February 2024

1. Governing Texts

Uruguay has a data protection system that follows European Union data protection rules and has regulations that adapt its data protection system to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

In 2012, it was the second country in Latin America to be declared adequate by the European Commission with regards to Article 25(6) of the Data Protection Directive 95/46/EC ('the Directive').

In 2013, Uruguay ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') of the Council of Europe. It was the first non-European country to do so, and the 45th country to be part of Convention 108.

In 2021, Uruguay ratified the Modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108+') of the Council of Europe, which did not come into effect yet.

1.1. Key acts, regulations, directives, bills

Data protection in Uruguay is regulated by Law No. 18.331 on the Protection of Personal Data and Habeas Data Action (only available in Spanish here) ('the Law') and Decree No. 414/009 Regulating Law 18.331 on the Protection of Personal Data (only available in Spanish here) ('the Decree').

In 2018, Uruguay began the process of modifying its legislation to adapt to the GDPR. As part of this effort, Law No. 19.670 on Accountability and Budgetary Execution Balance Exercise 2017 (only available in Spanish here) ('Law No. 19.670'), which includes provisions relating to data protection in its Articles 37 to 40, was approved on October 15, 2018, by the Parliament of Uruguay. Following the principles of Law No. 19.670, on February 17, 2020, Decree 64/2020 was passed (only available in Spanish here) ('Decree 64/2020').

Moreover, Decree 664/008 on the Creation of a Personal Data Database Registry (only available in Spanish here) ('the Database Decree'), regulates the registration of personal databases that provide objective reports of a commercial nature.

In addition, Law No. 19.889 of 2020 (only available in Spanish here) ('Law 19.889') under Chapter II 'Portabilidad Numerica' regulates the right to data portability partially in regards to cell phone numbers when changing providers.

Resolution No. 32/020 (only available in Spanish here) ('Resolution 32/020') provides clarification on the requirements for the appointment of a data protection officer ('DPO').

Jointly, the Argentinian data protection authority and the Uruguayan data protection authority ('URCDP') approved the Guide on Data Protection Impact Assessments ('DPIA's) (only available in Spanish here) ('the DPIA Guide').

Resolution No. 23/021 (only available in Spanish here) and Resolution 63/023 (only available in Spanish here) regulate 'adequate' countries for safe data transfers according to the URCDP.

Resolution No. 41/021 (only available in Spanish here) approves guidelines for the adoption of contractual clauses in international data transfers to inadequate countries as a mechanism to demonstrate due diligence.

Furthermore, on October 20, 2022, Uruguay passed Law No. 20.075 on Accountability and Budgetary Execution Balance Exercise 2021 (only available in Spanish here), whose Article 62 modifies the right to be informed under Article 13 of the Law, and Article 63 adds powers to the URCDP, modifying Article 34 of the Law. Law 20.075 entered into force on January 1, 2023.

A new Law No. 20.212 on Accountability and Budgetary Execution Balance Exercise 2022, dated November 6, 2023, establishes, in Articles 74 and 75 (only available in Spanish here) that the URCDP and the National Agency for e-Government and Information Society ('AGESIC') have the task of designing a national data and artificial intelligence ('AI') strategy based on international standards. The aim is to identify and propose measures to promote innovation while respecting the principles of privacy and personal data protection. This law will enter into force on January 1, 2024.

1.2. Guidelines

Additional guidelines published by the URCDP include:

• a working paper on DPOs (available to download only in Spanish, here);
• guidelines on data processing by telecommunications operators (only available in Spanish here);
• guidelines on video surveillance in commercial vehicles (only available in Spanish here);
• guidelines on education and personal data guide (only available in Spanish here);
• guidelines on drones (only available in Spanish here);
• guidelines on video surveillance in the workplace (only available in Spanish here);
• guidelines for personal data regarding public administration (only available in Spanish here);
• guidelines on video surveillance in buildings and housing complexes (only available in Spanish here);
• guidelines on video surveillance regarding public administration (only available in Spanish here);
• guidelines on bring your own device ('BYOD') (only available in Spanish here);
• guidelines on personal information and its protection (only available in Spanish here);
• guidelines on cookies and profiles (only available in Spanish here);
• guidelines on health data protection (only available in Spanish here);
• guidelines on criteria for the dissociation of personal data (only available in Spanish here);
• guidelines for the inscription of databases at the registry, codes of conduct, and DPOs (only available in Spanish here) ('User Guide');
• guidelines for the management, documentation, and communication of security breaches regarding personal data (only available in Spanish here); and
• guidelines for the fulfillment of obligations by foreign entities data (only available in Spanish here).

