends the appointment of a permanent staff member as Data Protection Delegate, who will be assigned the implementation and internal compliance control of the body's data protection policy.  

Additionally, DPA Resolution No. 332/2020 establishes that the actions of the data controller or Data Protection Officer shall be considered during the inspections and that at the time the data controller responds to the notification, it shall communicate in its first submission whether it has a Data Protection Officer or Data Protection Delegate.

In the same sense, the DPIA Guide published by the DPA defines the Data Protection Officer as the person appointed or hired by the data controller, with proven experience and knowledge in the matter, for the purpose of advising on the formulation, design, and implementation of policies for the protection of personal data.   

Pursuant to the provisions of the PDPL, personal data must be destroyed, even without the express request of the data subject, when they are no longer necessary or relevant for the purposes for which they were collected. Additionally, the PDPL authorizes data controllers to retain personal data based on specific applicable rules (such as labor, corporate or tax law), or during the terms agreed between the data controller and the data subjects.

Once the purposes for which the data were collected have been fulfilled and, in the absence of a legal term that justifies their retention for longer periods, personal data must be destroyed.

The PDPL also provides that natural or legal persons who provide personal data processing services on behalf of the database controller (i.e., data processors) may keep the personal data provided to them for a maximum period of 2 (two) years from the date of termination of the contract for the provision of services, subject to the express authorization of the database controller and when it is reasonable to assume further orders or requests for additional services.

After these periods, personal data should be deleted. 

DPIAs are not mandatory in Argentina.

However, the DPA issued a non-binding DPIA Guide whose objective is to guide both public and private sector entities, from an initial stage, in those practices or projects that could affect the rights of individuals with regard to the protection of their personal data, and thus mitigate the possible negative effects.

The DPIA Guide is divided into six assessment stages, ranging from the identification of key individuals in the potential processing of personal data to the detection of risks in such processing. At each stage of the process, the person responsible is encouraged to make partial reports, which can then be integrated into a final report describing the actions planned and the results achieved.

The DPA recommends that the person responsible for the DPIA publish a copy of the final report on its website or display it in case of a request from an interested party, safeguarding confidential information, if applicable. 

The PDPL allows data controllers to share personal data with third-party vendors acting as data processors, establishing that the latter may not:

1. Use or apply the personal data for purposes other than those provided for in the contract for the provision of processing services; and
2. Transfer such data to other third parties, not even for storage purposes. 

According to the PDPL, the processing of personal data on behalf of a data controller must be carried out within the framework of written contracts for the provision of data processing services which, precisely, bind the data controller to the data processors. These contracts must specify that:

1. The data processor shall act only on instructions from the data controller; and 
2. The data processor shall comply with the obligations relating to the security and confidentiality of personal data provided for in the PDPL. 

Penalties for non-compliance with the Data Protection Regime are limited to: (i) warnings; (ii) fines from ARS 1,000 to ARS 100,000 (approximately USD 1 to 100 at the current exchange rate); (iii) suspensions; (iv) closure; or (v) cancellation of the database.
Infringements are graded as minor, severe or very severe:

1. MINOR. For minor infractions, up to 2 warnings and/or a fine of ARS 1,000 to ARS 80,000 (approximately USD 1 to USD 76) may be applied. 
2. SEVERE. For severe violations, the sanction to be applied will be up to 4 warnings, suspension from 1 to 30 days and/or a fine of ARS 80,001 to ARS 90,000 (approximately USD 76 to USD 85). 
3. VERY SEVERE. For very severe infractions, up to 6 warnings, suspension of 31 to 365 days, closure, or cancellation of the database and/or a fine of ARS 90,001 to ARS 100,000 (approximately USD 85 to USD 95) will be applied.

Where several violations are included in the same administrative proceeding, the total amount of the fine is limited to the maximum fine applicable according to the grade of the infringement committed, multiplied by five hundred (i.e., up to ARS 50,000,000 or approximately USD 47,300 at the current exchange rate).

The Data Protection Authority keeps a public registry of the individuals and legal entities that have been sanctioned as a result of an infringement to the Data Protection Law (available at https://www.argentina.gob.ar/aaip/datospersonales/registro-infractores). 

Moreover, there may be claims for damages by data subjects based on the general principles of civil liability established in the Argentine Civil and Commercial Code, including through class actions.

From a personal data protection perspective, the PDPL does not require the implementation of audits. However, in practice, audits are usually implemented as part of the privacy programs of companies and audits can also be developed and required in the framework of agreements for the provision of services involving the processing of personal data, to determine compliance with the PDPL. 

Currently, several legislative proposals are under consideration in Congress:

• Comprehensive Personal Data Protection Law: The draft bill was released for public consultation on June 25, 2025. This bill seeks to replace the PDPL by establishing a modern, flexible, and rights-based framework for personal data protection in Argentina. It aligns with international standards and expressly addresses emerging technologies such as artificial intelligence (AI).
• 644-S-25: This bill continues the reform process initiated by the Data Protection Authority in 2022, which lost parliamentary status this year without being passed. It aims to replace the PDPL and emphasizes informational self-determination, proactive compliance, and alignment with international privacy standards.
• 1948-D-2025: This bill is identical in substance to Bill S-644-2025, with the only difference being the legislative chamber in which it was introduced. While Bill S-644-2025 was submitted before the Senate, this version was presented in the House of Representatives. 
• 4243-D-2025: This legislative proposal aims to regulate the use of personal data from people or entities that develop, implement or commercialize Artificial Intelligence systems. It establishes a duty of transparency for the AI systems responsible and a mandatory risk assessment. 
• 2968-D-2025: The purpose of this law is to amend Law No. 25,326 on the Protection of Personal Data to incorporate protective mechanisms for data subjects. It modifies provisions related to minors, automated decisions and profiling.
  
• 3034-D-2025: This law aims to require biometric authentication for social network registration and access, along with random authentication controls, to prevent offenses such as grooming and safeguard the security of children and adolescents in virtual spaces.
  
• 3540-D-2025: This bill seeks to regulate the amendment of Law No. 25,326 on Personal Data Protection by incorporating principles of algorithmic transparency, the right to explanation, accountability, and auditing mechanisms for automated systems, profiling, algorithms, and artificial intelligence. It aims to safeguard individuals’ rights in the processing of their personal data and automated decision-making, promoting processes that are understandable, fair, and secure.