Files
wdmUI/docs/06-legal/retention-argentina.md
2026-05-09 18:45:50 +00:00

109 lines
5.1 KiB
Markdown

# Retention · Argentina
Regulatory baselines for video retention in Argentina. Used to set defaults in the first-boot wizard and to inform sales conversations.
**Disclaimer**: This is a working summary, not legal advice. Customers must consult counsel for binding interpretation in their context. Document drafted for internal Blocao Labs use.
## AAIP general guidance
The **Agencia de Acceso a la Información Pública** (AAIP) is the federal data protection authority in Argentina, applying Ley 25.326 (Ley de Protección de los Datos Personales).
**Key references**:
- Ley 25.326 (Protección de Datos Personales).
- Resolución AAIP 4/2019 — guidance on video surveillance.
**General principle**: video that captures identifiable people is personal data. Retention must be:
- **Limited in time** to what's strictly necessary for the stated purpose.
- **Proportional** to the risk being addressed.
- **Documented** in a privacy policy / register of processing activities.
**De-facto baseline**: 30 days is widely accepted as a starting point for general security purposes. Longer retention requires documented justification (insurance requirement, regulatory mandate, ongoing investigation).
## CABA Ley 5.688 (Sistema Integral de Seguridad Pública)
For the **City of Buenos Aires** specifically:
- Public-space surveillance cameras: up to **60 days** retention permitted.
- Longer retention requires judicial authorization.
- Operated by the city or by the city under contract.
For **private establishments** in CABA the AAIP general rule applies (~30 days default). The 60-day rule is for public-space cameras specifically.
## BCRA standards (banking)
The **Banco Central de la República Argentina** issues standards for the banking sector. For bank branches and ATMs:
- Minimum **90 days** retention for camera footage.
- Specific positions (entrance, ATM, teller area) may have additional requirements.
- Audit trails for who accessed footage, with retention of those logs.
Banks are usually the customers with the longest retention requirements in Argentina.
## Other sectors
- **Casinos / gambling**: provincial regulation, often 30-90 days.
- **Logistics / customs**: AFIP / customs authority may require specific retention for goods movement (typically 30-180 days).
- **Healthcare**: depends on jurisdiction; usually similar to general AAIP (30 days) plus medical record co-retention rules.
- **Education**: AAIP general; some provincial education ministries have specific guidance.
## How Blocao maps these to wizard defaults
In the first-boot wizard, when country = Argentina, the retention step offers:
| Preset | Duration | Use case label |
|---|---|---|
| Conservadora | 14 days | Minimal retention; AAIP-compliant for low-sensitivity sites |
| **Estándar** (default) | **30 days** | General purpose; AAIP-aligned |
| CABA pública | 60 days | City of Buenos Aires public surveillance |
| BCRA bancaria | 90 days | Banking sector minimum |
| Personalizada | configurable | Set numeric value with justification |
Selecting a preset writes:
- `frigate.config.yml`: per-camera retention.
- `site-config` repo: retention policy with regulatory basis annotation.
- HEALTH selftest: tests verify retention is not exceeded (oldest clip date matches policy ±1 day).
## Privacy notice / signage
Argentine law requires conspicuous signage informing people they are being recorded. Blocao does **not** generate signage — that's a customer responsibility — but the documentation reminds customers and points to AAIP's signage templates.
## Documenting purpose
Every Blocao deployment should have a documented purpose:
- "General security and theft prevention."
- "Compliance with [specific BCRA standard]."
- "Insurance documentation."
The wizard prompts for this purpose during retention setup. The text is stored in the `site-config` repo as `purpose.md`. This serves as the start of a "registro de actividades de tratamiento" required by AAIP.
## Subject access requests (DSAR)
A person captured on Blocao footage can request:
- Confirmation that they are recorded.
- A copy of their footage.
- Deletion (subject to legitimate-purpose exceptions).
Blocao's FORENSICS panel makes this tractable: search by face/identity (post-MVP for face recognition), by time + location, export.
The customer is responsible for handling DSARs. Blocao provides the tools.
## When this changes
AAIP and provincial regulators are actively updating guidance. Significant areas to track:
- **Facial recognition specific rules** — already discussed in CABA, federal-level under consideration.
- **Cross-border data flow** — if AAIP follows the EU's Schrems II direction, this strengthens Blocao's sovereignty positioning further.
- **Retention period harmonization** — possible federal standardization in coming years.
When new guidance lands, this document gets a new revision (commit history) and the wizard presets get updated via fleet-config.
## See also
- [`retention-eu.md`](retention-eu.md) — EU jurisdictions for comparison.
- [`../../decisions/0008-retencion-30d-default-argentina.md`](../../decisions/0008-retencion-30d-default-argentina.md) — the ADR setting the default.