Sanctions for Non-Compliance with the Personal Data Protection Law
“I want to delete my account, but I can’t find the option. I want you to stop sending me emails. Enough!” was one of the many messages that Juan (we keep his real name confidential) sent to stop the company from sending him non-consented communications. However, despite the clarity of the message, it had no effect. This helplessness and anger at continuing to receive messages from the company, which we have all experienced at some time, motivated Juan to file a complaint before the Control Authority of the Personal Data Protection Law No. 25,326 (“DPA”).
During March, two sanctions for gross non-compliance with the DPA were imposed by the Access to Public Information Agency (the DPA Control Authority). One was motivated by Juan’s complaint: a delivery application had not complied with a user’s request for deletion of his data. In this case, the company continued to send communications to the user, who had repeatedly requested to stop receiving them.
The other sanction was imposed on a company providing home delivery of products from an online store, which would have committed 3 infringements: (i) collecting personal data in breach of the provisions of the DPA (it did not obtain its clients’ consent in the terms of the Law); (ii) processing data that does not meet the quality requirement of being certain, adequate, relevant and not excessive in relation to the scope and purpose for which it was collected (i.e., it was understood that collecting and retaining copies of the identity document was excessive for the purpose of delivering packages); and (iii) processing personal data without the security measures determined in the standard (i.e., the online tracking service exposed the customers’ personal data, so that third parties could view and download such information).
Both penalties reaffirm the importance of providing mechanisms to meet the requirements of the data subjects under the terms of the Law. In addition, they reveal the need to review the processes and policies for the treatment of personal data to confirm compliance with the DPA and its related regulations.
Finally, it is worth remembering that breaches of the personal data protection regime may result in administrative sanctions by the Control Authority, civil actions by data subjects (i.e., customers or users of the companies) and even criminal sanctions. Regarding administrative sanctions, these include warnings, suspension, closure or cancellation of the database, and fines from $1,000 to $100,000, depending on the nature of the infraction, which may accumulate up to $5,000,000.