Argentina’s Controlling Authority Published a Personal Data Oversight Guide
The Argentine Data Protection Authority published a new guide for carrying out inspections. The guide also contains other legal and technical guidelines.
Regulation No. 332/2020 of the Argentine Agency of Access to Public Information (the Argentine Controlling Authority or “AAIP”) was published in the Official Gazette on December 31, 2020. The Regulation approved a new guide governing personal data inspection proceedings, together with legal and technical guidelines to be followed in those inspections, mainly aiming to monitor compliance with Personal Data Protection Law No. 25,326 (“PDPL”). This Regulation repeals the former inspections regime.
- Guide for personal data inspection proceedings
The guide establishes that its main purpose is the inspection, investigation and oversight –by the AAIP– of the activities of the controller or user, to monitor compliance with the PDPL.
The guide also provides that the inspection covers legal and technical aspects, and the following must be considered:
- lawfulness of processing;
- quality of personal data being processed;
- consent of the data subject;
- information provided to the data subject;
- special categories of data;
- security;
- confidentiality;
- assignment and international transfer of personal data;
- provision of credit information services;
- processing of personal data for marketing purposes; and
- proceedings for exercising the data subject’s right to access, rectification, update or suppression.
Additionally, if applicable, the following aspects should also be considered:
- existence of a data protection impact assessment;
- terms and conditions and privacy policy of the controller;
- performance of the controller or the data protection officer;
- system of notifications to data subjects and to the AAIP in case of data breaches.
As for the type of inspections that may be carried out by the AAIP, they can be planned or spontaneous, and in both cases the AAIP can choose to assess only certain aspects (and not all of them) related to the processing of personal data.
Moreover, any individual or company is allowed to file a complaint before the AAIP requesting the investigation of a possible infringement of the PDPL. The Personal Data Protection Directorate will decide whether it is appropriate to move forward with the investigation and, if so, will conduct a spontaneous inspection, keeping the complaint confidential.
Likewise, the AAIP must implement an annual inspection plan and select the controllers who will conduct the investigation following an objective criterion. Then, controllers may be ordered by sectors or groups, the number of inspections to be conducted will be determined, and the following will be inspected, among other considerations:
- impact of the processing of personal data on the privacy of individuals;
- volume of the processing of personal data;
- type of personal data processed;
- number of complaints received by the oversight body;
- severity of the complaints received;
- activity performed by the controller.
With regard to the inspection proceeding itself, the AAIP will initiate an individual proceeding for each controller being inspected. The controller will be notified of the initiation of the proceeding and will be informed of the information/documentation that has to be submitted within 10 administrative days. If the controller has appointed a data protection officer, this fact should be reported in its first filing. Once the required information has been received, or when the deadline to file that information has expired, the inspection will be scheduled at least 5 administrative days in advance. Exceptionally, upon a reasoned decision, the requirement of prior notification for the inspection may be omitted.
Inspectors participating in the inspection will draft a deed in which they will include their objections and any requirements made. The deed should be signed by the inspector and the data controller and/or its authorized representative.
The inspector will be empowered to require reports and documentation, make inquiries and call for additional visits, as long as they are necessary for the investigation, until the final report is prepared.
If the inspectors need to access devices or systems used for processing personal data, they need to have the cooperation and consent of the investigated controller. If the controller under investigation refuses, the AAIP shall decide whether it is appropriate to request judicial authorization or not, or to start a sanctioning proceeding with the information obtained up to that point. Judicial authorization may also be sought before refusal, when lack of cooperation is anticipated.
Judicial authorization may also be sought in cases in which the controller is located outside of the Argentine territory. In those cases, the AAIP may use any of the formal or informal international cooperation mechanisms that have been enabled by current regulations.
Regarding the investigation techniques, the Guide provides for oral techniques (interviews), visual techniques (those that can be visually verified), documentary and technical techniques (through actions aimed at monitoring compliance with rules on integrity and security applied to the processing of personal data).
All inspectors participating in the inspections are subject to confidentiality and security obligations regarding the information they have access to as well as the evidence they collect during the proceeding.
Lastly, once the inspection and control tasks are over, the inspector must prepare a final report within 10 administrative days. In this report, the level of compliance of the controller under investigation must be included. If there were no observations, the proceeding will be terminated. On the contrary, if there were observations, the investigated controller will be required to cure such observations within 10 administrative days. Once the term to file a response has expired, a report will be submitted to evaluate whether it is appropriate to continue with the proceeding to verify possible infringement or not.
- Legal and technical guidelines for inspections
On the other hand, the Legal and Technical Guidelines for Inspections contain the general guidelines on the different aspects of the PDPL to be considered by the inspector when performing an inspection.
In this sense, the guidelines establish that the inspector must verify:
- the lawfulness of processing of both general personal data and sensitive data and/or data related to criminal offenses;
- quality of personal data;
- consent (or applicable exceptions), including an analysis of the consent in the case of minors;
- the information provided to data subjects;
- security and confidentiality aspects;
- assignment of personal data;
- international transfer;
- provision of credit information services;
- marketing; and
- data subject’s rights.
Both documents will have a significant impact on future proceedings of the AAIP as they will not only be used as a guide for inspectors who will be performing the inspections but will also be useful to controllers to verify their practices before any inspection occurs.
Non-compliance with the PDPL may result in fines, closing or cancellation of the database.
The complete text of the guide for personal data inspection proceeding can be accessed here (in Spanish), and the legal and technical guidelines for inspections, here (also in Spanish).
This insight is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.