Draft Personal Data Protection Bill

    Latin America

    Draft Personal Data Protection Bill

    MEN-2018-147-APN-PTE

    On 19 September 2018 the President of Argentina submitted a draft data protection bill to Congress with the aim of revamping Argentinian Data Protection legislation. If this Bill is adopted it will replace Law 25.326 in its entirety, and is expected to better define the scope and concepts, reach, accountability mechanisms, and security obligations regarding the processing of personal data.

    Last Updated: July 30, 2019


  • General

    The objective of this proposal (as stated in its preamble) is to provide Argentina with a more modern data protection Law that reflects the circumstances generated by new technologies and global developments in data protection legislation. The draft Bill — in its preamble — makes a reference to its intention to align with modern international standards of data protection. A clear example of this can be found in the new list of concepts defined by the law, where crucial concepts that were left out of Law 25.326 are now included (e.g., “biometric data” and “genetic data”) and some other concepts are redefined in a clearer way (e.g., “personal data” and “sensitive data”), and some others are adjusted to reflect current technological developments.

    This Bill is structured in twelve chapters. This section presents a summary of Chapter 1, which lays down general provisions: definitions, scope of application, and exceptions to the application of the Bill when/if enacted.

    The list of definitions is considerable longer than in Law 25.326, sixteen definitions in total are included and worded along the same lines as the GDPR. Important additions are: genetic and biometric data, security breach, data processor, international transfer, data protection authority, third party, and group of undertakings. Some redefined concepts are: data subject, personal data, sensitive data, data processing, and database (which reflects technological developments of processing software).
    The material scope of application changes in that this law will not afford protection to legal entities. The preamble to the Bill clarifies that legal persons are not to be considered data subjects (therefore not granting them data subject rights) in order to follow the path paved by the international institutions (i.e., Consultative Opinion OC – 22/16 of the Interamerican Court of Human Rights) that hold that legal entities cannot be afforded fundamental rights’ protection.

    Concerning the material scope of this law, Article 3 explicitly excludes databases created and used for purely domestic purposes. The Bill also redefines the territorial scope. Article 4 states that the Bill would apply where:

    • (a) the controller is established within Argentina, regardless of whether the processing is carried out in another country;
    • (b) the controller is not established in Argentina, but in a place where Argentinian law applies by virtue of public international law;
    • (c) the processing of data concerns residents of the Republic of Argentina and is carried out by a controller not established in Argentina but who processes said data for the purpose of offering goods or services or profiling individuals residing in Argentina.

    It is worth noting that, whereas the GDPR talks about location, which does not require formal documentation of residence (e.g., the processing of data concerning individuals located in the EU), this Bill uses the word “residents” (which implies having a valid residence document).

    Argentina is a federal republic where federal law applies to the provinces only in certain cases. In the case of data protection legislation, this draft Bill stipulates in Article 92 that the federal Bill would apply to:

    • (a) the processing of personal data carried out by public authorities or public entities that belong to the National Executive Branch; and,
    • (b) to the processing of personal data carried out by private entities if the personal data are accessible from inter-jurisdictional networks, regardless of whether they are national or international.

    Therefore, the 23 provinces and the autonomous republic of Buenos Aires should also modify their legislation in order to reflect the Bill

  • Incident and breach notification

    Article 20 of the draft Bill is drafted using the same wording and severity threshold as Article 33 of the GDPR. Article 20 of the draft Bill stipulates that: in case of a (security) personal data breach, the controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, except where the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the controller is delayed in notifying the authority, the notification must be accompanied by an explanatory note. In addition, controllers must record all security incidents which are likely to pose a high risk to the rights of data subjects, regardless of the stage of the processing where the breach took place. As a minimum, the record must include the date of the breach, the cause of the incident (e.g. internal threat, external threat, unauthorised access, etc.), all relevant facts and the effects, as well as any corrective measures that were immediately implemented.

    Article 20 also stipulates that controllers must inform data subjects of the breach, in plain and simple language, where the breach is likely to result in high risk to the rights of data subjects.

    The notification to the data protection authority (and where appropriate to data subjects) must at the very least include:

    • (a) the nature of the incident;
    • (b) the personal data that have been compromised;
    • (c) any corrective measures implemented immediately after becoming aware of the breach;
    • (d) recommendations to data subjects concerning the measures they can adopt to protect their interests; and,
    • (e) all resources available to the controller for getting more information about the incident.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust


OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.