Pursuant to Resolution No. 159/2018 published Dec. 7, 2018, in the Official Gazette, the Agency of Access to Public Information (Agencia de Acceso a la Información Pública, in Spanish) approved a set of guidelines for binding corporate rules as a mechanism available to multinational companies to legitimize international data transfers within their group.
BCRs are a mechanism to legitimize data exports within a corporate group. They are designed to be a global solution for multinational companies by ensuring their intra-group transfers comply with the relevant regulations.
Like the EU General Data Protection Regulation and other personal data protection laws around the world, the Argentine Personal Data Protection Law No. 25, 326 prohibits the cross-border transfer of personal data from Argentina to other countries or to international organizations that do not provide for an adequate level of protection. Pursuant to the Regulatory Decree No. 1558/2001, the AAIP is empowered to evaluate whether a country has an adequate level of protection of personal data. In that regard, AAPI’s Rule 60-E/2016 declared the following countries as adequate: member states of the European Union and the European Economic Area, Switzerland, Guernsey, Jersey, the Isle of Man, the Faeroe Islands, Canada (only applicable to the private sector), New Zealand, Andorra, Israel and Uruguay. The list could be periodically modified by the AAPI.
Regulatory Decree No. 1558/2001 also allows international data transfer to countries without an adequate legislation on personal data protection when: (i) the data subjects consent the transfer; or (ii) when adequate protection levels arise from contractual clauses – such as international data transfer agreements or self-regulation systems. Now, the AAIP has ruled aspects concerning the use of valid binding corporate rules in the context of the exception to the restriction for transferring personal data to non-adequate jurisdiction.
The guidelines approved by Regulation No. 159/2018 determine that the BCRs must be binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries. Moreover, this new regulation provides for the following elements and principles to be found in BCRs in order to reflect the requirements and conditions imposed by the Argentine Personal Data Protection Law framework.
- Lawfulness conditions: BCRs must consider the application of the general data protection principles, in particular, legal basis for processing, data quality, purpose limitation, transparency, security and confidentiality, the data subjects’ rights and the restriction to subsequent cross-border data transfer to non-adequate jurisdictions.
- Specific protection concerning sensitive aspects: This involves the restriction of the processing of special categories of personal data, the right to object to the processing of personal data for the purpose of unsolicited direct marketing, the right not to be subject to automated decision-making, and restricting the creation of files containing personal data relating to criminal convictions and offenses.
- Third-party beneficiaries: Both data subjects and the AAIP shall be deemed third-party beneficiaries regarding the rights and guaranties granted by the BCRs.
- Complaint procedure: Data subjects shall be allowed to institute a judicial or administrative complaint using their local venue.
- Liability: Members of the corporate group must be jointly liable vis-à-vis the data subject and the supervisory authority for any violation of BCRs.
- Supervisory authority: The AAIP shall hear in any cross-border transfer conducted by an Argentine entity as data exporter. Moreover, the AAIP will be entitled to intervene as third-party beneficiary in those cases in which personal data of subjects in Argentina is compromised.
- Legally binding nature: The BCRs must guarantee that its provisions are effectively binding upon the members of the corporate group vis-à-vis the data subjects and the AAIP.
- Training: The BCRs must provide for appropriate data protection training to personnel in charge of data processing activities.
- Finally, the BCRs shall provide for independent, effective and accessible judicial and administrative resources and mechanisms.
Those companies that would rely on BCRs that differ from the conditions stated in Regulation No. 159/2018 will need to submit the relevant document to the AAIP for approval within the term of 30 calendar days from the date that the transfer took place. No approval is required in the case of BCRs that follow the requirements of the regulation.
As a consequence of this new regulation, we expect to see an increased use of BCRs by multinational companies as an appropriate mechanism to validate the transfer of personal data to those countries that are not included in the white list of adequate jurisdictions.
If you want to comment on this post, you need to login.