Search for:

In brief

The Data Protection Authority applied a sanction to a well-known retail company for breaching its security obligations.


In depth

In September 2021, the Data Protection Authority (DPA) sanctioned an important retail company group (“Company“) operating in Argentina for the following:

  • Breaching its obligation to implement adequate technical and organizational security measures
  • Not informing the DPA nor its clients about the security incident the Company was experiencing

Regarding the first item, the DPA alleged that the Company breached Section nine of Personal Data Protection Law No. 25,326 (PDPL) and that it provided no details on how it managed, mitigated, communicated and documented the security incident. Further, the DPA argued that the Company could not consider itself exempt from its security duties by including certain clauses in its Privacy Policy.

In addition, even if the PDPL does not expressly foresee the obligation to notify a security incident to the DPA nor to the affected data subjects, the DPA stated that the Company should have reported it proactively given that it is within the data controller’s security duties to alert data subjects of possible fraud or phishing manoeuvres and/or to allow them to exercise their rights.

To sum up, the DPA’s decision would, in principle, portray that:

  • Even if the technical and organizational measures included under Resolution No. 47/2018 are recommendations, in practice the DPA uses them as guidance to verify the degree of compliance of the PDPL requirements.
  • Even if the PDPL does not foresee the obligation to report the incident to the DPA nor to the affected data subjects, in practice the DPA, by interpreting Section 9 of the PDPL and certain international standards that it follows, requires and promotes the accountability principle. 

View Spanish version

Author

Guillermo Cervio is a partner in Baker & McKenzie´s Buenos Aires office. With more than 25 years of experience, he has been consistently recognized as a foremost practitioner in his field. He served as the coordinator of the Information Technology & Communications Group during from 2008 to 2016. Guillermo has authored books and articles on legal matters. He has been awarded for his book “Derecho de las Telecomunicaciones” by the National Academy of Law (Mención de honor, 1998) and Austral University (Premio tesina,1997) and for his paper filed in the IX National Congress on Corporate Law (Tucumán, 2004).He has been a professor in universities including the University of Buenos Aires, Austral University, Palermo University, Catholic University and CEMA. Guillermo has been awarded with Folsom fellowship granted by Center for American and International Law, Dallas, US in 2003.

Author

Martín Roth is a partner in the M&A, Real Estate and TMT practice groups in Baker McKenzie's Buenos Aires office. Martín has more than 13 years of extensive transactional domestic and international experience, focusing on the real estate and TMT industries. Prior to joining Baker McKenzie, he worked as a trainee lawyer on the Corporate, Banking/Finance and Litigation areas with a local law firm in Argentina. From 2007 to 2012, he worked in Baker McKenzie's Buenos Aires office. From 2013 to 2016, he worked as an independent attorney at another law firm. Martín rejoined the Buenos Aires office in 2016 and was named partner in July 2019.