“International Data Privacy Day” is celebrated every January 28. It is an initiative adopted by the Council of Europe and the European Commission, in commemoration of the execution of Convention 108 “for the Protection of Individuals with regard to Automatic Processing of Personal Data”. This event aims to raise citizens’ awareness of the importance of protecting the privacy of their personal data.
In Argentina, the protection of personal data is provided for in our National Constitution and is mainly regulated by the Personal Data Protection Act No. 25,326, Decree 1558/01 and other regulations issued by the Data Privacy Authority, currently the Access to Public Information Agency. (Previously, the control authority was the National Directorate for the Protection of Personal Data, under the structure of the Justice Ministry. This was modified by Decree 899/2017 so that the directorate would be included within the structure of the Access to Public Information Agency.)
The Personal Data Protection Act No. 25,326 aims to ensure the treatment and comprehensive protection of personal data to guarantee the right to honor and privacy of individuals, as well as the right of access to the personal information included in databases. To this effect, the Act provides the right of data subjects to access, rectify, update and suppress their personal information. This law also establishes a series of principles and obligations that must be observed in order to process personal data lawfully.
Failure to comply with the obligations set forth in this regulatory framework may result in administrative sanctions by the Access to Public Information Agency, civil actions by data subjects and even criminal sanctions. Administrative sanctions include warnings, suspension, closure or cancellation of the database, and fines from $1,000 to $100,000, depending on the nature of the infringement, which may be accumulated up to $5,000,000 (five million pesos).
During 2020, the Agency for Access to Public Information imposed 43 sanctions, of which 28 were for non-compliance with the “Do Not Call Registry” Act No. 26,951 and 15 for non-compliance with the Personal Data Protection Act No. 25,326 [1]. In addition, on January 13, the Access to Public Information Agency published a ranking of the companies that have received the highest number of complaints and sanctions for non-compliance with the “Do Not Call Registry” Act [2]. The total amount of these sanctions was 78 million pesos and the ranking is headed by telecommunications companies.
Finally, the Access to Public Information Agency has recently published its planning for 2021, in which it foresees the adjustment of the regulations on the classification and graduation of sanctions and establishes planned and ex officio inspections [3].
In view of this context, and the relevance of the matter in these times, our recommendation is to review processes and projects, taking into account and adapting them to the data privacy regulations in force and those that may be modified or issued in the short term.
For further information, please contact us at info@lermanszlak.com.
[1] The Registry of non-compliers with Acts No. 25,326 and 26,951 is available at: https://www.argentina.gob.ar/aaip/datospersonales/registro-infractores
[2] The ranking is available at: https://www.argentina.gob.ar/noticias/no-llame-las-empresas-mas-sancionadas-en-2020
[3] The Planning for 2021 of the Access to Public Information Agency is available at https://www.argentina.gob.ar/aaip/planificacion2021 and has been approved by Resolution AAIP 313/2020.