Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last reviewed: 2 December 2024

The main local regulator is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública), which is the current DPA. The other regulator is the Federal Cybersecurity Agency. 

How active is each of the regulator(s)?

Last reviewed: 2 December 2024

☒ Moderately active 

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last reviewed: 2 December 2024

The DPA approved the Strategic Plan for the period 2022-2026 ("Plan") via Resolution No. 94/2023, which sets forth these main objectives:

  1. Promote and strengthen the exercise of the right to the protection of personal data and access to public information.
  2. Expand regulatory and management powers (seeking to update and strengthen regulations and improve information management capacities).
  3. Promote transparency in public management and citizen participation by bringing the state closer to its citizens.
  4. Expand and strengthen the institutional powers of the DPA.

The Plan will undergo an annual review to evaluate its progress and make any necessary adjustments.

It is anticipated that the DPA will continue in its efforts to extend its jurisdiction and enforce Argentine law on foreign entities processing personal data of data subjects residing in Argentina.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 2 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Staying the same

Class actions/group actions under data or cyber regulation are:

         Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last reviewed: 2 December 2024

There are:

☒       administrative remedies / civil penalties applied by regulators and law enforcement

The administrative remedies for damages arising from non-compliance with key data privacy and cybersecurity laws include warnings, suspensions, fines from ARS 1,000 to ARS 100,000, and closure or cancellation of the files, registers or database.

DPA’s Resolution No. 126/2024 unifies the sanctions regime of Personal Data Protection Law No. 25,326 and National Do Not Call Registry Law No. 26,951. It seeks to systematize, in a single rule, the diverse regulations in the various dispositions and resolutions that constitute the sanctions regime.

In this sense, the Resolution raised the maximum limits for applicable fines when a condemnatory administrative act includes more than one pecuniary sanction for an identical punishable action within each of the levels of the "graduation of sanctions." It provides a maximum limit for the total amount of the fine for such conduct equivalent to the maximum of the scale according to the seriousness of the infringements committed, multiplied by 500.

       criminal penalties from regulators and law enforcement

Pursuant to Personal Data Protection Law No. 25,326, certain data protection infringements are considered criminal offenses:

  • Knowingly providing to a third party false data stored in a database (punishable by a six-month to three-year imprisonment).

When a person is harmed as a result of the offense, the minimum and maximum punishments specified above will be increased by 50% (e.g., where a person is harmed by an offender knowingly providing to a third party false data stored in a database, the offender will be punished by imprisonment for three months to 1.5 years).

When the infringer is a public officer in the exercise of their duties, an accessory penalty consisting of disqualification to serve as a public officer will be applied. The penalty will be doubled if the public officer:

  • Knowingly and unlawfully, or violating data confidentiality and data security systems, accesses, in any way, a personal database (punishable by a one-month to two-year imprisonment).
  • Discloses to a third party any information registered in a database that should be kept secret by law (punishable by a one-month to two-year imprisonment).
  • Unlawfully introduces or modifies data in a database (punished by a one-month to two-year imprisonment).

In the event that the infringer is a public officer, an accessory penalty resulting in a special disqualification for one to four years will be imposed.

☒       private remedies

Individual personal action (i.e., a claim). In any event, damages must be evidenced.

If data subjects have private remedies, what form can these remedies take?

Last reviewed: 2 December 2024

☒       individual personal actions

☒       representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒       class actions