Current regulatory context v/s Data Protection Bill
The bill substantially modifies the regulation applicable to the legal basis for the processing of personal data:
| Law 19,628 | Data Protection Bill |
|---|---|
| It establishes various legal basis that can be summarized in: (i) the law; and (ii) the consent of the data subject. In addition, it establishes that no authorization is required for the processing of personal data that (i) come from or are collected from sources accessible to the public; (ii) are of an economic, financial, banking or commercial nature; and (iii) are necessary for commercial communications of direct response or marketing or direct sale of goods or services, among others. | The catalogue of legal bases is extended. Consent is established as the general rule, and other legal basis are regulated, without the consent of the data subject, among which we can mention: (i) data related to economic, financial, banking or commercial obligations; (ii) execution or fulfillment of a legal obligation; (iii) execution or enforcement of a contract; (iv) satisfaction of legitimate interests of the data controller or a third party; (v) formulation, exercise or defense of a right before the courts of justice or public bodies. |
What is a legal basis for processing?
A legal basis for processing is a legal or contractual authorization that allows to carry out lawful processing of personal data. These derive from the principle of lawfulness, whereby data can only be processed lawfully.
In Law 19,628, the legal basis for processing were (i) the law and (ii) the consent of data subject Under the bill, new legal basis are regulated and introduced.
Which is the general rule regarding the lawfulness of data processing?
The Bill establishes that consent is the general rule for lawful data processing. The consent of the data subject must be free, informed and specific as to its purposes. In addition, consent must be expressed previously and unequivocally, through a verbal, written or expressed statement through an equivalent electronic means, or through an affirmative act that accounts for the data subject’s will.
What other legal basis are introduced?
The Bbll establishes other legal basis for processing of personal data, which allow the processing without requiring the consent of the data subject when:
- Processing is related to data on economic, financial, banking or commercial obligations.
- Processing is necessary for the performance or fulfilment of a legal obligation or as required by law.
- Processing is necessary to enter into, or perform, an agreement between the data subject and the party responsible, or to execute any pre-contractual measures upon the request from the data subject.
- Processing is necessary for the satisfaction of legitimate interests of the party responsible or of a third party, provided that this does not affect the rights and freedoms of the subject.
- Data processing is necessary for the formulation, exercise or defense of a right before the courts of law or a State instrumentality.
