Uruguay’s Law No. 18.331 on the Protection of Personal Data

Uruguay’s Law No. 18.331 on the Protection of Personal Data, also known as the Data Protection Law, is a privacy policy that was passed in 2018. With respect to data protection the country, Uruguay was the second Latina American country to be declared adequate by the European Commission, after the commission reviewed the country’s data protection policies in 2012. What’s more, Uruguay was the first non-European nation to ratify the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or the original Convention 109 for short. Given this context, the Data Protection Law was passed to provide Uruguayans with a level of data protection on par with the EU’s General Data Protection Regulation or GDPR.

What is the scope and application of the Data Protection Law?

In terms of the personal scope of the law, the Data Protection Law applies to any identified or identifiable natural persons, as well as to legal persons when applicable, whether said persons are private or public. “Regarding the personal data of the deceased, Article 14 of the law states that the right of access can be exercised by any full legal successor”. In terms of the territorial scope of the law, the Data Protection Law “applies when the processing of personal data is performed by controllers located in Uruguay, when they execute their activities in Uruguay (Article 3(a) of the Decree)”.

In terms of data processing activities that take place outside of Uruguay, the law applies under the following circumstances:

• If the data processing activities are related to the offering of goods or services to individuals residing within Uruguay, or are intended to monitor the behavior of Uruguayan citizens.
• If private international laws or contractual obligations mandate such.
• If data processing activities are undertaken using means established within the country, with the exception of instances in which said means are used for the sole purpose of transit, and there is a person who is responsible for the processing of residency in Uruguay, as appointed by the applicable data controller before the URCDP (The Uruguayan Data Protection Authority).

What are the requirements of data controllers under the Data Protection Law?

As is the case with many other data privacy laws around the world, the Data Protection Law mandates that data controllers adhere to a variety of principles as it pertains to the processing of personal data. These principles include legality, veracity, purpose, consent, security, data quality, proportionality, transparency, integrity, confidentiality, responsibility, the principle of limitation of subsequent transfers, and the autonomy of the URCDP. Additionally, there are also a multitude of other obligations that data controllers must abide by under the Data Protection Law. Some of these obligations include:

• Data processing notifications– the Data Protection Law requires the registration of all databases containing the personal data of data subjects, whether it be private or public. Moreover, this database must also detail the categories of data, how the data is collected and processed, the databases name, the data controller, the storage location and retention periods, the security measures that are in place to protect personal data, how a data subject’s right to access, rectify, update, include, or delete any personal data can be exercised.
• Data transfers– Under the law, international data transfers are only permitted if the country or international organization in question is within a country that provides an adequate level of data protection.
• Data Protection Officer appointment- Under certain circumstances, business agencies and organizations may be required to appoint a Data Protection Officer or DPO in accordance with the law.
• Data protection impact assessments– Under the Data Protection Law, data controllers are required to conduct data protection impact assessments, or DPIA’s for short, in accordance with guidelines issued by the law.
• Data breach notifications– In instances where data breaches occur, the applicable data controller must provide notice to both the URCDP, as well as any data subjects who have been subsequently affected within 72 hours.

What are the rights of data subjects under the Data Protection Law?

In relation to the rights of data subjects under the law, the Data Protection Law provides Uruguayan citizens with various protections in regard to their personal privacy. These rights include:

• The right to be informed.
• The right to have access.
• The right to rectification.
• The right to erasure.
• The right to object/opt-out.
• The right to data portability.
• The right not to be subject to automated decision-making.
• The right to consent to the further use of personal data by a third party.
• The right to express written consent in relation to sensitive data.

In terms of enforcement of the law, the Data Protection Law also established The Uruguayan Data Protection Authority, or URCDP for short, for the purposes of overseeing the principal and obligations of the law. To this end, data controllers who are found to be in violation of the law are subject to a variety of coercive sanctions and measures including warnings, administrative fines, and the suspension of a data controllers database. Furthermore, the URCDP also has the authority to request the judiciary closure of a data controllers database.

With the passing of the Data Protection Law, Uruguay provided even further data protection rights to a country that had already been at the forefront of the topic within its region. This proactive approach to data protection has been reflected in the country’s decision to ratify the original Convention 108 in 2013, as the country has strived to put its privacy legislation on pace with that of the EU’s General Data Protection Regulation. As such, Uruguay serves as a model for the ways in which other countries within South America can go about providing enhanced data privacy rights to their respective citizens.