Page 1

PROTECTION OF PERSONAL DATA
Decree 1558/2001
The regulation of Law No. 25,326 is approved. General principles relating to data protection. Rights of the owners of the data. Users and managers of files, records and databases.
Control. Sanctions
Bs. As., 11/29/2001
HAVING SEEN file No. 128,949 / 01 of the registry of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, Law No. 25,326, and
CONSIDERING:
That article 45 of the aforementioned Law establishes that the NATIONAL EXECUTIVE POWER must regulate it and establish the control body referred to in article 29 within ONE HUNDRED EIGHTY (180) days of its promulgation.
That article 46 of the aforementioned Law establishes that the regulations will establish the term within which the data files intended to provide reports existing at the time of the enactment of said Law must be registered in the Registry referred to in article 21
and adapt to the provisions of the regime established in said regulation.
That article 31, subsection 2, of Law No. 25,326 provides that the regulations shall determine the conditions and procedures for the application of sanctions, in the terms that said norm establishes.

That the GENERAL DIRECTORATE OF LEGAL AFFAIRS of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, the GENERAL DIRECTORATE OF LEGAL AFFAIRS of the UNDER SECRETARIAT FOR LEGAL AFFAIRS of the LEGAL AND TECHNICAL SECRETARIAT of
the PRESIDENCY OF THE NATION and the PROCUREMENT OF THE TREASURE OF THE NATION have taken the intervention that corresponds to them.
That this measure is issued in use of the powers conferred by article 99, paragraph 2) of the NATIONAL CONSTITUTION.
Thus,
THE PRESIDENT OF THE ARGENTINE NATION
DECREE:
Article 1 - Approve the regulations of Law No. 25,326 on Protection of Personal Data, which as Annex I is part of this.
Art. 2 - Establish in ONE HUNDRED EIGHTY (180) days the term established in article 46 of Law No. 25,326.
Art. 3 - The Provinces and the AUTONOMOUS CITY OF BUENOS AIRES are invited to adhere to the rules of exclusive national application of this regulation.
Art. 4 - Communicate, publish, give to the National Directorate of the Official Registry and file. —From LA RUA. - Chrystian G. Colombo. - Jorge E. De La Rúa.
ANNEX I
REGULATION OF LAW No. 25,326
CHAPTER I
GENERAL DISPOSITION
ARTICLE 1.- For the purposes of this regulation, those that exceed the exclusively personal use and those whose purpose is the
assignment or transfer of personal data, regardless of whether the circulation of the report or the information produced is for consideration or free of charge.
ARTICLE 2.- Not regulated.
CHAPTER II
GENERAL PRINCIPLES RELATING TO DATA PROTECTION
ARTICLE 3.- Not regulated.
ARTICLE 4.- To determine the loyalty and good faith in obtaining personal data, as well as the destination assigned to them, the procedure carried out for the collection must be analyzed and, in particular, the information that has been provided to the headline
of the data in accordance with article 6 of Law No. 25,326.
When the obtaining or collection of personal data is achieved by interconnection or processing of files, records, databases or databases, the source of information and the intended destination of the data controller or user must be analyzed.
obtained personal.
The data that has lost validity with respect to the purposes for which it was obtained or collected must be deleted by the person in charge or user without the need for the owner of the data to require it.
The NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION will carry out ex officio controls on compliance with this legal principle, and will apply the pertinent sanctions to the person responsible or user in the corresponding cases.
The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will proceed, at the request of an interested party or ex officio upon suspicion of an illegality, to verify compliance with the legal and regulatory provisions in order to each of the
following stages of the use and exploitation of personal data:
a) legality of the collection or collection of personal information;
b) legality in the exchange of data and in the transmission to third parties or in the interrelation between them;
c) legality of the assignment itself;
d) legality of the internal and external control mechanisms of the file, registry, database or database.
ARTICLE 5.- Informed consent is preceded by an explanation, to the owner of the data, in a manner appropriate to their social and cultural level, of the information referred to in Article 6 of Law No. 25,326.