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Law applies to identified or identifiable natural persons and to legal persons, when applicable, that can be private or public.

Regarding the data of the deceased, Article 14 of the Law states that the right of access can be exercised by any full legal successor.

2.2. Territorial scope

The Law applies when the processing of personal data is performed by controllers located in Uruguay when they execute their activities in Uruguay (Article 3(a) of the Decree).

When the activities do not take place in Uruguay, the Law applies in the following cases:

• if the activities are related to the offer of goods or services to individuals residing in Uruguay, or intended to monitor their behavior;
• if private international laws or contractual agreements so establish it; and
• if the processing is made using means established in the country, with the exceptions of the cases in which those means are used for the sole purpose of transit, and there is a person responsible for the processing with residency in Uruguay, appointed by the controller before the URCDP.

2.3. Material scope

The Uruguayan data protection regime applies to registered personal data, in any form, that makes data likely to be collected, processed, or subsequently used in any way, within public or private domains (Article 3 of the Law). If applicable, the same regime shall be used for the data of legal persons (Article 2 of the Law).

Article 3 of the Law and Article 2 of the Decree provide that the regime regulated by the Law shall not be applicable in three situations:

• to domestic databases, defined by the Decree as those developed in a strictly private sphere, such as files of letters or personal diaries;
• to databases that were created under, or are regulated by specific regulations; and
• to databases created for purposes of public security, defense, state security, and the investigation and prevention of crime.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The URCDP, as the data protection authority created by the Law, is directed by a board of three members which includes one representing AGESIC which further depends on the Presidency of the Uruguayan Republic.

3.2. Main powers, duties and responsibilities

The URCDP is the supervisory authority that provides assistance and advice to data subjects, establishes rules and regulations, is in charge of the registration of databases and their statistics, and monitors compliance with security, integrity, and veracity requirements for personal data contained in databases. The URCDP also issues opinions, has the power to request information and investigate compliance with privacy and data protection, can carry out inspections and enforce the Law, and provides legal counseling to authorities regarding the regulation of issues related to data protection.

Article 63 of Law No. 20.075 adds new powers to the URCDP. Additionally, the same modifies Article 34 of the Law, adding to the list of powers and functions the power to establish criteria and procedures for controllers and processors in the automated processing of personal data, aimed at evaluating certain aspects of the personality of the data subject, that make decisions with legal effects that significantly affect them, as indicated in Article 16 of the Law.

4. Key Definitions

Data controller: Natural or legal person, public or private, who is the owner of the database or who decides on the purpose, content, and use of the processing (Article 4(k) of the Law).

Data processor: Natural or legal person, public or private, that either alone or in conjunction with others processes the personal data on behalf of the data controller (Article 4(h) of the Law).

Personal data: Information referring to an identified or identifiable person. This definition includes information relating to legal persons (Article 4(d) of the Law).

Sensitive data: Data that reveals the data subject's racial or ethnic origins, political preferences, moral or religious beliefs, trade union affiliations, and information related to health or sexual life (Article 4(e) of the Law).

Health data: Past, present, or future physical or mental information concerning the health of a person, including disability degrees as well as genetic information (Article 4(d) of the Decree).

Biometric data: Personal data obtained by a specific technical procedure related to physical, physiological or behavioral characteristics of a natural person that allow or confirm a unique identification of the person (Article 4 (ñ) of the Law).

