Argentina Data Privacy Laws: PDPL Compliance Guide (2026)

Argentina occupies a unique position in the global data privacy landscape. It enacted Latin America's first comprehensive data protection law more than two decades ago, earned the European Union's adequacy recognition, and built a constitutional foundation for informational self-determination that predates most national privacy frameworks.

Yet the country's legal infrastructure is now under pressure. Law 25.326 was written before smartphones, social media, cloud computing, and generative artificial intelligence reshaped how personal data is collected and used. Multiple reform bills are working their way through Congress, and the AAIP has launched new programs to address AI transparency and modernize enforcement.

This guide covers every element of Argentina's current data privacy regime, the pending reforms, and what organizations need to know to comply.

Constitutional Foundation: Article 43 and Habeas Data

Argentina's data protection framework begins with the national constitution. The 1994 constitutional reform introduced Article 43, which established the writ of habeas data. This provision gives every person the right to file a judicial action to:

• Obtain knowledge of the content and purpose of all personal data about them held in public registries or databases, or in private databases whose purpose is to provide reports.
• Demand the suppression, rectification, confidentiality, or updating of false or discriminatory data.

This constitutional guarantee is not limited to correcting inaccurate information. Argentine courts have interpreted habeas data as protecting a broader right to informational self-determination, meaning the ability of individuals to control how their personal data is collected, stored, and used.

The habeas data action functions as a judicial remedy. When a data controller refuses to comply with an access or correction request, the affected person can bring the matter directly before a court. This gives Argentine data subjects a constitutional enforcement mechanism that exists independently of the administrative processes run by the AAIP.

Argentine courts have applied habeas data in a growing range of contexts, including ordering the removal of outdated criminal records from search engines and halting the Buenos Aires city government's facial recognition surveillance system in 2023 for lacking adequate privacy safeguards.

Law 25.326: The Personal Data Protection Law (PDPL)

Enacted on October 4, 2000, and regulated by Decree 1558/2001, Law 25.326 is the cornerstone of Argentina's data privacy regime. Its stated purpose is to provide comprehensive protection of personal data contained in files, records, databases, or other technical means of data processing, whether public or private.

The law applies to personal data recorded in any medium that makes it subject to processing, and to any form of subsequent use of such data by public or private actors.

Key Definitions

Personal data is defined broadly as information of any type referring to individuals or legal entities, whether determined or determinable. This covers names, identification numbers, contact details, financial records, and any other information that can be linked to a specific person or entity.

Sensitive data receives heightened protection under the law. It includes information revealing racial or ethnic origin, political opinions, religious or philosophical convictions, moral beliefs, trade union membership, and data concerning health or sexual life. Following Argentina's ratification of Convention 108+ and the AAIP's Resolution 255/2022, genetic data and biometric data are now also expressly classified as sensitive.

Database is defined as any organized set of personal data that is subject to processing, whether electronic or non-electronic, regardless of the manner in which it was created, stored, organized, or accessed.

General Principles of Data Processing

The PDPL establishes several foundational principles that govern all personal data processing in Argentina:

Lawfulness: Databases may not have purposes that violate the law or public morality.

Purpose limitation: Data collected for one purpose cannot be used for a different, incompatible purpose without the data subject's consent.

Data quality: Personal data must be accurate, complete, and kept up to date. Inaccurate or incomplete data must be corrected or deleted.

Proportionality: Only data that is adequate, relevant, and not excessive in relation to the purpose of the database may be collected.

Data retention limits: Personal data must be destroyed once it is no longer necessary for the purpose for which it was collected, unless required by law to be retained.

Security obligation: Data controllers must adopt technical and organizational measures to ensure the security and confidentiality of personal data, preventing unauthorized alteration, loss, consultation, or processing.

Consent Requirements Under the PDPL

Consent is the primary legal basis for processing personal data in Argentina. The PDPL requires that consent be:

• Prior: Obtained before data processing begins.
• Free: Given voluntarily, without coercion or undue pressure.
• Express: Clearly and affirmatively communicated. Silence or inaction does not constitute consent.
• Informed: The data subject must be told the purpose of the data collection, who will process the data, and the consequences of providing or refusing to provide the data.

