New Updates From The Supervisory Authority Regarding The Protection Of Personal Data In Argentina
If your company or organization processes personal data of Argentines as a data controller, please note that the Supervisory Authority on the protection of personal data of Argentina (the Agency for Access to Public Information or “Agency”), has issued updates regarding the registration of foreign companies, as well as the classification, grading and maximum limits of the infringements applicable in the event of non-compliance. Please find below a summary of these developments.
- Registration of foreign companies before the Agency
On November 29, 2022, the Agency enabled a new web form to be filled by companies and organizations located in foreign countries who process personal databases of Argentine persons, in order to proceed with their registration before the Agency, as foreign Controllers/ Responsible entities. It should be noted that, until now, the registration was only enabled for those responsible for databases with legal domicile in Argentina.
With this form, the registration obligation is now also extended to those Controllers with legal addresses abroad.
It is expected that from said registry the foreign Controllers will need to comply with the obligations derived from the exercise of rights of the data subjects (right of information, access, rectification, updating or deletion), among other related obligations, through the email to be informed to the Agency.
Likewise, the Agency will use such registered email for the purpose of notifying any requirement to the foreign Controller, among other uses related to applicable regulations that could derive from the new registration obligation.
The above-mentioned registration should be done through an online form that has the nature of an Affidavit and that requires providing the following information of the Foreign Controller: Telephone, Email Legal address and Country. Also, the registration requires determining an authorized person or proxy to carry out the procedure, and accredit said legal capacity, in addition to providing their contact information for the purposes of the registration.
- New Classification of Infringements
On December 5, 2022, Resolution AAIP No. 240/2022 was published in the Official Gazette, which derogates DNPDP Disposition No. 09/2015 and updates both the infringements classification regime and the sanction graduation regime.
Additionally, on December 6 of this year, AAIP Resolution No. 244/2022 was published, which updates the maximum fine limits to be applied when a sentencing administrative act includes more than one monetary sanction for the same punishable conduct.
Annex I of the Resolution updates the classification of infringements as follows:
-Minor infringements (for example, those related to the lack of registration before the National Registry of Databases or the lack of information in due time and form of modifications, updates or deletions).
-Serious infringements (the lack of registration of databases in the National Registry of Databases when required by the authority, the processing without adequate legitimization bases or various issues related to the exercise of rights by data owners, as well as the conduct of the data controller before the supervisory authority, among others).
III. New Graduation of sanctions
The amounts of fines are updated as follows:
-Minor infringements: from PESOS ONE THOUSAND ($ 1,000.00) to PESOS EIGHTY THOUSAND ($ 80,000.00)
-Serious infringements: from PESOS EIGHTY THOUSAND ONE ($ 80,001.00) to PESOS NINETY THOUSAND ($ 90,000.00)
-Very serious infringements: from PESOS NINETY THOUSAND ONE ($ 90,001.00) to PESOS ONE HUNDRED THOUSAND ($ 100,000.00)
In addition, new aspects are incorporated to assess the application and graduation of the amount of the sanctions. At this point, we emphasize that, despite the issues already provided in the previous Provision ‑such as the nature of the personal rights affected, volume of the processing, benefits obtained, degree of intentionality and recidivism‑, the enforcement authority will now also consider new aspects such as:
- the economic condition of the infringer
- the proven adoption of corrective measures and internal mechanisms and procedures capable of minimizing the damage, tending to the safe and adequate processing of the data
- whether the personal data of children and adolescents has been affected
- In the event of security incidents, the collaboration with the supervisory authority and the proven implementation of corrective measures, mechanisms and internal procedures capable of minimizing the damage by the data controller or data processor shall be taken into account.
Lerman & Szlak Services
If you have any queries about your organization’s compliance and/or need more information, please do not hesitate to contact us at [email protected].