Untitled Document

PERSONAL DATA PROTECTION

Regulatory Decree 1558/2001

Regulation of the Act Nº 25.326 is approved. General principles concerning data protection. Rights of the owners of the data. Users and responsible persons of archives, registers and databases. Control. Sanctions.

Buenos Aires, 11/29/2001

HAVING SEEN the file N º 128.949/01 of the Registry of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, Act Nº 25.326, and

WHEREAS,

That section 45 of the aforementioned Act states that the NATIONAL EXECUTIVE POWER shall elaborate its regulation and set up the regulatory body mentioned in its section 29 within ONE HUNDRED AND EIGHTY (180) days from its enactment.

That section 46 of the aforementioned Act states that the regulation shall stipulate a period of time within which the data files aimed to provide reports existing at the moment this Act is enacted, shall be registered in the Registry referred to in section 21 and adapted to the provisions of that rule.

That section 31, sub-section 2, of the Act Nº 25.326 states that the regulation shall set up the conditions and procedures to impose sanctions, according to the terms established by this rule.

That the DIRECTORATE GENERAL OF LEGAL AFFAIRS of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, the DIRECTORATE GENERAL OF LEGAL AFFAIRS of the UNDERSECRETARY OF LEGAL AFFAIRS of the LEGAL AND TECHNICAL SECRETARY of the PRESIDENCY OF THE NATION and the ATTORNEY FOR THE NATIONAL TREASURY have acted within their jurisdiction.

That this norm is issued under the exercise of the faculties conferred by section 99, sub-section 2 of the NATIONAL CONSTITUTION.

Now therefore,

THE PRESIDENT OF THE ARGENTINE REPUBLIC

DECREES:

SECTION 1º - Regulation of the Personal Data Protection Act N° 25.326 —enclosed herein as Annex I— is approved.

SECTION 2º - The term stated in section 46 of the Act Nº 25.326 is set in ONE HUNDRED AND EIGHTY (180) days.

SECTION 3º - The Provinces and the Autonomous City of Buenos Aires are invited to adhere to these rules, which are intended to be imposed exclusively in this country.

SECTION 4º - Let it be reported, published, given notice to the National Directorate of the Official Registry and archived.

ANNEX I

REGULATION TO THE ACT N° 25.326

CHAPTER I

GENERAL PROVISIONS

SECTION 1° - For the purposes of this regulation, the concepts of archives, files, registers, databases and databanks intended to provide reports, include all those which are not intended exclusively for personal use, notwithstanding the circulation of the reports or information be for a charge or free of charge.

SECTION 2° - Non-regulated.

CHAPTER II

GENERAL PRINCIPLES GOVERNING THE PROTECTION OF DATA

SECTION 3° - Non-regulated.

SECTION 4° - In order to determine the loyalty and good faith when personal data is obtained, as well as the use it will have, it shall be analyzed the procedure carried out for its collection, and particularly the information that was given to the data owner according to section 6° of the Act N° 25.326.

When the collection of the information had been done by linking up or processing archives, registers, databases or databanks, the source of information and its intended use shall be analyzed. The out-of-date information shall be deleted by the user without being necessary any request on the part of the data owner.

The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall monitor ex-officio the due compliance of this legal principle, and shall impose the corresponding penalties to the person responsible or user, when applicable.

The NATIONAL BUREAU OF PERSONAL DATA PROTECTION, upon request or ex-officio in case of suspicion of illegality, shall check the due compliance with the legal and regulatory provisions concerning every stage of the use of personal data:

a) Legality of collection or personal information taking;
b) Legality of exchange of data, and transfer to third parties, or in the interrelationship between them;
c) Legality of cession itself;
d) Legality of the mechanism used for internal and external control of the archive, register, database or databank.

SECTION 5° - The consent given by the data owner is that preceded by an explanation to him according to his social and cultural status, regarding the information referred to in section 6° of the Act N° 25.326.

