January 03, 2025

Key Aspects of the Law
First, it is important to emphasize that all individuals or legal entities engaged in activities related to the processing of personal data are subject to the provisions of the Data Protection Law.

A priority for companies is to ensure that the ARCO-POL rights of data subjects (Access, Rectification, Cancellation, Opposition, Portability, the Right to Be Forgotten, and Limitation) are respected. This requires implementing accessible and effective mechanisms that allow individuals to exercise their rights whenever necessary. Additionally, it is essential for data subjects to be informed about who has access to their personal data and where it is stored.

Secondly, entities subject to this law must appoint a Data Protection Officer (DPO) within six months of the law’s enactment. The DPO will be responsible for managing and ensuring the exercise of ARCO-POL rights, handling data subject requests, and overseeing compliance with data protection regulations.

Regarding personal data-related activities, the following key elements should be highlighted:

Privacy Notices: These should be clear and concise documents explaining the terms and conditions for processing personal data. They may be physical or digital and must be provided to the data subject. If available on a website, they must include a notice about the use of cookies. In cases of security breaches, such as attacks or leaks, companies must notify the State Cybersecurity Agency (ACE), the Office of the Attorney General, and affected data subjects within 72 hours, detailing the compromised data and measures taken.

Informed Consent: Obtaining informed consent is critical. This may be granted verbally, in writing, or through unequivocal signs, depending on the nature of the data. However, for sensitive data processing, written consent from the data subject is mandatory.

For personal data processing, companies are required to comply with the standards established by the law and policies issued by the ACE. These policies will regulate operational aspects and ensure comprehensive data protection. Additionally, if companies transfer data to third parties, they must sign a contract meeting the law’s requirements, including the obligations established in the legislation. The ACE will provide additional guidelines for defining the formalities and conditions applicable to these operations.

Finally, it is crucial for companies and DPOs to be aware of the law’s infractions to avoid financial penalties ranging from one to forty times the minimum wage in the commercial sector. Awareness will enable preventive measures and ensure regulatory compliance, protecting both data subjects and the organization.

Actions Businesses Must Implement
Businesses must take necessary steps in the next six months to ensure full compliance with the Data Protection Law. The following priority actions are outlined:

  1. Appointment of a Data Protection Officer: It is essential to designate a trained DPO to lead the implementation of compliance processes. The DPO must execute concrete actions, such as managing ARCO-POL rights, supervising personal data processing, and serving as a liaison with relevant authorities.
  2. Drafting and Publishing a Privacy Notice: Companies must prepare a clear privacy notice in line with the law, detailing the terms and conditions of personal data processing. This document should be available on their website, digital platforms, or in physical format, ensuring accessibility to all users.
  3. Establishing Mechanisms for Informed Consent: Effective mechanisms must be defined and implemented to collect the explicit consent of data subjects. These should include processes for verbal, written, or unequivocal consent, as determined by the law.
  4. Facilitating ARCO-POL Rights: With the support of the DPO, companies must design and implement procedures enabling data subjects to efficiently exercise their ARCO-POL rights. This includes creating accessible systems for handling and resolving requests. Companies must also consider future ACE policies related to providing access to these rights.
  5. Continuous Monitoring of ACE Policies: Through the DPO, businesses must stay informed about complementary policies and regulations issued by the ACE. These guidelines will clarify specific processes and ensure updated compliance.

Developing training programs for personnel focused on proper data handling and compliance with the new law would also be beneficial.

These actions will enable businesses to align with the requirements of the Data Protection Law, avoiding potential violations or non-compliance that could result in financial or legal sanctions impacting their operations.


Torres Legal - Communications
