The Data Protection Authority applied a sanction to a well-known retail company for breaching its security obligations.
In September 2021, the Data Protection Authority (DPA) sanctioned an important retail company group (“Company”) operating in Argentina for the following:
- Breaching its obligation to implement adequate technical and organizational security measures
- Not informing the DPA or its clients about the security incident the Company was experiencing
In addition, even though the PDPL does not expressly provide for an obligation to notify the DPA or the affected data subjects of a security incident, the DPA stated that the Company should have reported it proactively, given that it is within the data controller’s security duties to alert data subjects of possible fraud or phishing manoeuvres and/or to allow them to exercise their rights.
To sum up, the DPA’s decision indicates, in principle, that:
- Even if the technical and organizational measures included under Resolution No. 47/2018 are recommendations, in practice the DPA uses them as guidance to verify the degree of compliance with the PDPL requirements.
- Even if the PDPL does not provide for an obligation to report the incident to the DPA or to the affected data subjects, in practice the DPA, by interpreting Section 9 of the PDPL and certain international standards that it follows, requires and promotes the accountability principle.