Supermarket chain fined for breach of data security duty


Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data Protection Law No. 25,326, sanctioned Cencosud S.A. for breaching the security duty established in the Personal Data Protection Law No. 25.326 (“PDPL”).

The facts are as follows. In November 2020 the DPA became aware of a security breach in Cencosud’ s computer systems, as a result of a computer attack known as “Egregor ransomware”.

During the investigation, the DPA also found out a second security incident by which Cencosud clients received fraudulent emails aiming at deceiving users and obtaining additional personal data from them.

Therefore, the DPA requested Cencosud to confirm the occurrence of the security breach and, in the affirmative,

  1. to detail the measures adopted by the company to mitigate any damages and in order to avoid future incidents;

  2. to report if there was indeed a leak of personal data of Argentine data subjets;

  3. to explain the measures adopted in order to guarantee the security and confidentiality of the data; and

  4.  to report the existence of ongoing judicial or criminal procedures related to the occurrence of the incident.

Cencosud replied and stated that it effectively suffered a malware that had slightly affected its Argentine infrastructure, confirming there was no damage. In addition, the company declared to have implemented new measures for vulnerability management.

The DPA considered Ceconsud’s response to be insufficient, noticing that the company did not implement the necessary security measures in order to prevent and manage security incidents recommended under the Resolution No. 47/2018, and article 9 of the PDPL.

On this basis, the DPA imposed a monetary fine of AR$ 290,000 for

  1. not having taken the preventive technical and organizational measures in order to guarantee its security duty, and not having taken the necessary corrective measures to guarantee the duty of security; and

  2. not having communicated to its clients that they could be victims of personal data leaks on either occasion. The decision was included in the Registry of Infringers to the PDPL.


Article provided by INPLP member: Diego Fernandez (Marval O’Farrell Mairal, Argentina)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.