The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall establish the requirements for the consent to be given by means other than written notification, which should assure the authorship and integrity of the statement.

The consent given for the treatment of personal data can be revoked at any time. Such revocation will not have retroactive effect.

For the purposes of section 5°, sub-section 2 e) of the Act N° 25.326 the concept of financial entity comprises people affected by the Act N° 21.526 and credit card issuing companies, financial trustees, financial entities liquidated by the Central Bank of Argentina, and people who are specifically included by the enforcement authority indicated in the aforementioned Act.

It is not necessary to get consent for the information described in sub-sections a), b), c) and d) of section 39 of the Act N° 21.526.

Bank secrecy will never be affected, and the spreading of the information concerning passive transactions carried out between banks and their customers is forbidden, according to sections 39 and 40 of the Act N° 21.526.

SECTION 6° - Non-regulated.

SECTION 7° - Non-regulated.

SECTION 8° - Non-regulated.

SECTION 9º - The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall stimulate the cooperation among public and private sectors to create and implement measures, practices and procedures that arouse confidence in the information systems and the providing and handling methodologies.

SECTION 10° - Non-regulated.

SECTIONS 11º - The provisions stated in section 5 of the Act Nº 25.326 are applicable to the consent for the cession of data. In the particular case of public databases or archives of an official agency which according to its specific functions were intended to be released to the general public, the requirement concerning the legitimate interest of the grantee shall be considered implicit in the general interest that caused the unrestricted public access.

The massive cession of personal data from public registers to private registers shall only be authorized by law or by the decision of an official responsible, if the information is accessible by the public and respect for the protection principles established in the Act Nº 25.326 has been guaranteed. It shall be understood by personal data massive cession that which affects a collective group of people.

The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall set the security standards applicable to the mechanisms of dissociation of data. The cessionary referred to in section 11, sub-section 4 of the Act Nº 25.326 could be totally or partially exempt from all responsibility if he proves that the event causing the damage cannot be attributed to him.

SECTION 12º - Banning to transfer personal data to countries or international or supranational entities which do not provide adequate levels of protection, is not in force when the data owner had not given express consent to the cession.

Consent shall not be necessary in case of transfer of data from a public register which is legally constituted to provide the public with information and is open to consultation by the general public or any person that can prove legitimate interest, as long as the corresponding legal and regulatory conditions are satisfied.

The NATIONAL BUREAU OF PERSONAL DATA PROTECTION is allowed to evaluate ex-officio or upon the request of the interested party, the level of protection provided by the rules of a State or international organization. If it concludes that a State or organization does not protect appropriately personal data, it shall submit to the NATIONAL EXECUTIVE POWER a decree project to issue such statement. The project shall be endorsed by the Minister of Justice and Human Rights and the Minister of Foreign Affairs, International Commerce and Religion.

The appropriate level of protection offered by a country or international organization shall be evaluated taking into account all the circumstances that concur in a data transfer; particularly it shall be considered the nature of the information, the aim and length of the treatment planned, their final destination, general and sectorial rules of law, in force in the corresponding country, as well as professional rules, codes of conduct and security measures in force in such places, or those applicable to the international and supranational organizations.

It is understood that a State or international organization offers an adequate level of protection when it is directly derived from its legal system in force, or from self-regulation systems, or from the protection established by the contractual clauses that establish the personal data protection.

CHAPTER III

RIGHTS OF DATA OWNERS

SECTION 13º - Non-regulated.

SECTION 14º - The request referred to in section 14, sub-section 1 of the Act Nº 25.326 does not require specific methods as long as it guarantees the identification of the owner. It can be made by the interested party directly to the person responsible or user of the archive, register, database or databank, or indirectly, by means of a written demand which leaves an acknowledgement of receipt. Other services of direct or semi-direct access can also be used, such as electronic means, telephone calls, on-line complaints or any other means valid for this purpose. In each case, preferred means to know the answer could be indicated.

