New Bill to Replace Current Personal Data Protection Law

In September 2022, the Data Protection Authority (DPA) had published a preliminary draft bill seeking to amend the Personal Data Protection Law No. 25,326 (PDPL) and had invited stakeholders from the public and private sectors, the civil society, and scholars to participate in a public consultation process. Once the public consultation ended, in October 2022, the DPA published a draft bill including part of the comments, opinions, and contributions received (see previous article here).

On June 30, 2023, the Executive Branch submitted the draft bill to the National Congress, incorporating some amendments to the text published in October 2022.

The draft:

• Adds to the definition of “sensitive personal data” the data that may reveal a person's gender identity. 
• Incorporates the definition of "credit institutions".
• Clarifies that the law applies to any processing of personal data carried out by human or legal persons, be them public or private. Thus, it includes the processing carried out by the State for safeguarding public safety, the defense of the Nation, the protection of public health, and the freedoms of third parties.
• Incorporates that the DPA may require from the controller a prior analysis to justify the processing of personal data for satisfying legitimate interests. The controller must be able to demonstrate that the processing was within the principles of reasonableness and proportionality.
• Allows the withdrawal of consent when there is a legal or contractual duty to continue processing the data.
• Prohibits processing sensitive data entailing prejudice or discrimination against its owner.
• Establishes that public sector agencies transferring personal data must do it through an agreement complying with certain requirements and also respecting the principles of maximum publicity and availability.
• Obligates the public sector to document the procedures established for processing personal data, to train its personnel on the subject, and to establish improvements in infrastructure and security measures regarding the volume and nature of the data processed.
• Clarifies that, if the data processed belongs to children and adolescents, the consent of adolescents over sixteen years of age will be valid. It also contemplates that those under sixteen years old may give informed consent, provided the parent or whoever is in charge of the parental responsibility, guardianship, or trusteeship consents as well.
• Eliminates the right of erasure when it harms legitimate interests of third parties.
• Establishes that credit information will be retained two years when the debtor cancels or extinguishes the obligation.
• Replaces article 31 of Law No. 25,326 on administrative sanctions to align it to the sanctions proposed in the bill. 

Finally, the bill establishes that it will become effective 180 days after its publication in the Official Gazette, except for the provision changing the sanction regime, which will become effective as of the day it is published.

Although the bill has not yet been debated in Congress, on August 2, the DPA was invited to present the main changes before the Committee of Constitutional Affairs and General Legislation of the Chamber of Deputies.

You may access the text of the bill here.