Argentina Adequacy Decision

(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.

(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.

(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25(2) thereof. The Working Party on Protection of Individuals with regard to the processing of Personal Data, established under Article 29 of Directive 95/46/EC, issued guidance on the making of such assessments(2).

(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.

(5) As regards Argentina, the legal standards on the protection of personal data have been provided for in general and sector-specific rules. Both of them have binding legal effect.

(6) General rules are laid down in the Constitution, the Personal Data Protection Act No 25.326 and the Regulation approved by Decree No 1558/2001 (hereinafter "Argentine Law").

(7) The Argentine Constitution provides for a special judicial remedy for the protection of personal data, known as "habeas data". This is a subcategory of the procedure enshrined in the Constitution for the protection of constitutional rights and therefore makes the protection of personal data a fundamental right. According to Article 43.3 of the Constitution any person is entitled, under the "habeas data" rule, to know the content and purpose of all the data pertaining to him or her contained in public records or data banks, or in private ones whose purpose is to provide reports. According to that Article in case of falsehood of information or its use for discriminatory purposes, a person will be able to demand the deletion, correction, confidentiality or update of the data contained in the above records. The Article will not affect the secrecy of journalistic information sources. Argentine jurisprudence has recognised "habeas data" as a fundamental and directly applicable right.

(8) The Personal Data Protection Act No 25.326 of 4 October 2000 (hereinafter "the Act") develops and widens the Constitutional provisions. It contains provisions relating to general data protection principles, the rights of data subjects, the obligations of data controllers and data users, the supervisory authority or controlling body, sanctions, and rules of procedure in seeking "habeas data" as a judicial remedy.

(9) The Regulation, approved by Decree No 1558/2001 of 3 December 2001 (hereinafter "the Regulation"), lays down rules for the enactment of the Act, supplements its provisions, and clarifies points of the Act that may be subject to diverging interpretation.

(10) Argentine Law covers the protection of personal data recorded in data files, registers, data banks or other technical means, which are public; and the protection of personal data recorded in data files, registers, data banks or other technical means which are private, whose purpose is to provide reports. This includes those which go beyond an exclusively personal use, and those which are intended for the assignment or transfer of personal data, irrespective of whether the circulation of the data or information produced is performed for payment or free of charge.

(11) Certain provisions of the Act apply uniformly throughout Argentina. They include general provisions and provisions concerning general data protection principles, rights of the data subjects, obligations of data controllers and users of data files, registers and data banks, criminal sanctions, and the existence and main features of the "habeas data" judicial remedy as established in the Constitution.

(12) Other provisions of the Act apply to registers, data files, databases or data banks which are interconnected through networks at inter-jurisdictional (meaning "interprovincial"), national or international level, and which are considered as falling within federal jurisdiction. They concern the control exercised by the supervisory authority, sanctions imposed by the supervisory authority, and the rules of procedure concerning the "habeas data" judicial remedy. Other kinds of registers, data files, databases or data banks should be regarded as falling under provincial jurisdiction. The provinces may issue legal provisions on these matters.

(13) Data protection provisions are also contained in a number of legal instruments regulating different sectors, such as credit card transactions, statistics, banking or health.

(14) Argentine Law covers all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided in order to safeguard important public interests. The application of these standards is guaranteed by a special, simplified and quick judicial remedy for the protection of personal data, known as "habeas data", along with the general judicial remedies. The Act provides for the establishment of a data protection controlling body charged with taking all actions necessary for compliance with the objectives and provisions of the Act and endowed with powers of investigation and intervention. Pursuant to the Regulation, the National Directorate for the Protection of Personal Data was established as the controlling body. Argentine Law provides for effective dissuasive sanctions, of both an administrative and a criminal nature. Furthermore, the provisions of Argentine law regarding civil liability (both contractual and extra-contractual) apply in the event of unlawful processing which is prejudicial to the persons concerned.

(15) The Argentine government has provided explanations and assurances as to how the Argentine law is to be interpreted, and has given assurances that the Argentine data protection rules are implemented in accordance with such interpretation. This Decision is based on these explanations and assurances, and is therefore conditional upon them. In particular, this decision relies on the explanations and assurances given by the Argentine authorities as to how the Argentine law is to be interpreted as regards which situations fall within the scope of the Argentine law in data protection.

(16) Argentina should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.

(17) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.

(18) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion on the level of protection of personal data in Argentina(3), which has been taken into account in the preparation of this Decision.

(19) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,