Guidelines Clarifying Personal Data Protection Law

On January 16, 2019, the Argentine Data Protection Authority issued Resolution 4/2019, which provides guidelines on the application and interpretation of the Argentine Data Protection Law No. 25,326.

February 18, 2019
On January 16, 2019, the Argentine Data Protection Authority (“DPA”) issued Resolution 4/2019 (“the Resolution”), which provides guidelines on the application and interpretation of the Argentine Data Protection Law No. 25,326. These guidelines address, in particular, the right of access to personal data (personal image) stored by surveillance systems, clarifications on data dissociation, biometric data and automatic processing of personal data, as well as general aspects of consent. These guidelines are mandatory.

In connection with video surveillance, Resolution 4/2019 provides that the data subject must prove their identity and provide the approximate date and time at which their image could have been stored. In turn, the data controller must provide the data requested, indicating the purpose of the collection, whether the data was shared with any third parties and whether the database containing the images is registered with the DPA. Exceptionally, the data controller should also provide a hard or digital copy of the image, provided that the data subject substantiates the request and also bears any associated costs.

Moreover, as regards decisions based only on the automatic processing of personal data, it provides that, upon request, the data controller should provide the data subject with a logical explanation of any decision so taken.

Further, it provides that data which could only be associated with a specific data subject by applying unfeasible or disproportionate measures must not be considered to refer to a determinable person, which would otherwise trigger the application of the Data Protection Law (dissociated data is beyond the scope of the law).

In addition, Resolution 4/2019 clarifies that biometric data will only be considered sensitive data, which is subject to stricter scrutiny, when its use could lead to potential discrimination against the data subject (for example, data that could reveal ethnic origin or health data).

Lastly, it clarifies that data controllers relying on consent as the legal basis for processing data should have appropriate authentication mechanisms to prove that the person providing the consent is actually the data subject. However, it only requires best efforts to prove that the person providing consent on behalf of a minor is actually the legal custodian.