

Survey Answer:

Uruguay's data protection Act 18,331 (“Act on the Protection of Personal Data and Habeas Data Action,” commonly known as “Data Protection Law”) seeks to protect the privacy of both individuals and corporate entities, whose records are kept in databases managed by governmental, public, or private organizations.
Article 31 of the Data Protection Act establishes the Unidad Reguladora y de Control de Datos Personales (URCDP) (the Personal Data Regulatory and Control Unit) as the country’s data protection supervisory authority. The URCDP is an autonomous entity of the Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y del Conocimiento (AGESIC) (Agency for the Development of Electronic Government and the Information Society).
In addition, there are other laws and regulations that supplement Data Protection Law 18,331, such as:
- Act 18,719 National Budget Act amending Act 18,331, passed on December 27, 2010.
The most significant amendment provides the URCDP with increased enforcement powers.
- Act 18,996 National Budget Act amending Act 18,331, passed on November 11, 2012.
The most significant amendment introduces the types of sources that shall be considered as public sources of information or sources accessible to the public.
- Regulating Decree 414/009 of August 31, 2009 (“Decreto Reglamentario de la Ley 18.331 de Protección de Datos Personales y Acción de Habeas Data”).
The decree provides complementary provisions and guidance on the application of Data Protection Law 18,331.
- Regulating Decree 664/008 of December 22, 2008.
The decree defines the conditions for registering databases with the URCDP, and some of its provisions were superseded by Decree 414/009.
- Act 19,030 of January 7, 2013, through which Uruguay adhered to Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Scope of the Law
The Data Protection Law protects the privacy of individuals and corporate entities whose records are included in databases managed by governmental, public, and private organizations. One of the unique characteristics of the Data Protection Act of Uruguay is that it applies to both individuals and legal entities.
Article 3 of the Act establishes as a general principle that “the regulations of this law shall be applied to personal data recorded on any means that allows their processing, and to any kind of subsequent use to which these data may be put by the public or private sectors”.

Geographical Scope
The processing of personal data is subject to the Data Protection Law of Uruguay when:
- The processing is performed by data controllers or processing controllers that are established in Uruguay, and that carry out their activities in Uruguay, whatever their legal forms; and,
- The data controller is not established in Uruguay, but processes the data by means or through media located within Uruguayan territory.

Main Definitions
- Processing (Data Treatment)
The act regulates personal data treatment, which is defined to include “systematic operations and procedures, whether or not automated, allowing the processing of personal data, as well as the disclosure to third parties through communications, consultations, interconnections or transfers.”
- Personal Data
Under Uruguayan Regulations the term “personal data” is very broad. It is defined as “information of any kind relating to individuals or legal entities determined or determinable.”
Unlike many other data protection laws, the personal data of legal entities, such as a company, are also subject to the Uruguayan Data Protection Law. Article 2 of the Data Protection Act provides that “the right of protection of personal data shall apply by extension to legal entities, as appropriate.”
- Sensitive Data
Under Uruguayan Regulation, “Sensitive Data” is considered “Specially Protected”.
“Sensitive data” include personal data revealing racial or ethnic origin, political preferences, religious or moral beliefs, trade union membership, and information relating to health or sex life. The law provides a more restrictive regime for the treatment of this kind of data, establishing an obligation to obtain the data subject’s express written consent for such treatment.
- Data Controller
According to article 4 (k) of the Act, the data controller is “the individual or legal entity, public or private, who owns the database or who decides on the purpose, content, and use of the data treatment.”

Provided By:
Martin Pesce, Ferrere Abogados