The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will establish the requirements for consent to be given by a means other than the written form, which must ensure the authorship and integrity of the statement.
The consent given for the processing of personal data can be revoked at any time. The revocation has no retroactive effect.
For the purposes of article 5, subsection 2 e), of Law No. 25,326, the concept of financial entity includes the persons covered by Law No. 21,526 and credit card issuing companies, financial trusts, and liquidated financial exemptions.
by the CENTRAL BANK OF THE ARGENTINE REPUBLIC and the subjects expressly included by the Enforcement Authority of the aforementioned Law.
Consent is not necessary for the information described in sections a), b), c) and d) of Article 39 of Law No. 21,526.
In no case will bank secrecy be affected, the disclosure of data relating to passive operations carried out by financial entities with their clients is prohibited, in accordance with the provisions of articles 39 and 40 of Law No. 21,526.
ARTICLE 6.- Not regulated.
ARTICLE 7.- Not regulated.
ARTICLE 8.- Not regulated.
ARTICLE 9.- The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will promote cooperation between public and private sectors for the preparation and implementation of measures, practices and procedures that arouse trust in the
information systems, as well as in their provision and use modalities.
ARTICLE 10.- Not regulated.
ARTICLE 11.- The provisions set forth in Article 5 of Law No. 25,326 and Article 5 of this regulation are applicable to the consent for the transfer of data.
In the case of public files or databases dependent on an official body that, due to their specific functions, are intended for dissemination to the general public, the requirement regarding the legitimate interest of the transferee is considered implicit in the
reasons of general interest that motivated the unrestricted public access.
The massive transfer of personal data from public registries to private registries can only be authorized by law or by decision of the responsible official, if the data is publicly accessible and respect for the protection principles established in
Law No. 25,326. No administrative act is necessary in cases where the law provides unrestricted access to the public database. Mass transfer of personal data is understood to be one that comprises a collective group of people.
The NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION will set the security standards applicable to data dissociation mechanisms.
The assignee referred to in article 11, paragraph 4, of Law No. 25,326, may be totally or partially exempted from liability if he demonstrates that the fact that caused the damage cannot be attributed to him.
ARTICLE 12.- The prohibition of transferring personal data to countries or international or supranational organizations that do not provide adequate levels of protection, does not apply when the owner of the data has expressly consented to the transfer.
Consent is not necessary in the case of data transfer from a public registry that is legally constituted to provide information to the public and that is open to consultation by the general public or by any person who can demonstrate
a legitimate interest, provided that the legal and regulatory conditions for the consultation are met in each particular case.
The NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION is empowered to evaluate, ex officio or at the request of an interested party, the level of protection provided by the norms of a State or international organization. If you were to conclude that a
State or body does not adequately protect personal data, it will submit to the NATIONAL EXECUTIVE POWER a draft decree to issue such a statement. The project must be endorsed by the Ministers of Justice and Human Rights and of Relations
Foreign, International Trade and Worship.
The adequate nature of the level of protection offered by a country or international organization will be evaluated taking into account all the circumstances that occur in a transfer or in a category of data transfers; in particular, the
nature of the data, the purpose and duration of the treatment or of the planned treatments, the final destination, the general or sectoral rules of law, in force in the country in question, as well as professional standards, codes of conduct and
security measures in force in said places, or that are applicable to international or supranational organizations.
It is understood that a State or international organization provides an adequate level of protection when said protection derives directly from the current legal order, or from self-regulation systems, or from the protection established by the contractual clauses.
that provide for the protection of personal data.
CHAPTER III
RIGHTS OF DATA HOLDERS
ARTICLE 13.- Not regulated.
ARTICLE 14.- The request referred to in Article 14, subsection 1, of Law No. 25,326, does not require specific formulas, as long as it guarantees the identification of the holder. It can be done directly, by presenting the interested party to the person in charge or
user of the file, registry, database or database, or indirectly, through reliable notice in writing that leaves proof of receipt. Other direct or semi-direct access services such as media can also be used.
electronic devices, telephone lines, receipt of the claim on the screen or other suitable means for this purpose. In each case, media preferences may be offered to find out the required response.
