Personal Data Protection Act
Agency of Access to Public Information
Law 25.326, Argentina's Personal Data Protection Act, has been the country's foundational data protection law since November 2000. It predates the GDPR by nearly two decades, and understanding what it actually does — and what it deliberately does not do — matters more than knowing when it passed.
The Act is built around one central idea: if you want to collect and use someone's personal data, you need their consent. Not a legitimate interest analysis. Not a balancing test. Not a broad contractual necessity exception. Consent. The Act treats consent as the default legal basis and everything else as a narrow exception to that rule. That simplicity is both the law's greatest strength and its most common source of compliance failure — because organisations accustomed to GDPR's six-basis framework often assume they have more room than they do.
The Act applies to all entities — public and private — that maintain files, records or databases containing personal data about individuals in Argentina. There is no revenue threshold, no employee count exemption, no small business carve-out. If you hold personal data about Argentine residents in a structured database, you are covered.
The Act has a limited set of processing exceptions that are often confused with a broader flexibility that does not exist. Processing without consent is permitted where: the data is collected for the fulfilment of state functions or by virtue of a legal obligation; it is derived from a contractual or professional relationship with the data subject; it comes from publicly accessible sources of unrestricted access; or it consists of basic identifying information limited to name, identity document, taxpayer or pension number, occupation, date of birth and domicile. These are narrow and specific. The contractual basis covers necessity arising from the relationship with the data subject, not third-party processing for unrelated commercial purposes. The public source exception applies only to data that is genuinely publicly accessible — it is not a licence to scrape and repurpose.
The Act introduces a clear role distinction. The data controller is the person or entity that decides the purpose and means of processing — this is you. The data processor is an entity that processes data on the controller's behalf under a contract. The data subject is the individual whose data is held. The controller-processor distinction matters because the Act makes the assignee of personal data subject to the same legal and regulatory obligations as the assignor — and holds the assignor jointly and severally liable to the AAIP and to the data subject for the assignee's compliance. That liability does not transfer away through a contract clause.
Under the Act, consent must be free, express and informed. For ordinary personal data, consent may be given in writing or by any equivalent means. For sensitive personal data — health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual life — consent must be in writing. There is no equivalent of the GDPR's explicit consent for sensitive data processing; the Argentine requirement is more precise: it must be written, and it cannot be inferred or presumed.
Before consent is sought, the data subject must be clearly informed of: the purpose of the collection; the existence of the database or file in which their data will be held; whether provision of data is mandatory or optional; the consequences of not providing it; and their rights to access, rectify and delete their data. This notification obligation is not satisfied by a long-form privacy policy buried in a footer. It must be given before collection, must be clear, and must address each of these elements specifically.
The burden of proving valid consent rests on the controller. If consent is challenged — whether in an AAIP proceeding or a Habeas Data action — the controller must be able to demonstrate that informed consent was actually obtained. A checkbox, an implied acceptance, or a pre-ticked field does not satisfy this standard. Controllers relying on consent as their legal basis should maintain records that can be produced to a court or regulator on demand.
One of the most operationally significant requirements of the Act — and the one most frequently missed by international organisations — is the obligation to register every database containing personal data with the AAIP before it is brought into operation. This is not a one-time notification. Every database must be registered, and the registration must be kept current. Changes to the database's purpose, content or processing activities require updated registration.
The registration obligation applies to both public and private sector controllers. Failure to register is itself a violation of the Act, independently of whether any other obligation has been breached. GDPR compliance does not satisfy this requirement. An organisation that has a comprehensive GDPR-aligned privacy programme but has not registered its Argentine databases with the AAIP is non-compliant from the moment those databases begin operating.
The Act defines sensitive data broadly: health and medical information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and information about sexual life. Processing sensitive data without written consent — or without a specific statutory basis — constitutes a serious violation and triggers elevated penalties.
No person can be compelled to provide sensitive data. Storing data that reveals racial or ethnic origin, political opinions, religious beliefs or trade union membership is prohibited except for records maintained by religious, political, trade union or similar organisations in connection with their own members and with their consent. Health data may be processed without consent only in specific emergency, public health or epidemiological research contexts — and even then, adequate disaggregation mechanisms must be applied to protect individual identity. These are not general permissions. They are narrow statutory carve-outs that must be documented and justified.
Argentina prohibits the transfer of personal data to countries or international organisations that do not provide an adequate level of protection. The AAIP maintains the list of countries considered adequate. Argentina itself holds adequacy status with the EU, which means personal data can flow from EU member states to Argentina without additional transfer mechanisms — a commercially significant fact for European businesses with Argentine operations or service providers.
