An important ruling on Registration of Databases

In a recent ruling, the Court of Appeals revoked a preliminary measure filed by Prudential Seguros SA, an Argentine insurer (“Prudential”). Prudential had requested the court to order the Argentine Personal Data Agency (“Agency”) to temporarily refrain from requesting the company to register their databases with the Registry of Databases (“Registry”) under threat of initiating administrative investigations, prosecutions or imposing sanctions. In that respect, Prudential demanded the provisional suspension of the Agency’s request until Prudential’s administrative appeal had been decided.

Prudential argued that their databases were only used exclusively for personal purposes and that the company did not assign or transfer their databases to third parties. Thus, Prudential argued that they were not obliged to register their databases.

Among other dispositions, Section 21 of the Personal Data Protection Law No. 25,326 (“PDPL”) provides that “any public file, record or database, as well as private databases which are intended to provide information, must be registered before a registry to be created by the Controlling Authority” (i.e. the Agency). For more information about the Registry of Databases please see Marval News # 37, # 38, # 39, and #46.

The Judge of First Instance in Civil and Commercial matters granted the preliminary measure. The Agency appealed that ruling. However, the Court of Appeals revoked the First Instance Court decision in the understanding that there were no reasons to consider that the company should not comply with the duty of registering their databases.

The Court of Appeals considered that the phrase “intended to provide information” included in Section 21 of the PDPL refers to a database which may provide information about individuals or entities regardless of whether the data is disclosed to third parties or not. The reason for this statement is that the processing of personal data involves a risk which may harm a Data Subject.

Furthermore, the Court of Appeals stated that, bearing in mind that the plaintiff commercializes insurance, it cannot be argued that the data included in its databases belong to the company’s exclusive personal use as database owner. The company is engaged in different activities involving clients, suppliers, and employees that exceed the company’s exclusive personal use considering the assignment and transfer of information that may be executed.

To wrap up, the Court of Appeals’ decision follows the broad criteria adopted by the Agency that companies must register their databases.