In the case of public databases or archives of an official agency which according to its specific function were intended to be released to the general public, the conditions to exercise the right to access could be proposed by the institution and approved by the NATIONAL BUREAU OF PERSONAL DATA PROTECTION, which shall assure that the procedures suggested do not either violate nor restrict in any way the warranties of that right.

The right to access shall permit:

a) To know whether or not the data owner is in the archive, register, database, databank;
b) To know all the information concerning his person included in the archive;
c) To request information about the sources and means used to get his data;
d) To ask about the purposes for which they were collected;
e) To know their destination;
f) To know if the archive is registered according to the requirements of the Act Nº 25.326

Upon expiration of the term to answer stated in section 14, sub-section 2 of the Act Nº 25.326, the interested party shall be able to carry out the protection of personal data and report the event before the NATIONAL BUREAU OF PERSONAL DATA PROTECTION.

In the event of dead persons, their general heirs shall prove their bonds by means of either the corresponding affidavit of heirship, or a written document that proves them as universal heirs of the interested party.

SECTION 15º - The person responsible or user of the archive, register, database or databank shall answer the requests sent to him, regardless the fact that the personal data of the affected party is included or not. For such purpose, he shall use any of the means authorized in section 15, sub-section 3 of the Act Nº 25.326 at the owner's option, or the preferences that the interested party had expressly manifested when he exerted the right to access.

The NATIONAL BUREAU OR PERSONAL DATA PROTECTION shall produce a form that facilitates the right to access of the interested parties.

The following means to answer to the request could be suggested:

a) Electronic means (online);
b) Written report delivered in the domicile of the respondent;
c) Written report sent to the domicile informed by the petitioner;
d) Electronic response, as long as the identity of the interested party, confidentiality, integrity and reception of the information be guaranteed;
e) Any other means appropriate to the configuration and implementation of the archive, register, database or databank suggested by its person responsible or user.

SECTION 16º - In the provisions included in sections 16 up to 22 and 38 up to 43 of the Act Nº 25.326 in which some of the rights to correction, updating, deletion and confidentiality are mentioned, it shall be understood that such rules refer to all of them.

In the case of public databases or archives created as a result of the cession of information provided by financial entities, pension funds management companies, insurance companies, and according to section 5, sub-section 2 of the Act Nº 25.326, the rights to correction, updating, deletion and confidentiality shall be exercised before the grantor involved as a party in the legal relationship related to the contested data. If the complaint is sustained, the corresponding entity shall request the CENTRAL BANK OF ARGENTINA, the SUPERINTENDENCY OF PENSION FUNDS MANAGEMENT COMPANIES, or the NATIONAL SUPERINTENDENCY OF INSURANCE COMPANIES, whichever is applicable, to make the necessary changes in their databases. Every change shall be notified by the same means used to the spreading of the information.

The person responsible for or the user of the public databases or archives accessible to the public without restrictions can carry out the notification referred to in section 16, sub-section 4 of the Act N° 25.326 through the rectification of the data done by the same means used for its spreading.

SECTION 17º - Non-regulated.

SECTION 18º - Non-regulated.

SECTION 19º - Non-regulated.

SECTION 20º - Non-regulated.

CHAPTER IV
PERSONS RESPONSIBLE FOR OR USERS OF DATA BANKS, ARCHIVES, AND REGISTERS
SECTION 21° - The registration of private archives, registers, databases and databanks intended to provide with information shall be enabled after this regulation is published in the Official Bulletin.

Public and private archives, registers, databases and databanks referred to in section 1 of this regulation shall be registered.

For the purposes of registering the archives, registers, databases and databanks for the objective of publicity, the persons responsible shall proceed according to what is stated in section 27, fourth paragraph, of this regulation.

SECTION 22º - Non-regulated.

SECTION 23º - Non-regulated.

SECTION 24º - Non-regulated.

