Argentina Data Privacy Laws: PDPL Compliance Guide (2026)

Argentina's Personal Data Protection Law, Ley 25.326, governs how organizations collect, store, and use personal data. Enacted in 2000, it grants residents rights of access, rectification, and deletion, and the constitutional habeas data action under Article 43 provides a direct judicial remedy when controllers refuse to comply.

Argentina occupies a unique position in the global data privacy landscape. It enacted Latin America's first comprehensive data protection law more than two decades ago, earned the European Union's adequacy recognition, and built a constitutional foundation for informational self-determination that predates most national privacy frameworks.

Yet the country's legal infrastructure is now under pressure. Law 25.326 was written before smartphones, social media, cloud computing, and generative artificial intelligence reshaped how personal data is collected and used. Multiple reform bills are working their way through Congress in 2026, the AAIP has launched new programs to address AI transparency and modernize public-sector practices, and courts continue to define the boundaries of habeas data in an era of algorithmic surveillance.

This guide covers every element of Argentina's current data privacy regime, Ley Olimpia's digital violence protections, the AI governance landscape, the pending reforms, and what organizations need to know to comply.

Quick Answer: Is Argentina's Data Privacy Law Comparable to GDPR?

Argentina's Law 25.326 is a comprehensive data protection statute that predates the GDPR by 18 years. It shares the GDPR's foundational principles (purpose limitation, proportionality, data quality, and security obligations) and grants individuals rights of access, rectification, deletion, and objection. The EU confirmed in January 2024 that Argentina continues to provide adequate protection, meaning data can flow freely from the EU to Argentina without additional transfer mechanisms.

The main gaps relative to the GDPR are the absence of mandatory breach notification, the lack of explicit DPO requirements, no portability right, no automated decision-making protections, and fines that are very modest in real terms. Pending reform bills introduced in 2025 address all of these gaps and would bring Argentina's framework substantially closer to the GDPR standard. No reform bill had been enacted as of the date this article was verified (May 19, 2026).

Constitutional Foundation: Article 43 and Habeas Data

Argentina's data protection framework begins with the national constitution. The 1994 constitutional reform introduced Article 43, which established the writ of habeas data. This provision gives every person the right to file a judicial action to:

• Obtain knowledge of the content and purpose of all personal data about them held in public registries or databases, or in private databases whose purpose is to provide reports.
• Demand the suppression, rectification, confidentiality, or updating of false or discriminatory data.

This constitutional guarantee is not limited to correcting inaccurate information. Argentine courts have interpreted habeas data as protecting a broader right to informational self-determination, meaning the ability of individuals to control how their personal data is collected, stored, and used.

The habeas data action functions as a judicial remedy. When a data controller refuses to comply with an access or correction request, the affected person can bring the matter directly before a court. This gives Argentine data subjects a constitutional enforcement mechanism that exists independently of the administrative processes run by the AAIP.

Habeas Data in Practice: The Buenos Aires Facial Recognition Case

Courts have applied habeas data in a growing range of contexts. The most prominent recent example involved the Buenos Aires city government's Fugitive Facial Recognition System (Sistema de Reconocimiento Facial de Proscriptos, SRFP). A trial court suspended the system in 2022 after finding it unconstitutional, and the Court of Appeals of the City of Buenos Aires, Chamber I, confirmed that ruling on April 28, 2023.

The Appeals Court held that the SRFP had been deployed without adequate oversight mechanisms, had been applied to more than 15,000 people who were not listed as fugitives in the National Consultation on Rebellions and Captures (CONARC) database, and had violated constitutional protections for privacy, freedom of movement, presumption of innocence, and non-discrimination. The court set three conditions that must be met before any reintroduction: functional oversight mechanisms must be established, the city must investigate whether the system produced differential impact based on personal characteristics such as race, and the city must publicly disclose operational reporting.

As of early 2024, the city government and civil rights organizations were still negotiating the terms of an audit agreement. The SRFP remains suspended. This case stands as the most significant judicial application of constitutional privacy rights to biometric surveillance in Argentine history, and it illustrates the practical force that habeas data can carry when applied to modern data processing technologies.

