diff --git a/docs/06-legal/retention-argentina.md b/docs/06-legal/retention-argentina.md new file mode 100644 index 0000000..f016d08 --- /dev/null +++ b/docs/06-legal/retention-argentina.md @@ -0,0 +1,108 @@ +# Retention · Argentina + +Regulatory baselines for video retention in Argentina. Used to set defaults in the first-boot wizard and to inform sales conversations. + +**Disclaimer**: This is a working summary, not legal advice. Customers must consult counsel for binding interpretation in their context. Document drafted for internal Blocao Labs use. + +## AAIP general guidance + +The **Agencia de Acceso a la Información Pública** (AAIP) is the federal data protection authority in Argentina, applying Ley 25.326 (Ley de Protección de los Datos Personales). + +**Key references**: + +- Ley 25.326 (Protección de Datos Personales). +- Resolución AAIP 4/2019 — guidance on video surveillance. + +**General principle**: video that captures identifiable people is personal data. Retention must be: + +- **Limited in time** to what's strictly necessary for the stated purpose. +- **Proportional** to the risk being addressed. +- **Documented** in a privacy policy / register of processing activities. + +**De-facto baseline**: 30 days is widely accepted as a starting point for general security purposes. Longer retention requires documented justification (insurance requirement, regulatory mandate, ongoing investigation). + +## CABA Ley 5.688 (Sistema Integral de Seguridad Pública) + +For the **City of Buenos Aires** specifically: + +- Public-space surveillance cameras: up to **60 days** retention permitted. +- Longer retention requires judicial authorization. +- Operated by the city or by the city under contract. + +For **private establishments** in CABA the AAIP general rule applies (~30 days default). The 60-day rule is for public-space cameras specifically. + +## BCRA standards (banking) + +The **Banco Central de la República Argentina** issues standards for the banking sector. For bank branches and ATMs: + +- Minimum **90 days** retention for camera footage. +- Specific positions (entrance, ATM, teller area) may have additional requirements. +- Audit trails for who accessed footage, with retention of those logs. + +Banks are usually the customers with the longest retention requirements in Argentina. + +## Other sectors + +- **Casinos / gambling**: provincial regulation, often 30-90 days. +- **Logistics / customs**: AFIP / customs authority may require specific retention for goods movement (typically 30-180 days). +- **Healthcare**: depends on jurisdiction; usually similar to general AAIP (30 days) plus medical record co-retention rules. +- **Education**: AAIP general; some provincial education ministries have specific guidance. + +## How Blocao maps these to wizard defaults + +In the first-boot wizard, when country = Argentina, the retention step offers: + +| Preset | Duration | Use case label | +|---|---|---| +| Conservadora | 14 days | Minimal retention; AAIP-compliant for low-sensitivity sites | +| **Estándar** (default) | **30 days** | General purpose; AAIP-aligned | +| CABA pública | 60 days | City of Buenos Aires public surveillance | +| BCRA bancaria | 90 days | Banking sector minimum | +| Personalizada | configurable | Set numeric value with justification | + +Selecting a preset writes: + +- `frigate.config.yml`: per-camera retention. +- `site-config` repo: retention policy with regulatory basis annotation. +- HEALTH selftest: tests verify retention is not exceeded (oldest clip date matches policy ±1 day). + +## Privacy notice / signage + +Argentine law requires conspicuous signage informing people they are being recorded. Blocao does **not** generate signage — that's a customer responsibility — but the documentation reminds customers and points to AAIP's signage templates. + +## Documenting purpose + +Every Blocao deployment should have a documented purpose: + +- "General security and theft prevention." +- "Compliance with [specific BCRA standard]." +- "Insurance documentation." + +The wizard prompts for this purpose during retention setup. The text is stored in the `site-config` repo as `purpose.md`. This serves as the start of a "registro de actividades de tratamiento" required by AAIP. + +## Subject access requests (DSAR) + +A person captured on Blocao footage can request: + +- Confirmation that they are recorded. +- A copy of their footage. +- Deletion (subject to legitimate-purpose exceptions). + +Blocao's FORENSICS panel makes this tractable: search by face/identity (post-MVP for face recognition), by time + location, export. + +The customer is responsible for handling DSARs. Blocao provides the tools. + +## When this changes + +AAIP and provincial regulators are actively updating guidance. Significant areas to track: + +- **Facial recognition specific rules** — already discussed in CABA, federal-level under consideration. +- **Cross-border data flow** — if AAIP follows the EU's Schrems II direction, this strengthens Blocao's sovereignty positioning further. +- **Retention period harmonization** — possible federal standardization in coming years. + +When new guidance lands, this document gets a new revision (commit history) and the wizard presets get updated via fleet-config. + +## See also + +- [`retention-eu.md`](retention-eu.md) — EU jurisdictions for comparison. +- [`../../decisions/0008-retencion-30d-default-argentina.md`](../../decisions/0008-retencion-30d-default-argentina.md) — the ADR setting the default.