New guidelines for binding corporate rules (BCR) – Argentine Agency of Public Information
Resolution N° 159/2018 from the Argentine Agency of Public Information (“AAPI”) has been recently published in the Official Gazette. This Resolution implies new guidelines and basic contents for binding corporate rules (“BCR”).
The principal aim of the AAPI implies the establishment of certain basic rules for the design of the policy documents regarding company self-regulation of the same economic group for international personal data transfers. In other words, the Resolution provides in Annex I a reference document to design BCR.
In this way, every company that executes international data transfers to jurisdictions with non-adequate levels of protection, and have celebrate self-regulation rules in order to justify the transfer, must submit this rules before the AAPI for approval. The submission has to be done within 30 days following once the data transfer is executed.
In this context, the guidelines for the creation of binding corporate rules are the following:
On the one hand, with respect to the document´s characteristics, the Resolution establishes that the rules shall be mandatory and demandable for all the companies that integrate the economic group, their employees, subcontractors and third party beneficiaries (through specific clauses). In addition, the rules should provide judicial and administrative remedies.
On the other hand, the Resolution settles certain minimum contents for the drafting of the document, which are going to be interpreted according to Law N° 25,326 or amendments. The minimum contents are:
o Lawfulness of the data processing;
o Purpose of the data processing;
o Data accuracy;
o Security and confidentiality;
o Data subjects rights: access, rectification, updating and suppression;
o Restrictions on further transfers to third countries without adequate legislation.
• Specific protection due to sensitiveness of the matter:
o Prohibition to process sensitive data, except as required by law or with the prior consent of the data subject;
o Right of the data subject to be excluded from direct mail listings not consented;
o Right of the data subject to oppose being the subject of a decision based on automated processing of personal data that produces pernicious legal effects or affects it significantly in a negative way.
o Non-conformation of criminal and/or contravention records and prohibition to transfer third parties except with the consent of the data subject.
• Third party beneficiaries’ assignment: data subjects and the AAPI shall be assigned irrevocably as third party beneficiaries and through specific clauses for the exercise of their rights.
• Data subject rights: adequate recognition and design of procedures.
• Jurisdiction: the right to initiate a legal and administrative claim on the data subject´s jurisdiction must be respected.
• Responsibility: all the data processing companies shall be liable ahead of the data subject and the supervisory authority.
• Supervisory authority: in case international data transfers between companies from the same economic group take place, the AAPI may take action when the company that exports the data is located in Argentina.
• Guarantee commitment and justified explanation: guarantee and justify that self-regulation rules are applicable and demandable to all the companies from the economic group by the data subject and the AAPI.
• Training: it must be foreseen a continuous training of the employees assign for data processing activities.
This new dispositions related to BCR imply (with no doubt) good news for all the companies that operate in the region.
For further information on this topic please contact Pablo A. Palazzi