Implementing Decree of the Personal Data Protection Act

    Latin America

    Implementing Decree of the Personal Data Protection Act

    Executive Decree No. 1558/2001

    The Decree was issued on 29 November, 2001 and it came into effect upon publication in the Official Journal on 3 December 2001. This Decree was issued with the aim of facilitating the implementation of, and compliance with, Law 25.326.

    Last Updated: July 30, 2019

  • General

    This Executive Decree constitutes secondary legislation. Public and private Registries/databases/archives containing personal data for the purpose of providing information, transferring or disclosing data, or any other purpose exceeding a purely household activity are subject to the provisions laid down in this Decree (regardless of whether this is provided free of charge or subject to the payment of a fee).

    This Decree partially implements some of the provisions laid down in Law 25.326, leaving some other provisions unregulated. Besides the one article under the chapter labelled ‘General Provisions’, this Decree is structured in six other chapters, each of them expanding upon the basic provisions laid down in the Law: principles relating to the processing of personal data; rights of data subjects; users and controllers of databases; control mechanisms; and (administrative) sanctions.

    A few things to highlight from this Decree:

    • (a) it only partially regulates some of the provisions laid down in the Law;
    • (b) the chapter concerning sanctions does not touch upon the penal sanctions laid down in the Law;
    • (c) the regulator in charge of enforcing Law 25.326 is the Agencia de Acceso a la Información Pública as stipulated in Decree No. 746 of 2017 (before Decree No. 746/17 the DPA was the Dirección Nacional de Protección de Datos Personales);
    • (d) this Decree does not provide any definitions relying on the short list laid down in Law 25.326.
  • Cross-border data transfers

    Like the GDPR, this decree allows international data transfers to countries without an adequate level of protection when: (a) data subjects consent to their data being transferred; and (b) when the adequate level of protection arises from contractual clauses that provide (e.g.) self-regulation systems such as Binding Corporate Rules (BCRs). BCRs have agreed upon between all the members within a corporate group (including employees, contractors, and third-party beneficiaries) and they have to encompass appropriate mechanisms for safeguarding the data. The AAIP approved specific guidelines for BCRs by means of Regulation No 159/2018. Regulation No 159/2018 lays down elements and principles that must be included in the BCRs in order to reflect the following requirements:

    • Lawfulness: BCRs must include and implement general data protection principles, especially (a) legal grounds for processing personal data; (b) accuracy; (c) purpose limitation; (d) transparency; (e) security and confidentiality.
    • Restrictions to cross-border data transfers to non-adequate jurisdictions.
    • Rights of Data Subjects, including (a) the right to object to the processing of personal data for the purpose of unsolicited direct marketing; and, (b) the right not to be subject to automated decision-making.
    • Protection of sensitive aspects of the processing, such as (a) restrictions to the processing of special categories of personal data; and, (b) restrictions to the creation of files that include information related to criminal convictions and offences.
    • Data subjects and the DPA of Argentina ought to be considered beneficiaries of the rights and guarantees granted by the BCRs.
    • Complaint procedures.
    • The legally binding nature of the BCRs all members of the corporate group vis-à-vis data subjects.
    • Provisions mandating that personnel in charge of da processing are subject to appropriate and regular training.
    • Judicial and administrative oversight.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.