What are the infringements and penalties under the new Data Protection Law? How are infringements and penalties graded, and how are the amounts of fines determined? What penalties does your organization face if it does not comply with the new regulation on personal data?
Find out how the new Data Protection Law sets forth these infringements and what penalties they entail.
Law No. 19,628 vs. New Data Protection Law
The new regulation will represent a paradigm shift with respect to the level of effective enforcement of legal obligations related to personal data. Below is a brief comparative chart with the main new features and the impact that the new regulation will have:
Law 19,628 | Data Protection Bill |
---|---|
1) Fine of 1 to 10 Monthly Tax Units (Unidades Tributarias Mensuales or “UTM”) (78 to 780 USD, approx.), or 10 to 50 UTM (780 to 3,900.00 USD, approx.) in the case of financial or banking data. 2) No catalog of offenses is established. 3) Fine determined by a civil court judge. | 1) A catalog of infractions is established, which classifies them as minor, serious and very serious. 2) Penalties range from a written warning to a maximum of UTM 20,000 (USD 1,393,180.00, approx.). 3) Mitigating and aggravating circumstances of responsibility are set forth. 4) There are several criteria that the Data Protection Agency (the “Agency”) must apply prudently when determining the amount of a fine. 5) Accessory penalties are established in case of repeated very serious infringements. 6) A National Registry of Sanctions and Compliance will be created. |
Infringements of the Data Protection Bill
One of the most important changes in the new Data Protection Law is the complete restructuring of the system of infringements and of the way in which the corresponding penalties will be imposed by the future supervisory authority, i.e., the Agency.
Under the new law, there are three categories of infringements:
- Minor infringements
- Serious infringements
- Very serious infringements
By way of illustration, conduct such as fully or partially failing to comply with the duty of information and transparency, failing to respond to requests made by the data subject in accordance with the law, or lacking an individualized postal address, mail or equivalent electronic means of communication with the data controller, among others, is considered a minor infringement (Article 34 bis).
On the other hand, processing personal data without the data subject’s consent or without a background or legal basis that makes the processing lawful, or communicating or transferring personal data without the consent of the data subject, among others, constitutes a serious infringement (Article 34 ter).
Finally, conduct such as processing personal data fraudulently, maliciously using the data for a purpose other than that consented to by the data subject or provided for in the law authorizing the processing, or knowingly carrying out international data transfer operations in contravention of the provisions of the law, among others, is a very serious infringement (Article 34 quater).
Penalties
- Minor infringements are punished with a written warning or a fine of up to 5,000 UTM (348,230.00 USD, approx.).
- In turn, serious infringements are punished with fines up to 10,000 UTM (697,000.00 USD, approx.).
- Finally, very serious infringements are punished with fines up to 20,000 UTM (1,393,180.00 USD, approx.).
The new law stipulates that the Agency will indicate the measures needed to remedy the causes that led to the sanction and that, if they are not adopted within 60 days, a 50% surcharge will be imposed on the fine, without prejudice to the provisions regarding infraction prevention models.
Furthermore, in cases of recidivism, the Agency may impose a fine of up to three times the amount assigned to the committed infraction. Except in the case of smaller companies, if a company repeats a serious or very serious infraction, the fine may reach the higher of the following: (i) a fine of up to three times the amount assigned to the committed infraction, or (ii) up to 2% or 4% of the annual revenue from sales and services and other business activities in the last calendar year, depending on whether the infractions are serious or very serious, respectively.
Determination of the amount of fines
While under the current Law 19,628 penalties may rise to a maximum of 10 UTM (780 USD, approx.) or 50 UTM (3,900.00 USD, approx.) (depending on whether the data are of an economic nature), under the new Data Protection Law the amount of the fine will depend, among others, on the following factors: (i) seriousness of the conduct; (ii) mitigating or aggravating circumstances of liability that may be present in relation to the sanctioned conduct; (iii) number of data subjects affected; (iv) economic capacity of the infringer.
Accessory penalties
The Agency will be entitled to impose, as an accessory penalty to the fines, the suspension of the data processing operations and activities carried out by the data controller, for a term of up to 30 days, which may be extended if the data controller does not adopt the necessary measures to comply with the requirements set forth by the Agency.