Disposition Nº 1/2003. Data Protection infrigments and penalties.

On June 25, 2003 the Director of the Data Protection Agency of Argentina enacted Disposition Nº 1/2003 describing the different types of infrigments and fines established in Section 31 of Law No. 25.326.

Such fines range from one thousand pesos ($1,000) to one hundred thousand pesos ($100,000) in proportion to the seriousness and extent of each infrigment.

Infringements shall be classified as minor, serious and very serious:

Minor infringements:

a) Failure to respond, for formal reasons, to a request by a data owner for the rectification, confidenciality or cancellation of personal data owner to processing, when that request is justified in law.

b) Failure to provide the information requested by the Data Protection Agency in the exercise of the functions assigned to it by law, with regard to non-substantive aspects of data protection.

c) Failure to request the entry of the file of personal data either public or private which are not intended for exclusively personal use.

d) Collection of personal data on data owners without providing them with the information set out in Section 6 of Law No. 25.326.

e) Failure to respect the duty of secrecy set out in Section 10 of Law No. 25.326, where this does amount to a serious infringement.

Serious infringements:

a) Creating files in public ownership, or colect personal data for such files, without the authorisation published in the Boletín Oficial del Estado or the corresponding official newspaper, with the requirements established in Section 22 of Law Nº 25.326.

b) Processing personal data that don`t fulfill the obligation of being certain, appropriate, pertinent, and not excessive with reference to the scope within and purpose for which such data has been obtained.

c) Collecting personal data without obtaining the explicit and written consent of the data owners, where this has to be obtained.

d) Processing personal data or subsequently using them in infringement of the principles and guarantees laid down in Law Nº 25.326, and failure to respect the protection laid down by the implementing provisions, where this does not amount to a very serious infringement.

e) Preventing or hindering the exercise of the rights of access and objection, and refusing to provide data owners the information asked.

f) Maintaining incorrect personal data or failure to rectify or cancel such data when legally obliged if the citizens rights protected by this Law are affected

g) Breach of the duty of secrecy for personal data incorporated into files containing data on the commission of administrative or criminal offences, public finance, financial services, provision of creditworthiness and credit services, as well as other files containing a set of personal data sufficient to obtain an assessment of the personality of the individual.

h) Maintaining files, premises, programs or hardware containing personal data without the security required by regulations.

i) Failure to provide on time to the Data Protection Agency any documents and information due to Law No. 25.326 or its implementing provisions.

j) Impeding Data Protection Agency inspections.

k) Failure to enter a file of personal data in the National Data Protection Register when been required by the Data Protection Agency Director.

l) Failure to comply with the duty of information laid down in Sections 6 and 26 of Law No. 25.326, when the data have been obtained from a person other than the data owner.

Very serious infringements:

a) The misleading or fraudulent collection of data.

b) Communication or transfer of personal data other than in cases where these are allowed.

c) Obtaining and processing sensitive personal data in breach of the principles and guarantees laid down in Law Nº 25.326.

d) Failure to cease the illegitimate use of personal data processing operations when required to do so by the Data Protection Agency Director or by the persons owning the rights of access.

e) Processing personal data illegally or in breach of the principles and guarantees applying to them, when this prevents or infringes the exercise of fundamental rights.

f) Breach of the duty to maintain the secrecy of the sensitive personal data, as well as of data obtained for police purposes without data owners consent.

g) Systematically impeding or failing to comply with the exercise of the rights of access, rectification, updating, cancellation or blocking.

h) Systematic failure to comply with the duty to notify the inclusion of personal data in a file laid down in Sections 5 y 6 of Law 25.326.

Penalties

1. Minor infringements shall be punished by a fine of one thousand pesos ($1,000) to three thounsand pesos ($3,000).

2. Serious infringements shall be punished by a fine of three thousand pesos ($3,000) to fifty thounsand pesos ($50,000).

3. Very serious infringements shall be punished by a fine of fifty thousand pesos ($50,000) to one hundred thousand pesos ($100,000).

4. The amount of the penalties shall be graded taking account the nature of the personal rights involved, the volume of the processing operations carried out, the profits gained, the degree of intentionality, repetition, the damage caused to the data owners and to third parties, and any other considerations of relevance in determining the degree of illegality and culpability of the specific infringement.