SECTION 25° - Contracts for the provision of services involving the treatment of personal data must have the levels of security established in the Act N° 25.326, this regulation and the complementary rules dictated by the NATIONAL BUREAU OF PERSONAL DATA PROTECTION, as well as the tenant's obligations that arise concerning the confidentiality that should be kept about the information obtained.

The performance of data treatment services must be regulated by a contract that links the person in charge of the provision of the service and the person responsible or user of such service, as well as particularly states:

a) That the person in charge of the data treatment service shall only act following the instructions of the person responsible of the treatment;
b) That the obligations stated in section 9 of the Act N° 25.326 are also incumbent on the person in charge of the data treatment service.

SECTION 26° - For the purposes stated in section 26, sub-section 2, of the Act N° 25.326, personal data related to the performance or non-performance of pecuniary obligations, mutual agreements, current accounts, credit cards, trust agreements, leasing and loans in general, and any other obligation of patrimonial nature, as well as those that show the level of performance and the qualification in order to determine without any doubt the content of the information issued.

In the case of public databases or archives from an official entity intended to be released to the general public, the obligations stated in section 26, sub-section 3, of the Act N° 25.326 shall be considered fulfilled as long as the person responsible for the database notify the data owner of any information, assessment or appreciation that had been done upon those files and spread during the last SIX (6) months.

In order to evaluate somebody's economic and financial solvency, according to section 26, sub-section 4, of the Act N° 25.326, it shall be taken into account all the available information from the beginning up to the expiry date of every obligation. To count FIVE (5) years, they shall be considered from the date when the last adverse piece of information that indicates the debt was demandable was filed. If the debtor proves that the last available piece of information coincides with the expiration of the debt, the term shall be reduced to TWO (2) years. For data about performance of the obligations before their due date, there shall be no time to delete them.

In order to calculate the term of TWO (2) years for the maintenance of the data when the debtor had paid off or settled the obligation, the exact expiry date of the debt shall be taken into account.

For the purposes of fulfilling what is stated in section 26, sub-section 5 of the Act N° 25.326, the CENTRAL BANK OF ARGENTINA shall restrict the access to their databases available on the Internet, except for those cases concerning information about natural persons, demanding the input of the ID number or CUIL (Workers Identification Number) of the data owner, which had been obtained by the cessionary through a previous commercial or contractual relationship.

SECTION 27° - Data with advertising purposes could be collected, treated and transferred without the consent of the owner when it was intended to be used in the formation of specific profiles that categorize similar preferences and habits, as long as the data owners are only identified by their belonging to those generic groups, plus their personal information strictly necessary to make the offer to the recipient.

Chambers, associations and professional organizations of the sector that have a Code of Conduct approved by the NATIONAL BUREAU OF PERSONAL DATA PROTECTION, to which their members adhere by bylaws, along with the enforcement authority, shall implement within NINETY (90) days following the issuing of this regulation, a method of blocking or deletion on the part of the owner of the piece of information that must be excluded from the databases with advertising purposes. The deletion could be total or partial to blocking, strictly upon the owner's request, the use of some of the means of communication, such as mail, telephone, e-mails or others.

In every communication with advertising purposes done by mail, telephone, email, Internet or other means to be known, the data owner's possibility to ask for the total or partial deletion and blocking of his name from the database shall be expressly indicated and highlighted. Upon the request of the interested party, the name of the person responsible or user of the databank that provided the information shall be informed.

For the purposes of guaranteeing the right to information in section 13 of the Act N° 25.326, only chambers, associations and professional organizations of the sector that have a Code of Conduct approved by the NATIONAL BUREAU OF PERSONAL DATA PROTECTION, to which their members adhere by bylaws, shall be registered. At the moment of their registration, the chambers, associations and professional organizations shall provide a list of their members indicating their names, surnames and domiciles.

The person responsible or user of the archives, registers, databases and databanks for advertising purposes who does not adhere to any Code of Conduct, shall register in the Registry mentioned in section 21 of the Act N° 25.326.

