Global Data Privacy Guide

Uruguay

(Latin America/Caribbean) Firm Guyer & Regules

Contributors Sofía Anza

Updated 01 Mar 2022
What is the key legislation?

Law N° 18.331 (“Law”) dated August 11, 2008, and its regulatory Decree N° 414/009 dated August 31, 2009, established a general legal framework in Uruguay with the purpose of ensuring the fundamental right to the protection of personal data and to privacy.

Further, Law N° 19.670 (articles 37 to 40) (“LRC”) dated October 15, 2018, and its regulatory Decree No. 64/020 dated February 21, 2020, introduced certain changes in relation to data protection matters, such as the extraterritorial scope of the Law, and imposed additional obligations on those responsible for databases or their processing.

In 2021, some regulatory changes were enacted, including a new regulation on biometric data (Law No. 19,924 of December 18, 2020), amending Law No. 18,331, defining this type of data and legally establishing the obligation to carry out data protection impact assessments.

In addition, the European General Data Protection Regulation (“GDPR”) could be applicable to entities located in Uruguay, due to its extraterritorial scope of applicability, provided the scenarios described in the GDPR occur.

Note: In order to supervise compliance with the said regulatory framework, the Law created the Personal Data Regulatory and Control Unit (“URCDP”).

What data is protected?

All types of information related to individuals or legal entities are protected.  

Notes: “Personal data” is defined in section 4 of the Law as any kind of information related to individuals or legal entities.

Who is subject to privacy obligations?

All individuals or legal entities to whom the Uruguayan legal frameworks apply are subject to privacy obligations. 

Note: The Uruguayan personal data regulatory framework applies:

  • if the processing of personal data is conducted by a controller or processor located in Uruguay (that being the country where said controller or processor conducts its activities). Decree 64/020 now clarifies that a data controller or processor will be understood to be established in Uruguayan territory when they carry out a stable activity in the country, regardless of the legal form adopted; or
  • if the processing of personal data is conducted by a controller or processor located outside of Uruguay, but:
    • the processing activities are related to the offering of goods and services directed to Uruguayan inhabitants or to the monitoring of their behavior, including the elaboration of profiles. Regulatory Decree No. 64/020 further provides that, in order to determine whether such regulatory frameworks apply, elements such as the language used (i.e. Spanish), the reference to payment in local currency (i.e. Uruguayan pesos) or the offer of other related services in Uruguayan territory shall be considered in making the assessment;
    • the application of Uruguayan law is established by provisions of public international law. Decree No. 64/020 clarifies that in no circumstances may the contracting parties exclude the application of national law where it should have been applicable under Uruguayan private international law rules; and/or
    • means located in Uruguay are used for said processing. Decree No. 64/020 cites the following as examples: information and communication networks, data centers and computer infrastructure in general.

What are the principles applicable to personal data processing?

In order to process personal data, the prior and express consent of the data subject is required.

Exceptions to such consent are established under section 9 of the Law.

Note: As a general rule, the processing of personal data requires the prior and express consent of the data subject. However, such consent is not required in certain cases established under section 9 of the Law, which include, among others, the following:

  • data arising from a public source;
  • listings containing the following limited data:
    • in the case of individuals, the names and surnames, identity documents, nationality, address and date of birth;
    • in the case of legal entities, the name of the company, commercial name (if applicable), taxpayers’ identification number, address, telephone number and identity of representatives;
  • data arising from a contractual, scientific or professional relationship with the data subject, if such data is necessary for the performance or development of the said relationship.

How is the processing of personal data regulated?

Any database containing personal information must be registered as a database before the URCDP.

Disclosure of personal data is only authorized when complying with the following requirements:

  • The legitimate interest of the issuer and recipient;
  • Prior consent of the data owner (unless an exception applies). The consent must be informed, explicit and documented; and
  • The recipient shall be subject to the same legal and regulatory obligations of the issuer.

Note: The Law provides that all databases (as defined below), except for those which do not fall within the scope of the mentioned regulatory framework or which the Law expressly excludes from it, must be registered before the URCDP.

“Database” is defined under the Law as an organized group of personal data, subject to processing or treatment, in electronic form or otherwise, whatever is the way in which such database is formed, stored, organized or accessed.

