Share

New sanctions imposed by the data protection authority

New sanctions imposed by the data protection authority

By Mariano Peruzzotti and Belen Sorrentino.

During the first months of 2022 the Agency of Access to Public Information (AAPI) imposed sanctions to different organizations for violations of Personal Data Protection Law No. 25,326 (“PDPL”). Below we will briefly comment each case:

  • Electricity provider
    • The claimant requested an electricity provider to remove his personal data as the company had reported a debt that was challenged by the claimant. There was no business relationship between the parties. As the claimant did not receive a positive response, he filed a complaint with the Agency.
    • Consequently, the Agency requested the company to:
      • Inform whether it had provided a response to the claimant in due time;
      • If applicable, remove the claimant´s personal data;
      • Register the databases with the National Registry.
    • The electricity provider informed that the claimant registered no debt.
    • The Agency forwarded the response to the claimant, who did not raise any concern or objection.
    • Nevertheless, since the company had not complied with the obligation to register its databases, a fine of Argentine Pesos 80,001.00 (approximately USD 707.97 at the current exchange rate) was imposed.
  • Medical institution
    • The claimant asked a medical institution to remove her personal data. In view of the lack of response, she filed a complaint with the Agency, which in turn requested the company to:
      • Inform whether it has proceeded to the removal of the personal data belonging to the claimant;
      • Has registered its databases with the National Registry.
    • The medical institution informed that it had removed the personal data and that the company’s databases were already registered with the Agency.
    • The claimant additionally challenged the transfer of personal data to the relevant health insurance provider. However, the Agency considered that the transfer was lawful under the terms of the PDPL since in this case the consent of the data subject was not required.
    • Since the organization did not have completed the database registration proceedings, the Agency sanctioned the company with a fine of Argentine Pesos 80,001 (approximately USD 707).
  • Financing entity
    • The claimant sent an e-mail to the financing entity requesting the update of her credit information that was held in the company’s records. As she received no reply, a complaint with the Agency was filed.
    • The Agency requested the company to:
      • Inform whether it has given a response to the data subject in due time;
      • If applicable, proceed to the update of the relevant credit records;
      • If applicable, inform this modification concerning the individual’s credit profile to the Central Bank and Equifax Argentina; and
      • Comply with the registration of its databases with the Agency.
    • As a consequence of not receiving a proper reply, the Agency considered that the company committed the following infringement:
      • Failure to provide the requested information.
      • Failure to comply with the request for access, rectification or removal of personal data.
    • Regarding the registration of its databases, the Agency could verify that the company had complied with the obligation in due time.
    • Thus, the Agency imposed a fine of Argentine Pesos 40,001 (approximately USD 354).
  • Financial trust
    • The claimant requested a financial trust to inform about an alleged debt that the company had claimed insistently.
    • As no response was received, the claimant filed a complaint with the Agency. Consequently, the supervisory authority ordered the company to:
      • Inform whether it had answered the claimant’s petition;
      • If applicable, remove the relevant personal data or inform the reasons for the refusal;
      • If applicable, cease with any communication addressed to the claimant or her relatives requesting the payment of the debt;
      • Comply with the obligation or registering the database with the Agency.
    • The Agency considered that the company committed the following violations:
      • Failure to provide the information requested by the Agency;
      • Failure to comply in due time with the request for access, rectification or removal of the personal data; and
    • The Agency realized that the company had complied with the registration obligation before being served notice of these charges.
    • Since the company did not answer the notifications, the Agency imposed a fine of Argentine Pesos 60,000 (approximately USD 530).

In the following case, the Agency imposed a sanction for breaching the provisions of the Do Not Call Registry regime.

  • Internet and satellite TV service provider
    • The Agency received 724 complaints against the company for alleged abuse of contact, advertising, offer, sale and gift of unsolicited goods or services by telephone. This conduct could constitute an infringement to the Do Not Call Registry Law No. 26,951.
    • Consequently, the Agency requested the company to provide information about the case and submit its defenses.
    • The company’s arguments were dismissed and the Agency imposed a fine of Argentine Pesos 3,000,000 (USD 26,548) for committing the following infringements:
      • To not provide the requested information in due time.
      • To contact 724 telephone lines that were duly registered with the Do Not Call Registry.

For further information contact: mperuzzotti@ojambf.com.

Share post: