Data Protection Law and Do Not Call Law. Modifications to the sanctioning regime
Data Privacy & Data Protection – Cybersecurity Department Report
Resolution No. 126/2024 (the “Resolution” – available only in Spanish here) of the Agency of Access to Public Information (“AAPI”) was published on May 27th in the Official Gazette.
The Resolution introduces modifications to the sanctioning regime for non-compliance with the Personal Data Protection Law No. 25.326 (“DP Law”) and the Do Not Call Law No. 26.951 (“DNC Law”).
The Resolution, which comes into force on June 1, 2024, approves the following:
Under Annexes I and II: the “Classification of Infringements” and the “Graduation Regime for Infringements”.
Among the new features introduced under Annex II, the Resolution stipulates that when there is an accumulation and the condemning administrative act includes more than one pecuniary sanction for identical punishable conduct, a cap on the total amount of the fine will apply, equivalent to the maximum of the scale that corresponds according to the seriousness of the infringement multiplied by 500 (five hundred).
This implies an increase in the cap amounts to be applied, which will be as follows: (i) in the case of minor violations AR$40,000,000 (forty million pesos), (ii) in the case of serious violations AR$45,000,000 (forty-five million pesos), and (iii) in the case of very serious violations AR$50,000,000 (fifty million pesos).
Additionally, regarding the payment of fines, the Resolution establishes that: (i) in the event of voluntary payment within 20 business days from the notification of the resolution imposing the sanction, the amount of the fines will be reduced by 50%, and (ii) failure to pay the imposed fines will make their collection enforceable through fiscal execution, with the authenticated testimony of the condemning resolution constituting sufficient executive title.
Notwithstanding the sanctions imposed, the National Directorate of Personal Data Protection (“NDPDP”) may impose an obligation on the sanctioned party to cease the non-compliance that gave rise to the sanction and may mandate compulsory training on personal data protection to prevent the recurrence of the infringing conduct.
Under Annex III: the “Procedure for the registration, deregistration, and change of ownership of telephone lines in the National ‘Do Not Call’ Registry and consultation of procedures and complaints”.
Under Annex IV: the “Procedure relating to complaints for alleged non-compliance with Law No. 26.951 and the initiation and management of administrative proceedings” which establishes the conditions for the admissibility of a complaint and the guidelines to be followed for the initiation and management of administrative proceedings.
Under Annex V: the “Procedure for consulting the National ‘Do Not Call’ Registry” which must be followed by those who advertise, offer, sell, or give away goods or services using telephone services in any of their forms, at least every 30 days.
Under Annex V, an automated consultation system is provided, which can be accessed by those required to comply with the procedure after meeting the following requirements: (i) being duly registered in the National Database Registry and having declared the database to be used for conducting telephone advertising campaigns, and (ii) submitting the Authorization Form for the consultation of registrations and deregistrations in the National ‘Do Not Call’ Registry ‘FC.01’—accompanied by the specified documentation—through one of the approved channels, as authorized by the Resolution under Annex VI.
Under Annex VI: the “Form for requesting the consultation of registrations in the National ‘Do Not Call’ Registry ‘FC.01’.”
Additionally, the Resolution establishes that the NDPDP will manage the Register of Violators of the DP Law and Do Not Call Law, with the objectives of: (i) organizing and keeping the register up-to-date, and (ii) recording the nature of the violation committed, the sanction applied, the degree of compliance with it, the appeals filed, the final decision reached, the recidivist status of the violator, and any other elements of interest to the NDPDP.
Furthermore, the Resolution approves the implementation of the National ‘Do Not Call’ Registry and its management system, establishing that the holders or users of telephone services, in any of their forms, may file complaints for non-compliance with Law No. 26.951 through the website https://nollame.aaip.gob.ar.
The Resolution repeals, effective from its entry into force, the National Directorate of Personal Data Protection Provision No. 7/05 and the Agency of Access for Public Information Resolutions No. 12/18; No. 240/22; No. 243/19, and No. 244/22.
We remain at your disposal for any additional information you may need.
Yours sincerely,
Emilio Beccar Varela
Florencia Rosati
Mariana Lamarca Vidal
Martín Beccar Varela