The information related to the health condition could only be treated for purposes of making offers of goods and services, as long as they were obtained according to the Act N° 25.326, and they could not arouse discrimination, in a context of consumer–supplier of medical services/treatments or non-profit organization relationship. That information could not be transferred to third parties without previous express consent of the data owner. For that purpose, the data owner shall be clearly informed of the delicate nature of the information he is giving out and the fact that he is not forced to provide with them, as well as the content of sections 6 and 11, sub-section 1, of the Act N° 25.326 and the possibility he has of requesting the deletion or blocking in the database of his information.

SECTION 28° - the archives, registers, databases and databanks mentioned in section 28 of the Act N° 25.326 are responsible and subject to the fines established in section 31 of the aforementioned Act when they infringe its regulations.

CHAPTER V
CONTROL
SECTION 29° -
1) The NATIONAL BUREAU OF PERSONAL DATA PROTECTION, in the domain of the SECRETARY OF JUSTICE AND LEGISLATIVE AFFAIRS of the MINISTRY OF JUSTICE AND HUMAN RIGHTS is created as a controlling body for the Act N° 25.326.

The Director shall be exclusively devoted to his functions, which he will exercise in full autonomy, and shall not be subject to any instruction.

2) The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall be formed by a National Director, Level "A" with Executive Function I, designated by the NATIONAL EXECUTIVE POWER, for a term of FOUR (4) years, and shall be elected among other people with experience in this field by the Minister of Justice and Human Rights or his deputy, as an exception to the Annex I of the Decree N° 993/91 and its amendments.

The Bureau will count on the personnel designated by the Ministry of Justice and Human Rights resorting to human resources existent in the NATIONAL PUBLIC ADMINISTRATION. The personnel shall keep secrecy regarding the personal data that handle during their work.

Within THIRTY (30) business days from the day he assumed the post, the National Director shall submit a project concerning the organizational structure and internal regulation to the NATIONA EXECUTIVE POWER for him to approve it and broadcasting it in the Official Bulletin.

3) The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall be financed with:

a) The funds collected as fees for the services provided;
b) The funds derived from the fines established in section 31 of the Act N° 25.326;
c) The budgetary allocation included in the Budget of the National Administration Law from the year 2002.

Transitorily, since the effective date of this regulation until December 31, 2001, the cost of the structure shall be afforded with the budgetary credit corresponding to the MINISTRY OF JUSTICE AND HUMAN RIGHTS for the year 2001, without prejudice to what is stated in points a) and b) of the previous paragraph.

4) The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall have an Advisory Council that will work ad-honorem and shall be in charge of advising the National Director in significant issues, and will be constituted by:

- A representative of the MINISTRY OF JUSTICE AND HUMAN RIGHTS;
- A magistrate of the PUBLIC FISCAL MINISTRY;
- A representative of the public archives which purpose is to provide with information, designated by the Chamber that groups the national credit information entities;
- A representative of the ARGENTINE FEDERATION OF COMMERCIAL DATA BUSINESS ORGANIZATIONS;
- A representative of the CENTRAL BANK OF ARGENTINA;
- A representative of the business organizations which purpose is stated in section 27 of the Act Nª 25.326, designated by common consent of the respective Chambers;
- A representative of the FEDERAL CONSUMER ADVISORY COUNCIL;
- A representative of the IRAM, the Argentine Institute of Normalization, specialized in Information technology Security;
- A representative of the NATIONAL SUPERINTENDENCY OF INSURANCE COMPANIES;
- A representative of the Bicameral Committee for the Control of Internal Security and Intelligence Agencies and Activities of the NATIONAL CONGRESS

The entities mentioned above are invited to designate the representatives that shall integrate into the Advisory Council.