Law 25.326: The Personal Data Protection Law (PDPL)

Enacted on October 4, 2000, and regulated by Decree 1558/2001, Law 25.326 is the cornerstone of Argentina's data privacy regime. Its stated purpose is to provide comprehensive protection of personal data contained in files, records, databases, or other technical means of data processing, whether public or private.

The law applies to personal data recorded in any medium that makes it subject to processing, and to any form of subsequent use of such data by public or private actors.

Key Definitions

Personal data is defined broadly as information of any type referring to individuals or legal entities, whether determined or determinable. This covers names, identification numbers, contact details, financial records, and any other information that can be linked to a specific person or entity.

Sensitive data receives heightened protection under the law. It includes information revealing racial or ethnic origin, political opinions, religious or philosophical convictions, moral beliefs, trade union membership, and data concerning health or sexual life. Following Argentina's ratification of Convention 108+ and the AAIP's Resolution 255/2022, genetic data and biometric data are now also expressly classified as sensitive.

Database is defined as any organized set of personal data that is subject to processing, whether electronic or non-electronic, regardless of the manner in which it was created, stored, organized, or accessed.

The pending reform bills would expand these definitions to expressly include pseudonymization, anonymization, profiling, and automated decision-making, bringing Argentine terminology into alignment with the GDPR's vocabulary.

General Principles of Data Processing

The PDPL establishes several foundational principles that govern all personal data processing in Argentina:

Lawfulness: Databases may not have purposes that violate the law or public morality.

Purpose limitation: Data collected for one purpose cannot be used for a different, incompatible purpose without the data subject's consent.

Data quality: Personal data must be accurate, complete, and kept up to date. Inaccurate or incomplete data must be corrected or deleted.

Proportionality: Only data that is adequate, relevant, and not excessive in relation to the purpose of the database may be collected.

Data retention limits: Personal data must be destroyed once it is no longer necessary for the purpose for which it was collected, unless required by law to be retained.

Security obligation: Data controllers must adopt technical and organizational measures to ensure the security and confidentiality of personal data, preventing unauthorized alteration, loss, consultation, or processing.

Consent Requirements Under the PDPL

Consent is the primary legal basis for processing personal data in Argentina. The PDPL requires that consent be:

• Prior: Obtained before data processing begins.
• Free: Given voluntarily, without coercion or undue pressure.
• Express: Clearly and affirmatively communicated. Silence or inaction does not constitute consent.
• Informed: The data subject must be told the purpose of the data collection, who will process the data, and the consequences of providing or refusing to provide the data.

For sensitive data, consent must be explicit and cannot be presumed under any circumstances. The data subject must expressly agree to the processing of health, biometric, genetic, political, religious, or other sensitive categories of information.

The data subject retains the right to revoke consent at any time without needing to provide justification. Revocation does not have retroactive effect.

Exceptions to Consent

The PDPL recognizes several situations where personal data may be processed without consent:

• Data obtained from publicly accessible sources.
• Data collected in the exercise of functions proper to the powers of the State or pursuant to a legal obligation.
• Data limited to name, national identity document number, tax or social security identification, occupation, date of birth, and domicile.
• Data arising from a contractual, scientific, or professional relationship with the data subject, where the processing is necessary for the relationship's performance.
• Operations carried out by financial entities in relation to data from their customers, following Central Bank rules.

The pending reform bills would introduce multiple lawful bases beyond consent (including legitimate interest and legal obligation as standalone grounds), which would reduce consent-dependency for commercial processing activities.

Data Subject Rights

The PDPL grants data subjects a comprehensive set of rights that data controllers must respect.

Right of Access

Any person may request confirmation of whether their personal data is being processed and obtain a copy of the information held. The data controller must respond within 10 calendar days of receiving the request. The right of access may be exercised free of charge at intervals of no less than six months, unless the data subject demonstrates a legitimate interest in doing so more frequently.