Pseudonymization: Chapter II of Resolution No. 68/2017 (only available in Spanish here) regarding the criteria of dissociation of personal data approved by the Executive Council of the URCDP, defines pseudonymization as a way to reduce the relationship between a data set and the original identity of the data subject, or the processing of personal data in such way that data cannot be linked to a data subject without additional information. This additional information must be kept separately under technical and organizational measures to guarantee the data is not linked to identified or identifiable persons.

Data Protection Impact Assessment: The Law does not define a DPIA. However, the DPIA Guide provides for 'Impact Assessments on Data Protection' ('EIPD') and defines this as the process that organizations must carry out to identify and treat the risks that their normal activities, their new projects or their corporate policies may produce when they involve the processing of personal data (Page 5, Paragraph 1.3 of the DPIA Guide).

5. Legal Bases

5.1. Consent

According to the Uruguayan Law, consent is the main legal base for the processing of personal data.

Data controllers must obtain the data subject's prior consent for the processing of their personal data and keep proof of such consent (Articles 5 and 6 of the Decree).

The data controller must also inform the data subject the information established on Article 13 of the Law, as stated below in section on the right to be informed.

5.2. Contract with the data subject

According to Article 9(d) of the Law, consent is not necessary when data comes from a contract, a scientific, or professional relationship of the data subject, and such data is necessary for its development or fulfillment.

5.3. Legal obligations

According to Article 9(b) of the Law, consent is not necessary when data is collected as a consequence of a legal obligation.

5.4. Interests of the data subject

According to Article 9(e) of the Law, consent is not necessary when the data is collected by natural persons for their personal, individual, or domestic use exclusively.

5.5. Public interest

According to Article 9(b) of the Law, consent is not necessary when data is collected for a task carried out in the exercise of official authority.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

According to Article 9 of the Law, consent is also not necessary in the following cases:

• when data is collected from public sources of information (Article 9(a));
• lists containing personal data of natural persons limited to name, surname, identity card, nationality, address, and date of birth (Article 9(c)); and
• lists containing personal data of legal persons limited to corporate name, trading name, taxpayer registry number, address, phone, and identity of the person in charge (Article 9(c)).

Direct marketing

In cases of direct marketing, Article 21 of the Law establishes that the processing of data is legal when such data comes from public sources of information, data was provided by the data subject, or the subject gave their consent to such processing. In the collection of addresses, distribution of documents, advertising, commercial prospecting, sale, or other analogous activities, data that is suitable to establish certain profiles for promotional, commercial, or advertising purposes may be processed or allow the establishment of consumption habits if said conditions are met. The data subject can request, at any time, that their data be blocked or withdrawn from the database.

Biometric data

A DPIA must be realized in order to process biometric data (Article 18 bis of the Law).

Health data

Public or private health establishments and health professionals can collect and process personal data related to the physical or mental health of their patient or patients who have been under their treatment, respecting the principles of professional secrecy, the specific regulations and the provisions of the Law (Article 19 of the Law).

Telecommunication data

This must be processed according to technical security measures and, in the event that there is a particular risk of security breach of the public electronic communications network, the operator that exploits the network or provides the electronic communications service will inform subscribers about the risk and the measures to be adopted (Article 20 of the Law).

Commercial data

The processing of data intended to inform about the patrimonial or credit solvency is expressly authorized in those cases in which it is obtained from publicly accessible sources, from information provided by the creditor, or in the circumstances provided for in the Law. In the case of legal persons, in addition to the circumstances provided for in the Law, the processing of all information authorized by current regulations is allowed. Personal data of natural persons may only be registered for a period of five years, which may be extended. Data should be processed in an objective way (Article 22 of the Law).

Databases of the police, intelligence agencies, or armed forces

The processing of such data without the prior consent of the owners is limited to those cases and categories of data that is necessary for strict compliance with the missions legally assigned to those for national defense, public security, or for the repression of crimes. The databases, in such cases, must be specific and established for this purpose, and must be classified by categories, depending on its degree of reliability (Article 25 of the Law).

