Section 43 of the Argentine Constitution and Personal Data Protection Law No. 25,326 ("PDPL") as restated by regulatory Decree No. 1558/2001 ("Regulatory Decree") governs the collection, storage and security, accuracy, retention, use and disclosure of personal data.

Since 2019, Argentina is a party to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”), ratified by Law No. 27,483. Argentina has also signed the protocol that modifies Convention 108, commonly known as Convention 108+, which has not yet been ratified by the Argentine Congress. 

Note: 

The PDPL constitutes a comprehensive legal framework that regulates all the stages of data processing.

The main purpose of the PDPL is to guarantee: (i) the complete protection of the personal data contained in files, records, databases or other technical means, either public or private, if destined “to supply information”; and (ii) the rights to good reputation, privacy and access to information, in accordance with article 43 of the Argentine Constitution.

In addition to the PDPL, personal data protection and privacy rules are also contained in other laws at the federal level, such as:

• The Argentine Civil and Commercial Code;
• The Criminal Code;
• The Labour Contract Law No 20,744;
• The Telecommunications Law No 27,078;
• The Financial Institution Law No 21,526; and
• The Do Not Call Registry Law No 26,951.

There are also local provisions regulating the Habeas Data action and Do Not Call Registries in several provinces of Argentina. The City of Buenos Aires has also enacted a local law on personal data protection, but it only applies to the public sector. These local laws regulate aspects concerning the procedure of the Habeas Data action, a judicial remedy available to any data subject seeking enforcement of his/her right to access, rectify, update or remove any information relating to him/her, and only apply within the specific territory of each province.

The PDPL protects personal data, being information about an identifiable individual or legal entity.

Note: 

Personal data is defined as any kind of information referring to an identified or identifiable natural person or legal entity. Thus, personal data concerning companies is also protected by the provisions of the PDPL.

In addition, the PDPL defines “sensitive data” as information pertaining to the data subject’s racial or ethnic origin, political opinions, moral, religious or philosophical views, trade union affiliations, health or sex life.

The PDPL applies to individuals and private and public entities.

Note: 

Data controllers and data processors are subject to privacy obligations. The data controller is defined as the individual or legal entity owner of a database. The data processor is the individual or legal entity that provides services in connection with personal data processing at the request of third parties.

The PDPL applies to both private and public entities.

The legal basis for data processing depends on the nature of the personal data. As a general rule, the treatment, disclosure, collection, storage and amendment of personal data must be specifically consented to by the data subject. However, there are some cases in which no consent is needed for collecting and processing personal data.

Note: 

In principle, the data subject must consent to the collection of his/her personal data. Consent must be given freely, based on the information previously provided to the data subject and expressed in writing or by an equivalent means, depending on each individual case.

No consent is needed for data processing when the personal data:

• Is obtained from public sources with unrestricted access.
• Is collected by the government pursuant to its legal authority or in its capacity as such;
• Comprises the following categories of data: name, ID number, tax or social security identification numbers, occupation, date of birth and domicile.
• Derives from a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship.
• Is related to transactions made by financial institutions and information received by their own clients (specifically related to their lending transactions and other financial services).

The PDPL imposes specific requirements for the processing of sensitive data. In principle, sensitive data may only be collected if authorized by law and for a public interest purpose, and no person may be obliged to supply such information. Sensitive data may also be collected for statistical or scientific purposes, as long as identification of the data subject is not possible. Data related to criminal precedents may be collected only by the relevant competent authorities, and within the scope of the applicable legislation.

Public or private health institutions, as well as practitioners, are entitled to collect and treat health data as long as the information is related to the physical or mental condition of the patients. In this case, the duty of professional confidentiality must be honored.

Specific rules govern the use and treatment of personal data. In that sense, personal data collected must be:

• accurate and updated if necessary;
• adequate;
• pertinent;
• not excessive in relation to the scope and purpose for which it was obtained; and
• used for purposes compatible with those for which the data was collected.

Personal data may not be gathered through dishonest, fraudulent or illegal means.

Personal data which is totally or partially inaccurate or incomplete must be deleted, substituted or completed by the data controller if there is knowledge of such inaccuracy or incompleteness.

Personal data must be stored in a way that allows the data subject to exercise his/her rights of access, updating, modification and removal of such data.

Any person who intervenes in any phase of the processing of personal data has a duty of professional confidentiality, except in the case of a judicial resolution or for reasons of public security, national defense or public health. Such duty will persist even after the relationship with the data subject has been terminated.