In the case of files or public data banks dependent on an official body intended for dissemination to the general public, the conditions for the exercise of the right of access may be proposed by the body and approved by the DIRECTORATE
NATIONAL FOR THE PROTECTION OF PERSONAL DATA, which must ensure that the suggested procedures do not violate or restrict in any way the guarantees of this right.
The right of access will allow:
a) know whether or not the owner of the data is in the file, registry, database or database;
b) know all the data relating to his person that appear in the file;
c) request information on the sources and means through which your data was obtained;
d) request the purposes for which they were collected;
e) know the intended destination for personal data;
f) know if the file is registered in accordance with the requirements of Law No. 25,326.
Upon expiration of the deadline to reply set in article 14, paragraph 2 of Law No. 25,326, the interested party may exercise the action of protection of personal data and report the fact to the NATIONAL DIRECTORATE OF PROTECTION OF PERSONAL DATA to the
purposes of the relevant control of this body.
In the case of data of deceased persons, the link must be proven by the corresponding declaration of heirs, or by a reliable document that verifies the nature of the universal successor of the interested party.
ARTICLE 15.- The person responsible or user of the file, registry, database or database must answer the request addressed to him, regardless of whether or not personal data of the affected person is included, having to use any of the authorized means.
in article 15, subsection 3, of Law No. 25,326, at the option of the owner of the data, or the preferences that the interested party has expressly expressed when filing the right of access.
The NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION will prepare a model form that facilitates the right of access of the interested parties.
The following may be offered as alternative means to respond to the request:
a) screen display;
b) written report delivered to the domicile of the requested person;
c) written report sent to the address reported by the applicant;
d) electronic transmission of the response, provided that the identity of the interested party and the confidentiality, integrity and receipt of the information are guaranteed;
e) Any other procedure that is appropriate to the configuration and material implementation of the file, registry, database or database, offered by the person in charge or user thereof.
ARTICLE 16.- In the provisions of articles 16 to 22 and 38 to 43 of Law No. 25,326 in which some of the rights of rectification, updating, deletion and confidentiality are mentioned, it is understood that such regulations refer to all of them .
In the case of public files or databases made up of the transfer of information provided by financial entities, pension and retirement fund administrators, and insurance entities, in accordance with Article 5, subsection 2, of Law No.
25.326, the rights of rectification, updating, deletion and confidentiality must be exercised before the transferor entity that is a party to the legal relationship to which the contested data refers. If the claim proceeds, the respective entity must request the BANK
CENTRAL DE LA REPUBLICA ARGENTINA, to the SUPERINTENDENCY OF ADMINISTRATORS OF RETIREMENT AND PENSION FUNDS or to the SUPERINTENDENCY OF INSURANCE OF THE NATION, as the case may be, that the modifications are made
necessary in their databases. Any modification must be communicated through the same means used for the disclosure of the information.
Those responsible or users of public files or databases of unrestricted public access can comply with the notification referred to in article 16, paragraph 4, of Law No. 25,326 by modifying the data made through the same means
employees for disclosure.
ARTICLE 17.- Unregulated.
ARTICLE 18.- Unregulated.
ARTICLE 19.- Unregulated.
ARTICLE 20.- Unregulated.
CHAPTER IV
USERS AND CONTROLLERS OF FILES, RECORDS AND DATA BANKS
ARTICLE 21.- The registration and registration of public and private files, registers, databases or databases intended to provide information, will be enabled once this regulation has been published in the Official Gazette.
The public and private files, registers, databases or databases referred to in article 1 of this regulation must be registered.
For the purposes of the registration of files, records, databases and databases for publicity purposes, those responsible must proceed in accordance with the provisions of article 27, fourth paragraph, of this regulation.
ARTICLE 22.- Unregulated.
ARTICLE 23.- Not regulated.
