Law Name

Protección de los Datos Personales, Ley 25.326 (2000)

Link to the Law

Updates to the law (2019) Biometric data is added to the protections established by law 25326 318874/texto

For the Autonomous City of Buenos Aires, Law 1845/05 (It is similar to the National Law)

Data Transfer

The transfer of data is forbidden unless the data subject explicitly consents and the person receiving the data complies with, at a minimum, the adequate security regulations that are currently in place.

Data Sharing

Must receive explicit consent to use data and can revoke consent at any time. Data subjects have the right to access any database containing personal data, request information about their data or demand their data be corrected, deleted and updated. Data can be shared for medical purposes, regarding the treatment of the patient or epidemiological research. Data can be shared for medical purposes as long as the individual, or data subject, cannot be identified.

Exceptions for international data sharing of personal data, as stated under Degree 1558/01, chapter 12, include: judiciary requests, medical or epidemiological data, banking, international cooperation against drug trafficking or terrorism.

Data Retention

The data subject has the right to amend, update, keep confidential or suppress information if it is incorrect. The data subject can revoke consent, but this will not have a retroactive effect.


There is no requirement for organizations to appoint a data protection officer, but a data controller must appoint a Head of Data Security (Responsable de Seguridad). The database must meet the requirements of technical integrity and safety; the level of security required depends on the sensitivity of the personal data. Only data controllers may collect and process personal data with the data subject’s consent. Consent is not required if data is collected from a public database, if it is in exercise of government duties or as a result of legal obligation, or if the database is limited to basic information; or if personal data comes from a scientific or professional contractual relationship. Anonymous sensitive personal data can be collected for statistical or scientific purposes as long as the data subjects cannot be identified.


Poder Ejecutivo Nacional (PEN) and the Dirección Nacional de Protección de Datos Personales (DNPDP) are responsible for enforcing data protection, which it does so through inspections. Each database must meet the requirements of technical integrity and safety; the level of security required depends on the sensitivity of the data.

Breach Notification

If there is a breach of security it must be annotated into the “Security Incidents Ledger” that can be requested by the DNPDP when conducting an inspection. Security breaches or losses do not need to be disclosed to the data subject nor the PEN.

Health Privacy Law


Electronic Health Record Law

Ley 14494

The law will establish a system for electronic health records that is particular to each individual. The data can only be used for the appropriate means, the data must be up-to-date and accurate, it must remain confidential, the data subject has the right to access their data and only they or a guardian can access the data. (Only for the Province of Buenos Aires)


There was a dictum or opinion (2017 dictamen) from the Ministry of Justice and Human Rights, National Direction of Personal Data Protection,

That dictum lead to the Resolution 47/2018 that creates the “Agency for Access to Public Information” 314999/312662/norma.htm

Resolution-2019-4-APN-AAIP Access to Public Information 319999/318874/norma.htm