You are here

Uruguay

Country:
Survey Answer:

There are no specific requirements regarding security measures.
However, the principles of Data Security and of Non-Disclosure, which are set forth in Articles 10 and 11 of the Data Protection Law, provide the general guidelines for the protection of processing.
(a) Confidentiality
The Principle of Data Security set forth in Article 10 requires the controller or user of a database to take all necessary measures to ensure the confidentiality of personal data. In addition, the Principle of Non-Disclosure requires individuals and organizations that hold personal data in their custody to keep the information confidential, and to use it exclusively for their normal activity. All dissemination of the data to third parties is prohibited. Employees and agents are subject to the same restrictions. This obligation continues after termination of the relationship with the data controller.
(b) Security Measures Required
Under the Principle of Data Security, “the controller or user of the database must take the necessary steps to ensure the security and confidentiality of personal data.” These measures will aim to prevent the alteration, loss, consultation, or unauthorized processing of the data. They must also provide the ability to detect when the personal data are transmitted or transferred to a third party, intentionally or not, whether the risks arise from human action or from the technical means used. The data must be stored in a manner that allows the data subjects to exercise their right of access. Further, the collection of personal information in databases that do not meet the technical conditions of integrity and security is prohibited.
Further, Article 7 of Decree 414/009 provides that both the data controller and the data processor must protect the personal data being processed by using the most suitable technical and organizational measures to ensure its integrity, confidentiality, and availability.
Please note that according to URCDP resolution 105/2015, the following infringements of the regulations are considered to be serious and a fine of from 12,001 to 90,000 Indexed Units (approximately USD 1,530 to USD 11,500) may be imposed:
(1) Processing or using personal data by breaching the principles, rights and guarantees set forth in both Act 18,331 and its Regulating Decree, as long as it does not constitute a very serious infringement.
(2) Keeping data bases, equipment or programs which contain personal data without the necessary conditions to guarantee their security and confidentiality.
Also, URCDP resolution 105/2015 states that processing personal data, by breaching the principles and guarantees set forth in Act 18,331 when it prevents the exercise of fundamental rights is considered to be a very serious infringement of the law. In this case, the following penalties apply:
- Fine of from 90,001 to 500,000 Indexed Units (approximately USD 11,500 to USD 64,000)
- Suspension of the database in question for 5 days
- Closing of the database.

Provided By:
Martin Pesce, Ferrere Abogados