Resolution No. 332/2020: Guidelines for audits by the Agency for Access to Public Information (“AAPI”).
Data Privacy & Data Protection Department Report | Resolution No. 332/2020: Guidelines for audits by the Agency for Access to Public Information (“AAPI”)
On 31 December 2020, Resolution No. 332/2020 of the Agency for Access to Public Information (“AAPI”) was published in the Official Gazette, approving the guidelines for personal data audits (the “Guidelines for Audits”), the purpose of which is to establish guidance and procedures for inspections in order to assess the degree of compliance with the regulations in force on the protection of personal data.
The Guidelines for Audits provide that the inspections, which may be scheduled or spontaneous, will cover legal and technical aspects of the processing of personal data and will involve the examination of the following general aspects relating to the protection of personal data:
a. Lawfulness of the processing;
b. Quality of the processed personal data;
c. Consent of the data subject;
d. Information;
e. Special categories of data;
f. Security;
g. Confidentiality;
h. International assignment and transfer of personal data;
i. Provision of credit information services;
j. Processing of data for advertising purposes;
k. Procedures for the exercise of the rights of data subjects: access, rectification, update or deletion.
In appropriate cases, other aspects will be taken into account, such as, for example, the existence of a personal data protection impact assessment; the terms and conditions and privacy policy of the data controller; the performance of a data protection officer; the notification systems to data subjects and to the AAPI in case of security incidents.
Likewise, the Guidelines for Audits establish that any public or private person may report to the AAPI an alleged unlawful activity that may violate the principles and obligations imposed by Law No. 25,326. The complainant will have the status of a third party in the procedure and not a party, reason why he/she does not have to prove that his/her rights have been affected.
Amongst other aspects, the Guidelines for Audits establish that the AAPI will implement annual planning of inspections. In this regard, the selection of the data controllers to be inspected will be based on objective criteria and may be ordered by sectors or groups, defining the number of inspections to be carried out, taking into account the following parameters, among others: impact of data processing on the privacy of individuals; the volume of data processing; type of data processed; a number of complaints received by the AAPI; severity of the complaints received and activity carried out.
Click here to access the full text of the regulation