Right of Rectification

Data subjects may demand correction of inaccurate, outdated, or incomplete personal data. When incorrect data has been transferred to a third party, the data controller must notify the third party of the rectification within five business days.

Right of Deletion (Suppression)

Data subjects can request the deletion of their personal data when it is no longer necessary for the purpose for which it was collected, when consent has been revoked, or when the data is being processed unlawfully. Deletion may be refused if it would harm the rights of third parties, serve public interest purposes, or be necessary for legal compliance.

Right of Confidentiality

Data subjects may request that their data be treated as confidential and not disclosed to third parties.

Right to Object

Individuals may object to the processing of their personal data when they have legitimate grounds relating to their particular situation.

If a data controller does not comply with an access, rectification, or deletion request, the data subject may file a complaint with the AAIP or bring a habeas data action before the courts.

Rights Pending Under Reform Bills

The pending comprehensive reform bills would add two significant rights not currently in Law 25.326:

Data portability: The right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.

Protection against automated decision-making: The right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant impacts, including profiling. Under the S-0644/2025 and 1948-D-2025 proposals, controllers would need to provide meaningful information about the logic involved in such decisions and offer human review.

The AAIP: Argentina's Data Protection Authority

The Agencia de Acceso a la Informacion Publica (AAIP) is the independent authority responsible for enforcing the PDPL. Originally, enforcement was handled by the Direccion Nacional de Proteccion de Datos Personales (DNPDP), but the AAIP assumed these functions and has since expanded its regulatory role.

The AAIP's key responsibilities include:

• Overseeing compliance with the PDPL across public and private sectors.
• Administering the National Registry of Databases (Registro Nacional de Bases de Datos, or RNBD).
• Investigating complaints filed by data subjects.
• Imposing administrative sanctions for violations.
• Issuing resolutions, guidelines, and recommendations on data protection matters.
• Representing Argentina in international data protection forums.

National Registry of Databases (RNBD)

All organizations that maintain databases containing personal information of Argentine residents must register with the RNBD. This requirement applies to both domestic and foreign entities. Following Resolution 132/2018, foreign data controllers that process personal data of Argentine citizens must register even if they have no physical presence in Argentina.

The registration must be completed online and includes information about the purpose of the database, the types of data processed, the security measures in place, and whether international data transfers occur. Failure to register a database is itself a violation of the PDPL and can result in administrative sanctions.

AI and Emerging Technology Oversight

The AAIP has moved to address the challenges posed by artificial intelligence. In September 2023, it launched the Program for Transparency and Personal Data Protection in the Use of Artificial Intelligence through Resolution 161/2023. This program established:

• An AI Observatory to monitor developments across government, industry, and academia.
• Non-binding guidelines covering the entire AI lifecycle.
• A multidisciplinary Advisory Council to develop regulatory consensus.
• A requirement for public agencies to document automated decision-making systems on a Transparency Portal.

Administrative Decision 750/2023 created an Interministerial Roundtable on AI Use, coordinating policy development across government agencies.

Resolution 145/2025: Strengthening Public-Sector Data Protection

On August 4, 2025, the AAIP published Resolution 145/2025, creating the Program for Strengthening Personal Data Protection in the National Public Administration. This three-year program requires federal agencies to:

• Adopt privacy policies aligned with the PDPL.
• Appoint and train data protection officers within the administration.
• Complete registration of all government databases in the RNBD.
• Train staff on data handling obligations.
• Implement effective safeguards for citizens' data protection rights.

Resolution 145/2025 superseded the older Disposition 7/2008 and represents a significant step toward institutionalizing privacy governance within the federal government. It falls within the framework of the AAIP's Strategic Plan 2022-2026.

Penalties and Enforcement

The PDPL establishes a tiered system of administrative sanctions. The AAIP's Resolution 126/2024, published on May 24, 2024, unified the sanctions regime under both the PDPL and the National Do Not Call Registry Law (Law 26.951).