ARTICLE 24.- Not regulated.
ARTICLE 25.- The contracts for the provision of services for the treatment of personal data must contain the security levels provided for in Law No. 25,326, this regulation and the complementary rules issued by the NATIONAL DIRECTORATE OF
PROTECTION OF PERSONAL DATA, as well as the obligations that arise for the tenants in order to confidentiality and reserve that they must maintain on the information obtained.
The performance of processing on request must be regulated by a contract that binds the person in charge of the treatment with the person in charge or user of the treatment and that provides, in particular:
a) that the person in charge of the treatment only acts following instructions of the person in charge of the treatment;
b) that the obligations of Article 9 of Law No. 25,326 are also incumbent on the person in charge of the treatment.
ARTICLE 26.- For the purposes of Article 26, subsection 2, of Law No. 25,326, data relating to compliance or non-compliance with obligations are those relating to mutual contracts, checking accounts, credit cards, trust, leasing, credits in
general and any other obligation of patrimonial content, as well as those that allow knowing the level of compliance and the qualification in order to specify, in an indubitable way, the content of the information issued.
In the case of public files or databases dependent on an official body intended for dissemination to the general public, the obligations arising from article 26, subsection 3, of Law No. 25,326 will be deemed to have been fulfilled as the person responsible for the base of
data communicate to the owner of the data the information, evaluations and assessments that have been disseminated about it during the last SIX (6) months.
In order to assess the economic and financial solvency of a person, in accordance with the provisions of Article 26, subsection 4, of Law No. 25,326, all available information from the birth of each obligation until its termination will be taken into account. In the computation of
FIVE (5) years, these will be counted from the date of the last adverse information filed that reveals that said debt was enforceable. If the debtor proves that the latest available information coincides with the extinction of the debt, the term will be reduced to TWO (2)
years. For compliance data without delay, there will be no deadline for elimination.
For the purposes of calculating the period of TWO (2) years for data conservation when the debtor has canceled or extinguished the obligation, the precise date on which the debt is extinguished will be taken into account.
In order to comply with the provisions of article 26, paragraph 5, of Law No. 25,326, the CENTRAL BANK OF THE ARGENTINE REPUBLIC must restrict access to its databases available on the Internet, in the case of information on
natural persons, requiring the entry of the national identity document number or unique tax or labor identification code of the owner of the data, obtained by the assignee through a prior contractual or commercial relationship.
ARTICLE 27.- Data may be collected, processed and transferred for advertising purposes without the consent of the owner, when they are intended for the formation of specific profiles that categorize preferences and similar behaviors of people, always
that the owners of the data are only identified by their belonging to such generic groups, plus the individual data strictly necessary to formulate the offer to the recipients.
The chambers, associations and professional associations of the sector that have a Code of Conduct approved by the NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION, to which by statute all its members adhere,
Together with the Application Authority, they will implement, within NINETY (90) days following the publication of this regulation, a withdrawal or blocking system in favor of the owner of the data that wants to be excluded from the databases for advertising purposes. . The
Withdrawal may be total or partial, blocking exclusively, at the request of the owner, the use of one or more of the means of communication in particular, such as mail, telephone, email or others.
In all communication for advertising purposes that is carried out by mail, telephone, email, Internet or other remote means to be known, the possibility of the owner of the data to request the withdrawal or blocking must be indicated, expressly and prominently, total or
partial, from your database name. At the request of the interested party, the name of the person in charge or user of the database that provided the information must be informed.
In order to guarantee the right to information in article 13 of Law No. 25,326, only the chambers, associations and professional associations of the sector that have a Code of Conduct approved by the NATIONAL DIRECTORATE OF
PROTECTION OF PERSONAL DATA, to which by statute all its members compulsorily adhere. When registering, chambers, associations and professional associations must submit a list of their associates indicating name, surname and address.
Those responsible or users of files, records, banks or databases for advertising purposes that are not adhered to any Code of Conduct, will comply with the duty of information by registering in the Registry referred to in article 21 of the Law.
