South America

Global Privacy Regulations


BDO Local Resources

Joelys Gonzalez-Mendez | Email | Phone

Law: Personal Data Protection Act, Act No. 25.326 of 2000, Argentinian Constitution and Regulatory Decree 1558/2001

Regulator: Dirección Nacional de Protección de Datos Personales (English: National Directorate for Personal Data Protection)

Adequacy Agreement with GDPR: Yes

Measures Announced


The primary law in Argentina is the Personal Data Protection Act, Act No. 25.326 of 2000. However, the Argentinian Constitution, Regulatory Decree 1558/2001 (‘DP Decree’), and provisions issued by the National Directorate for Personal Data Protection (‘NDPDP’) are also part of Argentina’s data privacy landscape.

Legislatively, there have not been any substantial changes made to Argentina’s current data privacy laws. Argentina attempted to draft a new data protection law following the passage of the GDPR; however, sweeping legislative changes have yet to occur.

In 2018, the Argentine Executive Branch proposed a draft privacy bill to replace the current Personal Data Protection Act, Act No. 25.326 of 2000.[1] The purpose of the Bill was to update the current legislation to align with contemporary international standards. This bill would be an important tool for the country to maintain its adequacy standard. In 2020, the Bill lost its parliamentary status, and therefore, Congress cannot discuss it.[2]

Even with the loss of parliamentary status, the Argentinian Data Protection Authority (‘AAIP’) has not been discouraged from updating Argentina’s data privacy landscape. The AAIP regularly updates the practical application and interpretation of the Data Protection Act through several dispositions and resolutions.

Data Protection Authority Focus

The AAIP aims to fill in legislative gaps in the current Data Protection Act through dispositions and resolutions.

The Agency does not regularly take on enforcement actions. However, it periodically conducts audits and imposes sanctions every week[3]. Most of these sanctions are for failure to register or renew a database registration. Others pertain to unauthorized data processing, failure to provide access to, rectification of, or suppression of the data subject’s personal data, failure to provide notice of the purpose of data collection, and failure to follow data protection rules.

The AAIP also places an emphasis on legal opinions, which are issued yearly. The purpose of issuing these opinions frequently includes helping relevant parties understand how the Agency interprets data protection laws.





BDO Local Resources

Toni Hebert | Email | Phone

Law: Lei Geral de Proteção de Dados Pessoais (LGPD) – Brazilian Data Protection Law

Data Protection Authority: Autoridade Nacional de Proteção de Dados – Brazilian Data Protection Authority (ANPD)  

Adequacy Agreement with GDPR: No

Measures Announced


The LGPD passed in 2018 and went into effect in 2020. Enforcement began on August 1, 2021.

The comprehensive law covers the activities of data controllers and processors. The law requires companies to:

  • Appoint a Data Protection Officer.
  • Conduct Data Protection Impact Assessments (‘DPIAs’).
  • Notify individuals of a data breach.
  • Evaluate data transfers and the adequacy of third-country company controls.

On August 10, 2021, the President of Brazil appointed the board members and surrogates of the ANPD’s National Council for the Protection of Personal Data and Privacy (‘CNPD’).

The LGPD plays a significant role for the ANPD. The ANPD ensures that personal data is protected under the LGPD (Article 55-J-I) and is responsible for technical opinions and guidance (Article 55-J-XX), education (Article 55-J-VI), enforcement (Article 55-J-IV), complaint handling (Article 55-J-V), international facilitation (Article 55-J-IX), and drafting and updating rules and regulations (Article 55-J-XIII)[1].

Brazilian companies focus on the improvement of their data governance environments, which were previously non-existent for many of them.

Data Protection Authority Focus

The ANPD has not yet issued guidance to companies, but under Articles 9 and 6(IV) of the LGPD data subjects have the right to be informed concerning the processing of their personal data. However, the timing is unclear. Generally, data subjects have a right to access the specific purpose of the processing, which includes:

  • type and duration of the processing.
  • identity and contact information of the data controller.
  • data shared by the controller and the purpose for sharing.
  • data subject’s rights, which are outlined in Article 18.

When a company changes the purpose of processing, consent is required under Articles 7 and 11 if the processing is not consistent with the original intent. Data subjects must be informed of these changes and have the right to revoke consent if they disagree with the new purpose (Articles 8(6) and 9(2)).

