Duties of the data controller: New obligations established by the Data Protection Bill.

Current regulatory context v/s Data Protection Bill

The Data Protection Bill makes up for one of the main deficiencies of Law 19,628: the absence of explicit duties for data controllers.

Law 19,628Data Protection Bill
There is no section in the law regulating the duties or obligations of data controllers, but certain general duties are set out by the law, such as the obligation to keep secret (Article 7).    The data controller has a series of generic and specific obligations. These include: (i) the duty of secrecy or confidentiality; (ii) the duty of information or transparency; (iii) the duty of protection by design and by default; and (iv) the duty to adopt security measures; among others.  

Duties of the data controller in the Data Protection Bill

The duties or obligations of the data controller involve all the actions that data controllers must fulfill with respect to the processing of personal data. The Data Protection Bill establishes and introduces major changes and innovations in this matter, since many of the duties of data controllers are now broader and relate to various matters.

A great novelty is the introduction of the principle of responsibility, by virtue of which those who process personal data will be legally responsible for compliance with the principles, obligations and duties according to the law.

These duties are present throughout the entire Bill, but especially in Title II, where certain obligations and duties of the data controller are more directly regulated.

General obligations of the data controller

The Bill establishes several “general” obligations for data controllers, among others:

  • Inform and make available to the data subject the background information that proves the lawfulness of the data processing it carries out.
  • Ensure that personal data is collected from lawful sources for specific, explicit and lawful purposes, and that its processing is limited to the fulfillment of these purposes.
  • Communicate or transfer personal data in accordance with the provisions of the law.
  • Eliminate or anonymize the data subject’s personal data when it was obtained for the execution of pre-contractual measures.
  • Comply with all the duties, principles and obligations of the law.


Specific duties

Additionally, the data controller must comply with a series of specific duties set out in the law, among other: (i) the duty of secrecy or confidentiality; (ii) the duty of information or transparency; (iii) the duty of protection by design and by default; (iv) the duty to adopt security measures; etc.

Duty of secrecy or confidentiality

The data controller is obliged to maintain secrecy or confidentiality of personal data concerning a data subject, except when the data subject has manifestly made such data public. This duty subsists even after the relationship with the data subject has ended.

Duty of information or transparency

The data controller must provide and keep permanently available to the public certain information indicated in the law for the fulfillment of this duty, including the rights of data subjects, the data controller’s contact details, among other.

Duty of protection by design and by default

The data controller must implement technical and organizational measures in order to comply with the principles and rights of data subjects established by law and to ensure that, by default, only personal data that is specific and strictly necessary for such activity is processed.

Duty to adopt security measures

The data controller must adopt the necessary measures to safeguard compliance with the security principle established in the law, considering the current state of the art and the costs of implementation, together with the nature, scope, context and purposes of the processing, as well as the likelihood of the risks and the seriousness of their effects in relation to the type of data processed.

Duty to report breaches of security measures to the Agency

Finally, data controllers must report to the Data Protection Agency, by the most expeditious means and without delay, any breaches of security measures that result in the accidental or unlawful destruction, filtering, loss or alteration of the personal data processed or its unauthorized communication or access, when there is a reasonable risk to the rights and freedoms of data subjects.

error: Contenido protegido