E-Commerce and Retail Company is Sanctioned by the Data Protection Authority

In February 2021, a data subject filed a complaint before the Agency for Access to Public Information (the “AAIP”) alleging infringement of security duties in the processing of personal data. The complaint was grounded on the notion that a delivery company failed to establish adequate security measures in the processing of personal data, namely: (i) the company's website consisted of a public API, which allowed viewing and downloading third-party data by using consecutive order tracking numbers; (ii) the complainant's data was publicly disclosed and could be viewed and downloaded by third parties (name, telephone number, order number, address, signature), including photographs of the complainant’s ID cards; and (iii) the information continued to be viewable several days after product delivery.

As a result, the AAIP ordered the company to: (a) register with the National Database Registry, (b) report on the security and confidentiality measures implemented on its platform, and (c) report the legal basis under which it stored and kept personal data of the data subjects and photos of their ID cards. The company responded on each of the requested points, stating that it was dealing with information of unrestricted public access and that it is governed by ENACOM Resolution No. 304/20 as it is a postal service provider, which allows the company to verify the identity of its customers by showing their ID cards from a safe distance due to the Covid-19 pandemic. However, the company argued that this safe distance prevented it from properly checking all the information in the ID cards, so photographs were taken to avoid potential delivery-related claims.

The AAIP, in turn, stated on the official record that the company did not demonstrate proper registration in its database, that its security and confidentiality measures were insufficient, and that the personal data contained in ID cards not only includes data of unrestricted public access (such as name or ID number) but also other categories of data that enjoy greater protection, such as fingerprints, photographs of the individual or their ID procedure number. Likewise, the AAIP found that the company failed to comply with the duties set forth in Article 6 of the Personal Data Protection Law and with its duty to obtain valid consent from data subjects.     

Additionally, the AAIP argued that the company did not comply with the principle of proportionality in photographing data subjects’ IDs since it could have verbally requested the ID number from its clients and then compared it with the data obtained by the company or simply required a signature on their delivery forms.

Moreover, pursuant to current case law on the authorization to use an individual’s image and the restrictive interpretation awarded to such authorization, the AAIP held that a person’s identity should be limited to that person simply showing their ID card without having to provide any additional data like photographs of the person's face or ID cards.

It also held that the company violated Article 4, paragraph 7 of the Argentina Data Protection Law (“LPDP”), which states that “data must be destroyed when it is no longer needed or relevant for the purposes for which it was collected,” because the information was indeed still accessible on the company's website several days after confirmed delivery.

Consequently, the AAIP fined the company for the commission of three serious infringements: (i) collecting personal data without having provided the data owners with the necessary information for its processing; ii) processing personal data in violation of certainty, adequacy, pertinence, and proportionality standards in relation to the scope and purpose for which data was obtained; and (iii) keeping personal databases without adequate security measures. In addition, it sanctioned the company for committing a very serious infringement in processing personal data unlawfully and against the principles and guarantees established in the LPDP.