Regulation No. 1/2022 of the National Registry of Persons Directorate: approval of the ReNaPer´s Personal Data Protection Policy.
CIRCULAR
Data Privacy and Data Protection Department Report | Regulation No. 1/2022 of the National Registry of Persons Directorate: approval of the ReNaPer´s Personal Data Protection Policy.
Dear Sir or Madam,
On January 4, 2022, Regulation No. 1/2022 (the “Regulation”) of the National Registry of Persons Directorate (“ReNaPer”, for its acronym in Spanish) was published in the Official Gazette, whereby the “The ReNaPer´s Personal Data Protection Policy” (the “Policy”) was approved.
The Policy was drafted with the main purpose of safeguarding and protecting the right to privacy of individuals whose personal data may be processed by the ReNaPer.
The Policy reaches the entire scope of ReNaPer, its human resources and the agencies that depend on it, the offices that the ReNaPer has in the Argentine territory or jurisdiction, and those public agencies or agents to whom ReNaPer delegates the performance of any function within the framework of its specific and delegated competencies. All ReNaPer personnel, regardless of their relationship with it, and those individuals or legal entities that have access to ReNaPer’s systems or use its services directly or indirectly, must comply with the Policy.
Among some of the most important aspects of the Policy, the following may be mentioned:
1. The incorporation of the concept of “Biometric Data”, which is defined as the personal data resulting from specific treatments related to the physical or physiological characteristics of a natural person, which allow or confirm their unique identification.
2. The inclusion of the concept of “Privacy by Design”, that establishes the ReNaPer must apply all technical and organizational measures within its reach to ensure respect for privacy from the early stages of the design of any operation involving the processing of personal data.
3. The obligation to notify the Agency for Access to Public Information and the National Cybersecurity Directorate in case of detection of a security incident -which is defined as any attempt or unauthorized access, use, disclosure, modification, or destruction of personal data. To this end, the Policy establishes a 48-hour time limit for notifying said authorities of the security incident, and at the same time taking corrective and mitigating measures to minimize the consequences of the incident.
4. The adoption of criteria for the Impact Assessment of personal data, in those cases where third parties who are in charge of the processing of personal data request access to ReNaPer’s databases. To this end, the Policy establishes that the impact assessment must include at least: (i) that the purposes of processing be adequate and in compliance with the Policy; (ii) the implementation of technical and organizational measures foreseen to protect personal data from undue access inside and outside the organization; (iii) compliance with ReNaPer’s policies, both in personal data protection and information security policy; (iv) that the data not be stored by the third party at any time during the relationship with ReNaPer.
5. The appointment of a personal data protection officer, who shall ensure compliance with the Policy and shall act as a consultant to those responsible for the processing of data.
You may access the full text of the Regulation and its Annex by clicking on the following link: Regulation No. 1/2022 National Registry of Persons Directorate.
Please, do not hesitate to contact us should you require any additional information on this matter.
Sincerely,
Emilio Beccar Varela
Florencia Rosati