5) The following are the functions of the NATIONAL BUREAU OF PERSONAL DATA PROTECTION apart from those established in the Act Nª 25.326:

a) To make the administrative and procedural rules related to registration proceedings and other functions of the bureau, and technical rules and procedures related to the treatment and security conditions of public and private archives, registers, databases and databanks:
b) To deal with complaints related to the treatment of personal data according to the Act Nª 25.326.
c) To collect the fees established for the services of registration and others it offers;
d) To organize and provide with it be necessary for the adequate operation of the Registry of public and private archives, registers, databases and databanks established in section 21 of the Act Nª 25.326;
e) To elaborate the necessary tools suitable for the best citizens data protection and the best fulfilment of the applicable legislation;
f) To approve the codes of conduct that are submitted according to section 30 of the Act Nª 25.326, after report of the Advisory Council, taking into account their adaptation to the regulatory principles for the personal data treatment, the representation exercised by the association and organization that elaborates the code, and its executive efficacy related to the operators of the sector through the provision of penalties or appropriate mechanisms.

SECTION 30º - The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall encourage the creation of codes of conduct for the purpose of contribution to, depending on the characteristics of each sector, the proper application of the national rules stated in the Act Nª 25.326 and this regulation.

The professional associations and other organizations that represent other categories of person responsible or users of public or private archives, registers, databases or databanks, which had developed projects of Ethics codes, or had the intention to modify or extend the validity of the existent national codes, could submit those projects to the NATIONAL BUREAU OF PERSONAL DATA PROTECTION for it to consider them. The bureau shall approve it or suggest the changes that it consider necessary for its approval.

CHAPTER VI
SANCTIONS
SECTION 31º -

1. The administrative sanctions established in section 31 of the Act Nº 25.326 shall be applied to persons responsible or users of archives, files, registers, data bases and data banks intended to provide reports, which would have registered or not in the corresponding registry. The amount of the sanctions shall be adjusted according to the nature of the personal rights affected, the quantity of treatments done, the benefits gained, the degree of intent, the recidivism, the damages caused to interested persons and third parties, and any other circumstance that be relevant to determine the degree of illegality and guilt present in the specific offense. It shall be considered as a recidivist someone who, having been sanctioned for an infringement of the Act Nº 25.326 or its regulations, commits another infringement of similar characteristics within THREE (3) years from the application of the sanction.

2. The funds collected with the fines referred in section 31 of the Act Nª 25.326 shall be applied for the financing of the NATIONAL BUREAU OF PERSONAL DATA PROTECTION.

3. The procedure shall respect the following provisions:

a) The NATIONAL BUREAU OF PERSONAL DATA PROTECTION shall start administrative actions in case of alleged infringement to the provisions of Act Nº 25.326 and its regulations, ex-officio upon a denounce submitted by someone that cite a particular interest, by the Ombudsman, or by consumers associations.

b) A report shall be written in which it shall be expressly stated the event reported or checked and the provision allegedly infringed.
In the same report, the documentation submitted shall be added and the alleged offender shall be summoned so that, within FIVE (5) business days, he submit his defense and evidence to prove his right.

If it were an inspection record that requires a subsequent technical verification in order to determine the alleged infraction and it results positive, the alleged offender of such infraction shall be notified and summoned to submit his written defense within FIVE (5) business days. In his first submission, the alleged offender shall establish domicile and certify his legal status.

The proof of the report written according to the provisions of this section, as well as the technical verifications provided, shall be sufficient evidence of the proven event, except when it turn out distorted by other evidence.

c) Evidence shall be accepted only when controversial events exist and as long as they do not turn out overtly irrelevant. Against the resolution that denies means of evidence it shall only be granted an appeal of reconsideration. The proof shall occur within a period of TEN (10) business days, extendable only because of justified causes, and those which do not occur within the aforementioned period due to a cause attributable to the offender shall be withdrawn.

When the investigative proceedings conclude, the final decision shall be issued within TWENTY (29) business days.

SECTION 32º - Non-regulated.

CHAPTER VII

ACTION FOR THE PROTECTION OF PERSONAL DATA

SECTIONS 33º up to 46º - Non-regulated.