Guyer & Regules
The following law(s) specifically govern personal data / information:
Law No. 18.331(“Ley de Protección de Datos Personales y Acción de Habeas Data”) which entered in force on August 18, 2008, and its regulatory Decree No. 414/009, dated August 31, 2009, established in Uruguay a general legal framework with the purpose of assuring the fundamental right to protection of personal data and intimacy/privacy.
Furthermore, new provisions have recently been incorporated by Budget Law No. 19.670 (articles 37 to 40) dated October 25, 2019 and its regulatory Decree No. 64/020 dated February 21, 2020.
The key data protection principles in this jurisdiction are:
- Legality: All databases shall be properly registered and shall observe the principles provided for by applicable regulations.
- Veracity: Personal data collected must be truthful, adequate, fair and not excessive regarding the purpose for which it has been obtained. Personal data collection may not be made by unfair, fraudulent, abusive, extortive means or in a manner contrary to applicable regulations.
- Personal data must be accurate and updated, if necessary.
- Purpose: Personal data may not be used for other purposes than those that motivated its collection. Personal data must be removed when it is no longer necessary or relevant to the purposes for which it was collected.
- Prior and Informed Consent: The treatment and processing of personal data must be preceded by the person’s (“data subject”) free, prior, express and informed consent, which must be documented. There are some exceptions to this principle.
- Security of Data: All the steps necessary to guarantee the security and confidentiality of personal data shall be taken.
- Confidentiality: Persons who legitimately obtained information from a database shall be obliged to use it in a reserved manner, and exclusively for their regular course of business.
- Proactive responsibility: The data controller or the data processor shall assume a proactive role in view of the nature of the data, the processing carried out and the risks involved.
The supervisory authority / regulator in charge of data protection is:
The Personal Data Regulatory and Control Unit (Unidad Reguladora y de Control de Datos Personales ) (the “URCDP”).
The URCDP is a decentralized agency from the Agency for the Development of the Electronic Management Government and the Information Society of Knowledge (Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información del Conocimiento) (the “AGESIC”), an entity which is in charge of advising governmental entities in connection with issues related to IT.
Is there a requirement to register with a supervisory authority / regulator?
Yes, all databases must be registered before the URCDP and keep them updated.
Databases are defined as any organized set of personal data subject to processing, whether electronically or otherwise, in whatever form of collection, storage, organization or access.
Generally, entities register the following data bases: employees; customers; providers and video surveillance.
The registry implies the requirement to provide information about the entity responsible for the database, its location, its content and purpose, the number of data subjects whose data is stored, where these data subjects may exercise their rights, the security measures taken, etc.
The registration is done online and for free.
Section 20 of Decree 414/009 regulates the obligation to update databases’ registrations on a quarterly basis. However, we understand that such an update must be made when relevant changes occur. In line with the aforesaid according to the "Guide for the Registration of Databases" issued by the URCDP (document that is not binding but serves as a reference), it is stated that the changes that must be informed are those "structural changes that affect the database and thus affect what was previously declared to the URCDP". Likewise, it is clarified that “the change in the number of people whose data are subjected to treatment is not considered a structural change, unless the number is increased or reduced by twenty percent.”
Other items that may be registered are company codes of conduct, and data protection officers, when applicable (see below for further details).
Is there a requirement to notify the supervisory authority / regulator?
Yes, in certain cases to transfer personal data abroad to non-adequate countries (unless an exception applies) it may be necessary to request URCDP’s prior approval. Further, databases registration forms require to inform whether the personal data included in the same are transferred to any third parties or not. Therefore, if a transfer takes places after the registration of the corresponding database is concluded, the same should be updated since this is considered a relevant change.
For further details see our reply to the question “Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.” below.
Is it possible to register with / notify the supervisory authority / regulator online?
Link to register and update databases.
The key data subject rights under the data protection laws of this jurisdiction are:
The main rights of data subjects in Uruguay are the following:
- Right to information regarding data collection,
- Right to Access.
- Right of Rectification, Updating, Inclusion.
- Right to Deletion.
Is there a requirement to appoint a data protection officer (or equivalent)?
Private entities that must appoint a data protection officer (DPO):
- If they process sensitive data as their main business; or
- If they process large volumes of personal data. Large volumes of data are defined as data processing of more than 35,000 people.
The URCDP, on its own initiative or at the request of a party, may determine the need to appoint a DPO in specific cases.
DPOs must demonstrate adequate knowledge of the law and in the field of personal data protection.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes, as a consequence of the principle of proactive responsibility.
Article 6 of Decree No. 64/020 regulating certain aspects of Laws No. 18.331 establishes that, prior to the start of the processing, the controller and the processor, as the case may be, shall carry out an impact assessment on the protection of personal data, when their processing operations may:
- Use sensitive data as core business.