Administrative Sanctions

Violations are classified into three levels:

Minor infractions: Up to two warnings and fines ranging from ARS 1,000 to ARS 80,000 per infraction. Where multiple violations arise from identical conduct, the total fine is capped at 500 times the applicable tier maximum, meaning a ceiling of ARS 40,000,000 for minor violations.

Serious infractions: Up to four warnings, suspension of database operations for 1 to 30 days, and fines from ARS 80,001 to ARS 90,000 per infraction. The 500x accumulation cap produces a ceiling of ARS 45,000,000 for serious violations.

Very serious infractions: Up to six warnings, suspension for 31 to 365 days, closure or cancellation of the database, and fines from ARS 90,001 to ARS 100,000 per infraction. The 500x accumulation cap produces a ceiling of ARS 50,000,000 for very serious violations.

The AAIP may also order the deletion of an entire database as a sanction for the most severe violations.

A critical practical note: on a per-infraction basis the fine ceilings appear modest (ARS 80,000 to ARS 100,000), but Resolution 126/2024's 500x accumulation cap means a single enforcement action involving multiple violations can reach ARS 40,000,000 to ARS 50,000,000 (roughly USD 28,000 to USD 36,000 at May 2026 official exchange rates). That still lags behind GDPR-scale fines, and commentators have identified the overall penalty framework as an enforcement gap. The pending reform bills address this directly, proposing fines of up to 4% of global annual turnover.

Criminal Penalties

The PDPL includes criminal provisions. Knowingly inserting false information into a personal data file carries a sentence of one month to two years in prison. Knowingly providing false data stored in a database to a third party is punishable by six months to three years of imprisonment. Illegally accessing a personal database, or violating the confidentiality and security obligations imposed by the law, may result in one month to two years in prison.

Enforcement Approach

Historically, the AAIP has functioned more as an educational and advisory body than an aggressive enforcement agency. However, the AAIP's Strategic Plan 2022-2026 signals a shift toward more proactive enforcement. Resolution 126/2024's unification of the sanctions regime and Resolution 145/2025's public-administration compliance program both reflect this direction.

Data Breach Notification

This is an area where Argentina's current law shows its age. The PDPL does not contain a mandatory data breach notification requirement. There is no legal obligation under Law 25.326 to report data breaches to either the AAIP or affected data subjects.

However, the AAIP has addressed this gap through soft regulation. Resolution 47/2018 establishes recommended security measures and encourages breach notification as a best practice. Under this resolution, data controllers are advised to:

• Prepare a breach report including the nature of the incident, categories of personal data affected, identification of affected individuals, measures adopted to mitigate the breach, and measures to prevent future incidents.
• Notify the AAIP of the security incident and attach the report.
• Inform affected data subjects in clear, simple terms.

While this is technically voluntary, failing to follow the AAIP's recommended practices may be considered in any enforcement proceeding as evidence of inadequate security measures.

Breach Notification Under the Pending Reform Bills

The comprehensive reform bills diverge on breach notification timelines:

• Bills S-0644/2025 and 1948-D-2025 require notification to the AAIP within 72 hours of becoming aware of a breach likely to result in a risk to data subjects' rights, with mandatory individual notification when there is high risk of harm.
• Bill 0904-D-2025 (Representative Yeza's innovation-oriented proposal) requires notification "within a reasonable time" to the AAIP and requires individual notification only when there is a "significant probability of concrete harm."

Organizations planning for future compliance should model against the stricter 72-hour standard, as the rights-focused bills have more legislative co-sponsors.

International Data Transfers and EU Adequacy

The PDPL restricts cross-border transfers of personal data to countries or international organizations that provide an adequate level of protection. The AAIP maintains a list of jurisdictions deemed adequate, which includes EU and EEA member states and other countries recognized by the European Commission.

Transfers to countries without adequate protection are prohibited unless one of the following exceptions applies:

• The data subject gives express consent to the transfer.
• The transfer is necessary for international judicial cooperation.
• The transfer involves medical data exchanges necessary to protect the data subject's health.
• The transfer relates to banking or stock exchange operations in accordance with applicable legislation.
• The transfer is governed by an international treaty to which Argentina is a party.
• The transfer is necessary for intelligence cooperation against organized crime, terrorism, or drug trafficking.

