If your website collects personal data from users in Argentina, you may be subject to the Personal Data Protection Act 25.326 or PDPA (Ley de Protección de los Datos Personales).
Argentina’s PDPA defines personal data as any information about an individual or legal entity that is identified or identifiable using an associative process.
Keep reading to learn how Argentina’s PDPA impacts businesses and consumers.
- What Is Argentina’s Personal Data Protection Act (PDPA)?
- PDPA Key Terms and Definitions
- What Does Argentina’s Personal Data Protection Act Cover?
- Requirements of Argentina’s Personal Data Protection Act
- Argentina’s PDPA vs. Global Data Privacy Laws: Similarities and Differences
- How Does Argentina’s PDPA Impact Consumers?
- How Does Argentina’s PDPA Impact Businesses?
- Who Must Comply With Argentina’s PDPA?
- How Can Businesses Prepare for Argentina’s PDPA?
- How Is Argentina’s PDPA Enforced?
- Fines and Penalties Under Argentina’s Personal Data Protection Act
- How Does Termly Help With Argentina’s PDPA Compliance?
- Are There Other Privacy-Related Laws in Argentina?
- Summary
What Is Argentina’s Personal Data Protection Act (PDPA)?
The Argentina Personal Data Protection Act is the country’s leading consumer data protection law that describes requirements data controllers or processors must follow to collect, process, and use personal data from people in Argentina.
The law applies to private and public entities and is officially available only in Spanish.
When Did Argentina’s PDPA Take Effect?
Argentina’s Personal Data Protection Act took effect in 2000.
A current bill under consideration by the Constitutional and General Legislation Commissions of the House of Representatives would revise Argentina’s data protection regulations if approved.
The bill, drafted by the Argentine Data Protection Authority (Agencia de Acceso a la Información Pública, or AAIP), introduces modern privacy concepts such as:
- Privacy by design
- Accountability obligations
- Escalated fines
The increase in fines would range from five (5) to one million (1,000,000) units (equivalent to 2% to 4% of global annual turnover) for non-compliance.
PDPA Key Terms and Definitions
To understand how to comply with Argentina’s PDPA, you should familiarize yourself with the following key terms and their definitions:
For specific definitions, as they appear in the text of the PDPA, view Section 2 of the law, which is only available in Spanish.
What Does Argentina’s Personal Data Protection Act Cover?
The PDPA covers the personal data of people in Argentina and applies to both natural persons and public or private legal entities.
It regulates how data processors and controllers can legally collect, store, share, and disclose the personal information of people in Argentina.
Requirements of Argentina’s Personal Data Protection Act
The Personal Data Protection Act outlines several requirements and guidelines impacting covered entities that I’ll cover in the following section.
Lawful Bases for Processing Personal Data
To legally process personal data under Argentina’s PDPA, entities must obtain consent from the data subjects unless the information is used to fulfill a contractual obligation.
It’s also legal to process personal data obtained from publicly accessible sources, to comply with state powers or legal obligations, and for specific marketing purposes.
Consent
Consent under Argentina’s PDPA must be freely given, informed, and expressed by the data subject by taking an action.
Like Europe’s General Data Protection Regulation (GDPR), the PDPA requires opt-in consent.
However, obtaining consent is unnecessary if you’re processing anonymous data or publicly available information.
International Data Transfers
Under the PDPA, entities can only transfer personal data to an international location if that country provides an adequate level of protection.
Regulations also allow entities to establish Standard Contractual Clauses (SCCs) to facilitate the transfer of data internationally.
In addition, transferring the data is okay if you obtain the data subjects’ consent.
Retention of Data
According to the PDPA, entities must destroy personal data when it’s no longer necessary for its originally collected purposes.
While credit reporting agencies can maintain records of personal data for up to five years for the purpose of assessing people’s finances, it must be stored using proper security measures.
Argentina’s PDPA vs. Global Data Privacy Laws: Similarities and Differences
Argentina’s data privacy law is similar to other laws that exist in various countries across the world, like the following:
- California Consumer Privacy Act (CCPA)
- Europe’s General Data Protection Regulation (GDPR)
- Brazil’s General Data Protection Law (LGPD)
- Thailand’s Personal Data Protection Act (Thailand PDPA)
- Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
- South Africa’s Protection of Personal Information Act (POPIA)
- Australia’s Privacy Act 1988 (the Privacy Act)
- New Zealand’s Privacy Act 2020
The table below compares Argentina’s PDPA to the other global privacy laws.
| Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information |
| Argentina PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CCPA | ✓ | ✓ | ✓ | ✓ | ||
| GDPR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LGPD | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Thailand PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | |
| PIPEDA | ✓ | ✓ | ✓ | |||
| POPIA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Privacy Act 1988 | ✓ | ✓ | ✓ | ✓ | ||
| Privacy Act 2020 | ✓ | ✓ | ✓ | ✓ | ✓ |
*With some exceptions for some laws.