- Imply the permanent or stable processing of sensitive data.
- Involve an evaluation of personal aspects of the data subjects for the purpose of creating or using personal profiles, in particular by analysing or predicting aspects related to their work performance, economic situation, health, personal preferences or interests, behavioural reliability and financial solvency and location.
- Carry out the processing of data of groups of persons in a situation of special vulnerability and, in particular, of minors or persons with disabilities.
- Processing of large volumes of personal data.
- Transfer of personal data to other jurisdictions or international organizations for which there is no adequate level of protection.
- Others determined by the Regulatory and Control Unit of Personal Data.
Article 7 of the same decree provides that the impact assessment shall cover at least:
- A systematic description of the processing to be carried out and its purpose.
- An assessment of the processing in relation to compliance with the regulations on the protection of personal data.
- An assessment of the risks to the rights of the data subjects.
- A detail of the security measures and mechanisms to demonstrate compliance with personal data protection regulations.
If a potential and significant risk to the rights of the data subjects arises from the result of the corresponding assessment, the data controller and the data processor, as the case may be, shall inform the URCDP with detailed information on the measures adopted or to be adopted, and in the latter case, the respective deadline.
The URCDP has published special guidance (in collaboration with the Argentine regulator) on this topic.
Does this jurisdiction have any specific data breach notification requirements?
In the event of a security incident, understood in the broadest sense, which results in, among other things, the accidental or unlawful disclosure, destruction, loss or alteration of personal data or the unauthorized communication of or access to such data, the persons responsible for and in charge of the processing must comply with the following:
- Data controllers or processors must implement procedures to minimize the impact of incidents within the first 24 hours.
- Data controllers must report the breach to the URCDP within 72 hours.
- Data controllers must communicate the data breach to the data subjects who have suffered a significant impact on their rights.
Once the data breach has been resolved, the data controller must prepare a report detailing the breach and the measures taken, and the URCDP must be notified.
The following restrictions apply to the international transfer of personal data / information:
As a general rule, in order to transfer personal data, it is necessary to have the prior consent of the data subject. In this sense, Article 17 of Law No. 18.331 on Personal Data Protection establishes that in addition to the legitimate interest, the prior informed consent of the data subject is required.
However, there are certain exceptions:
Article 17. Rights concerning the communication of data - Personal data subject to processing may only be communicated for purposes directly related to the legitimate interest of the sender and the recipient and with the prior consent of the data subject, who must be informed of the purpose of the communication and identify the recipient or the elements that allow doing so.
The prior consent for the communication is revocable. Prior consent shall not be required when:
- it is so provided by a law of general interest
- in the cases provided for in article 9 of the present law.
it concerns personal data relating to health and its communication is necessary for health reasons, emergency or for the performance of epidemiological studies, preserving the identity of the data subjects by means of appropriate dissociation mechanisms when relevant.
a procedure of disassociation of the information has been applied, so that the data subjects are not identifiable.
The recipient shall be subject to the same legal and regulatory obligations as the sender and the latter shall be jointly and severally liable for the observance thereof before the supervisory body and the owner of the data in question.
- Art. 9. Principle of prior informed consent. "Prior consent shall not be required when: i) The data come from public sources of information, such as records or publications in mass media; ii) They are collected for the exercise of functions of the powers of the State or by virtue of a legal obligation; iii) They are lists whose data are limited in the case of natural persons to names and surnames, identity card, nationality, domicile and date of birth. In the case of legal persons, corporate name, fantasy name, single taxpayer registry, address, telephone number and identity of the persons in charge of the same; iv) Deriving from a contractual, scientific or professional relationship of the data subject, and necessary for its development or fulfillment; and v) Is made by natural persons for their exclusive personal, individual or domestic use."
In addition, when personal data is transferred abroad, there are additional limitations based on the country of destination. In this sense, the transfer of personal data of any kind to countries or international organizations that do not provide adequate levels of protection according to the standards of international or regional law on the matter is prohibited.
According to the URCDP countries providing "adequate protection" are: the members of the European Union and the European Economic Area, Principality of Andorra, Republic of Argentina, the private sector of Canada, the organizations included in the "Privacy Shield" framework of the United States of America, Guernsey, Isle of Man, Faroe Islands, State of Israel, Japan, Jersey, New Zealand, United Kingdom of Great Britain and Northern Ireland, and Swiss Confederation. Please note that the URCDP has not pronounced itself on Europe's challenge to the Privacy Shield after the Max Schrems II case.
The above prohibition does not apply in the following cases:
- International judicial cooperation, in accordance with the respective international instrument, whether Treaty or Convention, taking into account the circumstances of the case.
- Exchange of medical data, when so required by the treatment of the affected person for reasons of public health or hygiene.
- Banking or stock exchange transfers, in relation to the respective transactions and in accordance with the applicable legislation.
