What is Uruguay PDPL?
Uruguay’s Personal Data Protection Law, also known as Law 18,331, is the main legal instrument regulating how personal information is to be handled; it also establishes the right of data subjects to seek legal redress for violations of their data subject rights, known as habeas data. Although it is largely modeled after the GDPR, and Uruguay is recognized by the EU Commission as an adequacy country, this data privacy law is linked to a few other national laws and decrees that complete its legal framework. These are:
- Decree No. 414/009, regulating Law 18,331 as regards the protection of personal data; and
- Decree No. 64/2020, regulating Articles 37 to 40 of Law 19,670 and Article 12 of Law 18,331, which addresses the principle of proactive responsibility and the obligation to appoint a Data Protection Officer.
What is Personal Information and what are other key definitions?
According to the text of the law, ‘personal data’ is any type of information that refers to an identified or identifiable natural or legal person. ‘Sensitive data’, as in other legislation, is defined as personal data that reveals an individual's racial or ethnic origin, religious or moral convictions, political preferences, union affiliation, or information about the individual's health or sex life.
Because the law covers databases containing such data, it defines a database as an organized set of personal data that is collected or processed, whether in electronic format or not, regardless of the way it is formed, stored, organized or accessed.
The law does not use the term ‘data controller’ as such, instead referring to the ‘responsible for the database or processing’: a natural or legal person, public or private, that owns the database or decides on the purpose, content and use of the processing. It defines a ‘data processor’ as a natural or legal person, public or private, that alone or in conjunction with others processes personal data on behalf of the person responsible for the database or the processing.
Who has to comply with the Uruguay PDPL?
Uruguay’s personal data protection law applies to personal data recorded in any environment that makes it subject to processing, and to any way in which this data is subsequently used by public or private entities. Given that the right to the protection of personal data is a fundamental right granted by the Constitution of Uruguay, Decree 414 further clarifies that this right applies to legal persons, as appropriate, and to natural persons, directly or indirectly, and to any format of the personal data referring to them (numerical, alphabetical, photographic, geographical, audio, etc.).
Territorially, Law 18,331 applies in the following cases:
- the processing is carried out in Uruguay by a data controller or processor established in Uruguay;
- the data controller or processor is not established in Uruguay but meets the following criteria:
  - the data processing relates to the offering of goods or services addressed to inhabitants of Uruguay;
  - the data processing relates to the analysis of the behavior of inhabitants of Uruguay, including for profiling purposes;
  - the data processing is conducted on the basis of public international law or on the basis of a contract;
  - the processing of personal data is done using media located in the country, i.e. communication networks, data centers or computer infrastructure in general.
Who is excluded from Uruguay PDPL compliance?
Uruguay’s PDPL excludes from coverage the following databases:
- those that are maintained by natural persons for exclusive personal or domestic use;
- those that are maintained for the purpose of public safety, State security, defense, in matters of criminal investigation or for the prevention of crimes;
- those that were created and regulated by special laws.
How can I keep my organization Uruguay PDPL compliant?
There are several principles that the law establishes in order for your organization to be compliant:
Lawfulness: forming databases has to be lawful, these have to be registered, and data processing has to be done within the legal framework established by the law.
Accuracy: the data has to be true, complete, accurate, verifiable, understandable, and up to date.
Purpose: data processing has to have legitimate purposes, and it cannot be used for purposes other than those for which it was collected.
Prior informed consent: data collection and processing has to be done with the consent of the data subject which was obtained prior to the collection/processing.
Data security: in the course of data processing, you are required to ensure the implementation and use of any necessary measures to ensure the security of the data, preventing its corruption, loss, or unauthorized access, as well as detect any potential risks. The data has to be stored in such a way so as to allow for the exercising of the right of access.
Confidentiality: any person involved in personal data processing is required to observe the principle of confidentiality, even after the end of their relationship with the data processing entity (i.e. even after they are no longer employees of the data processor), and remains responsible for observing this law and its regulations.