The reverse flow — from Argentina to third countries — is subject to Article 12's prohibition unless one of the following applies: the data subject has given express consent to the transfer; the transfer is necessary for the performance of a contract between the controller and the data subject; the transfer is required for public health reasons or the prevention of serious harm to the data subject; the transfer is to a country that is a party to the same laws and regulations as Argentina and can be held jointly liable; or adequate dissociative procedures have been applied so that individual identity is protected. Standard Contractual Clauses modelled on the EU framework are available under AAIP Provision 60-E/2016, but they must be filed with the AAIP and approved — they are not self-executing.
A European SaaS company expanded into Argentina and onboarded several hundred Argentine business customers. Its GDPR compliance programme was thorough: lawful basis documented, privacy notices in place, processor agreements signed, data subject rights workflows operational. What it had not done was register any of its Argentine databases with the AAIP. Under Law 25.326, the obligation to register applies before a database begins operating — not after a regulatory inquiry arrives. When an Argentine customer lodged a complaint with the AAIP about how their employees' data was being handled, the investigation revealed not one unregistered database but dozens. Each unregistered database was a separate violation. The company's GDPR documentation was treated as evidence of awareness of its obligations, not as a substitute for Argentine registration. The penalties were calculated per database.
Every data subject has the right to access any personal data held about them free of charge, at intervals of no less than six months — or at any time if a legitimate interest is demonstrated. They have the right to rectification, updating and deletion of inaccurate, incomplete or outdated data. They have the right to object to processing for direct marketing purposes. And they have a constitutional right — enshrined in Article 43 of the Argentine Constitution — to pursue a Habeas Data action directly before a court, without any prior regulatory step, to compel access, correction or deletion.
The Habeas Data mechanism is what makes Argentina's individual rights framework materially different from most comparable jurisdictions. A data subject does not need to exhaust an internal complaints procedure. They do not need to wait for the AAIP to investigate. They can go directly to court and obtain an order — including an immediate injunction — against the controller. This means that any failure to respond to a rights request within the statutory timeframe, or any refusal that is not grounded in a specific statutory exception, is simultaneously a regulatory violation and a litigation trigger.
Under the current Act, administrative fines range from ARS 1,000 to ARS 100,000. The Act also provides for criminal sanctions: knowingly providing false information from a personal data file carries a penalty of six months to three years' imprisonment, with the penalty increased by half if the act causes harm to the data subject. The AAIP may also order the suspension or closure of a database as an enforcement measure.
A significantly revised data protection bill has been under parliamentary discussion, aiming to bring Argentina's framework more closely into alignment with GDPR's accountability principles. The proposed reforms would introduce penalties ranging from ARS 50,000 to ARS 10 billion, or two to four percent of annual turnover — whichever is higher — as well as mandatory data protection impact assessments for high-risk processing and a formal data protection officer requirement. The bill has not yet been enacted, but the direction of travel is clear. Organisations that build their compliance posture to meet only the current framework risk having to restructure again when the reform passes.
Article 5 — Consent: processing is unlawful without free, express and informed consent; exceptions are narrow and specific.
Article 6 — Information: data subjects must be clearly informed of purpose, database existence, mandatory or optional nature, consequences of non-provision, and their rights before data is collected.
Article 7 — Sensitive data: no person may be compelled to provide it; written consent required; storage restrictions apply to political, racial and similar categories.
Article 11 — Assignment: transfer of personal data to third parties requires consent; the assignee is subject to the same obligations as the assignor; the assignor remains jointly and severally liable.
Article 12 — International transfer: prohibited to countries without adequate protection unless specific exceptions are met; SCCs available under AAIP Provision 60-E/2016.
Articles 14–16 — Data subject rights: access, rectification, updating, deletion; free of charge; response within statutory timeframe.
Article 24 and Decree 1558/2001 — Database registration: mandatory before operation; applies to every database; changes require updated registration.
Article 43, Argentine Constitution — Habeas Data: constitutional right to pursue judicial action directly for access, correction or deletion without prior regulatory step.
The Argentine PDPA is not a documentation exercise. It is a consent-first accountability framework with a constitutional enforcement mechanism that bypasses regulatory intermediation entirely. Your checklists tell you what to do. This law tells you why: because every database you operate must be registered, every consent you rely on must be provable, every sensitive data category you hold demands written authorisation, and every data subject can walk into court without warning. The organisations that treat this as a genuine accountability question — not a GDPR-adjacent tickbox — are the ones that will be ready when a Habeas Data petition arrives.