The transfer of personal data is the act by which the controller of a database transfers personal information to a third party for its use, processing, or storage. In Argentina, the transfer of personal data is regulated by Law 25,326 on Personal Data Protection (the “LPDP”) and Regulatory Decree 1558/2001, which establish strict requirements for its legality.
According to Article 11 of the LPDP, the transfer of data is only valid with the prior, express, and informed consent of the data subject, except in specific cases contemplated by the regulations.
Legal Framework: Article 11 of Law 25,326
Article 11 of the LPDP regulates the transfer of personal data to third parties and establishes the following requirements:
- General Principle of Consent: The transfer of personal data requires the prior, express, and informed consent of the data subject.
- Exceptions to Consent: Authorization is not required in certain cases, such as:
- When a law expressly provides for it.
- When necessary for compliance with a legal obligation.
- When there is a contractual relationship between the data subject and the data controller.
- When data is transferred to government agencies in the exercise of their functions.
- In emergency situations or for reasons of public interest.
- When the data being transferred is limited to lists containing names, national identity documents, tax or social security identification, occupation, date of birth, and address.
- Prohibition on Transfers for a Different Purpose: Data cannot be transferred for a use other than the original purpose for which it was collected.
- International Data Transfers: Transfers to another country are only valid if the recipient jurisdiction guarantees an adequate level of protection, if sufficient safeguards are provided for such transfers, or if the data subjects have given their express consent.
It is important to highlight that Article 11 states: “The transferee shall be subject to the same legal and regulatory obligations as the transferor, and the latter shall be jointly and severally liable for compliance before the regulatory body and the data subject concerned.“
Obligations for Companies Engaging in Personal Data Transfers
Companies that process personal data must comply with specific requirements when transferring information:
- Inform data subjects about the transfer and its purpose.
- Sign contracts with third parties to ensure proper data processing.
- Implement security measures to prevent unauthorized access.
- Respect the data subjects’ rights (such as access, rectification, updating, and deletion of data).
Consequences of Non-Compliance
The improper use of personal data may result in administrative, civil, and even criminal sanctions. The Access to Public Information Agency (AAIP) has the authority to impose fines.
Additionally, data subjects may take legal action in cases of unauthorized data transfers, seeking compensation for damages.
Conclusion
The transfer of personal data in Argentina is regulated by the LPDP to ensure privacy and data protection. Companies that manage personal information must comply with strict requirements, ensuring informed consent and data security.
At Legal Core Group, we provide legal advice to companies on regulatory compliance and data protection. If you need assistance to ensure your company complies with current legislation, contact us.