Responsibility: data controllers and processors are responsible for any violation of the provisions of the law. As such, for the purpose of proactive responsibility, they are required to adopt the necessary technical and organizational measures to ensure proper data processing and demonstrate effective implementation of these. Such measures entail adopting privacy by design, privacy by default, or conducting data protection impact assessments.
In addition to the above, the law and the decrees offer further clarification on steps to be taken towards compliance:
- sensitive data cannot be coerced out of the data subject and its processing can only be done with the consent of the data subject, unless specific exceptions apply, as outlined in Article 18;
- health-related data may be collected and processed by health institutions and professionals, but only in relation to the physical or mental health of current or former patients, and professional secrecy has to be maintained;
- telecommunications operators that operate public networks or provide electronic communication services available to the public have to observe the regulations of this law;
- data related to databases created for advertising purposes may only be processed for the specific purpose of creating specific promotional, commercial or advertising profiles, or to determine consumption habits, but only when said data appears in publicly accessible documents or when it has been provided by the data subject(s) along with consent for processing;
- international transfers can only be done with countries and organizations that provide adequate levels of protection in accordance with the law;
- in the event of a security breach, data controllers have to notify the regulatory authority within 72 hours of the breach. The report has to outline relevant information about the estimated date of the breach, its nature, the data affected and possible impacts it may have. Additionally, the affected data subject has to be notified in clear and simple language if they have suffered a significant impact on their data rights. Once the data breach has been resolved, data controllers have to prepare a detailed report of it as well as of the security measures adopted. This report has to then be communicated to the regulatory authorities.
- according to Article 29, all public or private databases that meet a series of criteria have to be registered in the Registry that the regulating authority creates for this purpose, no later than 90 days after the creation of the database. The criteria and who they apply to are further expanded upon in Decree 414, Article 15, which specifies who has to be registered:
  - natural persons who create, modify or delete databases of personal data that are not exclusively for personal or domestic use;
  - public legal entities, state or not, and private entities, that create, modify or delete personal databases, except for the exceptions provided for in the Law;
  - codes of conduct of professional practices which establish the personal data processing regime;
  - authorisations for international transfers of personal data.
- Decree 64 establishes in Article 10 the situations where a Data Protection Officer has to be appointed, as follows:
  - state, public, or non-state entities, as well as private entities that are entirely or partially state-owned;
  - private entities that process sensitive data as their main business;
  - private entities processing large volumes of personal data (the personal data of more than 35,000 people).
What data access rights does Uruguay PDPL grant?
Uruguay’s data privacy law grants data subjects the following rights:
- The right to access
- The right to correct, update, include or delete
- The right to not be subject to automated decision making, based on automated or non-automated processing.
In addition, the law grants data subjects rights relating to the communication of data: personal data subject to processing may be communicated only in order to fulfil purposes directly related to the legitimate interest of the issuer and the recipient, and with the prior consent of the data subject, who must be informed of the purpose of the communication and of the identity of the addressee, or of the elements enabling them to identify it.
How to address data subject access requests under Uruguay PDPL?
The law mandates that for any data subject request you have five days to reply to the data subject, either with the requested information or with a reason for refusal.
In the case of the right of access, the law states that the information has to be provided in a clear format, and, where appropriate, accompanied by an explanation, in language accessible to the average knowledge of the population, of the terms that are used. The information must be comprehensive and in no case can it reveal data about a third party. At the request of the data subject, this can be provided in writing, electronically, via phone or any other means suitable for the purpose of satisfying the request.
If the five-day deadline passes without a reply from your organization, the data subject has the right to seek legal action against you.
Enforcement and penalties
The regulating authority is the Unidad Reguladora y de Control de Datos Personales (the Regulatory and Personal Data Control Unit), also known as the URCDP.
As far as penalties are concerned, the URCDP may apply the following:
- a warning;
- a fine up to 500,000 indexed units (approx. $72,000); or
- suspension of the database in violation for up to 6 business days while an investigation is underway.
Data Subject Rights - GDPR vs. Law 18,331
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Law 18,331:
- The right to access
- The right to correct, update, include or delete
- The right to not be subject to automated decision making
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.