Law 18.331 - Personal Data Protection Law (PDPL) Uruguay

Overview

Uruguay's Personal Data Protection Law - Law 18,331 - establishes comprehensive regulations for the protection of personal data and privacy rights. Promulgated in 2008, this law is applicable to the collection, processing, and use of personal data in both public and private sectors. It aims to safeguard individuals' privacy rights by imposing obligations on data handlers and ensuring data subjects' rights are respected, incorporating principles like legality, accuracy, data security, and informed consent. The law is complemented by Decree 414/009, which provides detailed regulations for its implementation, and Decree 64/020, which introduces updates to align with international data protection standards.

Uruguay has also been recognized by the European Commission as providing an adequate level of data protection under the General Data Protection Regulation (GDPR). This adequacy decision facilitates the free flow of personal data between Uruguay and the European Economic Area (EEA) without requiring additional safeguards, reinforcing Uruguay’s strong data protection framework.

Regulation Summary

Timeline
  • August 11, 2008: Enactment date.
  • August 18, 2008: Enforcement date.
  • December 22, 2008: Regulation via Decree Nr. 664/008.
  • August 31, 2009: Further regulation under Decree Nr. 414/009.
  • October 20, 2022: Latest amendments via Law Number 20.075.
What Businesses Are Affected
  • All entities processing personal data within Uruguay.
  • Foreign businesses targeting or monitoring individuals in Uruguay.
  • Both public and private sector organizations managing personal data.
Exemptions
  • Personal data used for exclusively personal or domestic purposes.
  • Data related to public safety, national defense, or crime prevention.
  • Data governed by sector-specific laws.
Responsibilities for Businesses
  • Obtain explicit, informed consent from data subjects.
  • Limit processing to specific, lawful purposes.
  • Implement robust security measures to protect personal data.
  • Ensure data accuracy and relevance.
  • Notify the URCDP of any data breaches.
  • Register personal data databases with the URCDP.
Specific Responsibilities for Website Owners
  • Implement cookie consent mechanisms.
  • Display clear, accessible privacy policies.
  • Securely manage online forms collecting personal data.
  • Provide users with an interface to exercise their data rights.
Additional Requirements
  • International Transfers: Permitted only to countries with adequate data protection standards or under approved safeguards (e.g., contractual clauses or explicit consent).
  • High-Risk Processing: Requires prior impact assessments.
  • Data Protection Officers (DPOs): Mandatory for organizations processing large-scale or sensitive data.
Data Subject Rights
  • Access: Obtain information on personal data held.
  • Rectification: Correct inaccuracies or incomplete data.
  • Deletion: Request removal of data when no longer necessary.
  • Objection: Oppose data processing for specific purposes.
  • Portability: Request transfer of data in a structured format.
Enforcement
  • Regulatory Authority: Regulatory and Personal Data Control Unit (URCDP).
  • Penalties: Fines up to 500,000 UI (approximately $60,000 USD).
  • Sanctions: Suspension or closure of non-compliant databases.