Allende & Brea – Estudio Jurídico

This report cannot be considered as legal or any other kind of advice by Allende & Brea. For any questions, do not hesitate to contact us.

Argentina: A court ruling sets a liability standard for failure to comply with the duty to safeguard personal data

On September 11, 2025, Division Chamber D of the National Court of Appeals in Commercial Matters issued a ruling in the case “Valdez, Claudia Graciela v. FCA S.A. de Ahorro para Fines Determinados et al. s/ ordinary proceedings,” holding a company liable as a consequence of a data breach.

The plaintiff was the victim of a scam carried out by third parties who, using detailed information about her savings plan, induced her to transfer funds to an unrelated account. Accordingly, she filed a complaint against the administrator of said plan and the car dealership that acted as its agent. The District Court dismissed the claim on the grounds that it had not been proven that the fraud originated in a data breach attributable to the defendants. The plaintiff appealed the decision, giving rise to the ruling discussed here.

The Court of Appeals looked at the case through the doctrine of false representation, noting that companies are not responsible for the actions of individuals pretending to be their agents, unless the company itself played a role in enabling that misrepresentation.

In this case, the judges highlighted that the scammers were neither employees nor former employees of the defendants, and there was no evidence of improper disclosure by the plaintiff. The conclusion: the fraud most likely resulted from unauthorized access to data managed by the savings plan administrator.

The Court pointed to Resolution No. 8/2015 of the Public Registry of Commerce, which requires these entities to maintain a Register of Awarded Contracts, stressing that custody of this register must be safeguarded against improper access. In doing so, the Court tied this obligation to Article 9 of the Personal Data Protection Law, which imposes on controllers the duty to adopt adequate technical and organizational measures to ensure data security.

The Court held that, in the event of a data breach, the controller may only be exempt from liability if it demonstrates that the incident was due to an external event akin to force majeure. Effectively, the ruling sets a strict liability regime for data controllers whenever personal data under their custody is compromised.

In this specific case, the administrator of the savings plan, who also acted as data controller, made no attempt to prove that it had adopted adequate measures to prevent unauthorized access to the plaintiff’s data. As a result, it could not rely on force majeure as a defense. The Court therefore held the defendant strictly liable for the harm, though it limited damages to half of the requested amount in light of the plaintiff’s own role in enabling the fraud.

As for the dealership, sued as an agent of the savings plan company, the Court held that such status was not enough to share liability for a breach that, in any case, the controller alone was responsible for preventing.

This ruling in particular highlights that a standard could take shape under which data controllers in Argentina are subject to a strict liability regime in the event of a data breach, although it is not yet clear whether this approach will be adopted by other courts.

The full text of the ruling in Spanish can be found here.