Organizations may also rely on contractual clauses approved by the AAIP (similar to the EU's standard contractual clauses) to legitimize transfers to non-adequate jurisdictions.

EU Adequacy Decision: January 2024 Confirmation

Argentina was the first Latin American country to receive an EU adequacy decision, originally granted under the Data Protection Directive. On January 15, 2024, the European Commission published its conclusions from the first review of 11 adequacy decisions and confirmed that Argentina continues to provide an adequate level of protection. The Commission cited Argentina's accession to Convention 108 and Convention 108+, its clear rules on public authority access to personal data, and its independent supervisory authority as factors supporting the finding.

The review report also recommended that Argentina enshrine in legislation protections that have so far been developed at the sub-legislative level and through case law. This recommendation is significant: if the reform process stalls and Argentina's framework falls too far behind the GDPR standard, the adequacy decision could be revisited in a future review cycle.

This adequacy status provides a significant competitive advantage for Argentine businesses. Organizations in Argentina can receive personal data from EU-based companies without needing to implement standard contractual clauses, binding corporate rules, or other transfer mechanisms required for transfers to non-adequate countries.

Convention 108+ Ratification

Argentina became a party to the Council of Europe's Convention 108 in 2019 and ratified the modernized Convention 108+ in April 2023 (through Law 27.699, approved by Congress in November 2022). This ratification strengthened Argentina's international data protection commitments by incorporating principles of data minimization, proportionality, expanded sensitive data categories (including genetic and biometric data), and updated international transfer rules. Argentina was the 23rd state to ratify Convention 108+, further reinforcing its position as a leader in data protection within Latin America.

Ley Olimpia: Digital Violence and Personal Data

Law 27.736, known as Ley Olimpia, was promulgated on October 23, 2023, by Decree 542/2023. It amended Law 26.485 (the Law on Comprehensive Protection to Prevent, Punish, and Eradicate Violence Against Women) to add digital or telematic violence as a recognized modality of gender-based violence.

Ley Olimpia defines digital or telematic violence as any conduct, action, or omission against women based on their gender that is committed, instigated, or aggravated through the use of information and communication technologies, with the objective of causing physical, psychological, economic, sexual, or moral harm to the victim or their family group.

Data Protection Dimensions of Ley Olimpia

Several forms of digital violence enumerated in Law 27.736 directly intersect with personal data protection:

• Non-consensual intimate imagery: The acquisition, digital reproduction, and non-consensual dissemination of intimate or nude content constitutes digital violence, regardless of whether the content was originally shared consensually.
• Unauthorized dissemination of personal data: Theft and non-consensual dissemination of personal data are expressly included as forms of digital violence.
• Digital espionage: Unauthorized access to devices or accounts is covered, overlapping with the PDPL's security and confidentiality obligations.

Judicial Remedies

Judges may order digital platforms, social networks, and websites to remove content constituting digital violence. The order must specifically identify the URL of the content in question. The Ministry of Education must incorporate information on digital violence and online safety into the comprehensive sex education curriculum for both public and private schools.

For organizations operating platforms in Argentina, Ley Olimpia creates a potential avenue for content removal orders that runs in parallel with PDPL deletion rights, and may be faster in practice because it provides for judicial orders directly against platforms.

AI Governance and Automated Decision-Making

Argentina's AI regulatory landscape is fragmented and rapidly evolving. Law 25.326 contains no provisions specifically addressing automated decision-making, algorithmic processing, or artificial intelligence. Several regulatory and legislative developments in 2023 through 2025 have begun to fill this gap.

AAIP Resolution 161/2023 and the AI Program

The AAIP's September 2023 program (Resolution 161/2023) established non-binding guidelines for responsible AI use and a Transparency Portal requirement for public agencies documenting automated decision-making systems. These guidelines are voluntary for private entities but represent the AAIP's interpretation of how the PDPL's general principles apply to AI systems.

