Dr. Felipe Rotondo, President of the Executive Board Uruguayan Data Protection Authority, Uruguay

The ‘Regulator Spotlight’ interview series by OneTrust DataGuidance documents jurisdictional focuses, legal developments, and guidance direct from data protection authorities, regulators, and supervisory bodies and brings poignant commentary to the rapidly changing data privacy landscape. Over the past 12 months, OneTrust DataGuidance has sat down with leading figures from organizations including the European Data Protection Supervisor’s Office, the UK ICO, and the United Nations.  

In October 2019, we met with Felipe Rotondo, President of the Executive Board at the Uruguayan Data Protection Authority. We spoke with Felipe about the key considerations that organizations should take into account regarding recent amendments to Uruguayan data protection law, the priorities of Ibero-American network of DPAs, as well as the authority’s priorities for 2020. 

Key amendments to the data protection law in Uruguay 

There were four adjustments to the Uruguayan data protection law that came into force at the beginning of 2019. These revisions aligned the existing legislation with the Ibero-American Standards that were issued in 2017 and also brought it in line with the GDPR.  

As Felipe explains, the adjustments saw the responsibility principle evolve into an accountability principle, and the appointment of data protection officers becoming a mandatory requirement in all public and private entities that process sensitive data or large volumes of data. 

There were also new provisions establishing a deadline for the notification of a data breach, measures that controllers must adopt in case of data breaches, as well as the regulation of Data Protection Impact Assessments. 

Related: Uruguay: Data Protection Overview Guidance Note 

Priorities for the Ibero-American Data Protection Network 

The main objective for the Network is to promote adequate data protection legislation across all of its members where, in some cases, there is out-dated legislation or even no legislation at all.  

Felipe explains, “The Network has been, for a long time, indicating that the members should accede Convention 108 of the Council of Europe. Uruguay was the first non-European country to become a member of Convention 108 in 2013 […] Last year Mexico became a member of Convention 108 and this year Argentina did the same.” 

Many jurisdictions within the network are in the process of formal ratification of Convention 108+. Using several principles from both Convention 108 and the GDPR, the Mexican DPA prepared the Standards that were approved by the Network in 2017, which provide a framework that supports the key priorities of the Ibero-American DPAs.being promoted as an investment for those who adopt corporate responsibility. 

Related: Sophie Kwasny, Head Of The Data Protection Unit At The Council Of Europe 

Watch the full interview where Felipe talks further about the requirements and expectations from organizations regarding DPO appointment and notification and other issues that the Uruguayan data protection authority been working on.