Argentina Personal Data Protection Law (Law No. 25,326)

Overview

Argentina Personal Data Protection Law — Bill 1,024 (proposed update to Law 25,326) represents Argentina’s modernization effort to update its data protection framework aligning with contemporary privacy standards including the EU GDPR. The bill proposes significant expansions of data subject rights, new obligations for data controllers, and updated cross-border transfer mechanisms.

Developed through the Argentine legislative process, Bill 1,024 builds on the foundation of Law 25,326 while introducing GDPR-aligned concepts including data protection officers, privacy impact assessments, privacy by design, and enhanced breach notification requirements. It aims to modernize Argentina’s privacy framework supporting continued international adequacy recognition.

Organizations preparing for the updated law are assessing gaps against proposed requirements, updating privacy programs, and planning for new obligations that would expand data subject rights and strengthen accountability requirements.

Why it Matters

Argentina’s PDPL modernization aligns the country’s data protection framework with international standards supporting continued participation in the global digital economy.

Key benefits include:

• Align with international standards

Update compliance programs to reflect GDPR-aligned requirements supporting international data transfer recognition.

• Expand data subject rights

Implement enhanced rights including data portability and strengthened erasure rights under the updated framework.

• Strengthen accountability

Establish DPO roles, privacy impact assessments, and privacy by design requirements enhancing governance.

• Improve breach response

Implement enhanced breach notification requirements aligned with international standards.

• Support market access

Maintain and strengthen Argentina’s data protection adequacy enabling international data flows.

How it Works

Bill 1,024 proposes updating Law 25,326 with new obligations for DPOs in high-risk processing activities, PIAs for high-risk processing, privacy by design principles, enhanced breach notification timelines, new data subject rights, and updated cross-border transfer mechanisms aligned with international standards.

Organizations prepare by gap-assessing current compliance against proposed requirements, updating privacy governance structures, developing PIA processes, and training staff on new obligations expected under the modernized framework.

Key Elements

• Data Protection Officers

Proposed requirement for DPOs in organizations conducting high-risk processing activities.

• Privacy Impact Assessments

Mandated PIAs for high-risk data processing activities under the modernized framework.

• Enhanced Data Subject Rights

Expanded rights including data portability and strengthened erasure and restriction rights.

• Breach Notification Updates

Enhanced breach notification requirements with defined timelines for AAIP and data subject notification.

Framework Scope

The proposed update applies to entities processing personal data in Argentina, building on existing Law 25,326 scope with expanded obligations for larger processors and high-risk activities.

Framework Objectives

Argentina’s PDPL modernization strengthens data protection aligning with international standards.

• Modernize Argentine data protection framework with GDPR-aligned requirements
• Expand data subject rights supporting individual privacy control
• Strengthen organizational accountability through DPOs and PIAs
• Maintain international adequacy enabling cross-border data flows
• Align Argentine privacy law with evolving global standards

Common Framework Mappings

Mapped frameworks include:

EU General Data Protection Regulation (GDPR)

ISO/IEC 27001

ISO/IEC 27701

NIST Privacy Framework