The Argentine National Registry of Individuals Adopts a Privacy Policy

The policy seeks to safeguard and protect the right to privacy of individuals whose personal data are processed by RENAPER.

February 21, 2022

After the alleged occurrence of a security incident, the National Registry of Individuals (“RENAPER”, after its acronym in Spanish) published its privacy policy for the protection of personal data within the agency (the “Policy”).

The Policy aims to safeguard and protect the right to privacy of individuals whose personal data are processed by RENAPER. In its Regulation No. 1/2022 (which can be accessed at the following link), RENAPER highlights that the adopted Policy is superior to the Template Privacy Policy for National Public Agencies issued by the Agency of Access to Public Information (approved through Regulation No. 40/2018 of the Agency, and accessible at the following link).

The scope of application of the Policy seems to extend to third parties using the services of RENAPER, too.

The Policy establishes that all databases containing personal data and being used for statistical purposes must be previously anonymized so they cannot be linked with any citizen. Moreover, the anonymized data must impede its association with the data subjects before it is processed. As for biometric data, the Policy follows Criterion 4 of Regulation No. 4/2019 of the Agency, confirming that such data can be considered sensitive data only when it may reveal additional data whose use may result in potential discrimination against the data subject.

On the other hand, the Policy establishes that each individual responsible for the processing of personal data within RENAPER must keep a written record of the processing activities carried out within its competencies, which must contain, at least, the categories of personal data, the identification of assets and the record of all the processing activities carried out under its competences. This obligation has not been expressly foreseen in the Personal Data Protection Law No. 25,326 yet, although it is present in comparative legislation such as the European General Data Protection Regulation (GDPR).

Also, RENAPER must appoint a data protection officer, who must ensure compliance with the Policy and will act as a consultant for those responsible for the processing of the personal data.

Finally, with regard to security incidents, the person responsible for information security (identified in the Information Security Policy approved by RENAPER’s Regulation No. 2979 of December 13, 2013) must communicate the existence of the incident to both the National Cybersecurity Directorate and the Agency within no more than 48 hours of becoming aware of it and under the rules imposed by Administrative Decision No. 641/2021 on the Minimum Information Security Requirements for Agencies, together with the corrective and mitigating measures implemented and/or to be implemented by RENAPER to minimize the consequences of such security incident.