Support Centre



Law: Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) ('the Law'), Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data (only available in Spanish here) ('the Decree'), and Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 (only available in Spanish here) ('the 2020 Decree')

Regulator: The Uruguayan data protection authority ('URCDP')

Summary: Uruguay has often been near the forefront of data protection developments in Latin America and in 2012 became the second jurisdiction in the region, after Argentina, to obtain an adequacy decision from the EU. While the Law and the Decree established an essential data protection framework that enabled this adequacy finding, several further laws and decrees have since been issued which have brought Uruguay into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). 

Furthermore, the 2020 Decree established new obligations relating to, among other things, breach notifications, Privacy by Design, data protection officer appointments, Data Protection Impact Assessments, and security measures. Law No. 20075 of 20 October 2022 (only available in Spanish here) ('Law No. 20075') entered into force on 1 January 2023 and amends the Uruguayan data protection system. Specifically, Law No. 20075 introduced amendments including disclosure to data subjects, as well as the powers of the URCDP. 


On 3 November 2022, the Official Information Center of Uruguay published Law No. 20075 of 20 October 2022 ('Law No. 20075/2022')1, which was enacted on the same day and which reforms the Uruguayan data protection system in place. Dr. Ana Brian Nougrères, Alejandra Saiz, Ignacio Martinez, and Magdalena Quintana, from Estudio Juridico Briann y Asociados, break down the changes introduced by Law No. 20075/2022, focussing on updated information provision obligations and new powers and functions of the Uruguayan data protection authority ('URCDP').

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') which impacted many data protection regimes around the world. The Uruguayan data protection authority ('URCDP') announced, in September 2021, changes to its data protection regime regarding international transfers of personal data, via Resolution No. 23/021 of 8 June 20211 ('Resolution 23/021'), which establishes important changes in the international data transfer regime in Uruguay, and Resolution No. 41/021 of 8 September 2021 ('Resolution 41/021'), which includes a guide for the drafting of contractual clauses2. Dr. Ana Brian Nougrères, Alejandra Saiz, and Ignacio Martinez, from Estudio Juridico Briann y Asociados, discuss the recent changes to international data transfer regulations and requirements, including adequacy status and exceptions to this.