No. 25,326.
Data related to health may only be processed, in order to make offers of goods and services, when they have been obtained in accordance with Law No. 25,326 and provided that they do not cause discrimination, in the context of a relationship between the consumer or
user and providers of medical services or treatments and non-profit entities. These data may not be transferred to third parties without the prior, express and informed consent of the owner of the data. To this end, the latter must receive clear notice
of the sensitive nature of the data you provide and that you are not obliged to supply them, together with the information of articles 6 and 11, paragraph 1, of Law No. 25,326 and the mention of your right to request the withdrawal of the database data.
ARTICLE 28.- The files, registers, databases or databases mentioned in article 28 of Law No. 25,326 are responsible and liable for the fines provided for in article 31 of the aforementioned law when they violate its provisions.
CHAPTER V
CONTROL
ARTICLE 29.
1. Create the NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION, within the scope of the SECRETARIAT OF JUSTICE AND LEGISLATIVE AFFAIRS of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, as a control body of Law No. 25,326.
The Director will have exclusive dedication to his function, will exercise his functions with full independence and will not be subject to instructions.
2. The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will be made up of a National Director, Level "A" with Executive Function I, appointed by the NATIONAL EXECUTIVE BRANCH, for a period of FOUR (4) years, and must be selected
between persons with antecedents in the matter, for which purpose the Minister of Justice and Human Rights, or whoever replaces him in his functions, is empowered to make the corresponding appointment, as an exception to the provisions of ANNEX I of Decree No. 993/91 and
its amendments.
The Directorate will have the hierarchical and administrative personnel designated by the Minister of Justice and Human Rights, taking advantage of the existing human resources in the NATIONAL PUBLIC ADMINISTRATION. The staff will be obliged to keep secrecy
Regarding the personal data of which it becomes aware in the development of its functions.
Within THIRTY (30) business days after taking office, the National Director will present a project of organizational structure and internal regulations, for approval by the NATIONAL EXECUTIVE BRANCH and publication in the Bulletin
Official.
3. The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will be financed through:
a) what it collects as fees for the services it provides;
b) the proceeds of the fines provided for in article 31 of Law No. 25,326;
c) the budgetary allocations that are included in the Budget Law of the National Administration as of the year 2002.
Temporarily, from the entry into force of this regulation and until December 31, 2001, the cost of the structure will be paid with the corresponding budget credit to the MINISTRY OF JUSTICE AND HUMAN RIGHTS for the
year 2001, without prejudice to the provisions of subparagraphs a) and b) of the previous paragraph.
4. The NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA will have an Advisory Council, which will function "ad honorem", in charge of advising the National Director on matters of importance, made up of:
a) a representative of the MINISTRY OF JUSTICE AND HUMAN RIGHTS;
b) a magistrate of the PUBLIC FISCAL MINISTRY specializing in the matter;
c) a representative of the private archives destined to give information designated by the Chamber that groups the national credit information entities;
d) a representative of the FEDERATION OF BUSINESS ENTITIES OF COMMERCIAL INFORMATION OF THE ARGENTINE REPUBLIC;
e) a representative of the CENTRAL BANK OF THE ARGENTINE REPUBLIC;
f) a representative of the companies dedicated to the purpose set forth in Article 27 of Law No. 25,326, appointed by the respective Chambers by mutual agreement, unifying the representation in one person;
g) a representative of the FEDERAL CONSUMER COUNCIL;
h) a representative from IRAM, the Argentine Institute for Standardization, specializing in the field of computer security;
i) a representative of the SUPERINTENDENCE OF INSURANCE OF THE NATION;
j) A representative of the Bicameral Commission for the Supervision of Internal Security and Intelligence Organs and Activities of the HONORABLE CONGRESS OF THE NATION.
Invite the entities mentioned in this subsection to designate the representatives that will make up the Advisory Council.
