In brief
The Data Protection Authority applied a sanction to a well-known retail company for breaching its security obligations.
In depth
In September 2021, the Data Protection Authority (DPA) sanctioned an important retail company group (“Company”) operating in Argentina for the following:
- Breaching its obligation to implement adequate technical and organizational security measures
- Not informing the DPA or its clients about the security incident the Company was experiencing
Regarding the first item, the DPA alleged that the Company breached Section 9 of Personal Data Protection Law No. 25,326 (PDPL) and that it provided no details on how it managed, mitigated, communicated and documented the security incident. Further, the DPA argued that the Company could not consider itself exempt from its security duties by including certain clauses in its Privacy Policy.
In addition, even though the PDPL does not expressly establish an obligation to notify a security incident to the DPA or to the affected data subjects, the DPA stated that the Company should have reported it proactively, given that it is within the data controller’s security duties to alert data subjects to possible fraud or phishing manoeuvres and/or to allow them to exercise their rights.
To sum up, the DPA’s decision would, in principle, indicate that:
- Even though the technical and organizational measures included under Resolution No. 47/2018 are recommendations, in practice the DPA uses them as guidance to verify the degree of compliance with the PDPL requirements.
- Even though the PDPL does not establish an obligation to report the incident to the DPA or to the affected data subjects, in practice the DPA, by interpreting Section 9 of the PDPL and certain international standards that it follows, requires and promotes the accountability principle.