In February 2025, the Agency for Access to Public Information (the “AAPI”) fined a pharmaceutical company for failing to obtain the data subject’s explicit and unequivocal consent, in violation of Law No. 25,326, Regulatory Decree 1558/01, and its complementary regulations (hereinafter, the “PDPL”).
A data subject filed a complaint alleging that he received phone calls from an unknown number identified as a pharmaceutical company. During these initial calls, the data subject was informed that he was part of a patient program run by the pharmaceutical company. He was further informed that there was a signed document in which he had provided his consent to participate in the program, and he was asked to give additional personal data to access the program’s benefits.
In response, the complainant emailed the company requesting access to his personal data held by the pharmaceutical company. Additionally, he requested a copy of the alleged signed consent and information about the conditions of the program, including whether providing personal information was a mandatory requirement to access the benefits. The company failed to respond to the request.
As a result, the data subject filed a complaint with the AAPI. In its defense, the pharmaceutical company argued that the program enrollment took place in 2011 through the complainant’s physician. According to the pharmaceutical company, the physician completed a form with the patient’s information and submitted it to the pharmaceutical company, after which the patient was contacted by phone.
The pharmaceutical company also argued that the complainant had maintained ongoing communications with a third-party company responsible for managing the patient program. It submitted records of phone calls between the patient and the company regarding the delivery of pharmaceutical products. The company also contended that the complainant’s receipt of pharmaceutical products over an extended period showed that he had voluntarily provided consent, which had remained valid for the past 10 years. On this basis, the company considered that it had fully complied with the PDPL.
After analyzing the case, the AAPI ruled that the pharmaceutical company had committed two serious infringements and one very serious infringement. These violations included processing sensitive personal data without the data subject’s proper consent, transferring the sensitive personal data without the appropriate authorization, and failing to respond to the access request within the legal timeframe.
The AAPI emphasized that the pharmaceutical company had failed to provide sufficient evidence demonstrating that it had obtained the complainant’s explicit and unequivocal consent for processing the personal data and for its subsequent transfer, thereby violating Articles 5 and 11 of the PDPL.
On this point, the AAPI further stressed that consent cannot be presumed or inferred from subsequent actions, such as receiving medications or interacting with a third-party company. Consent must be obtained in advance and must be explicit, informed, and unambiguous.
Additionally, although the defendant submitted a witness statement from an employee, the AAPI underscored that the only valid way to demonstrate consent is by showing that it was granted in writing or by another equivalent means. Other forms of evidence would be considered inconclusive and disregarded (Article 31, Section 3.e of Regulatory Decree No. 1558/01).
Finally, the AAPI also fined the company for violating Article 14 of the PDPL, which guarantees data subjects’ right to access their personal data, as the company failed to respond to the complainant’s request.
This case underscores the importance for companies handling personal data of maintaining clear and reliable records of consent granted and of implementing proper procedures for responding to data subjects’ requests, in order to demonstrate compliance with the PDPL.