Argentina Personal Data Protection Act (PDPA)
About the PDPA
In agreement with the Argentine National Constitution, the Personal Data Protection Act 25.326 (PDPA) (Ley de Protección de los Datos Personales) was executed in 2000 to help protect the privacy of personal data, and to give individuals access to any information stored in public and private databases and registries. The Argentine Agency of Access to Public Information (Agencia de Acceso a la Información Pública, AAIP) within the Chief of Ministries' Cabinet is responsible for enforcing this law.
The PDPA aligns with the European legislative model for protecting data privacy, and Argentina was the first country in Latin America to achieve an 'adequacy' qualification for data transfers from the EU.
In 2016, the AAIP issued a new regulation, Provision 60-E/2016 (Spanish), governing cross-border transfers of personal data. Under the rule, it approved model forms (partly based on the data transfer model in the EU) for such transfers to data controllers and data processors.
Microsoft and the PDPA
Microsoft contractually commits through the Microsoft Online Services Terms that our in-scope business cloud services have implemented technical and organizational security safeguards that can help our customers comply with the Argentine Personal Data Protection Act (PDPA) 25.326. Microsoft also makes a data-transfer agreement available to help with compliance with Provision 60-E/2016, which regulates the cross-border transfer of personal data. This means that Microsoft customers can use Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 in a manner that complies with the PDPA in Argentina.
The technical and organizational security measures implemented in the business cloud services would also support other rules in the PDPA such as the prohibition of any secondary use of a data subject's personal data and the prohibition against the transfer of personal data to countries that do not offer an adequate level of protection.
The Microsoft data-transfer agreement is an amendment (Amendment ID M314) to the data processing terms in our Online Services Terms. It adds important commitments, including that Microsoft notifies the customer of any legally binding request to disclose personal data; will submit its data processing facilities to audit at the customer's request either by the customer or an independent third party; and will get prior written consent for the use of subcontractors.
Microsoft in-scope cloud platforms & services
Office 365 and the PDPA
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
|Commercial||Azure Information Protection, Bookings, Exchange Online, Exchange Online Protection, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Cloud App Security, Office 365 Groups, Office Delve, OneDrive for Business, Planner, Power Apps, Power BI for Office 365, PowerApps, Power Automate, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Yammer Enterprise|
How to implement
- Privacy in Microsoft Cloud Services: Get details on Microsoft privacy principles and standards and on privacy laws specific to Argentina.
- Azure data protection: Azure offers customers strong data security, both by default and as customer options.
Frequently asked questions
How has the GDPR changed the Personal Data Protection Act?
In late 2018, Argentina has not yet enacted GDPR-related regulations, but it has drafted a new data protection bill — already submitted to Congress by the Executive Power and under revision by the House of Representatives — to bring its data protection law into alignment with the GDPR. It addresses such differences as the definition of data subjects and concerns over the cross-border transfer of personal information.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.