- Agreements within the framework of international treaties to which the Oriental Republic of Uruguay is a party.
- International cooperation between intelligence agencies for the fight against organized crime, terrorism and drug trafficking.
It will also be possible to carry out the international transfer of data in the following cases:
- That the data subject has unequivocally consented to the intended transfer.
- The transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject.
- The transfer is necessary for the conclusion or performance of a contract concluded or to be concluded in the interest of the data subject between the controller and a third party.
- The transfer is necessary or legally required for the safeguarding of an important public interest, or for the recognition, exercise or defense of a right in legal proceedings.
- The transfer is necessary to safeguard the vital interest of the data subject.
- That the transfer takes place from a registry that, by virtue of legal or regulatory provisions, is designed to provide information to the public and is open to consultation by the general public or by any person who can demonstrate a legitimate interest, provided that the conditions established by law for consultation are met in each particular case.
In addition to the exceptions mentioned above, the URCDP may authorize transfers when:
- an authorization is expressly requested to the URCDP in which sufficient guarantees on the processing of personal data are offered, such guarantees may arise from contracts, or
- with respect to entities of the same group when a code of conduct on the processing of personal data approved and registered with the URCDP exists with respect to the same group.
Access by a data processor, which is necessary for the provision of a service to the data controller, is not considered communication or transfer of data, unless this access implies the existence of a new link between the data processor and the data subject. However, we understand that in order for the consent of the data subject or authorization of the URCDP not to be necessary, it is required that the data processor be located in Uruguay or in a country offering "adequate protection" (see above).
Finally, if sensitive data is transferred, defined as "personal data revealing racial and ethnic origin, political preferences, religious or moral convictions, trade union membership and information concerning health or sex life", written consent is required for the transfer of information. Biometric data are also considered sensitive data.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The processing of personal data is covered by Uruguayan data protection regulations when it is carried out by a person in charge (controller) or in charge of processing (processor) established in the Uruguayan territory.
In case the controller or processor is not established in the Uruguayan territory, Uruguayan data protection regulations are also applicable in the following cases:
- if the data processing is related to the supply of goods or services to inhabitants of Uruguay;
- If the data processing is related to the analysis of the behaviour of the inhabitants of Uruguay, including the elaboration of profiles;
- If it is provided for by the rules of public international law or a contract; or
- If the processing uses means located in the country.
The following rules specifically deal with marketing:
The consumer relations law (Law No. 17.250) states in its Section 6 as an essential right of the consumer the protection against misleading advertising. In this regard, in its Chapter IX sets forth the regulation regarding advertising, containing specific rules regarding marketing. Specifically, Section 24 states that the advertising must be made in a way that the consumer identifies it as an advertisement, and prohibits any kind of misleading advertising. This section states a broad definition of what would be encompassed within misleading advertising. Moreover, all the information given by the offeror in advertising forms part of the agreement with the consumer and is binding to the offeror (Section 14). Our regulation also sets forth specific rules regarding the offer (Sections 12 to 17 and Sections 19 to 21) made of goods and services, and should also be taken into account if the offer is made through advertising. In addition, Section 51 sets forth specific sanctions for misleading advertising.
Specifically in relation to data protection regulations, Section 21 of Law No. 18.331 provides as follows: “In the collection of addresses, distribution of documents, advertising, sale or other similar activities, there may be processed data suitable to determine certain profiles for promotional, commercial or advertising purposes, or that allow to establish consumption habits, when they appear in documents accessible to the public or have been provided by the data subjects themselves or obtained with their consent.
Data subject may at any time request the withdrawal or blocking of the relevant data from databases referred to in this section”.
Do different rules apply to business-to-business and business-to-consumer marketing?
Our consumer relations law (Law No. 17.250) sets forth a definition of what is understood as a consumer in its Section 2. If the business falls within the scope of Section 2, then it will be considered a consumer and will be granted the same protections set forth. Scholars and caselaw have discussed the scope of Sections 2 and have set forth when a business can be considered as a consumer.
However, we point out that there are no differences from a data protection perspective.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
There are no rules specifically for electronic marketing. The rules stated above regulate advertising made through any means, including electronic marketing.
The following rules specifically deal with cookies:
Yes, the URCDP published guidance on dealing with cookies and profiling in 2018.
The consequences of non compliance with data protections laws (including marketing laws) are:
The URCDP can apply sanctions in cases of violation of the regulatory framework.
Legally, these sanctions may range from a mere warning to fines up to 500 000 Indexed units (approx. USD 60 000 in February 2021).
The URCDP may also suspend the use of a given database.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Nothing unique, multinationals should consider Uruguay as a jurisdiction with a legal framework very similar to the EU’s GDPR when it comes to data protection.
Multinational organisations should be aware of the following upcoming data protection developments: