International data transfers are a key compliance issue for companies operating in Argentina with cross-border operations. Law No. 25,326 on the Protection of Personal Data (LPDP) establishes that, in principle, personal data may not be transferred to countries or international organizations that do not provide an adequate level of protection—unless certain exceptions apply.
In this article, we outline the conditions under which personal data can be transferred abroad, which countries are deemed adequate, and what mechanisms are available for transfers to jurisdictions that do not meet Argentina’s standards.
General rule: Data transfers are only allowed to countries with adequate protection
Article 12 of Law No. 25,326 provides that international transfers of personal data are only permitted when the recipient country offers an adequate level of protection, meaning its legal framework is equivalent or comparable to the Argentine standards for ensuring data security and privacy.
However, the law also provides specific exceptions that allow data transfers to countries without adequate protection under certain circumstances.
Exceptions: When can data be transferred to non-adequate countries?
Even if the recipient country does not ensure an adequate level of protection, the prohibition on international transfers does not apply in the following situations:
- International judicial cooperation
- Exchange of medical data for treatment or epidemiological research
- Bank or stock transfers under relevant legislation
- When the transfer has been agreed within the framework of international treaties to which the Argentine Republic is a party
- Cooperation in combating organized crime, terrorism, and drug trafficking
Which countries are considered to provide adequate protection?
The National Directorate for Personal Data Protection (DNPDP) under the Agency for Access to Public Information (AAIP)—Argentina’s data protection authority—has issued a list of countries that are considered to offer adequate protection.
According to DNPDP Resolution 60/2016 and AAIP Resolution 34/2019, the following territories are deemed adequate:
- Member States of the European Union and European Economic Area (EEA)
- United Kingdom
- Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands
- Canada (only for the private sector)
- Andorra, New Zealand, Uruguay
- Israel (only for data subject to automated processing)
Importantly, on January 15, 2024, the European Commission reaffirmed Argentina’s adequacy status, meaning that data can flow freely from the EU to Argentina without requiring additional safeguards.
How to transfer data to non-adequate countries?
Under Regulatory Decree 1558/2001, DNPDP Resolution 60-E/2016, and AAIP Resolution 159/2018, if a company needs to transfer personal data to a non-adequate country, two main mechanisms can be used:
1. Obtaining the data subject’s express consent
The data subject must be informed about the purpose of the transfer and the identity of the recipient before consenting.
2. Providing appropriate safeguards through:
- Model contractual clauses: These are pre-approved by the AAIP and ensure that the transfer provides an equivalent level of protection. They govern obligations for both the data exporter and importer, security measures, data subjects’ rights, and dispute resolution mechanisms. In 2023, the AAIP updated these model clauses via Resolution 198/2023, aligning them with international standards. Custom contracts may also be used, but they require AAIP’s prior approval to be valid.
- Binding corporate rules (BCRs): Applicable to companies within the same economic group (under common control). These internal rules must comply with Law 25.326, the Regulatory Decree, and AAIP Resolution 159/2018.
Conclusion
Ensuring compliance with Argentina’s data transfer rules is essential to avoid sanctions and protect users’ personal information. Companies must assess whether the recipient country provides adequate protection, implement model clauses when required, adopt BCRs if operating under a corporate group, and obtain express consent when needed.
At Legal Core Group, we provide comprehensive advice to ensure your international data transfers are conducted securely and in full compliance with Argentine law.
If your company is planning to transfer personal data internationally and needs legal guidance, contact us.