Personal data contained in databases for police purposes must be deleted when it is no longer needed for this purpose.

6. Principles

Data protection principles provided under Uruguayan law include:

• legality;
• veracity;
• purpose;
• consent;
• security;
• data quality;
• proportionality;
• transparency;
• integrity;
• confidentiality;
• responsibility;
• principle of limitation of subsequent transfers; and
• autonomy of the URCDP.

7. Controller and Processor Obligations

Data controllers have the following obligations:

• to keep proof of the data subject's consent to the processing of their personal data (Article 5 of the Decree);
• to respond, at any time, to a data subject's request to access the information that concerns them, or to rectify all inaccurate data, or to update, include, or delete any data (Article 14 of the Law and Article 9 of the Decree)
• to inform the data subject at the moment of the data collection (or within five working days if data is not collected directly from the data subject) of the information stated in Article 13 of the Law, as explained in the section below on the right to be informed.
• for data relating to commercial or credit activity, data should be processed in an objective way (Article 22 of the Law);
• to register their databases and update them every three months (Articles 16 and 20 of the Decree);
• if applicable, to request the following from the URCDP:
  • authorization for international data transfers (Article 34 of the Decree);
  • the registry of codes of conduct (Article 36 of the Decree); and
  • authorization for the conservation of historical, statistical, or scientific data (Article 37 of the Decree);
• to adopt security measures (Article 10 of the Law) and act promptly in case of security breaches (Articles 3 and 4 of Decree 64/2020);
• to promptly report security breaches to the URCDP (Article 4 of Decree 64/2020);
• to explain in plain and simple terms the existence of the data breach to the data subjects directly involved (Article 4 of Decree 64/2020);
• once the data breach is over, a written report on the vulnerabilities and measures adopted must be presented to the URCDP (Article 4 of Decree 64/2020);
• to conduct DPIAs (Articles 6 and 7 of Decree 64/2020);
• to act proactively (Article 12 of the Law and Article 5 of Decree 64/2020);
• to act accordingly to the principles of responsibility and Privacy by Design and Default, appropriate accountability (Article 12 of the Law, Article 39 of Law 19.670, and Article 5 of Decree 64/2020); and
• to name a DPO when applicable (Article 40 of Law 19.670 and Articles 10 to 15 of Decree 64/2020).

Data processors have the following obligations:

• to adopt measures to protect the security, integrity, and confidentiality of personal data (Article 10 of the Law, Article 7 of the Decree, and Article 5 of Decree 64/2020);
• to act promptly in case of security breaches (Articles 3 and 4 of Decree 64/2020);
• any time the processor verifies the existence of a data breach, they are obliged to notify the breach to the data controller (Article 4 of Decree 64/2020);
• to act proactively (Article 5 of Decree 64/2020);
• to conduct DPIAs (Articles 6 and 7 of Decree 64/2020);
• to apply the Privacy by Design and Default principles; and
• to comply with the Law and its principles and respond to any violations by complying with the principle of proactive responsibility, appropriate accountability, including technical and organizational measures to guarantee adequate data processing and ensure its implementation (Article 12 of the Law, modified by Article 39 of Law No. 19.670).

7.1. Data processing notification

The Uruguayan legal system requires the registration of all databases containing personal data, whether they are private or public (Article 29 of the Law).

The following information must be submitted in the application for registration (Article 29 of the Law, Article 16 of the Decree, and Article 4 of the Database Decree):

• identification of the database and the data controller;
• the types of personal data contained in the database;
• the procedures for obtaining and processing personal data;
• a technical description of the database and the security measures in place;
• the destination of the data and the individuals or legal entities to which the data will be transmitted;
• the data retention period;
• the process through which individuals may access their personal data and the procedures used to rectify or update the data; and
• where the processing of data relates to commercial credit activity, the number of creditors of an individual and number of cancellations due to non-compliance with payment obligations in the last five years (Article 22 of the Law).

In addition, natural persons who create, modify, or delete databases of personal data, other than those used for personal or domestic purposes, codes of conduct for professional practice that establish rules for the processing of personal data, and authorizations granted for international transfers of personal data must also be registered with the URCDP (Article 15(a) and (d) of the Regulation).

