The Data Protection Authority has imposed a sanction on a well-known retail company for failing to meet its security obligations.
In September 2021, the Data Protection Authority (DPA) sanctioned a large group of distribution companies (the "Company") operating in Argentina for the following:
- Failure to comply with its obligation to implement adequate technical and organizational security measures
- Failure to inform the DPA or its clients of the security incident that the Company was aware of
In addition, although the PDPL does not expressly provide for the obligation to notify a security incident to the DPA or to the persons concerned, the DPA has stated that the Company should have proactively reported it, given that it falls under the obligations of the data controller to alert data subjects of any fraud or phishing maneuvers and/or allow them to exercise their rights.
In summary, the decision of the DPA would indicate in principle that:
- Although the technical and organizational measures included in Resolution No. 47/2018 are recommendations, in practice the DPA uses them as a guide to verify the degree of compliance with the requirements of the PDPL.
- Even if the PDPL does not provide for the obligation to report the incident to the DPA or to the persons concerned, in practice the DPA, by interpreting Article 9 of the PDPL and certain international standards that it follows, requires and promotes the principle of responsibility.