Argentine Data Protection Authority Approves Model Clauses
The Argentine Data Protection Authority recently issued a new regulation approving two sets of model contractual clauses (controller-to-controller and controller-to-processor) for the international transfer of personal data. Argentina’s Personal Data Protection Law No. 25,326 (PDPL) generally prohibits the transfer of personal data to countries that do not provide adequate levels of protection, unless certain narrow exceptions apply. The newly approved model clauses are deemed to guarantee an adequate level of protection for personal data. The clauses are based on the European Union (EU) model clauses with some modifications.
As in the EU, the Argentine DPA has recognized certain jurisdictions as providing adequate levels of protection. The list of adequate counties is set forth in the regulation and includes the majority of those countries deemed adequate by the EU (i.e., States of the EU and members of the European Economic Area (EEA), Andorra, Canada (with respect to the privacy sector), Switzerland, Faeroe Islands, Guernsey, State of Israel (with regard to automated processing of personal data), Isle of Man, Jersey, New Zealand, and the Eastern Republic of Uruguay). Notably absent from the list, however, is the United States and the U.S. Privacy Shield program.
What does the new regulation mean for companies that transfer personal data cross-border from Argentina to other jurisdictions? Companies must now ensure that:
If you have any questions about cross-border data transfers or about privacy compliance in general, please feel free to reach out to Kilpatrick Townsend’s Cybersecurity, Privacy, and Data Governance team. Our team is deeply committed to helping its clients integrate their privacy programs into their business strategies, addressing their bigger marketing, customer relations, and risk management issues along with regulatory compliance.
Amanda M. Witt