Databases must be registered within 90 days of the commencement of the data controller's activities (Article 17 of the Decree). In addition, data controllers are responsible for keeping the registered data updated, by making the URCDP aware of any changes on a quarterly basis (Article 20 of the Decree). If applicable, data controllers must request the following from the URCDP:

• authorization for international data transfers (Article 34 of the Decree);
• the registry of codes of conduct (Article 36 of the Decree); and
• authorization for the conservation of historical, statistical, or scientific data (Article 37 of the Decree).

Registration is not required when the data processing is made through information and communication networks, data centers, or IT infrastructure only if its purpose is transit through Uruguayan territory and there is a designation of a representative residing in Uruguay appointed at the URCDP (Articles 1(d) and 2 of Decree 64/2020).

Moreover, databases used exclusively for personal or domestic purposes do not need to be registered (Article 15(a) of the Decree and Article 3 of the Law).

How To

Databases can be registered on the URCDP registry online (only available in Spanish here) ('the Digital Registry'), User Guide for step-by-step guidance is available.

7.2. Data transfers

International data transfers are only permitted if the country or international organization provides an adequate level of data protection. Following the European system, the Uruguayan regime provides several exceptions to this general rule (Article 23 of the Law and Articles 4, 34, and 35 of the Decree).

Resolutions No. 23/021 and 63/023 of the URCDP, state which countries provide an adequate level of data protection and establish that data transfers made to the entities subject to the South Korea Personal Information Protection Act 2011 (as amended in 2023) ('PIPA') and those made under the new EU-US Data Privacy Framework are valid, following the Council of Europe Adequacy Decisions of December 17, 2021 and July 10, 2023.

Resolution No. 70/023 establishes that in case of data transfers made under the new EU-US Data Privacy Framework, the controller or processor must make an express declaration to the URCDP, in which the importing organization declares to have extended the application of the safeguards of said framework to the data transferred from Uruguay, at the time of registration of the database or prior to the data transfer. If that declaration is not made, the transfer to these organizations may be based on contractual clauses presented, previously authorized by the URCDP, or based on other exceptions provided by the Law.

Data transfers to countries that do not provide an adequate level of protection can only be performed in the exceptions the Law establishes, or with the authorization of the URCDP. In this case, Resolution 41/021 establishes some guidelines for the adoption of contractual clauses as a mechanism to demonstrate due diligence in data protection.

For further information please see our Data Transfers Comparison.

7.3. Data processing records

The Law does not impose an explicit obligation to maintain data records, but the principle of purpose limitation establishes that data must be deleted when it is no longer necessary for the purpose it was collected.

7.4. Data protection impact assessment

The Law provides a mandatory requirement to undertake a DPIA (Article 12 of the Law). In addition, data controllers are obliged to conduct DPIAs when the law requires it (Articles 6 and 7 of Decree 64/2020). The Guide on DPIAs provides additional information on its implementation.

Moreover, the Law provides that, in the exercise of a proactive responsibility, in line with the principle of responsibility, the data controller and the data processor, where appropriate, must conduct a DPIA (Article 12 of the Law and Article 6 of the Decree 64/2020).

The data controller and data processor prior to the start of the processing must perform a DPIA, where the processing operations (Article 6 of the Decree 64/2020):

• use sensitive data as their main business operation;
• plan permanent or stable processing of the specially protected data listed in Chapter IV of the Law (sensitive data, biometric data, health data, telecommunications data, direct marketing, commercial data, data transferred internationally), or of data related to criminal, civil or administrative offenses;
• involve an evaluation and profiling, in particular by analyzing or predicting aspects related to their performance at work, economic situation, health, personal preferences or interests, reliability of behavior, financial solvency and location;
• processes data relating to groups of people in a situation of special vulnerability and, in particular, of minors or disabled people;
• processes large volumes of personal data;
• transfer personal data to other states or international organizations for which there is no adequate level of data protection; and
• other cases determined by the URCDP.