Bill 4243-D-2025: AI-Specific Data Protection

Introduced in August 2025, Bill 4243-D-2025 proposes a dedicated legal framework for personal data protection in AI systems. Key features include:

• Applicability to any AI activity involving personal data within Argentina or directed at individuals in Argentina, regardless of where the operator is located.
• Classification of AI systems as low, medium, or high risk, with mandatory registration in a National Registry of Artificial Intelligence Systems for medium- and high-risk systems.
• Mandatory risk assessments considering the nature, scope, context, and mitigation measures of processing.
• Audit powers for the regulatory authority, including the power to suspend AI systems posing serious risks.
• Sanctions ranging from warnings to prohibition of use and fines proportionate to turnover, benefits, number of affected individuals, and intent or negligence.

Existing AI systems would have 180 days to comply after the bill is enacted. As of May 2026, this bill has not been enacted.

Milei Administration and AI Regulation

Argentina's current administration under President Javier Milei has embraced a generally pro-innovation, lighter-touch regulatory philosophy. The Milei government has signaled a desire to position Argentina as a regional AI hub and has been cautious about imposing heavy-handed AI regulation that could deter investment. This creates a practical tension with the rights-focused reform bills advancing through Congress, and suggests that the final shape of any AI or data protection reform will reflect negotiation between these competing priorities.

The Pending GDPR-Alignment Reform

Argentina's data protection community has recognized for years that Law 25.326 needs a comprehensive update. Multiple attempts have been made since 2017, but none have yet resulted in enacted legislation.

As of May 2026, several reform bills are pending in Congress:

Bills S-0644/2025 and 1948-D-2025 share substantially the same content. They were introduced in 2025 by senators and representatives respectively and prioritize a rights-based approach to data protection aligned closely with the GDPR.

Bill 0904-D-2025 (introduced by Representative Yeza) takes a more innovation-oriented approach. It introduces a novel classification of organizations based on their level of data processing (basic, intermediate, and advanced), with differentiated obligations and a special regime for startups and innovative projects.

Bills 3540-D-2025 and 2968-D-2025 focus on specific aspects, including algorithmic transparency guarantees and data subject protective mechanisms.

Bill S-0968/2025 addresses children's data consent protections, introducing age-appropriate design obligations and parental consent requirements.

Bill 4243-D-2025 (discussed above) addresses AI-specific data protection.

The AAIP has indicated it was preparing its own draft bill, largely inspired by a 2023 proposal that never advanced to debate. Legislative discussions were expected to advance in 2026, though the timing and final shape of any reform remain uncertain.

Key Features of the Comprehensive Reform Bills

The rights-focused bills (S-0644/2025 and 1948-D-2025) would introduce, among other things:

• Mandatory breach notification: 72 hours to the AAIP when breaches pose a risk to data subjects' rights; individual notification when the risk is high. The Yeza bill uses a "reasonable time" standard instead.
• Data Protection Officers (DPOs): Mandatory for public agencies and private controllers engaged in large-scale, high-risk, or sensitive data processing. The Yeza bill limits this to organizations classified as "advanced" data processors.
• Data portability: The right to receive and transfer personal data in a structured, machine-readable format.
• Automated decision-making protections: The right not to be subject to decisions based solely on automated processing producing legal or similarly significant effects, with a right to human review.
• Accountability and privacy by design: Organizations must demonstrate compliance proactively and build data protection into systems from the outset.
• Higher fines: Proposals range from ARS 50,000 to ARS 10 billion, or 2% to 4% of total annual global turnover, whichever is greater. This would represent an enormous increase over the current ARS 100,000 maximum.
• Expanded definitions: Expressly covering anonymization, pseudonymization, profiling, and automated decision-making in statutory text.

No reform bill had been enacted as of May 19, 2026. Organizations should monitor the Boletin Oficial for updates.

Sector-Specific Regulations

Beyond the PDPL, several sector-specific rules affect data processing in Argentina:

Financial sector: The Central Bank of Argentina (BCRA) issues regulations on the handling of customer data by financial institutions, including cybersecurity requirements.

