Skip to main content

Supermarket chain fined for breach of data security duty


Argentina’s data protection authority, the Agency of Access to Public Information, i.e. the controlling authority pursuant to Data Protection Law No. 25,326, sanctioned Cencosud S.A. for breaching the security duty established in the Personal Data Protection Law No. 25.326 (“PDPL”).

The facts are as follows. In November 2020 the DPA became aware of a security breach in Cencosud’ s computer systems, as a result of a computer attack known as “Egregor ransomware”.

During the investigation, the DPA also found out a second security incident by which Cencosud clients received fraudulent emails aiming at deceiving users and obtaining additional personal data from them.

Therefore, the DPA requested Cencosud to confirm the occurrence of the security breach and, in the affirmative,

  1. to detail the measures adopted by the company to mitigate any damages and in order to avoid future incidents;

  2. to report if there was indeed a leak of personal data of Argentine data subjets;

  3. to explain the measures adopted in order to guarantee the security and confidentiality of the data; and

  4.  to report the existence of ongoing judicial or criminal procedures related to the occurrence of the incident.

Cencosud replied and stated that it effectively suffered a malware that had slightly affected its Argentine infrastructure, confirming there was no damage. In addition, the company declared to have implemented new measures for vulnerability management.

The DPA considered Ceconsud’s response to be insufficient, noticing that the company did not implement the necessary security measures in order to prevent and manage security incidents recommended under the Resolution No. 47/2018, and article 9 of the PDPL.

On this basis, the DPA imposed a monetary fine of AR$ 290,000 for

  1. not having taken the preventive technical and organizational measures in order to guarantee its security duty, and not having taken the necessary corrective measures to guarantee the duty of security; and

  2. not having communicated to its clients that they could be victims of personal data leaks on either occasion. The decision was included in the Registry of Infringers to the PDPL.

Article provided by INPLP member: Diego Fernandez (Marval O’Farrell Mairal, Argentina)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.