You are here

Uruguay

Country:
Survey Answer:

The Data Protection Law creates the URCDP, which is an independent monitoring office that became operational in April 2009.
The functions and powers of the URCDP include, for example:
- Assisting and advising on the scope of the Data Protection Act and the legal instruments available to protect the rights that are guaranteed by the law;
- Issuing rules and regulations to be applied in carrying out the activities covered by the law;
- Conducting a census of the databases covered by the law and maintaining a permanent register of these databases;
- Monitoring compliance with the requirements governing the integrity, accuracy, and security of the data, including through controls and inspection;
- Requesting information from public and private entities relating to their processing of personal data;
- Issuing opinions when required to do so by the relevant authorities, including requests related to administrative penalties for infringement of the law or any regulations, or decisions governing the processing of personal data;
- Advising the Executive Branch on the consideration of bills that relate in whole or in part to the protection of personal data; and
- Providing information to any person, free of charge, about the existence of personal databases, their purposes, and the identity of the database controllers.
The December 2010 Amendment to the Data Protection Law granted additional powers and means for enforcement of the law. These include the ability to require access to information, files, and computers, seize items, and inspect property.
Regulating Decree 414/009 establishes the procedure for the URCDP to exercise its enforcement powers. The URCDP is able to:
- Carry out inspections that the Executive Council deems pertinent, based on a justified decision;
- Request the relevant court to take appropriate measures if there is a danger of evidence being lost. The request for such measures to be taken must require a justified decision from the Executive Council; and
- Communicate all actions to the database controller, so as to give the controller a period of ten days, counted from the day after notification, within which the controller can develop its case on the matters raised.
The URCDP is active in the enforcement of the data protection regulation. According to the Annual Report of 2016 (the last published and available to date) more than 8,000 databases have been registered since 2009 (when URCDP became operational) with the Authority. In addition, during the same year, the URCDP:
- received 20 queries and 89 complaints
- applied 6 notices of violation, 9 warnings and 10 fines.
- reviewed files and issued 34 resolutions, as well as 23 formal opinions.
- prepared 287 reports (including notary, legal and technical perspective).

Provided By:
Martin Pesce, Ferrere Abogados