Argentina’s Personal Data Protection Law (PDPL)

Comprehensive privacy legislation enacted in 2000 protects Argentina residents’ data rights.

Effective date: October 30, 2000

Official text: Proteccion de los Datos Personales

The Argentina Personal Data Protection Law was passed by the Argentina National Congress to regulate the treatment and handling of personal data by both government agencies and private organizations in Argentina. The law has many similarities with the EU’s General Data Protection Regulation (GDPR).

The Argentina National Directorate for Personal Data Protection, which sits within the Argentina Agency for Access to Public Information, is the regulatory authority that oversees and enforces the Personal Data Protection Law nationally. 

The law applies to organizations established in Argentina that collect, use, and share personal data of Argentina residents (data subjects), even if the data processing takes place abroad.

It also applies if the organization is not established in Argentina but processes data of people in Argentina or monitors/profiles people in Argentina.

The law applies to data processing by government agencies and armed forces, with any limitations needing to be necessary, proportional and respect fundamental rights.

Personal data refers to information related to identified or identifiable natural persons.

An identifiable person can be identified directly or indirectly using identifiers such as physical, physiological, genetic, mental, economic, cultural, or social information.

Sensitive personal data includes data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual preferences, and genetic or biometric data that could potentially result in discrimination. When handling sensitive data, reinforced responsibility must be implemented, involving higher levels of security, confidentiality, access restrictions, and usage and sharing constraints.

• Legality, loyalty and transparency: Personal data must be processed lawfully, fairly, and transparently. Processing is lawful if done according to the law, fair if not achieved through deceptive means, and transparent if information about the processing is clear and accessible.
• Purpose limitation: Personal data must be collected only for specific, explicit, and legitimate purposes. Further processing not compatible with the original purpose is prohibited. However, processing for statistical, archival, and public interest research purposes is allowed.
• Data minimization: Only personal data necessary and relevant for processing purposes should be collected and processed.
• Accuracy: Personal data processed must be truthful, accurate, verifiable, and up-to-date. Processing false, outdated, inaccurate, or misleading data is prohibited.
• Retention limitation: Personal data should not be kept beyond what is necessary for processing purposes. Longer retention is allowed for statistical, archival, and research purposes if privacy safeguards are in place.
• Preeminence: In case of doubt about the interpretation and application of this law, the most favorable to the data subject will prevail.
• Security: Organizations must protect data via appropriate technical and organizational measures based on the risk and impact.
• Accountability: Organizations must adopt suitable measures to guarantee lawful processing and demonstrate compliance. This includes conducting data protection impact assessments.
• Confidentiality: Those involved in data processing must maintain confidentiality even after their relationship with the data subject ends. The duty can be waived by court order, supervisory authority directive, legal obligation, or competent authority’s administrative act based on public order.

• Consent: Data processing is permissible if the data subject provides consent for one or more specific purposes.

• Exercise of state powers: Processing is allowed when carried out in the exercise of state powers, necessary for the strict fulfillment of its competencies.

• Legal obligation: Data processing is justified if necessary for compliance with a legal obligation applicable to the organization.

• Contractual obligation: Processing is legitimate when necessary for the execution of a contract in which the data subject is a party.

• Vital interests: Processing is acceptable to safeguard the vital interests of the data subject or third parties, provided such interests do not override those of the data subject and consent is impossible due to physical or legal incapacity.

• Legitimate interests: Processing is allowed if it is necessary for the legitimate interests of the organization, with the condition that these interests do not supersede the rights of the data subject, especially if the latter is a minor. A detailed, prior, and documented analysis is required to determine the existence of a legitimate interest.

Upon request from the supervisory authority, organizations must demonstrate proof of a legitimate interest and explain the necessity of collecting or processing data in each case.

​​If the legal justification for data processing relies on the consent of the data subject, such consent must be explicit, obtained in advance, freely given, specific, informed, and unambiguous for one or more specified purposes, either through a declaration or a clear affirmative action:

• Prior refers to the situation where consent is requested before data collection.
• Express means the owner expresses their intention through a clear affirmative action.
• Free implies that the consent is devoid of defects, and the data subject has the option to refuse without facing any harm.
• Specific requires the owner to grant consent for each distinct purpose if the data processing involves multiple objectives.
• Informed entails providing the owner with information as outlined in Article 16.
• Unambiguous ensures there is no ambiguity about the extent of the authorization granted by the owner. The organization must be capable of demonstrating that the owner gave consent for the processing of personal data.

Consent for online services is valid for minors aged 13 or older. For those younger, parental consent is mandatory. Efforts should be made to verify consent from parents or guardians. Sensitive data of minors requires consent or is allowed for public interest or safety reasons.

Consent revoke: The data subject retains the right to revoke or withdraw consent at any time without the need for justification. However, this does not apply when there exists a legal or contractual obligation to process the data. Furthermore, the revocation does not affect the legality or validity of the data processing activities that occurred before withdrawing the consent. 

The organization is obligated to provide straightforward, cost-free, and prompt mechanisms for consent revocation, ensuring, it is as easy as when the mechanism to obtain consent.

