The Agency for Access to Public Information – the supervisory authority of the Personal Data Protection Law (PDPL) (Law 25,326) – recently penalised Rappi Arg SAS, a company that provides delivery services, for failing to respond to a data removal request within the term provided for by the law.

The complainant, who was both a platform user and courier, claimed that a request to delete his personal data, which had been addressed to the company, had not been properly answered and that he had continued to receive advertising messages.

Among other defences, the company argued that, as a general rule, the data had been kept to comply with different legal obligations and that it reserved the right to keep personal data for 10 years in accordance with the Civil and Commercial Code.

The agency decided that Rappi had infringed the PDPL – specifically, Article 16 thereof – given that the information had not been deleted when it ceased to be relevant for the purposes that motivated its collection and that the deletion request had not been adequately addressed. Consequently, the agency imposed a fine of Ps80,000 (approximately $808).

In light of this decision, companies in Argentina should pay attention to the deadlines pertaining to data requests. Specifically, the deadline to answer access requests is 10 calendar days, while the deadline to answer requests relating to data updates, modifications, deletions and confidentiality treatment is five business days.