HomeAnalyticsAlertsData Protection Enforcement in Argentina: Recent Regulatory Actions

Data Protection Enforcement in Argentina: Recent Regulatory Actions

Argentina's data protection authority has sharply intensified its enforcement activity. Investigations are being opened at a notably faster pace than in previous years. International companies operating in Argentina – or processing personal data of Argentine residents from abroad – face real exposure if their compliance programmes have not kept pace with the regulator's current expectations.

Argentina's Agencia de Acceso a la Información Pública (Agency for Access to Public Information, the national data protection authority. Alternatively. DPA) has issued a series of enforcement resolutions and compliance directives in 2025 and early 2026 under the country's personal data protection legislation. These actions target failures by both data controllers and data processors across multiple sectors. Companies processing personal data in Argentina must assess their consent mechanisms, cross-border data transfer arrangements, and internal governance records without delay.

This alert sets out what has changed, which businesses are affected, and the immediate steps required to reduce enforcement risk.

What the DPA has changed – and when it takes effect

Argentina's personal data protection legislation has long recognised the rights of data subjects and imposed obligations on those who collect and process personal data. The framework predates the EU's General Data Protection Regulation (GDPR). However, the DPA has now issued updated compliance directives that expand its interpretation of existing rules in several material respects.

First, the DPA has clarified its position on consent mechanisms. A valid consent mechanism must be freely given, specific, and documented. Pre-ticked boxes and bundled consents are now explicitly identified as non-compliant. This position takes practical effect immediately – the DPA has already cited defective consent in several recent enforcement resolutions.

Second, the DPA has tightened its requirements for cross-border data transfers. Transfers to countries that Argentina does not recognise as providing adequate protection now require either express contractual safeguards or documented case-by-case authorisation. The DPA has indicated that it will apply these requirements to transfers already in progress, not only to new arrangements established after the directives were issued.

Third, the authority has reinforced the obligations of data processors. A data processor that operates under contract with a data controller is not shielded from direct scrutiny. The DPA can investigate the processor independently and issue sanctions where the processor has acted outside the scope of its mandate or failed to maintain required security standards.

Companies should treat the directives as currently operative. The DPA has not announced a formal grace period for correcting existing non-compliance.

Which businesses are affected – and the threshold criteria

The enforcement actions are not sector-specific. The DPA has opened investigations across financial services, e-commerce, healthcare, technology platforms, and business process outsourcing. Any entity that qualifies as a data controller or data processor under Argentine data protection legislation falls within scope.

For international companies, the jurisdictional reach is broad. An entity incorporated outside Argentina is nonetheless subject to Argentine data protection legislation if it processes personal data of Argentine residents – regardless of where the processing takes place. This extraterritorial dimension means that a European or US-headquartered company running a regional operation from Buenos Aires, or offering services to Argentine consumers online, is directly exposed.

The threshold criteria for heightened scrutiny include:

  • Processing sensitive personal data, including health, financial, or biometric information
  • Operating a database of Argentine residents registered – or required to be registered – with the DPA
  • Conducting cross-border data transfers to jurisdictions without an adequacy finding
  • Using third-party data processors without compliant data processing agreements in place
  • Receiving or responding to data subject access, rectification, or deletion requests

Companies that meet any of these criteria are already within the DPA's current enforcement focus. The risk is not theoretical – sanctions under Argentine data protection legislation include administrative fines and, in serious cases, suspension of processing activities.

Practitioners advising clients in Argentina note that the DPA has recently placed particular emphasis on database registration obligations. Many international companies are unaware that Argentine legislation requires formal registration of personal data databases with the authority. Failure to register is itself a sanctionable breach, separate from any substantive non-compliance. For companies considering how AI and technology regulation in Argentina intersects with personal data obligations, this registration requirement has direct implications for automated decision-making systems that rely on personal data inputs.

To receive an expert assessment of your data protection exposure in Argentina, contact us at info@ferrazwhitmore.com.

Immediate actions required for international companies

The absence of a formal grace period means that remediation must begin now. The following actions should be prioritised in the coming weeks.

Audit consent mechanisms. Review every point at which personal data is collected from Argentine residents. Confirm that consent is freely given, specific to the stated purpose, and recorded in a form that can be produced to the DPA on request. Replace any bundled, implied, or pre-ticked consent with compliant alternatives.

Map and document cross-border data transfers. Identify all transfers of personal data originating in Argentina to processors, affiliates, or service providers in third countries. For each transfer to a country without an adequacy determination, confirm that contractual safeguards are in place and documented. GDPR-standard clauses do not automatically satisfy Argentine requirements – local counsel should verify the adequacy of each arrangement.

Review data processing agreements. Where your company acts as a data controller engaging third-party data processors, confirm that written agreements govern the relationship and specify permitted processing activities, security standards, and breach notification obligations. The DPA's recent enforcement actions demonstrate that gaps in processor agreements create direct liability for both parties.

Verify database registration status. Confirm whether your company's personal data databases are required to be registered with the DPA under Argentine data protection legislation. If registration is overdue, obtain local legal advice on the voluntary disclosure and remediation options available before an investigation is opened.

Establish a data subject request protocol. Argentine legislation grants data subjects rights of access, rectification, and deletion. The DPA has cited failure to respond to these requests within required timeframes as a basis for sanctions. Implement or update internal procedures to ensure requests are identified, triaged, and answered within the legally prescribed period.

For detailed guidance on structuring a compliant data protection programme in Argentina, the firm's data protection practice in Argentina covers the full range of obligations applicable to international companies. Businesses navigating parallel enforcement risks in other jurisdictions may also find it useful to review the corresponding regulatory alert on data protection enforcement in the United States.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our team combines Portuguese civil law expertise with English common law tradition to deliver cross-border legal solutions in data protection, privacy regulation, and cross-border data transfer compliance. Engaging a lawyer in Argentina with cross-border experience is particularly important when enforcement directives apply simultaneously across multiple jurisdictions and legal systems. As a law firm in Argentina matters context, we advise international entrepreneurs, institutional investors, and in-house legal teams operating across civil law and common law systems in Latin America and Iberian markets. Our attorneys have advised data controllers and data processors on compliance programmes before the DPA and across equivalent authorities in Europe and the Americas. The firm's Lisbon base provides direct access to EU regulatory frameworks, while our Americas practice supports clients facing enforcement risk in Argentina and across the region. To discuss your situation, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.