The organization must provide the data subject, before data collection, with concise, transparent, understandable, and easily accessible information in clear and simple language, including, at least, the following details:

• organization’s contact details, including name, address, and electronic information.
• Categories and purposes of personal data processing with legal bases.
• Rights of data subjects, procedures for their exercise, and responsible contact.
• Details on transfers to other organizations.
• Information on international data transfers, including destination countries, risks, safeguards, and mechanisms for rights exercise.
• Mandatory or optional nature of data provision, and consequences.
• The data subject’s right to revoke consent.
• Duration of data retention or criteria for determining it.
• Existence of automated decisions, including profiling.
• Right to file a complaint or initiate data protection procedures.

The organization must provide this information even if not obtained directly from the data subject or if consent is not the legal basis. If data is not obtained from the data subject, the organization must provide the information within a reasonable period, not exceeding one month. In cases of data used for communication or transfer, the information must be provided at the first interaction or transfer.

In the event of a personal data breach, the organization must notify the supervisory authority within 72 hours of becoming aware of it. If the deadline cannot be met due to material constraints, the organization must justify the extension to the supervisory authority.

Similarly, The organization also has to inform the data subject in simple terms, using public communication if needed. 

The notification must include the following information: 

• The nature of the incident
• The personal data that may be deemed compromised
• Immediate corrective actions taken
• Recommendations regarding protective measures
• How to access more information, including the name and contact information of the data protection officer or any other designated contact

All high-risk breaches must be documented, including the date, cause, effects, and corrective measures. If detailed information can’t be provided at once, it can be sent as it becomes available without delay.

Let’s look at the data rights granted to Argentinian residents:

• Right to access: Data Subjects can request confirmation and access to their personal data. They have the right to know the purposes of processing, types of data, recipients, and more. The information must be clear, provided in a readable manner, and can be delivered in writing, electronically, or through other suitable means.

• Right to rectify: Data Subjects have the right to request corrections to inaccurate or outdated personal data. If incorrect data is transferred, the organization must notify the correction within five business days.

• Right to object: Data Subjects can object to data processing for specific purposes. The organization must stop processing unless there are legitimate reasons. This right also applies to data used for advertising or marketing purposes.

• Right to delete: Data Subjects can request the deletion of their personal data under certain conditions. Deletion may not occur if it harms the rights of third parties, serves public interests, or is necessary for legal compliance.

• Right to object Automated Decisions and Profiling: Data Subjects have the right not to be solely subject to automated decisions. They can request human review of decisions based on automated processing.

• Right to data portability: Data Subjects can obtain a copy of their data in a usable format. This right applies if it doesn’t burden the organization excessively or violate privacy.

• Right to limit data processing: Data Subjects can request the limitation of data processing under specific conditions, such as disputing data accuracy or objecting to processing.

Exercising one’s rights doesn’t impede the exercise of others, and any attempt to waive rights through contracts is void. Organizations are required to respond to access requests within 10 days. In cases of denial or deemed insufficient responses, data subjects have the option to seek administrative or judicial recourse. The procedures for exercising rights should be simple, free, and easily accessible. 

International transfers of personal data beyond national borders, including subsequent transfers, are allowed under the following circumstances:

• The receiving party provides an adequate level of protection.
• The data exporter ensures compliance with the necessary laws.
• Other exceptions for specific situations outlined in the law.

To demonstrate compliance, the burden of proof lies with the data exporter. Those conducting international data transfers must implement measures to ensure the rights of data subjects and be accountable for any potential violations.

The regulatory authority determines the adequacy of a country, considering factors such as the rule of law, respect for human rights, and existing legislation. Adequate guarantees include judicial and institutional mechanisms for data protection.

In the absence of an adequacy decision, adequate guarantees can be provided through contractual clauses, binding corporate rules, or certified data protection mechanisms approved by the regulatory authority.

Data transfers can also be made if:

• the data subject consents to it
• it is necessary to fulfill contractual obligations 
• it is necessary for public interest, legal proceedings, or to protect the vital interests of data subjects

The law provides for a range of administrative fines for violations, starting from a minimum of ARS 1,000 to up to ARS 100,000.

Higher penalty amounts can be imposed depending on the severity, intent, negligence, damage caused, and repetitive nature of the violation.

• Obtain explicit, informed consent from data subjects before collecting or processing personal data
• Notify data subjects with transparency about what, why, and how their personal data will be handled
• Only collect and retain personal data that is adequate, relevant, and necessary for specified purposes
• Implement appropriate technical and organizational measures to protect personal data
• Transfer personal data only to recipients that provide an adequate level of protection
• Provide user-friendly mechanisms for data subjects to exercise their rights and respond to requests within defined time periods
• Notify users and supervisory authority in case of data breach
• Conduct periodic risk assessments and audit of personal data

Does Argentina have a data protection law?

Yes, Argentina has a data protection law in place since 2000, called the Personal Data Protection Law (PDPL). It’s similar to other international data protection laws.

What is the cookie law in Argentina?

In Argentina, there is no dedicated “cookie law” akin to the GDPR in the EU. Instead, the use of cookies falls under the broader scope of Argentina’s Personal Data Protection Law (PDPL) enacted in 2000. While cookies are not explicitly mentioned, the PDPL’s principles apply to their use.

The PDPL mandates informed consent for collecting and processing personal data, including that obtained through cookies, if it can identify an individual.