Regulation No. 7/20051 issued by the Personal Data Protection National Office (the "Office") repealing the previous offense regime2 (i) approves a new classification and degrees of the penalties imposed by the Office for offenses to Law No. 25326 (the "Data Protection Law") and (ii) creates a registry of offenders of the Data Protection Law (the "Registry").
1. New degrees of offenses
The Regulation provides for three degrees of offenses:
- minor offenses, punished with up to two warnings and/or a fine ranging from $1,000 to $3,000;
- (ii) serious offenses, punished with up to four warnings, suspension from 1 to 30 days and/or a fine ranging from $3,000 to $50,000; and
- (iii) highly serious offenses, punished with up to six warnings, suspension from 31 to 365 days, closure or suppression of data bank, record or registry and/or a fine ranging from $50,000 to $100,000.
The penalties imposed shall apply to holders or users of public or private data banks, bases, registries or records that provide information, either registered or not at the pertaining registry under Regulation No.2/2005 of the Office3, notwithstanding, however, the administrative liability of holders or users of public data banks, or the civil liability derived from violations to the Personal Data Protection Law and other applicable criminal penalties.
The application and the graduation of the penalties shall be assessed according to the nature of the affected personal rights, the number of files treated, the benefit gained, the intention, whether the breach is a second-offense, the damage caused and any other circumstance relevant in assessing the relevant offense.
The Regulation provides that second-offense takes place whenever the offender that has been punished for breaching the Personal Data Protection Law commits other offenses within three years as from the application of the relevant penalty.
Lack of payment of the penalties imposed shall entail the Office to lodge an expedite judicial action for the collection of monies.
2. New classification of offenses
The Regulation sets forth the following classification of offenses. The Office may include other offenses in the future:
(i) Minor offenses:
a. failure to comply with an access, rectification or suppression request of personal data;
b. failure to provide the information requested by the Office to the record subject;
c. failure to request the registration of public and private databases with mandatory registration under the Personal Data Protection Law;
d. collection of personal data without providing the data subjects with the information set forth in the Personal Data Protection Law or their willful, written and informed consent, whenever required;
e. failure to observe the gratuitousness principle on data access or rectification;
f. keeping, beyond the statutory term, of the registry, record or assignment of material data to evaluate the economic-financial solvency of the data subjects;
g. treatment, within loan-related information, of economic information exceeding that information related to the solvency and credit of the data subject;
h. treatment, in advertising data banks, registries or records, of data exceeding the ones necessary to determine advertising records or consumption habits;
i.failure to cease the unlawful use of personal data treatment whenever required by the data subject; and
j. treatment of personal data that is not true, proper, relevant or excessive with relation to the scope and purpose for which it was obtained.
(ii) Serious offenses:
a. unlawful treatment of personal data or treatment of such data without observing the principles and guarantees under the Personal Data Protection Law and regulations thereof;
b. actions to prevent or hinder the data subject’s exercise of the access right or denial to furnish the information requested;
maintenance of untrue personal data or failure to make the legal rectifications, updates or suppressions thereof whenever the individuals’ rights have been affected, if so requested by the Office;
d. breach of the confidentiality duty on the personal data included in data bases, registries, records or banks;
e. maintenance of local databases, programs or equipments containing personal data without the proper security measures duly provided for;
f. obstruction of the control or supervision duties by the Office;
g. failure to register the personal data base at the pertaining registry, if so requested by the Office;
h. failure to cease unlawful use of personal data treatment whenever required by the Office; and
i. collection of personal data through dodges or fraud.
(iii) Highly serious offenses:
a. creation of a data record for a purpose contrary to the laws or public morals;
b. transfer of personal data of whatever kind to countries or international entities not complying with proper protection measures, without having complied with other legal requirements provided for in the law and regulations thereof;
c. unlawful assignment of personal data other than the cases statutorily allowed;
d. collection and treatment of sensitive data with no general interest reasons authorized by the law or treatment thereof with statistical or scientific purposes in a joint manner;
e. creation of records, banks or registries containing information directly or indirectly revealing sensitive data, other than the cases expressly provided by the Personal Data Protection Law;
f. unlawful treatment of personal data or unobserving principles and guarantees under the National Constitution of the Argentine Republic;
g. breach of the confidentiality duty on sensitive date and data collected and treated for criminal or infringement purposes.
3. Offenders registry
The Regulation creates the Registry and sets forth its goals:
- organize and keep updated a registry of the offenders, including the evidence of the records initiated under the accusation proceedings before the Office; and
- (ii) evidence, at the pertaining file, the nature of the offense, the penalty applied, compliance with penalty, motions filed, final decision, whether the offender is a second-offender and any other element the Office deems proper.
Footnotes
1. Published in the Official Gazette on November 11.
2. According to Regulation No. 1/2003 issued by the Personal Data Protection National Office, published in the Official Gazette on June 30 2003.
3. Published in the Official Gazette on February 18 2005.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
