Data Privacy & Data Protection Department Report | Normative alert: Resolution No. 4/2019 of the Access to Public Information Agency
Dear Sir or Madam,
Resolution No. 4/2019 (the “Resolution”) of the Access to Public Information Agency was published in the Official Gazette yesterday, through which the guiding criteria and indicators of best practices regarding the application of Law No. 25,326 were approved, being of obligatory observance for all those subjects reached by said law.
In this connection, the guiding criteria and indicators of best practices regarding the application of Law No. 25,326 regulate, in summary, the following aspects:
a) Right of access to personal data collected through video surveillance systems: in response to a request from the owner of the data to access their personal data collected through video surveillance systems (their personal image), certain guidelines must be taken into consideration.
b) Automated data processing: in the event that the data controller makes decisions based solely on the automated processing of data that produce pernicious legal effects to the owner of the data or negatively affect it in a negative way, the owner of the data will have the right to request an explanation of the logic applied in that decision, in accordance with article 15, paragraph 1, of Law No. 25,326.
c) Dissociation of data: it will not be considered a determinable person, under the terms of Article 2 of Law No. 25,326, when the procedure to be applied to achieve its identification requires the application of disproportionate or unfeasible measures or deadlines.
d) Biometric data: the biometric data that identify a person will be considered sensitive data (according to article 2, Law No. 25,326) only when they can reveal additional data whose use could be potentially discriminatory for their owner (e.g. data revealing ethnic origin or health information).
e) Consent: whatever the type of consent adopted, according to Article 5, paragraph 1, of Law No. 25,326, the person responsible for the database must prove that the person who has given such consent is actually the owner of the data required and not another person, that is, that has effective identity validation mechanisms.
Please, do not hesitate to contact us should you require any additional information on this matter.
Emilio Beccar Varela
Martín Beccar Varela