As a consequence of the above, any organized group of data referring to individuals or legal entities held by those who are subject to the Law must be registered as a database before the URCDP.

The registration must be filed through the website www.datospersonales.gub.uy.

To such end, the database owner must fill in an online registration form submitting among others, the following information:

  • identification of the database, data that will be processed, and the person responsible for it;
  • procedures to obtain and process the data;
  • security measures and technical description of the database;
  • destination of the data and individuals or legal entities that could access the data;
  • the period for which the data will be kept;
  • terms and conditions under which a person can access data relating to him/her and initiate procedures aimed at correcting or updating such data; and
  • a special address and e-mail address for notifications.

Personal data may only be disclosed for the purposes directly related to the legitimate interest of the issuer and the recipient, and with the prior consent of the data owner (except in cases where an exception applies and the consent is not required).

Prior consent is not required to disclose data to third parties in the following cases: (i) it is so provided by a law of general interest; (ii) in the cases of section 9 of the Law (please refer to our answer regarding the regulation of the collection of personal data); (iii) the data is personal data connected to health issues and the disclosure is made for reasons of public health and hygiene, emergency or to carry out epidemiological studies, as long as the identity of the individual is preserved through appropriate mechanisms of dissociation; and (iv) it is not possible to identify anyone as part of the database because a dissociation procedure has previously been applied.

The consent of the data owner shall be prior, informed, explicit, and documented. Consent, together with any other statements, shall be given clearly and expressly after due notice of the following information: (i) the purpose for which the data shall be processed and who the recipients or classes of recipients thereof shall be; (ii) the existence of the relevant database, electronic or otherwise, and the identity and address of the responsible person; (iii) the mandatory or optional nature of the answers to the questions posed, especially regarding sensitive data (if applicable); (iv) the consequences of providing data and of refusing to do so, or of their inaccuracy (if applicable); and (v) the possibility for the data owner to exercise the rights of access, modification and deletion of data.

The recipient shall be subject to the same legal and regulatory obligations as the issuer, and both shall be jointly and severally liable for compliance.


How are storage, security and retention of personal data regulated?

The LRC modifies section 12 of the Law by introducing the principle of proactive responsibility, stating that data controllers and data processors shall adopt adequate technical and organizational measures (privacy by design, privacy by default and data protection impact assessments, among others) for the purpose of ensuring adequate processing of personal data. To this end, and according to Decree No. 64/020, all necessary measures must be taken, documented, reviewed periodically and evaluated in terms of their effectiveness. The aforementioned documentation must be made available to the URCDP.

Regarding the retention period, the Law established that personal data must be removed when it is no longer necessary or relevant to the purposes for which it was collected or if said purpose ceases to exist.  

Note: According to the legal framework, the data controller and processor must take all necessary measures to ensure the security and confidentiality of the database, which includes the storage and processing of personal data. In this sense, the data controller must prevent the loss and the unauthorized processing of the data.

The LRC establishes that data processors and controllers must adopt an active role in implementing adequate technical and organizational measures, which include “privacy by design” and “privacy by default”, and in ensuring an adequate processing of personal data. The adopted measures need to be documented in order to prove their execution. In this sense, Decree No. 64/20 also provides that the adoption of national and international standards on information security will be taken into account, such as the adoption of the Cybersecurity Framework developed by AGESIC (with principles including data minimization, pseudonymization, consent, etc.).

Below is a link to this framework:

https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/guia-evaluacion-impacto-proteccion-datos

Further, Decree No. 64/020 provides that, prior to the start of the processing of the data (or, with respect to processing already under execution, within a period of one year from the publication of the decree, i.e. before February 21, 2021), the data controller and the data processor must carry out a personal data protection impact assessment when:

  • sensitive data are used as a core business;
  • specially protected data referred to in Chapter IV of the Law (e.g. health data, advertising, etc.) or data linked to the commission of criminal, civil or administrative offenses are permanently or usually processed;
  • the processing involves the evaluation of personal aspects of data subjects for the purpose of creating personal profiles, in particular by analyzing or predicting aspects relating to their performance at work, financial situation, health, personal preferences or interests, reliability of behavior, financial solvency and location;
  • the processing relates to groups of persons in a situation of vulnerability, in particular minors or persons with disabilities;
  • large volumes of data are processed. With respect to the concept of large volumes of data, we point out that according to Decree 64/020 this is understood to mean the processing of data of more than 35,000 people;
  • international transfers are made to countries that do not have an adequate level of protection; and
  • the URCDP so determines (e.g. processing of biometric data).

