Insights: Alerts Argentine Data Protection Authority Approves Model Clauses
The Argentine Data Protection Authority recently issued a new regulation approving two sets of model contractual clauses (controller-to-controller and controller-to-processor) for the international transfer of personal data. Argentina’s Personal Data Protection Law No. 25,326 (PDPL) generally prohibits the transfer of personal data to countries that do not provide adequate levels of protection, unless certain narrow exceptions apply. The newly approved model clauses are deemed to guarantee an adequate level of protection for personal data. The clauses are based on the European Union (EU) model clauses with some modifications.
As in the EU, the Argentine DPA has recognized certain jurisdictions as providing adequate levels of protection. The list of adequate counties is set forth in the regulation and includes the majority of those countries deemed adequate by the EU (i.e., States of the EU and members of the European Economic Area (EEA), Andorra, Canada (with respect to the privacy sector), Switzerland, Faeroe Islands, Guernsey, State of Israel (with regard to automated processing of personal data), Isle of Man, Jersey, New Zealand, and the Eastern Republic of Uruguay). Notably absent from the list, however, is the United States and the U.S. Privacy Shield program.
What does the new regulation mean for companies that transfer personal data cross-border from Argentina to other jurisdictions? Companies must now ensure that:
- Personal data is only transferred to jurisdictions identified as adequate by the Argentine DPA;
- Non-conforming contractual clauses are submitted to the DPA for approval within 30 days; or
- Agreements are updated to include the new clauses.
If you have any questions about cross-border data transfers or about privacy compliance in general, please feel free to reach out to Kilpatrick Townsend’s Cybersecurity, Privacy, and Data Governance team. Our team is deeply committed to helping its clients integrate their privacy programs into their business strategies, addressing their bigger marketing, customer relations, and risk management issues along with regulatory compliance.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.