The Ley de Protección de los Datos Personales, or Personal Data Protection Act of the Argentine Republic, known as Ley 25.326, was enforced on October 4th, 2000. The law aims to protect individuals’ personal data that is stored in public or private registers, files, or data banks to guarantee and honor their right to privacy. This purpose aligns with the third paragraph of Section 43 of the Constitution of the Argentine Nation, which gives any person the right to obtain information about their data registered in public or private databases. If any of that data is incorrect or biased, the person can file a request for suppression, updating, or rectification of the concerned data. (Part 1st Chapter I Declarations, Rights, and Guarantees)
The Agencia de Acceso a la Información Pública, or the Public Information Access Agency (AAIP), is responsible for enforcing this law and imposing suitable penalties on the violators. Criminal sanctions (Article 32) and Chapters I to IV are applicable throughout the national territory. Records, databases, archives, or data banks interrelated in networks of national, international, or inter-jurisdictional scope are governed by federal jurisdiction.
The law spreads across 7 chapters and 48 articles; however, for the purpose of this article, only those chapters and articles that govern data protection are discussed.
Principles Guiding Data Protection
Chapter I, Articles 1 and 2, covers the purpose and definitions under general provisions specifying sensitive data, data processing, data owners, etc.
Chapter II - General Principles Relating to Data Protection, covers details on the principles that the data controller and processor need to abide by in order to execute the processing of personal data. Articles 3-12 are explained below:
- Article 3, Data Files – Legality: The data files created will be considered lawful only if they are registered and abide by the principles and regulations of this law and public morality.
- Article 4, Data Quality: The collected personal data must be adequate, true, relevant, accurate, and limited to the purpose and scope. It should be updated when necessary and used only for the purposes for which it is collected and should be collected in a lawful manner. Inaccurate or incomplete data must be replaced or deleted. The data should be stored in a way that it is accessible by the data subject. After the collected data has served its purpose or is no longer necessary, it must be destroyed.
- Article 5, Consent: The processing is considered unlawful if written consent is not obtained from the data owner. If the data is collected from sources of unrestricted public access, for the functions inherent to the powers of the state, by virtue of a legal obligation, or under similar circumstances specified in this article, the consent of the data owner is not required.
- Article 6, Information: The data owner must be clearly informed in advance about the purpose of data collection, the existence of data files or banks, whether providing data is mandatory or optional, the consequences of not providing it, and their rights to access, delete, or correct the data.
- Article 7, Category of Data: Sensitive data must only be collected for lawful reasons, and no one can be forced to provide it. Storing data that reveals sensitive information is prohibited except for records kept by religious or political organizations. Criminal records can only be processed by authorized authorities.
- Article 8, Health-related Data: Healthcare professionals and establishments in public and private administrations related to health sciences may collect and process physical and mental health data of patients who have been treated by them or are still under treatment.
- Article 9, Data Security: Data security is required to be maintained to ensure data integrity of confidential data. All necessary measures – technical and non-technical – must be taken to safeguard data.
- Article 10, Data of Confidentiality: It is the duty of the data controller and processor to maintain professional secrecy with respect to the data collected. This obligation ends when there is a court order or when reasons related to public health, national defense, or national security exist.
- Article 11, Assignment: Personal data of data subjects can be transferred or assigned only with their consent. Consent is, however, not required in the following cases:
  - as governed by law
  - as per the conditions of Article 5
  - the transfer took place between departments of two state bodies
  - both the transferee and transferor are governed by the same laws and regulations and, hence, can be held liable for non-compliance with the due obligations
  - the identities of the data owners have been preserved when the health-related data is transferred for an emergency, public health reasons, or the performance of epidemiological studies
  - appropriate procedures have been applied to dissociate the information from its owners
- Article 12, International Transfer: Without adequate levels of protection of personal data, data transfer to countries or supranational or international organizations is prohibited. In the following cases, the prohibition won’t apply:
  - International judicial cooperation
  - Medical data required for patient treatment is transferred while applying dissociative procedures to protect owner identities
  - Stock or bank transfers related to respective transactions according to the applicable legislation
  - When the data transfer has been agreed upon within the framework of international treaties to which Argentina is a party
  - When the data transfer is intended for international cooperation between intelligence agencies in the fight against crime, drug trafficking, and terrorism.
