Progress is being made on the regulation of the model for the prevention of personal data protection infringements
News, 11 September 2025
New regulation will strengthen data protection compliance and make organisations more accountable
- Decree N°662/2025 of the Ministry of Finance is in the process of being registered with the Office of the Comptroller General of the Republic. This decree approves the regulations governing the requirements, modalities and procedures for the implementation of the infringement prevention model provided for in Article 49 of Law No. 21.719 incorporated into Law No. 19.628.
- This regulation deepens the requirements established in the Law, providing concrete guidelines for organisations to design and implement compliance programmes aimed at preventing infringements in the processing of personal data.
Some of the key aspects developed in the decree are the following:
- Register of Processing Activities (RAT): establishes a mandatory minimum content that includes data categories, lawfulness bases, identification of sensitive data, sources of origin, international transfers, retention periods and the existence of automated decisions.
- Risk matrix: requires the identification and prioritisation of the processing activities with the highest probability of infringement, also considering the graduation of sanctions provided for in the law.
- Personal Data Protection Delegate: details functions, suitability requirements, guarantees of independence and provision of resources. The delegate may be dependent on the data controller or perform his or her functions by virtue of a service contract. The same person may even perform this role for several controllers.
- Protocols and internal rules: documentation should be drawn up taking into account the processing operations carried out, the amount and type of data processed, the associated risks and the characteristics of the entity, including its size and economic capacity.
- Reporting and whistleblowing mechanisms: there should be expeditious and permanent channels for reporting compliance or infringements. The programme should also contemplate reporting to the authority or to the licensees, in addition to self-reporting to the Agency. Internally, direct reporting to the delegate is incorporated, ensuring the confidentiality of the complainant's identity.
- Certification and expiry: it defines the certification procedure, with a three-year validity, grounds for revocation and a public register that will provide transparency in compliance.
- Internal regulation: the obligations generated by the model must be incorporated in employment contracts, service provision contracts and, where appropriate, in internal regulations, complying with the requirements of the Labour Code.
- Dissemination and supervision: the model must be known by all members of the organisation and will be subject to supervision by the Agency, which may require information, verify its implementation and, if appropriate, revoke certification.