In brief
On 4 January 2022, Disposition No. 1/22 issued by the National Registry of Persons (Renaper) was published in the Official Gazette, approving Renaper’s Personal Data Protection Policy (“Policy“).
In depth
The Policy aims to safeguard and protect the right to privacy of individuals whose data is processed by Renaper.
The Policy follows the provisions of Personal Data Protection Law No. 25,326 and includes novelty international criteria, some of which are included in guidelines and complementary resolutions issued by the Public Access Information Agency (“Agency“).
The Policy sets forth the following, among other matters:
- Biometric Data (Sections 4 and 9). This is defined as personal data resulting from specific processing related to the physical or physiological characteristics of an individual, which allows to confirm or confirms the unique identification of that individual. Biometric data will only be considered sensitive data if, as the result of the processing, the biometric data reveals additional information the use of which may potentially result in the discrimination of the data subject.
- Privacy by Design (Section 17). To ensure the respect of privacy and of the principles set forth in the Policy, Renaper will implement technical and organizational measures from the early stages of the design of any operation involving the processing of personal data.
- Security Incident Notification (Section 23). The data protection officer (DPO) must notify the Agency and the National Cybersecurity Directorate of a security incident within 48 hours of having effective knowledge of such incident.
- Appointment of a DPO (Section 25). The appointed DPO must ensure compliance with the Policy and act as a consultant to those who are responsible for the processing of personal data.
Click here to download the Spanish Version.