Argentina Personal Data Protection Act (Law 25.326)
Argentina's Personal Data Protection Act (Law 25.326) is the country's foundational privacy law, grounded in the constitutional right of habeas data and recognized as EU-adequate. It requires consent, database registration, and security measures, enforced by the AAIP.
Argentina Personal Data Protection Act (Law 25.326)
Argentina's Personal Data Protection Act, Law No. 25.326, is the country's foundational data protection statute. It took effect on November 2, 2000 and implements the constitutional right of habeas data, which lets individuals access and correct information held about them. Argentina was one of the first countries in Latin America to be recognized by the European Commission as providing an adequate level of data protection, facilitating data flows with the EU.
Who It Applies To
The law applies to the processing of personal data recorded in public or private databases intended to provide reports, and it covers both public and private sector controllers operating in Argentina. The Agency for Access to Public Information (AAIP) is the supervisory authority. While the law is over two decades old, its broad scope and habeas data foundation give it wide reach, and a modernization effort to align it more closely with the GDPR has been under consideration.
Key Requirements
Processing requires the data subject's free, express, and informed consent unless an exception applies. Sensitive data, such as data revealing racial origin, political opinions, religious beliefs, or health, is subject to stricter limits. Data subjects have rights to information, access, rectification, updating, and suppression of their data. Controllers must register their databases with the AAIP and adopt technical and organizational security measures. Cross-border transfers to countries without adequate protection are restricted unless safeguards or consent are in place.
Penalties for Non-Compliance
The AAIP can impose administrative sanctions ranging from warnings and suspensions to fines, and it may order the closure or cancellation of non-compliant databases. Affected individuals may also pursue habeas data actions in court to enforce their rights.
How to Comply
Obtain valid consent and apply heightened protections to sensitive data. Register relevant databases with the AAIP and keep registrations current. Honor access, rectification, and suppression requests, and implement appropriate security measures. For international transfers, rely on adequacy, contractual safeguards, or explicit consent.
Modernization Outlook
Argentina's regime predates the GDPR, and a reform bill to modernize Law 25.326 toward GDPR-style principles, lawful bases, and stronger enforcement has been under discussion. Organizations operating in Argentina should track this reform, maintain database registrations under the current rules, and design programs that can absorb GDPR-aligned obligations such as data protection impact assessments and breach notification with minimal rework.
Building a Durable Program
Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.