Decree No. 64/020 (‘the Decree’), regulating Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008 (‘the Law’), was approved by the Council of Ministers and published in the Official Gazette on 21 February 2020. The Decree contains new provisions on the protection of personal data and seeks to give individuals a level of protection in line with new technological developments and the evolution of data processing practices.

In addition, the Decree supplements the Law with provisions on:

territorial scope;

personal data breaches;

data protection officers (‘DPOs’);

proactive responsibility; and

security measures.

The Decree also implements the notion of Privacy by Design to ensure that the design of databases, processing operations, applications, and computer systems is made in line with principles including data minimisation, pseudonymisation, consent, and other measures established by the Uruguayan data protection authority (‘URCDP’).

Security measures

Florencia Castagnola, María Sofía Anza, and Ángeles Castaingdebat Castro, Partner, Senior Associate and Junior Associate at Guyer & Regules respectively, told OneTrust DataGuidance, “Data processors and controllers must adopt an active role in implementing adequate technical and organisational measures and must assure an adequate treatment of personal data. The adopted measures will need to be documented, periodically reviewed, and evaluated in order to prove their effectiveness. This document will need to be available upon URCDP’s request”.

In particular, the Decree introduces the concept of Privacy by Design and provides that the person in charge of processing must build into the design of databases, processing operations, applications and computer systems measures aimed at complying with personal data protection regulations. The technical and organisational measures adopted can include, for instance, pseudonymisation, data minimisation, mechanisms to ensure the exercise of data subject rights, and documentation of consent or of whichever other legal basis supports the processing. Moreover, the Decree notes that, given the importance and volume of information processed by organisations and the possibility of security breaches, it is essential to establish a clear regime for the procedures to be followed in the event of such a breach.

Guillermo Duarte, Senior Associate at Bergstein Abogados, told OneTrust DataGuidance, “According to the Decree, the party responsible for the treatment of the data affected must communicate the breach to the URCDP within 72 hours of having become aware of the breach. This communication must contain relevant information such as the date of the breach, its nature, the personal data affected and the possible impacts. Further, a notification must be made to the data owners in clear and simple language. Finally, once the breach has been solved, a detailed brief must be filed with the URCDP describing the breach and the security measures adopted. This applies both to public and private entities without distinction.”

Scope of Application

Castagnola, Anza, and Castaingdebat Castro added “In accordance with the Law and the Decree, the Uruguayan legal and regulatory framework is applicable in the following cases if the processing of personal data is conducted by a processor or controller located in Uruguay. The Decree specifically sets forth that the person or entity responsible will be deemed as located in Uruguay when a stable activity is conducted within the country. The Uruguayan legal and regulatory framework [also applies] if the processing of personal data is conducted by a processor or controller located outside of Uruguay, if:

the processing activities are related to the offering of goods and services directed to Uruguayan inhabitants (according to the Decree, this will be evaluated through elements like the use of language, references to payment in national currency or references to related services offered in Uruguayan territory);

the processing activities are related to the monitoring of the behaviour of Uruguayan inhabitants;

established by international public law dispositions or set forth in a contract (contracting parties cannot exclude the application of the Law when processing activities fall within its scope); or

means located in Uruguay are used for said processing (such as information and communication networks, data centres, and informatics infrastructure in general, as stated in the Decree).

As a consequence of the above, entities from the private sector which did not previously fall within the scope of the Law will now have to comply with its obligations (including the registration of databases before the URCDP).”

Data Protection Impact Assessment (‘DPIA’)

Under the Decree, the person or entity in charge of the processing of personal data must carry out, where necessary and prior to the start of the processing, an evaluation of its impact on the protection of personal data if the processing involves, among other things, sensitive data as the main business, personal information from vulnerable groups, processing of personal data for the purpose of profiling data subjects, international transfers of data to destinations without an adequate level of protection, or large volumes of personal data.

In addition, the Decree notes that DPIAs must contain, at a minimum:

a systematic description of the treatment performed and its purpose;

an evaluation of the treatment in relation to compliance with personal data protection regulations;

an evaluation of the risks to the rights of the data subject; and

a detailed list of security measures and mechanisms to demonstrate compliance.

DPO appointment

Duarte continued, “The DPO is responsible for formulating, designing and implementing data protection policies, monitoring the compliance with local legislation and regulation, and serving as a link to the URCDP. The Decree restated the requirements of the Law. That is, the entities required to appoint a DPO are public bodies (state or non-state) and private entities owned fully or partially by the State, private companies whose core business entails treating sensitive data (race and ethnic heritage, political preferences, religion, union affiliation, and information relative to health or sexual preference), and private companies who treat large amounts of data (i.e. more than 35,000 individuals). The Decree clarifies the Law’s reference to sensitive data and sets forth what is understood as large amounts of data. The appointment of a DPO must be communicated to the URCDP within 90 days from the date on which the data processing activities started.”

The Decree entered into force on 21 February 2020.

Mona Benaissa, Privacy Analyst


Comments provided by:

Florencia Castagnola, María Sofía Anza and Ángeles Castaingdebat Castro, Partner, Senior Associate, and Junior Associate


Guyer & Regules

Guillermo Duarte, Senior Associate


Bergstein Abogados