For sensitive data, consent must be explicit and cannot be presumed under any circumstances. The data subject must expressly agree to the processing of health, biometric, genetic, political, religious, or other sensitive categories of information.

The data subject retains the right to revoke consent at any time without needing to provide justification. Revocation does not have retroactive effect.

Exceptions to Consent

The PDPL recognizes several situations where personal data may be processed without consent:

• Data obtained from publicly accessible sources.
• Data collected in the exercise of functions proper to the powers of the State or pursuant to a legal obligation.
• Data limited to name, national identity document number, tax or social security identification, occupation, date of birth, and domicile.
• Data arising from a contractual, scientific, or professional relationship with the data subject, where the processing is necessary for the relationship's performance.
• Operations carried out by financial entities in relation to data from their customers, following Central Bank rules.

Data Subject Rights

The PDPL grants data subjects a comprehensive set of rights that data controllers must respect:

Right of Access

Any person may request confirmation of whether their personal data is being processed and obtain a copy of the information held. The data controller must respond within 10 calendar days of receiving the request. The right of access may be exercised free of charge at intervals of no less than six months, unless the data subject demonstrates a legitimate interest in doing so more frequently.

Right of Rectification

Data subjects may demand correction of inaccurate, outdated, or incomplete personal data. When incorrect data has been transferred to a third party, the data controller must notify the third party of the rectification within five business days.

Right of Deletion (Suppression)

Data subjects can request the deletion of their personal data when it is no longer necessary for the purpose for which it was collected, when consent has been revoked, or when the data is being processed unlawfully. Deletion may be refused if it would harm the rights of third parties, serve public interest purposes, or be necessary for legal compliance.

Right of Confidentiality

Data subjects may request that their data be treated as confidential and not disclosed to third parties.

Right to Object

Individuals may object to the processing of their personal data when they have legitimate grounds relating to their particular situation.

If a data controller does not comply with an access, rectification, or deletion request, the data subject may file a complaint with the AAIP or bring a habeas data action before the courts.

The AAIP: Argentina's Data Protection Authority

The Agencia de Acceso a la Informacion Publica (AAIP) is the independent authority responsible for enforcing the PDPL. Originally, enforcement was handled by the Direccion Nacional de Proteccion de Datos Personales (DNPDP), but the AAIP assumed these functions and has since expanded its regulatory role.

The AAIP's key responsibilities include:

• Overseeing compliance with the PDPL across public and private sectors.
• Administering the National Registry of Databases (Registro Nacional de Bases de Datos, or RNBD).
• Investigating complaints filed by data subjects.
• Imposing administrative sanctions for violations.
• Issuing resolutions, guidelines, and recommendations on data protection matters.
• Representing Argentina in international data protection forums.

National Registry of Databases (RNBD)

All organizations that maintain databases containing personal information of Argentine residents must register with the RNBD. This requirement applies to both domestic and foreign entities. Following Resolution 132/2018, foreign data controllers that process personal data of Argentine citizens must register even if they have no physical presence in Argentina.

The registration must be completed online and includes information about the purpose of the database, the types of data processed, the security measures in place, and whether international data transfers occur.

Failure to register a database is itself a violation of the PDPL and can result in administrative sanctions.

AI and Emerging Technology Oversight

The AAIP has moved to address the challenges posed by artificial intelligence. In September 2023, it launched the Program for Transparency and Personal Data Protection in the Use of Artificial Intelligence through Resolution 161/2023. This program established:

• An AI Observatory to monitor developments across government, industry, and academia.
• Non-binding guidelines covering the entire AI lifecycle.
• A multidisciplinary Advisory Council to develop regulatory consensus.
• A requirement for public agencies to document automated decision-making systems on a Transparency Portal.

Additionally, Administrative Decision 750/2023 created an Interministerial Roundtable on AI Use, coordinating policy development across government agencies.

Penalties and Enforcement

The PDPL establishes a tiered system of administrative sanctions. The AAIP's Resolution 126/2024 unified the sanctions regime under both the PDPL and the National Do Not Call Registry Law (Law 26.951).

