Act No. 25.326 of 2000, Landmark Personal Privacy Law

October 26, 2021 | 6 minutes read
Act No. 25.326 of 2000, Landmark Personal Privacy Law

The Personal Data Protection Act, Act No. 25.326 of 2000, also known as the Act for short, is an Argentinian data protection law that was passed in 2000. As the first data protection law to be passed within the continent of South America, the landmark law set forth the regulations that data controllers and processors within Argentina must follow when processing the data of citizens. While the National Congress of Argentina had spent the last few years attempting to pass an updated data protection law in a similar vein to that of the EU’s General Data Protection Regulation or GDPR, these attempts were ultimately unsuccessful, as the proposed Bill lost parliamentary status in March of 2020. Nevertheless, the Personal Data Protection Act, Act No. 25.326 of 2000 still serves as a means of protecting the personal privacy of data subjects within Argentina.

What is the scope and application of the Personal Data Protection Act, Act No. 25.326 of 2000?

As it relates to the personal scope of the law, the Personal Data Protection Act, Act No. 25.326 of 2000 applies  “to processors and controllers of databases, meaning all natural persons or legal entities, either public or private”. Conversely, the territorial scope of the law states that “the Regulations apply whenever personal data is processed in the territory of Argentina”. Effectively, this means that isolated data processing activities that occur within Argentina fall under the jurisdiction of law, even if the rest of said activities take place outside of the country. Moreover, the material scope of the law applies to processors and controllers of databases in respect of any personal data processing that takes place in Argentina”.

Under the Personal Data Protection Act, Act No. 25.326 of 2000, data processing is defined broadly to mean “any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data, or transfer to third parties”. To this end, the law also protects the following forms of sensitive personal data

What are the requirements of data controllers and processors under the Personal Data Protection Act, Act No. 25.326 of 2000?

While the Personal Data Protection Act, Act No. 25.326 of 2000 was passed over 20 years, the law still set forth various principles as it relates to the protection of the personal data of Argentine citizens. These data protection principles include:

In addition to these data protection principles, the Personal Data Protection Act, Act No. 25.326 of 2000 also places obligations on data controllers that are found in other privacy laws that have been passed in recent years. This includes ensuring that data controllers and processors register with the National Registry of Personal Databases for the purposes of providing data subjects with data processing notifications, as well as maintaining detailed data processing records. Data controllers and processors are also obliged to Data Protection Impact Assessment or DPIA. However, unlike many other privacy policies which do set forth guidelines regulating DPIAs, all DPIA under the Personal Data Protection Act, Act No. 25.326 of 2000 must include the following phases:

What are the rights of data subjects under the law?

In keeping with the somewhat outdated nature of the Personal Data Protection Act, Act No. 25.326 of 2000 when compared to the legislated privacy protections set forth in the past decade, the Act does not provide data subjects within Argentina with many rights that are now deemed as standard and common. Such rights include the right to erasure, to object or opt-out, and data portability. Alternatively, the Personal Data Protection Act, Act No. 25.326 of 2000 provides data subjects with the right to be informed, access, and rectification. Additionally, while the law does not provide data subjects with the right not to be subject to automated decision making, data subjects do have the right to request an explanation of the logic that applied to such decisions, in instances where such decisions led to adverse consequences for data subjects.

As it pertains to penalties that can be imposed against individuals and agencies found to be in violation of law, the Argentinian data protection authority, or AAIP for short has the authority to enforce the provisions of the law, and utilizes a three-tier system in doing so. As such, violators of the law are subject to the following penalties:

The Personal Data Protection Act, Act No. 25.326 of 2000 also provides Argentinian citizens with the private right of action to bring civil liability charges against individuals and agencies who violate their rights under the Law. However, the following four requirements must be proven by claimants who bring forth such charges:

While some of the provisions and rights offered by the Personal Data Protection Act, Act No. 25.326 of 2000 are somewhat archaic by the standard of 2021, the law nevertheless provides Argentinian citizens with a comprehensive level of privacy protection. This dedication to personal privacy was reflected in Argentina’s decision to sign the Convention 108+ for the Protection of Individuals with Regard to Processing of Personal Data or the modernized Convention 108 for short. As such, the nation of Argentina is sure to continue to improve upon the level of privacy protection they offer their respective citizens.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »