Decree No. 662/2025 approving the regulations for the implementation of a model for the prevention of personal data breaches, which is in the process of being submitted to the Office of the Comptroller General of the Republic.

Decree No. 662/2025 of the Ministry of Finance, dated June 13, 2025, on models for the prevention of personal data infringements, is currently before the Office of the Comptroller General of the Republic for the "toma de razón" procedure, the preventive legality review that this institution performs on administrative acts.

Once the decree has been acknowledged, it will be published in the Official Gazette and will complement Law No. 21,719.

This Regulation establishes the requirements, modalities and procedures for the implementation, certification, registration and supervision of the Infringement Prevention Models regarding personal data.

A breach prevention model is a personal data protection compliance program that data controllers may voluntarily adopt. It is composed of instruments that together serve as a tool for the responsible management of the risks associated with the processing of personal data.

The elements to be considered in the Infringement Prevention Model are:
– Individualization of the data controller.
– Register of Processing Activities (“RAT”): constitutes the central mechanism for the identification and characterization of all personal data processing activities carried out by the controller.
– Designation of a Data Protection Officer, defining his or her powers in accordance with the requirements of the Regulation.
– The characterization of the personal data that the controller processes, the categories of personal data and databases they manage, and the characterization of the processing operations performed by
– The identification of the entity’s data processing activities or processes, whether habitual or sporadic.
– Protocols, rules and specific procedures that allow the persons involved in the entity’s treatment activities or processes to program and execute their tasks or work in a way that prevents the commission of the aforementioned infractions.
– The mechanisms for internal reporting on compliance or the commission of breaches of the rules applicable to the protection of personal data.
– The internal administrative sanctions and sanctioning procedures applicable for the violation of the provisions of the rules applicable to the processing of personal data or the provisions of the compliance program.
– The internal complaint mechanisms for the commission of violations of the rules applicable to the processing of personal data, before the delegate.

The Personal Data Protection Officer is mandatory only when a compliance program is adopted and certified. The officer may be either dependent on or independent of the entity.

With respect to his or her functions, the delegate must advise on regulatory compliance, participate in the preparation of the compliance program, as well as communicate breaches and act as an intermediary with the Personal Data Protection Agency.

The Regulations also describe the process of certification, registration and supervision of the Model.

The Agency may certify those Models that comply with the requirements of the Law and the Regulations.

The certification procedure is initiated at the request of the interested party, and must be processed in accordance with Law No. 19,880, and a subsequent general instruction from the Agency.

Once its conformity has been accredited, the certified Model must be registered in the National Registry of Sanctions and Compliance, identifying the responsible party, its legal representative, and the date and term of validity of the certification. The certification will be valid for three years.

The Agency may revoke the certification if the requirements established by the Law and the Regulations are not complied with, including the application of penalties for infringement.
