Uruguay
Summary
Law: Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) ('the Law'), Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data (only available in Spanish here) ('the Decree'), and Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 (only available in Spanish here) ('the 2020 Decree')
Regulator: The Uruguayan data protection authority ('URCDP')
Summary: Uruguay has often been near the forefront of data protection developments in Latin America and in 2012 became the second jurisdiction in the region, after Argentina, to obtain an adequacy decision from the EU. While the Law and the Decree established an essential data protection framework that enabled this adequacy finding, several further laws and decrees have since been issued which have brought Uruguay into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Furthermore, the 2020 Decree established new obligations relating to, among other things, breach notifications, Privacy by Design, data protection officer appointments, Data Protection Impact Assessments, and security measures. Law No. 20075 of 20 October 2022 (only available in Spanish here) ('Law No. 20075') entered into force on 1 January 2023 and amends the Uruguayan data protection system. Specifically, Law No. 20075 introduced amendments including disclosure to data subjects, as well as the powers of the URCDP.