Personal Data Protection - Security Measures

October 15, 2008

The Argentine Personal Data Protection Agency postponed the implementation term of security measures regarding medium and critical security levels and also approved a Personal Data Security Document Model.

On September 1, 2008, the Argentine Personal Data Protection Agency (“Agency”) enacted Executive Order No 09/2008 postponing the term fixed by Executive Order No 11/2006 for the implementation of security measures regarding medium and critical levels.

As reported previously (please see “Processing and Storage of Personal Data” in Marval News # 54), Executive Order No 11/2006 approved security measures for the processing and storage of personal data in private and non-governmental databases.

Executive Order No 11/2006 established three security levels considering the information contained in the database. Each security level must comply with its own stipulated security measure as well as the measures of the previous level.

Moreover, Executive Order No 11/2006 set different terms for the implementation of each security level measures. The deadline for the Basic security level occurred on September 22, 2007, and for Medium security level on September 22, 2008. Furthermore, the term for the implementation of the Critical security measures was fixed for September 22, 2009.

As the Agency has ascertained that databases owners has not properly implemented the security measures, it decided to extend the implementation term of the security measures. In this regard, the Executive Order No 9/2008 established the following new deadlines:

-       Medium security level: August 3, 2009.

-       Critical security level: August 3, 2010.

These terms may be extended only at the request of an interested party, which has to be properly founded.

Finally, Executive Order No 9/2008 approved a draft Personal Data Security Document providing the minimum essential guidelines required by the legislation. The Personal Data Security Document must be instrumented by all data owners whose databases contain personal information. This draft document can be adopted by database owners, making the proper amendments.