🇦🇷Argentina

Argentina's data compliance framework is built around a single foundational privacy law

Argentina's data protection regime is anchored by the Personal Data Protection Act, Law 25.326, which has been in force since November 2000. The Act creates the accountability framework for the collection and processing of personal data by both public and private entities. Decree 1558/2001 provides the regulatory detail that translates the Act into operational requirements for registration, international transfers and controller obligations. AAIP resolutions — particularly Resolution 47/2018 on security measures and Resolution 4/2019 on consent, biometric data and video surveillance — sit beside the primary framework as a layer of binding administrative guidance that directly affects how organisations design their data practices.

The three pillars to understand first

Law 25.326 (the PDPA) answers the legal question: when may an organisation process personal data, and what duties does it owe to the individual? Its core idea is consent. If an organisation collects or processes someone's personal data, it must have that person's free, express and informed consent — unless a specific statutory exception applies. The controller remains responsible for that data, including when it is handled by processors or transferred to third parties.

Decree 1558/2001 and AAIP Resolutions answer the implementation question: what must the organisation actually build, register and publish? They prescribe the database registration obligation with the AAIP, the minimum security standards that controllers must implement proportionate to data sensitivity, the contractual requirements for data processing agreements, and the procedural rules for cross-border transfers to countries without adequate protection. Resolution 47/2018 sets the baseline security framework covering access controls, encryption, audit trails and incident response. Resolution 4/2019 addresses consent mechanics, biometric data governance, and children's data.

The Habeas Data constitutional right (Article 43) answers the individual enforcement question: what can a person do when an organisation refuses to honour their rights? Argentina's Constitution gives individuals a direct judicial remedy to access, correct or delete personal data held in any database — public or private. This constitutional mechanism operates independently of the AAIP complaint process and can result in court orders with immediate effect. It makes Argentina's framework distinctively enforceable at the individual level without requiring regulatory intermediation.

How these elements work together

A database registration obligation under the AAIP sits alongside the substantive consent and security obligations under the Act. A controller that has registered its database but has not implemented the minimum security measures required by Resolution 47/2018 is still non-compliant. A consent mechanism that satisfies the Act's formalities but does not meet the specific requirements for sensitive data — which must be in writing — creates enforcement exposure. A cross-border data transfer to a country without adequate protection, even where the controller is otherwise compliant, requires either individual consent or one of the narrow statutory exceptions.

These obligations should not be managed in separate silos. Database registration, consent design, security implementation, data subject rights workflows, processor contracts and transfer governance all operate across the same data lifecycle. The Habeas Data mechanism means that individuals can escalate directly to court without waiting for the AAIP — so any gap in rights fulfilment is also a litigation risk, not merely a regulatory one.

What organisations should prioritise

Start with a complete inventory of databases and data processing activities, and confirm that every database holding personal data of Argentine residents is registered with the AAIP. Then audit every consent mechanism against the Act's formality requirements — particularly for sensitive data, which requires written consent. Verify that processor contracts contain the obligations required by the Act, including joint and several liability provisions. Security controls must meet the Resolution 47/2018 baseline as a floor, not a target.

For organisations processing sensitive data, conducting cross-border transfers, or operating at scale, the preparation should go further: documented lawful basis for every category of sensitive data, transfer adequacy assessments or individual consent records for each destination country, data subject rights workflows capable of responding within the statutory timeframe, and an incident response procedure that aligns with the security resolution's breach notification expectations.