The City of Buenos Aires enacts new laws on personal data protection and labour privacy

1.    The Personal Data Protection Law

The Personal Data Protection Law (the “Personal Data Law”) was sanctioned on November 24, 2005 and was partially vetoed by the Executive Branch. The Legislature accepted the partial veto by Resolution No 223, and finally, the law was published in the Official Gazette on August 3, 2006.

a.    Purpose: The purpose of this law, which is in line with Argentine Personal Data Protection Law No 25,326, is to regulate, in the City of Buenos Aires (the “CBA”), the processing of individuals’ and legal entities’ data, which is, or will be, collected in public databases belonging to the CBA, in order to guarantee privacy rights.

b.    General Principles: The Personal Data Law establishes the following general principles on personal data protection:

(i)    any personal data which is collected must be accurate, adequate, pertinent and not excessive in relation to the scope and purpose for which it had been obtained; and cannot be used for purposes different from those for which it was obtained;

(ii)   collection of personal data must not be carried out through dishonest or fraudulent means or in violation of the Personal Data Law;

(iii)  personal data must be accurate and must be up-dated if necessary;

(iv)  personal data must be destroyed, without the need for the owner’s request, when it has ceased to be necessary or relevant for the purpose for which it was obtained.

c.    Creation of public databases: creation and maintenance of databases shall be in accordance with legally and socially accepted general intention and use. Furthermore, the norms creating, modifying or suppressing public databases must be published in the CBA Official Gazette, indicating specified information and characteristics.

The database owner, the database manager and the users must observe the rules of professional secrecy in relation to the data gathered in the database, and apply the security measures set forth in the national law.

d.    Consent: the law maintains the fundamental principle that the consent of the data owner is needed to collect personal data. Such consent must be freely given, based upon the information previously provided to the data owner and expressed in writing or by equivalent manner, depending on each case. The owner, without retrospective effect, may revoke the consent at any time.

However, the law establishes several exceptions where consent is not needed.

e.    Sensitive data: the Personal Data Law also covers sensitive data. Sensitive data may only be collected if authorized by law and for the purpose of public interest. Such data may also be collected for statistical or scientific purposes, provided that the owners cannot be identified.

The law establishes that no person may be obliged to supply sensitive data, and such information shall not be required of any person as a condition of applying to or being promoted in the public sector of the CBA.

Furthermore, the law forbids the formation of files, records or databases which either directly or indirectly reveal sensitive data, unless this law or any other norm allow it, or the data owner consents to it.

f.     Health data: public health institutions, as well as the medical science professionals working in them, may collect and process personal data relating to the physical or mental health of their patients, observing the norms of professional secrecy.

g.    Assignment of personal data: The norm, following the Law No 25,326, also governs the assignment of personal data, which can only be assigned for the compliance with purposes directly related to the legitimate interest of the assignor and assignee and made with the previous consent of the owner, who must be informed of the purpose of the assignment as well as of the identity of the assignee.

The law specifies exceptions in which the consent of the data owner is not necessary.

Also, the law reiterates the provisions of the national law by which assignor and assignee are subject to the same legal obligations as the assignor and both shall be jointly and severally liable for any obligations vis-à-vis the controlling authority and the data owner.

h.    International transfer and transfer between Provinces: the Personal Data Law contains specific provisions governing the international transfer of personal data and transfers to and between Provinces.

The law forbids the transfer of personal data to other provinces, municipalities, countries or international organizations if such provinces, municipalities, countries or organizations do not grant an adequate level of protection according to this law. This prohibition ceases if the owner expressly gives consent for the assignment or if any of the other exceptions to this law apply. 

i.     Data owner’s rights: the Personal Data Law grants the data owners the right to a) information, b) access, and c) rectification, updating and suppression of their data.

It is important to underline that the law declares null and void any administrative acts and decisions that involve an assessment of a person’s behavior or personality based upon the handling of that person’s personal data.

j.     Controlling Authority. Infractions: The Personal Data Law designates the CBA Peoples’ Defender as the controlling authority, and creates the Personal Data Registry, in which the public databases must be registered.

The law sets out several infractions, with corresponding penalties, for violating its dispositions, as in Law No 25,326 and its regulatory decrees.

k.    Habeas Data action: the law regulates the use of the “Habeas Data” action, in accordance with section 16 of the Constitution of the CBA.

This action enables data owners to request information in connection with data held in any public database of the CBA and to demand that it be corrected, deleted, up-dated or treated as confidential.

l.     Labour privacy measures in the public sector of the CBA: the law includes several provisions relating to labour privacy measures.

The Personal Data Law interprets as “e-mail”, every correspondence, message, file, data or any other electronic information that is transmitted to one or more persons by an interconnected network of computers or any comparable device.

The law also provides that when the e-mail is provided by a public entity of the CBA to its employees, the e-mail shall be owned by the employer, independent of the name and password needed for its use.

The employer has the right to access and control all the information circulating by such e-mail, as well as to forbid its use for personal purposes. That right, as well as the terms and conditions of use and access to the e-mail, must be notified in writing to the employees before or at the time of allowing them the right to use e-mail, but prior to exercising it.

The employer must duly notify its employees of the terms and conditions of access to and use of private e-mail, as well as the use of the internet at the workplace.

Finally, non-fulfillment of the orders given by a superior regarding the politics of e-mail and internet use at the workplace shall be sanctioned in accordance with sections 10 and 47 of Law No 471 (CBA Public Administration Labour Relationship Law).

2.    Do Not Call Law

The Do Not Call Law was published in the Official Gazette on August 10, 2006. The Do Not Call Law creates the “Do Not Call Registry” in the CBA, which still has to be regulated by the local Executive Branch.

The law establishes that any phone number owner may register itself in the Do Not Call Registry in order to not be contacted by phone by companies that, using personal data and telemarketing systems, advertise, offer, sell or provide goods or service.

The duration of the registration is two years from the incorporation in the registry, and is renewed automatically for the same period, unless the data owner declares its desire to be removed at the time of the renewal or at any other time.

Companies may not call any person registered in the “Do Not Call Registry”, and for such purpose they must check the Registry inputs within ninety days from the enactment of this law. Afterwards, they must check the Registry every ninety days.