Administrative Sanctions

Violations are classified into three levels:

Minor infractions: Up to two warnings and fines ranging from ARS 3,000 to ARS 25,000.

Serious infractions: Up to four warnings, suspension of database operations for 1 to 30 days, and fines from ARS 25,000 to ARS 80,000.

Very serious infractions: Up to six warnings, suspension for 31 to 365 days, closure or cancellation of the database, and fines from ARS 80,000 to ARS 100,000.

The AAIP may also order the deletion of an entire database as a sanction for the most severe violations.

Criminal Penalties

The PDPL includes criminal provisions. Knowingly inserting false information into a personal data file carries a sentence of one month to two years in prison. Knowingly providing false data stored in a database to a third party is punishable by six months to three years of imprisonment.

Illegally accessing a personal database, or violating the confidentiality and security obligations imposed by the law, may result in one month to two years in prison.

Enforcement Reality

Historically, the AAIP has functioned more as an educational and advisory body than an aggressive enforcement agency. Fines under the current framework are modest by international standards, particularly given Argentina's inflation. However, the AAIP's Strategic Plan 2022-2026 signals a shift toward more proactive enforcement, including the Program for Strengthening Personal Data Protection in the National Public Administration (Resolution 145/2025).

Data Breach Notification

This is an area where Argentina's current law shows its age. The PDPL does not contain a mandatory data breach notification requirement. There is no legal obligation under Law 25.326 to report data breaches to either the AAIP or affected data subjects.

However, the AAIP has addressed this gap through soft regulation. Resolution 47/2018, which replaced the earlier Disposition 11/2006, establishes recommended security measures and encourages breach notification as a best practice. Under this resolution, data controllers are advised to:

• Prepare a breach report including the nature of the incident, categories of personal data affected, identification of affected individuals, measures adopted to mitigate the breach, and measures to prevent future incidents.
• Notify the AAIP of the security incident and attach the report.
• Inform affected data subjects in clear, simple terms.

While this is technically voluntary, failing to follow the AAIP's recommended practices may be considered in any enforcement proceeding as evidence of inadequate security measures.

The pending reform bills would change this substantially. The most prominent draft proposes mandatory breach notification to the AAIP within 48 hours of becoming aware of a breach that is likely to result in a risk to data subjects' rights.

International Data Transfers

The PDPL restricts cross-border transfers of personal data to countries or international organizations that provide an adequate level of protection. The AAIP maintains a list of jurisdictions deemed adequate, which includes EU and EEA member states and other countries recognized by the European Commission.

Transfers to countries without adequate protection are prohibited unless one of the following exceptions applies:

• The data subject gives express consent to the transfer.
• The transfer is necessary for international judicial cooperation.
• The transfer involves medical data exchanges necessary to protect the data subject's health.
• The transfer relates to banking or stock exchange operations in accordance with applicable legislation.
• The transfer is governed by an international treaty to which Argentina is a party.
• The transfer is necessary for intelligence cooperation against organized crime, terrorism, or drug trafficking.

Organizations may also rely on contractual clauses approved by the AAIP (similar to the EU's standard contractual clauses) to legitimize transfers to non-adequate jurisdictions.

Convention 108+ and International Commitments

Argentina became a party to the Council of Europe's Convention 108 in 2019 and ratified the modernized Convention 108+ in April 2023 (through Law 27.699, approved by Congress in November 2022). This ratification strengthened Argentina's international data protection commitments by incorporating principles of data minimization, proportionality, expanded sensitive data categories (including genetic and biometric data), and updated international transfer rules.

Argentina was the 23rd state to ratify Convention 108+, further solidifying its position as a leader in data protection within Latin America.

EU Adequacy Status

Argentina was the first Latin American country to receive an EU adequacy decision, originally granted under the Data Protection Directive in the early 2000s. This recognition was maintained under the GDPR framework.

In January 2024, the European Commission concluded its review of 11 existing adequacy decisions and confirmed that Argentina continues to provide an adequate level of protection for personal data transferred from the EU. The Commission noted Argentina's accession to Convention 108 and Convention 108+, its clear rules on public authority access to personal data, and its independent supervisory authority as factors supporting the adequacy finding.