How Does Argentina’s PDPA Impact Consumers?
The PDPA impacts consumers in Argentina by granting them rights over their personal data, including the right to:
- Be informed about what data will be processed and why
- Access the data collected about them
- Request to correct or amend their data
- Request an explanation if a data controller makes decisions using automated processing
The law also gives individuals the right to file a judicial claim against entities that don’t fulfill their requests to follow through on their rights.
Who Does Argentina’s PDPA Apply To?
Argentina’s PDPA applies to any person in Argentina whose personal data is processed, even if that processing happens outside of the country.
How Does Argentina’s PDPA Impact Businesses?
The Personal Data Protection Act impacts businesses beyond the data processing purposes and storage limitations mentioned previously in this guide.
It also impacts the contents of your privacy policy and cookie policy.
How Does Argentina’s PDPA Affect My Privacy Policy?
Because the PDPA gives Argentinian data subjects the right to be informed, businesses should update their privacy policies to meet this legal obligation.
Under the PDPA, you must clearly explain to consumers:
- The purpose for the data processing
- The addresses of any third parties, if relevant
- If any databases exist, and if so, the address of who controls it
- If providing data is mandatory or voluntary, and the consequences for refusing to give data
- The subject’s rights to request to access, update, correct, or delete their data and how to follow through on these rights
Post a link to your privacy policy in an easy-to-find location, like the footer of your website, to ensure all users can easily access the information.
How Does Argentina’s PDPA Affect My Cookie Policy?
Argentina’s PDPA impacts your cookie policy because data subjects have the right to access their data, including information collected through internet cookies.
Therefore, you must have an updated, accurate cookie policy linked to your website.
To know what cookies your website uses, run it through our website cookie scanner, which will help name, organize, and list all cookies for you automatically.
Who Must Comply With Argentina’s PDPA?
Any business that processes personal data within the territory of Argentina must comply with the PDPA.
Who Is Exempt From Argentina’s PDPA?
There are very few exemptions under the PDPA, and the act does not describe any exceptions for specific businesses or industries.
That said, if your business does not process or control personal information from users in Argentina, you don’t need to comply with the law.
How Can Businesses Prepare for Argentina’s PDPA?
To prepare for Argentina’s PDPA, businesses should plan to update their privacy policy to meet the requirements related to properly informing data subjects.
You should also determine the timeline for storing the collected data to achieve the purposes you present to your users.
You’ll also need to maintain an accurate, up-to-date cookie policy.
How Is Argentina’s PDPA Enforced?
The Argentinian data protection authority enforces the PDPA, Agencia de Acceso a la Información Pública (AAIP).
The AAIP uses a three-tiered system to determine the seriousness of different infractions and applies penalties based on those levels.
Fines and Penalties Under Argentina’s Personal Data Protection Act
Depending on the severity of the infringement, fines under the PDPA fall between ARS 1,000 ($3) to ARS 100,000 ($274).
Additional penalties include suspension, deletion, or closure of data files.
How Does Termly Help With Argentina’s PDPA Compliance?
Termly offers a Consent Management Platform (CMP) configurable to meet the opt-in requirements outlined by Argentina’s data privacy law.
We’re also working on updating our Privacy Policy Generator so it can help businesses simplify compliance with Argentina’s PDPA.
Backed by our legal team and data privacy experts, the generator asks simple questions about your business and makes a comprehensive, unique privacy policy based on your answers.
It currently includes all necessary provisions to meet the requirements outlined in several other notable data privacy laws.
However, ensuring proper coverage takes time, so check back soon to learn when the Argentina PDPA updates go live.
Are There Other Privacy-Related Laws in Argentina?
Argentina is protected by other privacy-related laws beyond the Personal Data Protection Act, which the AAIP enforces.
For example, the Personal Data Protection Regulatory Decree introduced additional processing requirements that specific entities must follow when processing personal information.
Specific cybersecurity laws also address penalties if a data breach occurs and establish the timeline for notifying proper parties about unauthorized access.
Summary
Understanding the Personal Data Protection Act is essential for websites operating in Argentina or who collect and process the personal information of data subjects in the country.
Ensure you have an updated, compliant privacy policy to keep your users adequately informed about your processing activities.
Termly can help simplify your privacy compliance efforts by offering resources like our Privacy Policy Generator.
More about the author
Written by Heloisa Valdívia, CIPM
As a Certified Information Privacy Manager (CIPM) and experienced privacy consultant, Heloísa deeply understands the data privacy industry. With a passion for safeguarding data and ensuring compliance, she provides valuable insights and practical guidance on navigating the complexities of data privacy regulations and best practices. More about the author
