Guidelines and basic contents of binding corporate rules.
CIRCULAR
Data Privacy & Data Protection Department Report: Guidelines and Basic Contents of Binding Corporate Rules
Dear Sir or Madam,
On December 7, 2018 Resolution No. 159/2018 (the “Resolution”) of the Access to Public Information Agency was published in the Official Gazette (“APIA”), through which the “Guidelines and Basic Contents of Binding Corporate Rules” were approved for the international data transfers of Argentinean companies to companies that belong to the same economic group located in countries without adequate level of protection for personal data.
In this connection, the guidelines establish that binding corporate rules that seek to achieve an adequate level of protection for personal data must be mandatory and enforceable for all companies that are part of the economic group (through corporate resolutions that oblige the company to comply with such rules) as well as for employees, subcontractors and third-party beneficiaries (through specific clauses). It also requires the provision of judicial and administrative remedies of an independent, effective and accessible nature.
Likewise, the binding corporate rules must include a series of minimum contents, which must be interpreted with the scope of Law 25,326 on Personal Data Protection or the one that replace it in the future, and are classified as follows: a) Conditions of lawfulness in the processing; b) Specific protection considering the sensitivity of the matter; c) Designation of the data subject and the APIA as third beneficiaries; d) Rights of the data subject; e) Local jurisdiction to exercise the rights of the data subject; f) Joint liability before the data subject and the control authority; g) Intervention of the APIA; h) Commitment to guarantee enforceability and well-founded explanation; i) Continuous training of personnel assigned to the processing of personal data.
The Resolution also provides that those companies that transfer personal data from Argentina to companies of the same group located in countries without adequate legislation for the protection of personal data and support their transfer in binding corporate rules that differ from the guidelines outlined in the Resolution, shall submit said rules for approval by the APIA within 30 days of the transfer.
Finally, it should be noted that this Resolution implies a new faculty that will allow economic groups to perform international data transfers to countries that do not have adequate level of protection and, at the same time, ensure the protection of personal data.
Please, do not hesitate to contact us should you require any additional information on this matter.
Sincerely.
Emilio Beccar Varela
Florencia Rosati
Mariel Marcet
Martín Beccar Varela