Argentina Data Privacy
Argentina’s Personal Data Protection Law No. 25,326, including Executive Order No. 1558/2001 and supplementary regulations (“PDPL”) is an Argentine federal law that applies to the protection of personal data in Argentina and when personal data is transferred internationally for processing. In July 2018, the Argentine Data Protection Authority (Agencia de Acceso a la Información Pública, “ADPA”) issued Resolution 47/2018 (“Resolution 47”) under the PDPL, which repealed Disposition No. 11/2006 related to security measures that data controllers (i.e., AWS customers) needed to consider when processing personal data. Resolution 47 describes new, recommended security measures that are aligned with international best practices and standards, and aimed to protect the confidentiality and integrity of personal data during its processing – from data collection to data deletion. In particular, this new resolution updated the list of measures and controls recommended to manage, plan, control, and improve the security when processing personal data. These recommended security measures are divided by categories of processing related activities, including data collection, access controls, change controls, backup and recovery, vulnerability management, data removal or deletion, security incidents, and development environments. Furthermore, Resolution 47 includes a list of security measures applicable to “sensitive data” (as defined in the PDPL).
AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customers’ data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.
AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.
For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.
These comprehensive AWS technical and organizational measures are consistent with the goals of the PDPL, and Resolution 47 under the PDPL, to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.
As AWS does not have meaningful visibility as to what type of content the customers choose to store in AWS, including whether or not that data is deemed subject to the PDPL, customers are ultimately responsible for their own compliance with the PDPL and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you process personal data in international data centers.
What is the customer’s role in securing their content?
Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-premises data center. Customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
- Security measures that AWS implements and operates – "security of the cloud", and
- Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services – "security in the cloud"
Who can access customer content?
Customers maintain ownership and control of their customer content and select which AWS services process, store and host their customer content. AWS does not have meaningful visibility into customer content and does not access or use customer content except to provide the AWS services selected by a customer or where required to comply with the law or a binding legal order.
Customers using AWS services maintain control over their content within the AWS environment. They can:
- Determine where it will be located, for example the type of storage environment and geographic location of that storage.
- Control the format of that content, for example plain text, masked, anonymized or encrypted, using either AWS provided encryption or a third-party encryption mechanism of the customer’s choice.
- Manage other access controls, such as identity access management and security credentials.
- Control whether to use SSL, Virtual Private Cloud and other network security measures to prevent unauthorized access.
This allows AWS customers to control the entire life-cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention and deletion.
Where will customer content be stored?
AWS data centers are built in clusters in various countries around the world. We refer to each of our data center clusters in a given country as a "Region."
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
How does AWS secure its data centers?
The AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.
To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.
Learn more about how we secure AWS data centers by design by taking a virtual tour »
Which AWS Regions can I use?
Customers can choose to use any one Region, all Regions or any combination of Regions, including Regions in Brazil and the United States. Visit the AWS Global Infrastructure page for a complete list of AWS Regions.
The Argentine Data Protection Authority has determined that certain countries provide an “adequate level of protection” for personal data. Does AWS have Regions in any of these countries?
Under the PDPL, data controllers (i.e., AWS customers) are permitted to transfer personal data to jurisdictions that offer an “adequate level of protection” for personal data, as determined by the ADPA. According to Disposition 60-E/2016 published by the ADPA, the member states of the European Union (EU) and European Economic Community (EEC) are considered to offer adequate levels of protection to personal data.
AWS has Regions in many of the countries that the ADPA has found to provide an “adequate level of protection” under the PDPL, such as Germany, France, the UK and Ireland in the EU. Visit the AWS Global Infrastructure page for a complete list of AWS Regions.
Regardless of which Region you choose, AWS applies the same security standards to its data centers.
What international data transfer agreements does AWS offer to address protection of personal data transferred to any country, including Brazil and the U.S.?
In its agreements with customers, AWS makes specific security and privacy commitments that apply broadly to customer content in each Region the customer chooses to store its data. The commitments AWS makes are consistent with the goals of the PDPL, Disposition 60-E/2016 and Resolution 47/2018 under the PDPL to protect personal data.
AWS also offers an international Data Processing Addendum (DPA), also referred to as a data transfer agreement, which applies globally and includes specific contractual commitments to adequately address the roles and obligations of each party with respect to the privacy and security of personal data.
Customers may also have the option to enroll in an Enterprise Agreement with AWS, which may be further tailored to best suit specific customer needs. For additional information on AWS Enterprise Agreements or the DPA, please contact your AWS sales representative.