In the event that the outcome of the assessment reveals a potential and significant risk to the rights of the data subjects, the data controller or data processor must inform the URCDP.

In line with the above, we point out that the URCDP, together with the Argentinean Agency of Access to Public Information, published the Guide for Data Protection Impact Assessment. Below is a link to this guide:

https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/guia-evaluacion-impacto-proteccion-datos

Further, the LRC provides that public entities, and those private entities that process large volumes of personal data or sensitive data as their main business, must appoint a Data Protection Officer ("DPO"). In this sense, Decree Nº 60/24 clarifies that large volumes of data are defined as the processing of data of more than 35,000 people. The decree also establishes that the URCDP, on its own initiative or at the request of a party, may determine the need to appoint a DPO in specific cases. The DPO will be the link between the entity and the URCDP, and will mainly have to advise on the formulation, design and application of data protection policies, supervise compliance with the regulations and propose the measures necessary to adapt to the regulations and standards on the matter.

The URCDP periodically offers training to DPOs. Furthermore, according to section 8 of the Law, personal data must be removed when they are no longer necessary or relevant to the purposes for which they were collected.

What are the data subjects' rights?

Data owners are entitled to obtain all information regarding themselves and to request its rectification, update, inclusion or deletion.

Note: Data owners are entitled to obtain all information about themselves in any given database. The information must be provided within five working days of being requested; if said term expires without the requested information having been provided, the data owner is entitled to the habeas data action, as regulated under the Law. The information must be provided in a clear manner, free from codifications and using language accessible to the average person. At the option of the data owner, it may be supplied in writing or by electronic, telephone, image or any other means suitable for this purpose.

Every data owner is entitled to request rectification, update, inclusion or deletion of personal data included in a database, upon discovery of any error, falsehood or exclusion in the information. The person responsible for the database or its processing shall proceed to the rectification, update, inclusion or deletion of data in a period not exceeding five working days.

The above-mentioned modifications of databases shall be done free of charge for the data owner.

Are there restrictions on cross-border data transfers?

International transfer of personal data to countries or international organizations that do not provide adequate protection levels is prohibited under Uruguayan law with certain exceptions.

Note: International transfer of personal data to any country or international organization that does not provide adequate protection levels is prohibited under Uruguayan law with certain exceptions listed below:

  • international judicial cooperation and international cooperation between intelligence agencies fighting against organized crime, terrorism and drug trafficking;
  • when the transfer is necessary for the performance or development of an agreement between the individual and the person responsible for the database;
  • when the transfer is necessary for the execution or performance of an agreement between the person responsible for the database and a third party, signed or to be signed in the interest of the data subject;
  • when the transfer is deemed necessary or legally required to safeguard an important public interest, or for the recognition, exercise or defense of a right in a legal procedure;
  • when the transfer is necessary for safeguarding the vital interests of the interested party; and 
  • when there is prior consent of the person to whom the data refers, etc.

The countries considered by the URCDP as holding an adequate protection level are, according to Resolution 23/2021 of the URCDP, the EEA countries, as well as the non-EEA countries that according to the European Commission ensure an adequate data protection level: Andorra, Argentina, Canada (limited to commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Great Britain and Northern Ireland, Switzerland and Uruguay. On June 8, 2021, the URCDP announced that, as a consequence of the invalidation of the Privacy Shield by the European Court of Justice in the Schrems II case, it would no longer recognize international data transfers to the United States, even to entities under the so-called Privacy Shield. The URCDP announced that after a six-month tolerance period, such international transfers would need to be justified according to the applicable legal framework.

