Breaking down data rules from around the globe

Argentina’s Personal Data Protection Law

Argentina enacted the Personal Data Protection Law (PDPL) in 2000 to protect individuals' privacy rights. It aligns with the European data privacy law, the GDPR.

Learn more about what PDPL is and how to comply with the law.

What Is Argentina’s Personal Data Protection Law?

The Personal Data Protection Act (PDPA), officially known as Law No. 25,326 (Ley de Protección de los Datos Personales), was enacted in 2000 to regulate the processing of personal data and help protect individuals' privacy rights.

Argentina is among the first countries in Latin America when it comes to data protection, aligning closely with international standards such as the European Union's General Data Protection Regulation (GDPR).

In 2016, a new regulation (Provision 60-E/2016, in Spanish) was issued that governs cross-border transfers of personal data. Based on the data transfer model in the EU, this new regulation approved model forms for such transfers to data controllers and data processors.

Argentina was the first country in Latin America to achieve an adequacy qualification for data transfers from the EU.

Use CookieScript CMP to comply with the PDPL, GDPR, and other privacy laws worldwide. In 2024, users ranked CookieScript CMP on G2, a peer-reviewed website, as the best CMP.

Who does Argentina’s PDPL Apply to?

Argentina’s PDPL applies to:

  • Organizations established in Argentina that collect, use, and share personal data of Argentina residents (data subjects);
  • Organizations that are not established in Argentina but process data of Argentina residents or monitor or profile Argentina residents;
  • Government agencies and armed forces of Argentina (with some proportional limitations that respect fundamental rights).

Note that the law applies to organizations that collect and process the personal data of Argentina residents, even if the data processing takes place abroad.

The PDPA covers the personal data of individuals in Argentina and applies to both natural persons and public or private legal entities.

Data Subject Rights under the PDPL

Under the PDPL and its updated regulation, data subjects have the following rights:

  • Right to access: Individuals have the right to know what personal data was collected and is stored and processed by data controllers.
  • Right to update or correct: Individuals have the right to request correction of inaccurate or incomplete data.
  • Right to delete: Individuals have the right to request deletion of personal data when it is no longer necessary or was unlawfully processed.
  • Right to object: Individuals have the right to object to the processing of personal data on legitimate grounds.
  • Right to object to automated decisions and profiling: Data subjects have the right to object to automated decisions and profiling, meaning that they can request a human review of decisions based on automated processing.
  • Right to data portability: Data subjects can request a copy of their data in a usable format. However, this right does not apply if the requests are excessive or violate other data subjects’ privacy.
  • Right to limit data processing: Data subjects can request to limit data processing under specific conditions, such as disputing data accuracy or objecting to processing.

Under the PDPL, organizations must respond to data requests within 10 calendar days from the date of the request.

Fundamental Principles of Argentina’s PDPL

The PDPL sets out the following core principles:

  • Lawfulness and transparency: Organizations must collect personal data lawfully. This means that they must obtain the data subject's consent prior to the collection of personal data. Personal data must be processed lawfully, fairly, and transparently. The information about the processing must be clear and easily accessible.
  • Purpose limitation: Personal data should be collected only for legitimate purposes. Additional processing that is not compatible with the original purpose is not allowed. However, processing for statistical or public interest research purposes is allowed.
  • Data minimization: The law requires organizations to collect and process only the minimal amount of personal data necessary for the original purpose.
  • Accuracy: Data controllers must ensure personal data is accurate and up-to-date. They must correct or delete personal data upon request from data subjects.
  • Storage limitation: Personal data must be retained only as long as necessary for the original purposes for which it was collected. When the purposes are achieved, personal data must be deleted. However, it is allowed to keep the data longer for statistical, archival, and research purposes.
  • Security and confidentiality: Organizations must implement adequate security measures to protect personal data from unauthorized access, alteration, or deletion. Data processing must remain confidential even after the relationship with the data subject ends.
  • Accountability: Organizations must comply with the PDPL. This includes conducting data protection impact assessments (DPIAs).

What Is Personal Information under Argentina’s PDPL?

The PDPL defines personal data as any information related to identified or identifiable natural persons or legal entities.

An identifiable person can be identified directly or indirectly using physical, physiological, genetic, mental, economic, cultural, or social identifiers.

Sensitive personal data includes data revealing health information, sexual preferences, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic or biometric data. The law sets higher security, confidentiality, access restriction, and usage and sharing requirements for sensitive personal data processing.

Consent Requirements under Argentina’s PDPL

The lawfulness principle of the law means that organizations must obtain the data subject's consent for the collection of personal data.

User consent must be:

  • Prior: Organizations must obtain user consent before data collection.
  • Explicit: User consent must be obtained through clear affirmative action. Closing a Cookie Banner or continuing to search a website does not mean that a data subject gave explicit consent.
  • Freely given: User consent must not be achieved through deceptive means or dark patterns.
  • Informed: As outlined in Article 16, organizations must inform data subjects of the purposes for which they need personal information.
  • Specific: If data processing involves multiple purposes, data subjects should grant consent for each distinct purpose. General user consent for all purposes is not allowed.
  • Unambiguous: Organizations must clearly explain why they need to collect personal information and what they are planning to do with it. Organizations must keep user consent and should be able to demonstrate that they process personal data for the purposes for which the consent was collected.

Data subjects have the right to revoke or withdraw consent at any time without justification. However, they can't revoke consent when a legal or contractual obligation exists to process the data.

Organizations must provide easy and cost-free mechanisms to revoke consent. Consent revocation should be as easy as the mechanism to grant consent.