Health data: Health-related personal data receives additional protection under the PDPL's sensitive data provisions and is subject to professional secrecy obligations under medical ethics regulations.

Telecommunications: Law 19.798 (National Telecommunications Law) establishes the secrecy of telecommunications and imposes obligations on service providers regarding subscriber data.

Do Not Call Registry: Law 26.951 created the National Do Not Call Registry (Registro Nacional No Llame), allowing individuals to opt out of telemarketing calls. The AAIP enforces this law alongside the PDPL. Resolution 126/2024 unified the sanctions regime for both laws.

Credit reporting: The PDPL contains specific provisions governing credit information databases, including limitations on data retention (negative credit information must be deleted after five years, or two years from the date the debt was settled).

Digital violence: Ley Olimpia (Law 27.736, 2023) adds a layer of obligations for platforms regarding non-consensual content removal, overlapping with but distinct from PDPL deletion rights.

If you need to understand how recording and audio-visual consent laws apply in Argentina alongside these data protection requirements, see our guide to Argentina recording laws.

Recent Developments (2024-2026)

• January 15, 2024: The European Commission confirmed Argentina's EU adequacy status after reviewing 11 existing adequacy decisions. The review recommended Argentina enshrine sub-legislative protections in statute.
• May 24, 2024: The AAIP published Resolution 126/2024, unifying the sanctions regime for violations of both the PDPL (Law 25.326) and the National Do Not Call Registry Law (Law 26.951).
• Early 2024: A Buenos Aires court set a hearing to determine terms for auditing the city's Fugitive Facial Recognition System (SRFP) before any possible reintroduction. The SRFP remained suspended, with city authorities and civil rights organizations negotiating an audit framework.
• 2025: A wave of reform bills was introduced in Congress. The most significant are S-0644/2025 and 1948-D-2025 (comprehensive GDPR-aligned reform), 0904-D-2025 (innovation-focused reform by Representative Yeza), and S-0968/2025 (children's data protections).
• August 4, 2025: The AAIP published Resolution 145/2025, creating a three-year program requiring federal agencies to appoint data protection officers, register databases, adopt privacy policies, and train staff.
• August 2025: Bill 4243-D-2025 was introduced in the Chamber of Deputies, proposing AI-specific data protection rules including a National AI Registry and mandatory risk assessments.
• December 2025: Commentary noted growing pressure on Law 25.326 from generative AI systems, which process personal data at a scale and in ways that the 2000 statute did not anticipate, increasing urgency for the reform bills to advance in 2026.

Practical Compliance Checklist for Organizations

Organizations processing personal data of Argentine residents should ensure they meet the following requirements:

• Register all databases with the RNBD, including from outside Argentina if processing data of Argentine residents (per Resolution 132/2018).
• Obtain prior, free, express, and informed consent before collecting personal data, unless a recognized exception applies.
• Provide clear privacy notices explaining the purpose of data collection, the identity of the data controller, and data subject rights.
• Implement technical and organizational security measures appropriate to the sensitivity of the data processed (per Resolution 47/2018).
• Respond to data subject access requests within 10 calendar days.
• Notify third parties of any rectification within five business days.
• Restrict international transfers to adequate jurisdictions or ensure an applicable exception exists.
• Follow the AAIP's recommended breach notification practices under Resolution 47/2018 and maintain breach records accessible to the AAIP.
• If operating a platform with user-generated content, have a process for responding to content removal orders under Ley Olimpia (Law 27.736).
• Begin planning for DPO appointment and 72-hour breach notification timelines, as these are likely to be enacted in some form by the reform bills advancing in 2026.
• If deploying AI systems that process personal data, document them on the AAIP's Transparency Portal (for public agencies) and monitor Bill 4243-D-2025 for registration and risk-assessment requirements.
• Monitor the Boletin Oficial for any reform bill enactment, as new obligations could take effect within 30 to 180 days of publication.