...

Privacy Notice

Is the company required to provide a privacy notice to workers? (Y/N)
Yes.

Does the worker privacy notice need to address security measures?
Not necessarily. Security measures are mandatory but there is no legal obligation to include them in the privacy notice to workers

Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Employees (as any other data subject) shall be informed about data controller (employer) name and address; the purpose/s for which their data will be used; and their rights regarding such data (i.e., access, rectification and deletion). Employees shall also be informed about employer’s video surveillance policy; and how employees communications shall be monitored by employer. Additional information is usually included in HHRR privacy notices but is not mandatory.

Data Subject Rights

Are there data subject rights for workers? (Y/N – if Y, please list)
Yes. Workers have the same rights as any data subject (i.e., right of access, right to rectification, right of erasure, etc.). In addition, employees have generic privacy rights derived from provisions of the Civil and Commercial Code.

What is the timeframe to respond to data subject requests from workers?
In case of a worker’s access request, the timeframe is 10 calendar days. In case of a worker’s deletion or rectification request, the timeframe is 5 calendar days (Sections 14 and 16 of PDPA).

Are there exceptions to responding to data subject requests from workers?
Yes. Requests may be denied when responding to them may affect third parties’ rights and interest; or when public security may be jeopardized (PDPA, Section 17). A written explanation shall be provided to the employee requesting the information.

Special Rules for Worker Information

Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
There are no specific employment rules about privacy-related discrimination, pursuant to antidiscrimination law No. 23,592.

Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Yes. Generic rules about transfer of personal data to third parties are also applicable to employee information (i.e., transfers to countries without ‘adequate’ data protection law require the execution of an international data transfer agreement set forth by Argentine data protection law; processors receiving such information have restrictions to use it, etc.).

Are there rules about automated decisionmaking involving workers (e.g., hiring decisions)?
No.

Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Such information is considered “sensitive data” by PDPA; its treatment is restricted and strict security measures are applicable. Furthermore, unless mandated by law, as a general principle employer shall not collect said sensitive data from employees (Section 73 of the LCL). Collecting information about employees’ sexual orientation, religion and political orientation might be considered discriminatory.

Are there specific security requirements for storing and processing worker information?
No. The general regime is also applicable for worker information.

Are there rules about using worker information for marketing?
Yes. Generic rules about use of personal data for marketing is applicable also to worker information for marketing. As a general principle, Argentina has a vague permissive ‘opt out’ regime that allows use of restricted personal data (including workers data) for marketing purposes.

Also, prior consent would be required to publish advertisements with the employees’ personal image or data.

Are there rules about surveillance of workers?
Yes. As a general principle, workers’ consent is needed. Although written consent is advisable, consent may be replaced by posters indicating the existence of surveillance cameras (Reg AAIP 10/2015). Surveillance may not be performed in places or situations affecting the workers dignity (Section 70 of the LCL).

Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
Without specific legal regulation on this particular topic, there are certain rules imposed by case law. As a general principle, employees’ consent is required to monitor his/her devices and communications. Some practices like geo location tracking may be considered abusive depending on the circumstances and they should be analyzed on a case-by-case basis.

Government and Recourse

Is there a legislative body or government entity that regulates employment-related privacy matters?
No.

In the event of a violation, is the recourse regulatory, a private right of action, or other?
Both.

Expected Changes to Worker Privacy Laws:
Yes. Telework Law No. Act 27,555 is expected to be further regulated, with regulations about employees’ privacy. Furthermore, there are in Congress several bills aiming to entirely replace current Personal Data Protection Law 25,326.

B2B Data

Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).
Yes. Although PDPA is applicable to both B2B and consumer/employee data, the latter includes more specific regulations like the ones about ‘sensitive data’, privacy rights derived from Civil and Commercial Code; and the ones derived from labor laws (all of them applicable only to individuals).

Richards, Cardinal, Tützer, Zabala, Zaefferer

Argentina

Offices

Richards, Cardinal, Tützer, Zabala, Zaefferer
Av. Leandro N. Alem 1050,
Piso 13,
Buenos Aires (C1001AAS),
Argentina
Tel: +5411 5031 1500