Notwithstanding the prohibition referred above, the URCDP may authorize the international transfer of personal data to countries that fail to provide an adequate protection level, provided that the exporter of data offers sufficient safeguards as to the protection of privacy, rights and freedoms of individuals, and the exercise of their respective rights. Such guarantees may arise from a written agreement with specific contractual clauses. For this purpose, the URCDP issued Resolution No. 41/021, dated September 8, 2021, establishing a minimum content for such clauses.

In addition, and in accordance with Article 6 of Decree 64/020, any transfer to an unsuitable country or organization must be preceded by a data protection impact assessment.

Further, if personal data is transferred to the head office of a company or any affiliated entity or branch, it may be possible to avoid obtaining the prior authorization of the URCDP each time a transfer is made within such entities if a Code of Conduct of Professional Practice which contains provisions for the processing of the information is registered before the URCDP.

Are there any notification requirements for data breaches?

The LRC provides that a data processor or controller that becomes aware of a data breach must immediately inform the URCDP and the data subject (without exception). In this sense, Decree Nº 64/20 provides that in the event of a security incident, understood in the broadest sense, which results in, among other things, the accidental or unlawful disclosure, destruction, loss or alteration of personal data or the unauthorized communication of or access to such data, the persons responsible for and in charge of the processing must comply with the following:

  • Data controllers or processors must implement procedures to minimize the impact of incidents within the first 24 hours;
  • Controllers must report the breach to the URCDP within 72 hours. To this end, processors who become aware of the occurrence of a breach must immediately inform the controllers concerned. The communication must contain relevant information such as the true or estimated date of the breach, its nature, the personal data affected and the possible impacts generated. There is currently no standard form for this communication;
  • The persons responsible must communicate the data breach to the data subjects who have suffered a significant impact on their rights. The decree clarifies that the communication to the data subjects only proceeds in case their rights are significantly infringed; and
  • Once the data breach has been resolved, the controller must prepare a report detailing the breach and the measures taken, and the URCDP must be notified.

In line with the above, we point out that the URCDP published a Guide for Data Breaches. Below is a link to this guide:

https://www.gub.uy/unidad-reguladora-control-datos-personales/sites/unidad-reguladora-control-datos-personales/files/documentos/publicaciones/GUIA%20PARA%20LA%20GESTI%C3%93N%2C%20DOCUMENTACI%C3%93N%20Y%20COMUNICACI%C3%93N%20DE%20VULNERACIONES%20DE%20SEGURIDAD%20EN%20DATOS%20PERSONALES.pdf

Note: In certain cases and when the processor or the person responsible for a database or of its use is under the control of a specific entity, such as the Central Bank of Uruguay, such incidents must also be notified to the competent regulator.

Who is the privacy regulator?

The URCDP is the privacy regulator.

Note: The URCDP was created by the Law. Its attributions are regulated under the Law.

What are the consequences of a privacy breach?

Even if there is no specific provision concerning the consequences of a privacy breach, any of the following sanctions may be applied:

  • warning;
  • fine; 
  • suspension of the database; or
  • cancellation of the database.  

Note: Even though there is no specific provision concerning the consequences of a privacy breach, any of the following sanctions may be applied by the URCDP to those responsible for the databases or the processors of personal data for the violation of the rules of the Law (privacy breach included among them):

  • warning;
  • a fine of up to five hundred thousand indexed units (approximately USD 58,000 as of the date hereof);
  • a five-day suspension of the corresponding database; and 
  • the cancellation of the database.

The above-mentioned sanctions may be applied on the grounds that data controllers shall take all necessary measures to ensure the security and confidentiality of the database. In this sense, the data controller must prevent the loss and the unauthorized processing of the data. Please note that the sanctions are graduated and in some cases based on the previous behavior of the company.

How is electronic marketing regulated?

Not regulated in reference to data protection matters.

Note: The Uruguayan data protection legal framework does not include any reference to electronic marketing.

However, as a general rule, no personal data may be transferred or disclosed without the prior, informed, express and documented consent of the data owner.

Therefore, unsolicited marketing may not be directed to individuals or legal persons, except when the marketing relates to services already provided to the data subject, or when the information used for marketing purposes comes from public sources, has been provided by the data subject or has been obtained with his/her consent.

Are there any recent developments or expected reforms?

Not at this time. 