Argentina: major retail company sanctioned for breach of security obligations

In short

The Data Protection Authority has imposed a sanction on a well-known retail company for failing to meet its security obligations.

In depth

In September 2021, the Data Protection Authority (DPA) sanctioned a large group of distribution companies (“Society“) operating in Argentina for the following:

  • Failure to comply with its obligation to implement adequate technical and organizational security measures
  • Not informing the DPA or its clients of the security incident that the Company was aware of

Regarding the first element, the DPA alleged that the Company had violated Article 9 of Law No. 25,326 on the protection of personal data (PDPL) and that it had not provided any details on how it had managed, mitigated, communicated and documented the security incident. In addition, the DPA argued that the Company could not consider itself exempt from its security obligations by including certain clauses in its privacy policy.

In addition, although the PDPL does not expressly provide for the obligation to notify a security incident to the DPA or to the persons concerned, the DPA has stated that the Company should have proactively reported it given that it falls under the obligations. data controller to alert data subjects of any fraud or phishing maneuvers and / or allow them to exercise their rights.

In summary, the decision of the DPA would indicate in principle that:

  • Although the technical and organizational measures included in Resolution No. 47/2018 are recommendations, in practice the DPA uses them as a guide to verify the degree of compliance with the requirements of the PDPL.
  • Even if the PDPL does not provide for the obligation to report the incident to the DPA or to the persons concerned, in practice the DPA, by interpreting Article 9 of the PDPL and certain international standards that it follows, requires and promotes the principle of responsibility.

See the Spanish version

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may be termed a “lawyer advertisement” requiring notice in some jurisdictions. Past results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/disclaimers.


Source link

Anne G. Cash