Under Article 18 of the LGPD, the data subject can receive:

  • confirmation of the existence of processing.
  • access to the data.
  • information about public and private entities with which the controller has shared data.
  • information about the possibility of denying consent and the consequences of such denial.

Data subjects also have a right to correct incomplete, inaccurate, or outdated information (Article 18(III)), and the data controller must notify the data subject of these corrections.

Interestingly, the LGPD does not explicitly require identity verification before fulfilling data subject requests, nor does the LGPD require companies to comply within a specified timeframe.

With the development of the CNPD, we believe that the LGPD will continue to evolve, and enforcement actions will continue to increase.

[1] Centre for Information Policy (CIPL) and Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (CEDIS-IDP), The Role of the Brazilian Data Protection Authority (ANPD) under Brazil’s New Data Protection Law (LGPD), April 2020


BDO Local Resources

Paula Giraldo Gutierrez | Email | Phone

Law: Disposiciones Generales para la protección de datos personales, Statutory Law 1581 of 2012, Decree 1377 of 2013

Regulator(s): Colombian Data Protection Authority (‘SIC’)

Adequacy Agreement with GDPR: No

Measures Announced


On 16 July 2021, the Ibero-American Data Protection Network (‘RIPD’) announced that SIC updated the implementation guide for international transfers of personal data. The guide contains specialized recommendations on cross-border data transfers concerning the rights of data subjects whose information is sent to third countries. The goal of the update is to improve the guide’s content and to take into account Implementing Decision (EU) 2021/914 regarding standard contractual clauses (‘SCCs’) for the transfer of personal data to third countries.

The updates recommend that companies:

  • Incorporate privacy, ethics, and security by design and default into their practices.
  • Carry out Privacy Impact Assessments before transferring data to a third country.
  • Ensure compliance with accountability obligations.
  • Articulate in a contract the accountability mechanisms that are specific to each transfer.
  • Establish accountability measures when transferring data.
  • Replicate proactive measures for the processing of data for international transfers of personal information.

The RIPD implemented SIC Facilita, an alternative dispute resolution mechanism between data controllers and data subjects. SIC Facilita is a virtual tool in which the SIC acts as a facilitator to allow data subjects and controllers to reach agreement on claims. The SIC highlights the following benefits of SIC Facilita:

  • Resolve data privacy complaints quickly.
  • Reduce costs, resources, and human capital associated with resolving data privacy complaints.
  • Reduce risks for organizations to resolve judicial or administrative conflicts over data subject rights.
  • Increase levels of satisfaction and trust between the data subject and the company.

Data Protection Authority Focus

The SIC ensures the protection of consumers’ rights and is responsible for ‘inspecting, monitoring, and controlling market agents so that the rights and interests of consumer are not violated when the commercial exchange has been made’[1].

The focus of SIC is to investigate complaints and violations of Colombian data subjects’ data privacy and data protection rights and to ensure the protection of consumers’ rights. The primary focus of the SIC is on the protection of consumers from health and safety hazards, access to personal information, education, freedom to build consumer organizations, and the protection of children’s data[2].

[1] Superintendencia de Industria y Comercio, International Community, Consumer Protection

[2] Ibid.


BDO Local Resources

Simone Mitil | Email | Phone

Law: Law No. 81 on Personal Data Protection 2019

Regulator: National Authority for Transparency and Access to Information ('ANTAI')

Adequacy Agreement with GDPR: No

Measures Announced


Law No. 81 on Personal Data Protection 2019 entered into force on 29 March 2021. In July 2021, the Executive Decree, which governs Panama's personal data protection principles, rights, obligations, and procedures, was passed. The Law provides for consent procedures, responsibilities for cross-border data processing originating in Panama, and a Personal Data Protection Council.

The National Constitution of the Republic of Panama ('the Constitution') is another law regulating personal data protection. The Constitution outlines the right to the privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, and the right to correct, rectify, and delete personal data.

Data Protection Authority Focus

In November 2020, the National Authority of Transparency and Access to Information (‘ANTAI’) joined the Ibero-American Data Protection Network (‘RIPD’). Panama is one of the first countries in Central America to have a personal data protection law.

Since the passing of the Executive Decree, Panama has focused on topics such as:

  • Legal conditions for data processing
  • Consent
  • Regulator obligations
  • Data breach notifications
  • International data transfers