5. The functions of the NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION, in addition to those that arise from Law No. 25,326:
a) To dictate administrative and procedural rules relating to registration procedures and other functions under its responsibility, and technical rules and procedures relating to the treatment and security conditions of public files, records and databases or databases.
and private;
b) address the complaints and claims filed in relation to the processing of personal data under the terms of Law No. 25,326;
c) receive the fees that are set for the registration services and others that it provides;
d) organize and provide what is necessary for the proper functioning of the Registry of files, registries, databases or public and private databases provided for in Article 21 of Law No. 25,326;
e) design the appropriate instruments for better protection of citizens' personal data and better compliance with applicable legislation;
f) homologate the codes of conduct that are presented in accordance with the provisions of article 30 of Law No. 25,326, with the prior opinion of the Advisory Council, taking into account their adaptation to the regulatory principles of the processing of personal data, the
representativeness exercised by the association and body that elaborates the code and its executive effectiveness in relation to the operators of the sector through the provision of appropriate sanctions or mechanisms.
ARTICLE 30.- The NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION will encourage the elaboration of codes of conduct destined to contribute, depending on the particularities of each sector, to the correct application of the national provisions
adopted by Law No. 25,326 and this regulation.
Professional associations and other organizations representing other categories of managers or users of public or private files, registries, databases or databases, who have prepared draft codes of ethics, or who intend to
to modify or extend existing national codes, they may submit them to the consideration of the NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION, which will approve the ordinance or suggest the corrections deemed necessary for their
approval.
CHAPTER VI
SANCTIONS
ARTICLE 31.
1. The administrative sanctions established in article 31 of Law No. 25,326 will be applied to those responsible or users of public and private files, registries, databases or databases intended to provide information, whether or not they have been registered in the registry.
correspondent.
The amount of the sanctions will be graduated according to the nature of the personal rights affected, the volume of the treatments carried out, the benefits obtained, the degree of intentionality, the recidivism, the damages caused to the people.
interested parties and third parties, and any other circumstance that is relevant to determine the degree of unlawfulness and guilt present in the specific offending action. A repeat offender will be considered to have been sanctioned for an infraction of the Law
No. 25,326 or its regulations incur in another of a similar nature within a term of THREE (3) years, counting from the application of the sanction.
2. The proceeds of the fines referred to in article 31 of Law No. 25,326 will be applied to the financing of the NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION.
3. The procedure will be adjusted to the following provisions: a) The NATIONAL DIRECTORATE FOR PERSONAL DATA PROTECTION will initiate administrative actions in the event of alleged infractions of the provisions of Law No. 25,326 and its regulations.
regulations, ex officio or by complaint of whoever invokes a particular interest, the Ombudsman of the Nation or consumer or user associations.
b) A record will be drawn up stating the fact denounced or verified and the provision allegedly infringed.
In the same minutes, it will be arranged to add the accompanying documentation and to summon the alleged offender so that, within a period of FIVE (5) business days, he / she can present his discharge in writing and offer the evidence that he is entitled to.
If it is an inspection report, in which a subsequent technical verification is necessary for the purposes of determining the alleged infringement and that is positive, the alleged responsible party will be notified of the verified infringement, informing him
so that within a period of FIVE (5) business days they present their discharge in writing. In his first presentation, the alleged offender must establish domicile and prove legal status.
The record of the act drawn up in accordance with the provisions of this article, as well as the technical verifications that may be provided, will constitute sufficient proof of the facts thus verified, except in cases in which they are disproved by other evidence.
c) Evidence will be admitted only in the event of controversial facts and as long as they are not manifestly irrelevant. Only a reconsideration appeal will be granted against the resolution that denies test measures. The test shall
occur within a period of TEN (10) business days, extendable when there are justified causes, considering those not produced within said period due to causes attributable to the offender to be terminated.
Once the summary proceedings are concluded, the final resolution will be issued within a term of TWENTY (20) business days.
ARTICLE 32.- Not regulated.
CHAPTER VII
PERSONAL DATA PROTECTION ACTION
ARTICLES 33 to 46.- Not regulated.