In this line, personal data can be transmitted/disclosed to another data controller provided the following conditions are met:

• The data is only transferred for purposes directly related to the legitimate interest of the transferor and transferee.
• The data subject has been informed of the purpose of the transfer, as well as the identity of the transferee.
• The prior consent of the data subject has been obtained unless an exception applies.

Note: 

Personal data must be protected from unauthorized loss, use, modification or disclosure with mandatory security measures. Moreover, personal data must be automatically erased or removed when it has ceased to be necessary or current for the purpose for which it was obtained.

Personal data must be protected from unauthorized loss, use, modification or disclosure with mandatory security measures. Moreover, personal data must be automatically erased or removed when it has ceased to be necessary or current for the purpose for which it was obtained.

Note: 

Pursuant to the PDPL, necessary technical and organizational measures must be adopted to guarantee the protection and confidentiality of personal data in a way that prevents their adulteration, loss, consultation or unauthorized treatment. The processing of personal data in databases that do not comply with this requirement is forbidden.

In addition, the Argentine Personal Data Protection Authority ("DPA") has issued Rule No. 47/2018, which establishes a set of recommendations that can be adopted or be replaced by other more effective measures based on the practices and circumstances of the processing of personal data.  

This rule creates two sets of recommended security measures for the processing and conservation of personal data, one in connection with personal data stored by electronic means or and the other when the personal data is not stored by electronic means. Furthermore, some of the recommendations also include additional guidelines regarding the processing of sensitive personal data.

Personal data must be automatically erased or removed from the relevant databases or servers when it has ceased to be necessary or current for the purpose for which it was obtained. Moreover, the PDPL provides that personal data should be kept for the terms specified in the applicable legal regulation or in the corresponding contractual clause. Therefore, the retention terms set forth in each specific regulation or agreement will provide the legal basis for maintaining the information.

The data subject, or his/her legal heirs in case of the data subject’s decease, is entitled to exercise the rights of access, rectification, removal and confidential treatment of the personal data as provided by the PDPL vis-à-vis the data controller.

Note: 

Any data subject is entitled to request access to any database containing his/her personal data and obtain information in connection with his/her data.

In addition to the access right, data subjects have the following rights:

• request the rectification and update of the personal data;
• request the removal of the personal data;
• request the confidential treatment of personal data. The data subject’s rights can be denied by a public data controller in order to safeguard:
  • the national defense;
  • the national order;
  • the public security;
  • the rights and interests of third parties;
  • the prosecution of judicial or administrative proceedings concerning compliance with tax or social security obligations;
  • the development/execution of control policies concerning health and the environment;
  • the investigation of criminal offenses;
  • the investigation of administrative infringements;

The data controller must answer the access request within ten calendar days, while the request for the modification, update, removal and confidential treatment must be answered within five working days.

The PDPL prohibits the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of protection.

Note: 

The transfer of personal data to non-adequate countries is restricted. Pursuant to the DPA’s Rule No. 60-E/2016, the following countries are deemed to grant adequate privacy protection: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only private sector), New Zealand, Andorra, Uruguay, the United Kingdom and Northern Ireland. 

The cross-border data transfer restriction does not apply to the following cases:

• international judicial collaboration;
• certain cases in connection with medical treatments;
• banking or stock-exchange transactions conducted in accordance with applicable laws and regulations;
• transfer of personal data under international treaties; or
• data transfer between government intelligence agencies for the purpose of fighting against organized crime, terrorism and drug dealing. 

The transfer of personal data to non-adequate countries is also permitted when the data subject consents to the transfer or when adequate protection levels arise from “self-regulation systems” (i.e., binding corporate rules following the guidelines set forth by the DPA) or “contractual clauses” (i.e., an international data transfer agreement executed between the data exporter and data importer, provided that such agreement follows the model clauses issued by the DPA).

No, there are not any notification requirements for data breaches. 

Note: 

Although there are no notification obligations for data breaches, some resolutions of the Data Protection Authority (such as Regulation No. 47/2018, among others), recommend doing so.

Furthermore, this obligation may arise from other sectorial rules (e.g., regulations issued by the Argentine Central Bank or the Argentine Securities Commission applicable to financial institutions).

The Regulatory Decree establishes the DPA as the controlling authority. The functions of the DPA range from promoting privacy to investigating complaints of interference with privacy.