This adequacy status provides a significant competitive advantage for Argentine businesses. Organizations in Argentina can receive personal data from EU-based companies without needing to implement standard contractual clauses, binding corporate rules, or other transfer mechanisms required for transfers to non-adequate countries.

However, this status is subject to periodic review. If Argentina's reform efforts stall and its legal framework falls too far behind the GDPR standard, the adequacy decision could be revisited.

Pending Reform: The New Data Protection Bill

Argentina's data protection community has recognized for years that Law 25.326 needs a comprehensive update. Multiple attempts have been made since 2017, but none have yet resulted in enacted legislation.

As of 2025, several reform bills are pending in Congress:

Bill S-0644/2025 and Bill 1948-D-2025 share substantially the same content. They were introduced in May 2025 by senators and representatives respectively, and they prioritize a rights-based approach to data protection.

Bill 0904-D-2025 (introduced by Representative Yeza) takes a more innovation-oriented, technology-driven approach.

Bills 3540-D-2025 and 2968-D-2025 focus on specific aspects, including algorithmic transparency guarantees and data subject protective mechanisms.

Bill S-0968/2025 addresses children's data consent protections.

The most comprehensive proposals share several key features drawn from the GDPR:

• Mandatory data breach notification within 48 hours to the AAIP when breaches pose a risk to data subjects.
• Significantly higher fines, with proposals ranging from ARS 50,000 to ARS 10 billion, or 2% to 4% of total annual global turnover, whichever is greater.
• Data Protection Officer (DPO) requirements for certain organizations, with defined qualifications for suitability, capacity, and specialized knowledge.
• Data portability rights allowing data subjects to receive their personal data in a structured, commonly used format.
• Automated decision-making protections, including the right not to be subject to decisions based solely on automated processing that produce legal effects.
• Accountability and privacy by design principles requiring organizations to demonstrate compliance proactively.
• Expanded definitions covering anonymization, pseudonymization, biometric data, profiling, and automated decision-making.

The AAIP has indicated it is preparing its own draft bill, largely inspired by a 2023 proposal that was never debated in Congress. Legislative discussions are expected to advance in 2026, though the timing and final shape of any reform remain uncertain.

Sector-Specific Regulations

Beyond the PDPL, several sector-specific rules affect data processing in Argentina:

Financial sector: The Central Bank of Argentina (BCRA) issues regulations on the handling of customer data by financial institutions, including cybersecurity requirements.

Health data: Health-related personal data receives additional protection under the PDPL's sensitive data provisions and is subject to professional secrecy obligations under medical ethics regulations.

Telecommunications: Law 19.798 (National Telecommunications Law) establishes the secrecy of telecommunications and imposes obligations on service providers regarding subscriber data.

Do Not Call Registry: Law 26.951 created the National Do Not Call Registry (Registro Nacional No Llame), allowing individuals to opt out of telemarketing calls. The AAIP enforces this law alongside the PDPL.

Credit reporting: The PDPL contains specific provisions governing credit information databases, including limitations on data retention (negative credit information must be deleted after five years, or two years from the date the debt was settled).

Practical Compliance Checklist for Organizations

Organizations processing personal data of Argentine residents should ensure they meet the following requirements:

• Register all databases with the RNBD, including from outside Argentina if processing data of Argentine residents.
• Obtain prior, free, express, and informed consent before collecting personal data, unless a recognized exception applies.
• Provide clear privacy notices explaining the purpose of data collection, the identity of the data controller, and data subject rights.
• Implement technical and organizational security measures appropriate to the sensitivity of the data processed.
• Respond to data subject access requests within 10 calendar days.
• Notify third parties of any rectification within five business days.
• Restrict international transfers to adequate jurisdictions or ensure an applicable exception exists.
• Maintain breach records accessible to the AAIP upon request.
• Follow the AAIP's recommended breach notification practices under Resolution 47/2018.
• Monitor pending reform legislation that may impose new obligations.