Argentina: Entry into force with grace period of Law 25.326 on Personal Data Protection, including data protection regulation

On 2 November 2000, the data protection measures outlined in Law 25.326 on Personal Data Protection entered into force. The Law applies to data controllers, defined as any individual or legal entity that collects and processes personal data within the jurisdiction. The Law defines personal data as information that could lead to a person's identification and specifies the information that classifies as sensitive data, including data on racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, labour union membership, and information concerning health conditions or sexual habits or behaviour. The data controllers are required to follow the principles governing the protection of data, including the lawfulness and quality of data, by collecting and processing data based on a specific purpose. The Law requires data controllers to obtain the data subject's informed consent for processing the data and provide information regarding the purpose for which the data will be processed, the consequences for providing, refusing or offering inaccurate information and the data subject rights. The data subjects have the right to access, rectify, update, and, when applicable, suppress or keep confidential their data. The entities can deny access or rectification based on national defence, public order, and safety grounds or the protection of rights and interests of third parties. In regard to sensitive data, the Law specifies that no individual can be compelled to provide sensitive data and that it can be collected based on general interest authorised by Law or with statistical or scientific purposes if the data is anonymised. Finally, the data controllers must implement technical and organisational measures to ensure the security and confidentiality of the data stored.