Moreover, for the purposes of carrying out the DPIA, according to the type or volume of data and its processing, the URCDP will establish criteria that contribute to fulfilling the obligations under Article 7 of Decree 64/2020 (Article 7 of Decree 64/2020).

In addition, with respect to processing biometric data regulated under the Law, a DPIA must be conducted before such processing (Article 18-BIS of the Law).

Contents

The DPIA must contain, as a minimum, the following (Article 7 of the Decree 64/2020):

• a systematic description of the processing to be carried out and its purpose;
• an evaluation of the processing in relation to compliance with the personal data protection laws and regulations;
• an assessment of the risks to the rights of the data subjects; and
• a description of the security measures and mechanisms to demonstrate compliance with personal data protection regulations.

Furthermore, in respect of the processing of personal data which has already began, the controller and the processor, where appropriate, must carry the DPIA within a period of one year from the publication of the Decree in the Official Gazette (Article 7 of the Decree 64/2020).

Consultation

If there is a potential and significant risk to the rights of the data subjects arising from the corresponding DPIA, the data controller and the data processor, must inform the URCDP with detailed information on the measures they adopted, or the measures they will adopt and the period to adopt them (Article 7 of the Decree 64/2020).

7.5. Data protection officer appointment

Private and public entities, wholly or partially owned by the state, that process sensitive data as the main business activity or process large volumes of data are required to appoint a DPO (Article 40 of the Law No. 19.670). In addition, the URCDP can inform concerning the need for a private entity to designate a DPO.

The Decree 64/2020 states that, in accordance with the provisions of Article 40 of Law No. 19.670, the following must appoint a DPO (Article 10 of the Decree 64/2020):

• public, state, or non-state entities and private entities wholly or partially state-owned;
• private entities that process sensitive data as their main business, as defined under Article 40 of Law No. 19.670; and
• private entities that process large volumes of data.

Decree 64/2020 clarifies the concept of large-scale data processing by stating that the concept implies the processing of data of more than 35,000 people (Article 10 of Decree 64/2020). In addition, Article 14 of the Regulating Decree provides for an obligation to appoint a DPO, and the appointment must be communicated to the URDCP within 90 days from the start of the appointment (Article 14 of the Decree 64/2020).

Moreover, a set of entities with related tasks or activities may appoint a single DPO, if they can fully comply with the legally established functions in relation to every one of them (Article 15 of the Decree 64/2020). Furthermore, several public entities that are part of the same administrative structure may also designate a single DPO and the URCDP may require the appointment of additional DPOs in order to protect the rights of data subjects (Article 15 of the Decree 64/2020).

Role

The DPO's main functions are to (Article 40 of the Law No. 19.670 and Article 11 of the Decree 64/2020):

• provide advice on the development, design, and application of personal data protection policies;
• supervise compliance with the data protection framework within the entity;
• propose all measures rendered relevant for compliance with the data protection framework and international standards on data protection; and
• act as a point of contact between the entity and the URCDP.

The DPO must act in technical matters with autonomy (Article 40 of the Law No. 19.670).

Furthermore, the DPO is required to participate appropriately in all matters relating to the protection of personal data. Moreover, to enable the performance of their task, a DPO should be given full access to personal databases and processing operations. Additionally, the Role of a DPO is regarded as autonomous, and thus a DPO should not receive any instructions in the performance of specific functions as a DPO (Article 13 of the Decree 64/2020).

Moreover, a DPO is required to maintain confidentiality and they are allowed to perform other functions as long as there is no conflict of interest (Article 13 of the Decree 64/2020).

Professional qualifications

According to Uruguayan law, the DPO must meet the conditions required for the correct performance of its tasks and must act autonomously in technical matters (Article 40 of Law No. 19.670). If the DPO is a legal person, this must be informed to the URCDP, as well as its administrative organ, the data of its members, and the data of the people who will be in charge of the duty.