Note: Ley 25.326 defines a data owner as any person or legal entity who has offices, legal domicile, or branches in the Argentine Republic and whose data can be processed. In addition, a data user is defined as any person, private or public, who processes personal data, whether in their own records, files, or databases or via any connected entity.
Rights of the Data Subjects
Chapter III, Rights of Data Subjects, spread across Articles 13-20, defines the rights that individuals can exercise when their data is mishandled and the principles of data protection are violated by the data controller or processor.
- Article 13, Right to Information: Similar to EU-GDPR, any person has the right to request information free of charge about the existence of records, files, databases, or personal data banks, along with the purposes of data collection.
- Article 14, Right of Access: After proving their identity, the data holder can request and also obtain information about the inclusion of their data in public and private data banks. For the deceased person’s data, this right can be exercised by their successors.
- Article 15, Content of the Information: The information provided to the data subject on request must be clear, comprehensive, free of codification, and in an accessible language. It must have an explanation wherever necessary and cover the entire record, even if the request is regarding only one aspect.
- Article 16, Right to Rectification, Updating, or Deletion: Every data owner whose personal data is included in a database has the right to get their data updated, rectified, and, if appropriate, deleted or made confidential. Deleting the data is not suitable when the data processor is legally obligated to retain the data, or when it can harm the rights of the involved third parties. The retention period is determined by the applicable provisions or by the contractual agreement between the data owner and the data user.
- Article 19, Free of Charge: No charge will be taken from the data subject for rectification, updating, or deletion of incomplete or inaccurate personal data in private or public databases.
Note: Rights under Articles 17, 18, and 20 can be referred to in Chapter III of Ley 25.326.
Chapter IV provides information on users and managers of files, records, and databases. Likewise, Chapter V explains the actions of the control body along with the code of conduct.
Penalties in Case of Violation
Chapter VI, Sanctions of Ley 25.326, describes the administrative and criminal sanctions that apply for non-compliance.
- Article 31, Administrative Sanctions: The penalty will be applied on the basis of the seriousness and extent of the violation and the resultant damages. In case of non-compliance by the data controller and processor, the liability might be in the form of suspensions, warnings, closure/cancellation of a file, registry, or a data bank, or fines of 1000 pesos ($1,000) to 100,000 pesos ($100,000). Moreover, the penalties can be extended as per Article 32.
- Article 32, Criminal Sanctions: These have been incorporated as Articles 117 and 157 of the Penal Code and explain the criminal sanctions that are applicable to the public and private data processors in case they violate the principles of data protection of this law. Further, the penalty for knowingly providing false information from a personal data file is six months to three years. Also, the penalty will be increased by half of both the minimum and maximum if the act harms someone.
How to Comply with Ley 25.326?
For a data user (data controller or processor) to comply with the obligations of Ley 25.326, it is essential that:
- The personal data is collected in a lawful manner.
- The personal data collected is adequate, limited, true, and relevant to the purpose disclosed to the data owner (data subject).
- The data owner has given free, informed, and explicit consent to the data user, with complete cognizance of the consequences of having shared their personal data.
- Incomplete and inaccurate personal data is updated with correct data or deleted whenever necessary.
- Personal data that is no longer necessary, has fulfilled its purpose, or whose deletion has been requested by the data subject is permanently destroyed. To erase personal data beyond recovery, use certified software like BitRaser, which erases data permanently using DoD 5220.22-M and NIST SP 800-88 standards for performing secure data destruction. The software-generated reports and certificates help comply with Ley de Protección de los Datos Personales of the Argentine Republic (Ley 25.326).
The consequences of negligence towards compliance with this law can vary from disqualification and imprisonment to paying hefty penalties per violation. To protect the personal data of Argentine citizens, organizations, whether public or private entities, must follow data destruction policies along with implementing security measures for safeguarding data.