Unlike the GDPR and other privacy laws, Argentina’s data privacy law does not specifically define children. According to the PDPL, both adults and children must grant consent for the processing of their data.

Enforcement of the PDPL and Penalties

The Argentine Agency of Access to Public Information (Agencia de Acceso a la Información Pública, AAIP) within the Chief of Ministries' Cabinet is responsible for enforcing the PDPL.

Non-compliance with the PDPL can lead to sanctions ranging from warnings and suspensions to fines and the closure of databases.

The law provides administrative fines for violations, ranging from ARS 1,000 ($1) to ARS 100,000 ($100).

A current draft bill proposes significantly higher penalties. If enacted, fines could range from ARS 50,000 (approximately $50) to ARS 10 billion (approximately $10 million), or 2% to 4% of the company’s total annual turnover, whichever is higher.

These proposed changes aim to align Argentina's data protection law more closely with international standards, such as the EU's GDPR.

International Transfer of Personal Data under Argentina’s PDPL

The Argentine Agency of Access to Public Information (AAIP) regulates the transfer of personal data.

According to the law, transfers to countries that are not considered adequate for personal data protection are forbidden.

The AAIP designates the countries that have adequate legislation regarding personal data protection, including:

  • Member States of the European Economic Area
  • Andorra
  • Guernsey
  • Jersey
  • Isle of Man
  • Faroe Islands
  • Canada (only private sector)
  • New Zealand
  • Switzerland
  • Uruguay

International data transfers can also be made if:

  • The data subject grants consent to it;
  • It is necessary to fulfill contractual obligations; or
  • It is necessary for public interest, legal proceedings, or to protect the vital interests of data subjects.

The data exporter is responsible for ensuring compliance with the necessary laws. Data exporters must implement safety measures, provide individuals with their data rights, and be accountable for any potential violations.

How to Comply with Argentina’s PDPL?

Follow this checklist to comply with Argentina’s PDPL:

  • Obtain explicit, freely given, informed, specific, and unambiguous user consent before collecting or processing personal data.
  • Inform data subjects about what personal data will be collected, why, and with whom it will be shared.
  • Provide data subjects with the mechanism to revoke their user consent for personal data management.
  • Process personal data lawfully, fairly, and transparently.
  • Collect and process personal data only for legitimate purposes.
  • Collect and process only the minimal amount of personal data necessary for the original purpose.
  • Don’t store personal data longer than necessary for the original purposes for which it was collected.
  • Implement adequate security measures to protect personal data from unauthorized access, alteration, or deletion.
  • Conduct data protection impact assessments (DPIAs).
  • Transfer personal data only to third parties that provide an adequate level of protection.
  • Notify users and the supervisory authority in case of a data breach.
  • Take proactive steps to comply with the PDPL.

How can CookieScript Help?

Choose a professional Consent Management Platform (CMP) to comply with the PDPL and other privacy laws.

CookieScript provides essential features and functionalities such as:

CookieScript CMP also offers automation solutions and integrations, including:

Geo-targeting. The CookieScript geo-targeting feature allows businesses to show different banners to website users from different countries, thus enabling compliance with many privacy laws. Different countries or states require different levels of compliance. The feature determines your website user’s location and automatically presents the correct Cookie Banner. This is a valuable feature when you have visitors from all over the world. The CookieScript geo-targeting feature is available for 250 countries and 50 US states.

Local storage and session storage. Besides cookies, CookieScript also scans for local storage and session storage and blocks them until users provide consent. Local storage and session storage need to be checked to fully comply with the GDPR.

In 2024, CookieScript CMP was ranked by users as the best CMP on G2, a peer-review site.
It also received a GOLD Tier in the New Google Tiering System.

Frequently Asked Questions

Does Argentina have a personal data protection law?

Argentina’s Personal Data Protection Act (PDPA), officially known as Law No. 25,326 (Ley de Protección de los Datos Personales), was enacted in 2000 to regulate the processing of personal data and help protect individuals' privacy rights. Argentina is among the first countries in Latin America when it comes to data protection, aligning closely with international standards such as the European Union's GDPR. Use CookieScript CMP to comply with the PDPL, GDPR, and other privacy laws worldwide.

What is the Data Protection Act in Argentina?

Argentina’s Personal Data Protection Law (PDPL) was passed in 2000 by the Argentina National Congress to regulate the collection and processing of personal data by government agencies and private organizations in Argentina. Argentina is among the first countries in Latin America when it comes to data protection, aligning closely with international standards such as the European Union's GDPR. The law has many similarities with the GDPR. Use CookieScript CMP to comply with the PDPL.

Can I request to delete my data according to Argentina’s Ley 25.326?

Yes. Article 16 of Argentina’s Ley 25.326 gives individuals the rights to data correction, updating, or deletion. Individuals have the right to request deletion of personal data when it is no longer necessary or was unlawfully processed. CookieScript CMP can help your website to comply with the PDPL, GDPR, and other privacy laws worldwide.

Who does Argentina’s Personal Data Protection Act apply to?

Argentina’s PDPL applies to: organizations established in Argentina that collect, use, and share personal data of Argentina residents; organizations that are not established in Argentina but process data of Argentina residents or monitor or profile Argentina residents; and government agencies and armed forces of Argentina. CookieScript CMP can help your website to comply with the PDPL, GDPR, and other privacy laws worldwide.

Do I need user consent to collect user data under Argentina’s Personal Data Protection Act?

Yes, organizations must obtain the data subject's consent for the collection of their personal data. User consent must be prior, explicit, freely given, informed, specific, and unambiguous. Data subjects have the right to revoke or withdraw consent at any time without the need for justification. Use Consent Management Platforms such as CookieScript to collect and store user consent through cookie banners.