Moreover, and in accordance with the Regulating Decree, the DPO must be specialized in Law and of personal data protection which must be accredited (Article 12 of the Regulating Decree). In addition, Resolution 32/020 highlights that the DPO must have knowledge of law and data protection regulations. The accreditation of this knowledge can be made by means of participation in activities organized by the URCDP or other entities, that can be either domestic or international. In regard to sensitive data, data with a statute of special protection, or data that the URCDP may determine later, the DPO must have knowledge or experience within the sectors they are operating in and have knowledge of information security tools.

Notification

There is a Digital Registry which establishes a digital database registration system where all entities responsible for or in charge of data processing can inform the URCDP of the appointment of a DPO. A DPO can be registered at the Digital Registry by selecting the corresponding option and indicating the requested data, such as the following:

• the name of the person in charge or the person in charge of the processing appointed by the DPO; 
• identification data; and
• documentation proving appointment.

7.6. Data breach notification

In case of a data breach concerning data protection, the data controller must notify the URCDP of the existence of a data breach within 72 hours of becoming aware of such data breach (Article 4 of Decree 64/2020).

The data controller must also notify the data subjects directly involved and explain in plain and simple terms the existence of the data breach.

If the processor is the one who becomes aware of the data breach, they must promptly notify the data controller.

7.7. Data retention

Not applicable.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Sensitive data

For the processing of sensitive data, the express and written consent of the data subject is needed. It can only be collected and processed when there are reasons of general interest authorized by law, or when the requesting body has a legal mandate to do so. They may also be processed for statistical or scientific purposes when they are dissociated from their owners (Article 18 of the Law).

Databases that store information that directly or indirectly reveal sensitive data are prohibited, with the exception of those owned by political parties, unions, churches, religious confessions, associations, foundations, and other non-profit entities, whose purpose is political, religious, philosophical, or a trade union, which make reference to racial or ethnic origin, health, or sex life, regarding the data related to its associates or members, without prejudice that the communication of said data will always require the prior consent of the data owner.

Criminal conviction data

This can only be processed by the corresponding public authorities according to the Law. Public authorities might communicate or make public the identity of the natural or legal persons that are being investigated by or have committed infractions to current regulations, in cases where the Law imposes it (Article 18 of the Law).

As outlined in Article 4 of Decree No. 250/020, dated September 10, 2020 (only available in Spanish here), when private individuals request certificates about individuals included in the National Registry of Rapists and Sexual Abusers ('the Registry'), established by Article 104 of Law No. 19.889, dated July 9, 2020, (only available in Spanish here), they must do so in person, confirm their identity with a valid legal document and a photocopy, complete the relevant form, and provide their full name and other necessary details. In accordance with Article 4 of Decree No. 17/020, dated January 22, 2020 (only available in Spanish here) ('Decree No. 17/020'), the certification will only confirm whether or not the applicant has a record, as specified in Law No. 19.791 dated September 24, 2019 (only available in Spanish here) ('Law No. 19.791'). Article 6 of Decree No. 17/020 mandates that institutions receiving this information must maintain its confidentiality.

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Data subjects have the right to be informed of (Article 13 of the Law, Articles 5 and 14 of the Decree, and Resolution 70/023, only available in Spanish here):

• the reason for the collection of the personal data;
• the recipient of the database or the type of recipients;
• the existence of the database;
• who the data controller is, its type of activity, and address;
• if it is mandatory to answer all the questions proposed, especially concerning sensitive data;
• the effect of providing personal data or of not providing it;
• how to exercise their rights of access, rectification, update, inclusion, or deletion of any personal data, as well as the right to challenge personal assessments;
• the existence, or not, of international data transfers, where the data will be transferred, the role of the importer, the term of the transfer, the legal basis for the transfer, and the processing operations carried out by the importer.
• in case of data transfers, the recipient of the transfer and the activity they undertake, as well as the purpose of the transfer; and
• when using automated processing of personal data, aimed at evaluating certain aspects of the personality of the data subject, to reach decisions with legal effects that significantly affect them, as indicated in Article 16 of the Law, the data subjects have the right to be informed about the evaluation criteria, the computer system processes, and the program used to do so.

