Law on the Protection of Personal Data

    Latin America

    Law on the Protection of Personal Data

    Law 25.326/2000

    Argentina’s Personal Data Protection Act was passed by Congress on 4 October 2000, and partially came into effect on 30 October, 2000. The law was fully enacted on 30 October 2001 upon creating the Data Protection Authority and publication of Executive Decree No 1558 of 2001, implementing Law 35.326.

    Last Updated: July 30, 2019

  • General

    The current legal framework for the protection of personal data in Argentina is spread across the Constitution, Framework Law 25.326 of 2000, implementing Decree 1558 of 2001, and Decision 47/2008 concerning the security measures that ought to be implemented in order to secure the integrity of personal data kept and processed by public and private entities. This legal framework afforded an adequacy decision to Argentina under Directive 95/46 EC. However, the European Commission is bound to monitor developments that could affect the functioning of an adequacy decision. In this vein, all adequacy decisions issued by the EC are subject to being repealed, amended, or suspended in the event that a specific territory no longer affords sufficient protection to personal data. On 19 September, 2018 the President of Argentina issued a draft Bill for the protection of personal data with the aim of modernising data protection legislation.

    Article 43 (habeas corpus) of the Argentinian Constitution stipulates that everyone has the right to exercise a habeas corpus action in order to access personal data, kept in public or private databases, relating to him or her and to receive information about the purpose for which the data are being collected and processed. In addition, this article also grants the right to exercise a habeas corpus action if the data subjects deem the data to be false or discriminatory, and to request the erasure, rectification, updating, or to secure confidentiality of their data.

    Under the umbrella of Article 43 of the Argentinian Constitution, the objective of Law 25.326 is to afford protection to the personal data kept in private or public databases, registries, archives, or any other filing system used for the processing of personal data. The Law is divided in six chapters laying down: general provisions; principles relating to processing of personal data; rights of data subjects; users and controllers of archives, registries and databases; DPA; administrative and criminal sanctions; and, the procedure for exercising the right to habeas data (from initial claim to adjudication).

    The material scope of this law is quite ample as it applies to all data kept in databases that allow the processing of the data. In addition, article 1 states that this protection can be extended to legal entities where appropriate.
    Furthermore, Article 23 states that all personal data which need to be permanently stored for admin purposes in the databases of the armed forces/law enforcement/intelligence agencies fall under the purview of this Law. The Processing of personal data (by the aforementioned agencies) for the purpose of defence, national security, or the prosecution of crimes shall be limited to the circumstances and categories of data that are strictly necessary for the fulfilment of specific missions assigned to those agencies. All personal data collected by law enforcement agencies must be deleted when they cease to be relevant to the investigative activities that caused the collection and processing of the data.

    Article 28 lays down an exemption whereby all processing activities of anonymised data for statistical purposes (in compliance with Law 17.622 on census and statistics) are not under the purview of Law 25.326. In addition, processing activities of anonymised data for the purpose of market or scientific research, opinion surveys or similar are not subject to the provisions laid down in this Law.

    The territorial scope of the law is defined in Article 44, which states that: the norms contained in chapters I – IV (excluding the chapter on fines and the chapter addressed to the DPA) of the Law are applicable nationwide and requests the provinces to align their data protection legislation to the provisions contained in this law. In addition, the Law stipulates that interconnected registries, archives, or databases with interjurisdictional reach (national and international) are subject to the provisions laid down therein.

    Article 2 defines some core data protection concepts,

    1. Personal data is defined rather loosely as any information relating to identified or identifiable natural or legal persons.
    2. Sensitive data is defined as personal data revealing: political opinions, religious, philosophical or moral beliefs, racial or ethnic origin, union trade affiliation, health status, or sex life. Compared to the GDPR, this Law falls short for not including biometric data, genetic data, and information revealing sexual orientation. Another difference with the GDPR is that, this law explicitly refers to this information as ‘sensitive data’ (instead of ‘special categories of data’).
    3. The terms archive, registry and database are used interchangeably to designate an organised set of personal data subject to manual or automated processing regardless of the modality in which the set is built, kept organised or accessed.
    4. Processing of data is defined any manual or digital operation performed on personal data (i.e., collection, storage, structuring, preservation, modification, combination, assessment, blocking, access, consultation, disclosure or transfers to third parties, erasure, or destruction).
    5. Controller (of database/registry/archive) is any legal or natural person holding (in control of) a database.
    6. Digital information is defined as all personal data subject to automated or digital processing operations.
    7. Data subject (data owner) is defined as any legal or natural person with a legal residence or establishment in Argentina, and whose personal data are subject to processing operations as defined in this Law.
    8. A data user is any legal or natural person that processes personal data contained in registries (databases/archives) that belong to him/her or to which the user has access.
    9. Anonymisation is defined as any processing of personal data that is carried out in a way in which the information cannot be linked to an identified or identifiable natural person.
    10. Although the concept of ‘processor‘ is not listed in Article 2, Article 25 stipulates that the processing of personal data on behalf of another person can only by performed for the purpose defined by the controller, which must be stated in the contract governing the processing services offered. Moreover, Article 25 states that the processor must not transfer the personal data under any circumstances. (even the preservation of the information).

    It is worth noting that in comparison to the GDPR, the scope and definitions laid down in the Argentinian data protection framework is lacking in breadth and depth. This is particularly relevant because their status as adequate country may not be secure after a revision of the adequacy decision by the European Commission.

    Finally, this Law dedicates one article to regulating services that provide credit and financial information. Article 26 lays down a few limitations to the processing of information concerning wealth, credit history and economic solvency:
    a) this information can only be processed provided it was obtained from publicly accessible databases or directly from the data subject;
    b) information relating to pecuniary obligations can only be processed if the data were obtained directly from the data subject or his/her legal representative;
    c) information that is relevant for the assessment of financial solvency of an individual can be stored, registered or transferred during a period of up to five years (two years if the concerned individual has fulfilled his/her obligation, in which case an explanatory note must be added to that information).

  • Cross-border data transfer

    Argentina is one of the few countries to hold an adequacy decision. Therefore, personal data can be safely transferred from the European Union to Argentina. Law 25.326 prohibits the transfer of personal data from Argentina to third countries or international organisations that do not afford an adequate level of protection. Like the EU, the Argentine AAIP is empowered to evaluate and decide which countries afford an adequate level of protection. Argentina has issued adequacy decisions to the EEA, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (private sector only), New Zealand, Andorra, Israel, and Uruguay.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.