Argentine DPA Approves Guidelines for Binding Corporate Rules

Pursuant to Resolution No. 159/2018 published December 7, 2018 in the Official Gazette, the Argentine Data Protection Agency (hereinafter, “ADPA”) approved a set of guidelines —which are currently in force— for binding corporate rules (hereinafter, “BCRs”) as a mechanism available to multinational companies to legitimize international data transfers within their group.

BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companies by ensuring their intra-group transfers comply with the relevant regulations.

Like the EU General Data Protection Regulation and other personal data protection laws around the world, Argentine Personal Data Protection Law No. 25, 326 prohibits the cross-border transfer of personal data from Argentina to other countries or to international organizations that do not provide for an adequate level of protection. Pursuant to Regulatory Decree No. 1558/2001, the ADPA is empowered to evaluate whether a country has an adequate level of protection of personal data. In that regard, ADPA’s Rule 60-E/2016 declared the following countries as adequate: member states of the European Union and the European Economic Area, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (only applicable to the private sector), New Zealand, Andorra, Israel and Uruguay. The list may periodically be modified by the ADPA.

Regulatory Decree No. 1558/2001 also allows international data transfer to countries without an adequate legislation on personal data protection when: (i) the data subjects consent the transfer; or (ii) when adequate protection levels arise from contractual clauses – such as international data transfer agreements or self-regulation systems. Now, the ADPA has ruled aspects concerning the use of valid binding corporate rules in the context of the exception to the restriction for transferring personal data to non-adequate jurisdiction.

The guidelines approved by Regulation No. 159/2018 determine that the BCRs must be binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries. Moreover, this new regulation provides for the following elements and principles to be found in BCRs to reflect the requirements and conditions imposed by the Argentine Personal Data Protection Law framework.

• Lawfulness conditions: BCRs must consider the application of the general data protection principles, in particular, legal basis for processing, data quality, purpose limitation, transparency, security and confidentiality, the data subjects’ rights and the restriction to subsequent cross-border data transfer to non-adequate jurisdictions.
• Specific protection concerning sensitive aspects: This involves the restriction of the processing of special categories of personal data, the right to object to the processing of personal data for the purpose of unsolicited direct marketing, the right not to be subject to automated decision-making, and restricting the creation of files containing personal data relating to criminal convictions and offenses.
• Third-party beneficiaries: Both data subjects and the ADPA are deemed third-party beneficiaries regarding the rights and guaranties granted by the BCRs.
• Complaint procedure: Data subjects may present a judicial or administrative complaint using their local venue.
• Liability: Members of the corporate group must be jointly liable vis-à-vis the data subject and the supervisory authority for any violation of BCRs.
• Supervisory authority: The ADPA is the authority to hear in any cross-border transfer conducted by an Argentine entity as data exporter. Moreover, the ADPA will be entitled to intervene as third-party beneficiary in those cases in which personal data of subjects in Argentina is compromised.
• Legally binding nature: The BCRs must guarantee that its provisions are effectively binding upon the members of the corporate group vis-à-vis the data subjects and the ADPA.
• Training: The BCRs must provide for appropriate data protection training to personnel in charge of data processing activities.
• Finally, the BCRs must provide for independent, effective and accessible judicial and administrative resources and mechanisms.

Any company relying on BCRs that differ from the conditions stated in Regulation No. 159/2018 will need to submit the relevant document to the ADPA for approval within the term of 30 calendar days from the date that the transfer took place. No approval is required in the case of BCRs that follow the requirements of the regulation.