There are several enforcement mechanisms:
- The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case of violation.
- Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.
- Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality or updating.
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that 'undertaking' should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called "look through" liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
- any person who has suffered "material or non-material damage" as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Enforcement powers
Part 6 of the DP Act provides the DPC with a wide-range of powers to supervise organisations under its jurisdiction, including:
- Powers to handle complaints made (directly or indirectly) to it;
- Powers to open and conduct “own-volition” inquiries;
- Powers to issue decisions and exercise corrective powers (including administrative fines) provided for in GDPR;
- Powers to issue a variety of corrective orders including warnings, reprimands, directions, suspensions or restrictions;
- Powers of entry, search, seizure and inspection, including the removal and retention of documents or records;
- Powers to issue information and enforcement notices; and
- Powers to require an organisation to carry out a report or audit.
Criminal offences
The DP Act provides for several offences which can result in prosecution, imprisonment, and criminal penalties being imposed. Where offences are committed by an organisation, and such offence is committed with the consent, connivance or negligence of a manager, director, secretary or other officer of the company, the individual will be personally liable for the offence, as well as the organisation. The offences under the DP Act include:
- an employer or potential employer forcing an individual to make a subject access request;
- a processor disclosing personal data without the consent of the controller unless required to do so by law;
- obtaining and disclosing, or selling personal data to a third party without the consent of the relevant controller or processor of that data, or in relation to data which were unlawfully disclosed to them;
- contravening the provisions relating to the processing of criminal convictions and offences data;
- not cooperating with an authorised officer during an investigation, audit or inspection; and
- failing to comply with an information or enforcement notice.
Article 43 of the Federal Constitution, third paragraph, provides, in relevant part that any person may file an action to have access to personal data about such person and to information about the purpose with which they are kept, included in public data registries or banks, or in private data registries or banks, and to request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory.
These provisions do not create an express constitutional right to privacy or data protection, but do create the basic framework for the protection of such right, as well as the foundation for the legislation, subsequently enacted, which regulates the details of that protection.
Law 25,326 - the Personal Data Protection Law (PDPL) includes the basic personal data rules. It follows international standards, and has been considered as granting adequate protection by the European Commission. Decree 1558 of 2001 includes regulations issued under the PDPL. Further regulations have been issued by the relevant agencies.
In November 2022, Argentina ratified Decision 108 of the Council of Europe, as amended, by means of Law 27,699.
Definition of personal data
Personal data is defined as information of any type referred to individuals or legal entities, determined or which may be determined.
Definition of sensitive personal data
Sensitive data includes personal data which reveal racial or ethnic origin, political opinions, religious, philosophical or moral convictions, trade union affiliation and information related to health and sexual activities.
Pursuant to Decree 746 of 2017, it is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).
All archives, registries, databases and data banks, whether public or private, having the purpose of supplying information, must be registered with the Registry organized by the national data protection authority. This registration requires the following information, to be provided to the registry:
-
The name and domicile of the person responsible for the archive, registry, database or data bank
-
The characteristics and purpose of the archive, registry, database or data bank
-
The nature of the personal data included or to be included in the archive, registry, database or data bank
-
The way in which data are collected and updated
-
The destination of the data and the identity of the individuals or legal entities to whom such data may be transferred
-
The way in which the recorded information is interrelated
-
The means to assure the security of the data, indicating the category of persons with access to the processing of data
-
The term during which the data will be preserved
- The way and conditions pursuant to which interested persons may have access to the data referring to such persons, and the procedures to be followed to rectify and update the registered data
Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.
Personal data collected for purposes of processing must be truthful, adequate, relevant and not excessive in relation with the scope and purpose for which they were obtained. The gathering of data shall not take place by unfair or fraudulent means or in an otherwise illegal manner.
Personal data may not be used for purposes different from or incompatible with those for which the personal data was initially collected. Personal data must be accurate and properly updated when necessary. Totally or partially inaccurate personal data, or those that are incomplete, shall be suppressed and substituted, or completed where relevant, by the person responsible for the archive or database, whenever such person becomes aware of the inaccurate or incomplete character of the information.
Consent from the data subject is required, which must be free, express and informed consent and in writing or in another equivalent form, unless:
-
The personal data were obtained from sources open to unrestricted public access
- The personal data were obtained as part of the performance of state duties or in compliance with a legal obligation
- The personal data consists of lists whose data are limited to the name, national identity document number, tax or social security identification, occupation, date of birth and domicile
-
The personal data are derived from a contractual, scientific or professional relationship and are necessary for such relationship
-
The personal data result from operations conducted by financial entities with their clients or consist in the information such financial entities receive from their clients pursuant to the Financial Entities Law
When the authorization for the collection and processing of data is requested, the data subject must be informed about the purpose for which the data will be processed, as well as about the individuals or groups of individuals who will have access to the processed information. In addition, the archive, registry or data bank where the information will be kept must be identified, together with the person responsible for it. The data subject must be informed about the voluntary or compulsory nature of the answers requested from such owner, as well as about the consequences of providing the personal data or of refusing to give such information or of providing untruthful information. The data subject must also be informed about the right to access, rectify and suppress the relevant data.
Special rules apply to sensitive data. No person may be required to disclose sensitive data. Sensitive data may only be collected and processed where necessary, and with consent, as expressly permitted by law, or for statistical or scientific purposes provided the person they refer to may not be identified.
Data related to criminal records may only be processed by the relevant public authorities.
Transfers and disclosures to third parties
Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be rescinded.
Consent is not required in the case of transfer of data regarding which consent was not necessary for collection. Also, it is not necessary in the case of transfer of data between state agencies, for purposes of performance of their respective activities, on in connection with health-related data, if the transfer is necessary for public health or emergency reasons, or for the performance of epidemiological studies, provided the identity of the persons to whom such data refer is reserved by means of adequate dissociation mechanism. In addition, consent is not necessary, for personal data generally, if an adequate dissociation mechanism is used in a way such that the data subjects are not identifiable.
Cross-border transfers
The cross-border transfer of personal data is prohibited to countries or international or supranational organization which do not provide adequate protection to such data, unless:
-
The data subjects expressly consents to that transfer
-
The transfer is necessary for international judicial cooperation
-
The transfer takes place as part of certain exchanges of medical data
-
Bank or stock exchange transfers, in the context banking or stock exchange transactions
-
The transfer takes place as provided in the context of international treaties to which Argentina is a party
- The transfer has as its purpose the international cooperation between intelligence agencies engaged in combating organized crime, terrorism and drug traffic
The person responsible for a data archive, or using such archive, must adopt the technical and organizational measures to assure the security and confidentiality of personal data, so as to avoid their adulteration, loss, consultation or non-authorized processing, and to detect the misuse of information. The recording of personal data in archives, registries or data banks that do not comply with the legal requirements on integrity and security is prohibited.
Not specifically required under data protection law.
Failure to notify a data security breach is not in itself a violation of the data protection regime, but may bear on the effects of security violation, especially if lack of such notification results in other security breaches or damages. The person responsible for the data must keep records on security breaches, and these records may be requested by the data protection authority.
Breach notification may be mandatory if the data protection authority specifically requests information about data breaches.
There are several enforcement mechanisms:
- The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case of violation.
- Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.
- Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality or updating.
Electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject rights.
Although there are no detailed regulations on online privacy, the general rules on privacy provided by the Civil and Commercial Code are applicable in this context. Nuisances from unrequested communications may be actionable. Unauthorized collection of personal data will be subject to the general rules applicable to such data.