Note: 

The DPA is a self-governing entity within the scope of the Chief of Cabinet. 

The DPA is responsible for overseeing the PDPL. It assists and advises individuals on the terms of the PDPL and the remedies available to them. It also issues rules and regulations, monitors compliance, conducts inspections, receives and processes claims filed by data subjects, and imposes sanctions. The DPA also manages the national register of databases in which data controllers and data processors must register their personal data processing operations.

A failure to comply with the obligations imposed by the PDPL may lead to sanctions imposed by the DPA or compensation for damages. Criminal sanctions for violating the PDPL are not common.

Note: 

Depending on the nature of the infringement, the DPA may impose the following administrative sanctions for non-compliance with the PDPL and complementary regulations:

• written warnings;
• suspension of the database from one to 365 days;
• cancellation of the database; and
• fines ranging from Argentine Pesos 1,000 (approximately USD 8 at the current exchange rate) to 100,000 (approximately USD 800). The fine may amount to up to Argentine Pesos 5,000,000 (approximately USD 41,000) in the case of identical conduct within the same kind of violation.

The PDPL establishes the Habeas Data Action, a judicial remedy available to any data subject seeking enforcement of his/her right to access, rectify, update or remove any information relating to him/her stored in a database. Any affected data subject may also request compensation for damages if he/she understands that privacy rights have been violated.

The Argentine Criminal Code punishes with imprisonment from one month to three years those who:

• illegally insert information in a database;
• illegally gain access to databases;
• disclose personal data protected by a duty of confidentiality pursuant to law; or
• knowingly supply false information stored in a database to a third party.

There are no specific rules on electronic marketing; rather the general provisions on direct marketing apply to that case.

Note: 

The PDPL authorizes the treatment of personal data for marketing purposes. Companies may use gathered information connected to addresses, delivery of documents, advertising or direct sales and other similar activities to determine consumers’ profiles for commercial, promotional or advertising purposes, provided that:

• such data is accessible to the public; and
• the data subject supplied the information voluntarily or gave his/her consent. Furthermore, the Regulatory Decree provides that in some cases the data subject’s consent shall not be necessary for the collection, treatment and assignment of personal data.

The data subject must enjoy free access to the database and be able to request at any time the removal or blocking of his/her data from the database. In that regard, the DPA’s Decisions Nos. 10/2008 and 4/2009 provide that notice with specific language must be added in Spanish in every mass marketing communication. The email must also include a link or any alternative technical resource allowing the recipient to opt out of receiving this kind of message.
Also, the DPA´s Decision No. 14/2018 provides that the controllers and users of public and private databases must clearly and expressly display, in a visible place, the information required by section 6 of Data Protection Law No. 25.326 (including indicating the purpose of the data processing, any possible recipients of data, the existence of the database and the identity of the data controller, whether providing the data is mandatory or not, and which rights data subjects have), to the data subjects, prior to any data collection and specifically mentioning how data subjects may exercise their rights.

Moreover, when sending communications that were not previously requested by the recipient the fact that the content of such communication refers to advertising must be highlighted. If such communication is made via email, the heading of the message has to include the term “advertising” (publicidad).

A new bill intended to modify the PDPL is currently being discussed.

Note: 

Currently, seven bills to amend the PDPL are pending before Congress:

1. Bill No. 0111-S-2021 (only available in Spanish here) was introduced to the National Congress of Argentina ('the Congress') to update article 26 of the LPDP, with respect to the processing of credit information or economic and financial solvency data.
2. Bill No. 835-D-2022 (only available in Spanish here) also intends to modify article 26 of the LPDP.
3. Bill No. 0108-S-2021 (only available in Spanish here) was introduced the same day in the Congress and proposes to regulate the processing of data collected through the use of VANTS or drones.
4. Bill No. 0066-S-2022 (only available in Spanish here) intends to replace article 2 of the LPDP regarding the inclusion of genetic, biometric and sexual orientation data as sensitive data.
5. Bill No. 0107-S-2021 (only available in Spanish here) seeks the regulation of unsolicited commercial electronic communications for advertising purposes.
6. Bill No. 0029-S-2021 (only available in Spanish here) intends to ensure that any person may exercise the right of suppression contemplated in article 16 of the LPDP respecting certain contents indexed to the data subject’s name by Internet search providers.
7. Bill No. 1123-S-2022 (only available in Spanish here) states, among other points, that the AAIP may apply fines of 5% of the income and/or global invoicing of the controllers or processors of the database.