When data is collected directly from the data subject, this information must be given prior to the collection of personal data. In cases where data is not collected directly from the data subject, the data subject must be informed within five working days.

8.2. Right to access

Data subjects have the right to access all the information that concerns them (Article 14 of the Law).

The controller must provide the information in a clear, not codified way, and, if necessary, accompanied by an explanation of the terms used in a way that can be understood by the average population.

The data controller has five days to provide the information requested to the data subject. If a data controller does not comply with the data subject's request, the URCDP can order them to do so.

The Law provides for enforcement mechanisms if the URCDP's order is not complied with, by which the complainant is entitled to use judicial remedies, such as the habeas data action, which is a very quick procedure that enables the data subject to take the data controller to court (Articles 37 to 45 of the Law).

8.3. Right to rectification

Data subjects have the right to rectify all inaccurate data, and the rights to update and include information to their data (Article 15 of the Law and Articles 10, 11, and 12 of the Decree).

Any rectification, update, or inclusion of personal data held in a database must be provided free of charge.

The data controller has five days to rectify, update, or include the data or to inform the data subject the reasons why it does not apply. If a data controller does not comply with the data subject's request, the URCDP can order them to do so. The Law provides for enforcement mechanisms, by which the complainant is entitled to use judicial remedies, such as the habeas data action (Articles 37 to 45 of the Law).

8.4. Right to erasure

Data subjects have the right to have their data deleted from a database in case it is being used by third parties illegitimately, or it is considered to be inadequate or excessive, with certain exceptions. This procedure must be documented (Article 15 of the Law and Article 13 of the Decree).

Deletion is mandatory in the following cases:

• damages to the rights and legitimate interests of third parties;
• notorious error; and/or
• breach of a legal obligation.

Any deletion of personal data held in a database must be provided free of charge.

The data controller has five days to delete the data or to inform the data subject the reasons why it does not apply. If a data controller does not comply with the data subject's request, the URCDP can order them to do so (Article 15 of the Law). The Law provides for enforcement mechanisms, by which the complainant is entitled to use judicial remedies, such as the habeas data action (Articles 37 to 45 of the Law).

8.5. Right to object/opt-out

The right to opt-out is established in cases of direct marketing, where the data subject can request, at any time, that their data be blocked or withdrawn off a database (Article 21 of the Law).

8.6. Right to data portability

Uruguay implemented the right to data portability regarding cell phone numbers on 12 January 2022. According to Article 471 of Law 19.889 and to Decree 26/2021 (only available in Spanish here), cell phone number portability is a consumer right that all cell phone companies must respect and comply with.

Decree 26/2021 introduces a guide on the technical and legal implementation of the right to cell phone number portability from the controller to a new one without the data subject's intervention.

8.7. Right not to be subject to automated decision-making

The data subject has the right not to be subjected to a decision with legal effects that significantly affects them, based on automated data processing, aimed at evaluating certain aspects of their personality, such as job performance, credit, reliability, conduct, among others (Article 16 of the Law).

The data subject has the right to be informed, at the moment of the data collection, the evaluation criteria, the computer system processes and program used to do so. In cases where data is not collected directly from the data subject, the data subject must be informed within five working days (Article 13(G)).

8.8. Other rights

The right of the data subject to consent to the communication of their data to a third party, with some exceptions, and to be informed about the purpose of such communication and the third party to whom the data will be communicated to, or to be given the elements necessary to identify the third party. This consent may be revoked (Article 17 of the Decree).

The right to have sensitive data processed only with the express and written consent of the data subject, with certain exceptions established by law (Article 18 of the Law).

9. Penalties

The URCDP is responsible for issuing coercive measures and sanctions when databases do not comply with the Law or the Decree. These measures include warnings, fines, and the suspension of a database. The URCDP may also request the Judiciary of Uruguay for the closure of a database (Article 35 of the Law and Article 32 of the Decree).

9.1 Enforcement decisions

Not applicable.