Financial Crime World

Data Protection and E-Privacy Regulations in Argentina

======================================================

Introduction

Argentina has a set of regulations aimed at protecting personal data and regulating marketing practices. In this article, we will discuss the key points related to data protection, e-privacy, and enforcement.

Data Protection Agency

The National Data Protection Agency (Agency) is responsible for conducting audits of local companies to ensure compliance with data protection regulations.

  • Audit Frequency: The Agency conducts approximately 3-7 company audits per week since 2009.
  • Audited Companies: Between 2009 and 2022, the Agency audited various companies, including:
    • Internet companies
    • Credit reporting agencies
    • Supermarkets
    • Home appliance stores
    • Hotels
    • Banks
    • Pharmaceutical companies
    • Insurance companies
  • Published Resolutions: The Agency publishes all resolutions it issues, including communications, recommendations on the interpretation of local personal data regulations, and other sanctions.

Enforcement

Enforcement is relatively infrequent, but there have been cases where criminal complaints have been filed against companies that failed to comply with regulations.

  • Criminal Complaints: Examples include a case against ChoicePoint for selling information about Argentinean citizens to the US government.
  • Fines and Sanctions: The Agency has imposed fines on companies that:
    • Failed to register or renew their database registration
    • Processed data without authorization
    • Refused to provide access, rectification, or suppression of personal data
    • Failed to notify the purpose of data collection

E-Privacy

Argentina has no specific rules on e-privacy matters.

  • Cookies: Conditions for using cookies are not specified, nor is there any regulatory guidance on the use of cookies.
  • E-Mail Marketing: The sending of direct marketing by email is subject to the general principles of the Data Protection Act (DPA).
  • Opt-Out Mechanism: Direct marketing emails must be prominently marked as advertising and provide technical means to opt out.

Marketing by E-Mail and Telephone

The National “Do Not Call Registry” has been created to protect customers or authorized users from unsolicited calls. Companies are prohibited from contacting phone lines that are registered in the Do Not Call Registry.

  • Direct Marketing: The sending of direct marketing by email is subject to the general principles of the Data Protection Act (DPA).
  • Opt-Out Mechanism: Direct marketing emails must be prominently marked as advertising and provide technical means to opt out.
  • Do Not Call Registry: Companies are prohibited from contacting phone lines that are registered in the Do Not Call Registry.

Sanctions

Between 2009 and 2022, the Agency imposed fines totaling ARS$290,000 on CENCOSUD S.A. for failing to inform clients about a data breach. In 2023, the DPA imposed 24 monetary sanctions for infringing the “Do Not Call” rule, totaling ARS$66,000,000.

Overall, Argentina has regulations in place to protect personal data and regulate marketing practices, but enforcement is relatively infrequent.