1. Governing Texts

1.1. Legislation

• Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) ('the Law')
• Law No. 19.670 on Accountability and Budgetary Execution Balance Exercise 2017 (only available in Spanish here) ('Law No. 19.670')
• Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 and Article 12 of Law No. 18.331 (only available in Spanish here) ('the 2020 Decree')

1.2. Regulatory authority guidance

The Uruguayan data protection authority ('URCDP'), published the following guidance:

• guidelines on personal information and its protection (only available in Spanish here); and
• User Guide for the Registration of Databases in the Registration System, Codes of Conduct and Personal Data Protection Delegates (only available in Spanish here).

1.3. Regulatory authority templates

The URCDP has not published templates in relation to vendor privacy contracts.

2. Definitions

Data controller: The 'person responsible for the database or processing' is the natural or legal person, public or private, who is the owner of the database or who decides on the purpose, content, and use of the processing (Article 4(k) of the Law).

Data processor: The 'person in charge of the processing' is a natural or legal person, public or private, that either alone or in conjunction with others processes the personal data on behalf of the data controller (Article 4(h) of the Law).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

The Law does not explicitly provide requirements for a contract to be in place between a controller and processor.

3.2. What content should be included?

Although there is no requirement for a contract under the Law it should be noted that processors are required to ensure the following:

• adopt measures to protect the security, integrity and confidentiality of the personal data (Article 10 of the Law and Article 5 of the 2020 Decree);
• any time the processor verifies the existence of a data breach, he/she is obliged to notify the breach to the controller (Article 4 of the 2020 Decree);
• act proactively (Article 5 of the 2020 Decree);
• conduct Data Protection Impact Assessments ('DPIA') (Articles 6 and 7 of the 2020 Decree);
• apply the Privacy by Design and Privacy by Default principles (Articles 8 and 9 of the 2020 Decree);
• comply with the Law and its principles and respond to any violations by complying with the principle of proactive responsibility, including technical and organisational measures such as Privacy by Design, Privacy by Default, and DPIAs among other things, to guarantee adequate data processing and ensure its implementation (Article 12 of the Law, modified by Article 39 of Law No. 19.670); and
• the principle on responsibility also states  processor requirements on providing services of Privacy by Design, Privacy by Default, appropriate accountability, and DPIAs, according to Articles 5, 6, and 7 of the 2020 Decree.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

The Law does not explicitly provide that processors must assist controllers with data subject requests.

For further information see Uruguay - Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Natural persons, public legal entities, and private entities who create, modify, or delete databases of personal data, other than those used for personal or domestic purposes are required to register with the URCDP (Article 15(a) and (b) of the 2020 Decree).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

As noted in section 3.2. above, processors must adopt the necessary measures to guarantee the security and confidentiality of personal data. These measures should aim to prevent the alteration, loss, consultation, or unauthorised processing of data, as well as detect deviations of information, intentional or not, and regardless of whether the risks come from human action or the technical means used. The data must be stored in a way that allows the exercise of the right of access. It is forbidden to record personal data in databases that do not meet technical integrity and security conditions (Article 10 of the Law).

In order to adopt these measures, the state of the art, and the cost of its application and the nature, scope, context and purposes of the processing must be taken into account, as well as the risks of varying probability and severity for the rights of people. The measures adopted must be documented, periodically reviewed, and their effectiveness evaluated as well as being available to the URCDP upon request (Article 5 of the 2020 Decree).

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

Where a security incident has been discovered by the data processor, the data processor must inform the data controller immediately (Article 4 of the 2020 Decree).

For further information see Uruguay - Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

The Law does not explicitly provide for the regulation of subprocessors.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Data transfers or communications can only be made with the prior and written consent of the data subject. In addition, the Law states that it is not permitted to communicate data from one database to another without the aforementioned consent (Article 23(a) of the Law).

Data transfers are not permitted unless the country where the data is intended to be transferred provides adequate levels of protection. If not, an authorisation by the URCDP must be requested. Moreover, guarantees made for the protection of private life, the fundamental rights and freedoms of individuals, as well as the exercise of their respective rights can be supported through contractual clauses (Article 23 of the Law).

Uruguayan law establishes a series of exemptions to the general rule that international data transfers are prohibited to those countries that do not provide adequate levels of protection. These exceptions are the following (Article 23 of the Law):

• international judicial cooperation, in cases where there is a treaty or convention;
• exchange of medical information, whenever the data subject's health treatment requires so;
• stock exchange and bank transfers;
• agreements made within the scope of international treaties in which Uruguay is a part of;
• international cooperation between intelligence organisations in the fight against organised crime, terrorism, and drug trafficking;
• when the data subject gave its consent, unequivocally, for the data transfer;
• when the transfer is necessary for the execution of a contract between the data subject and the data controller or for the execution of pre-contractual measures taken at the data subject's request;
• when the transfer is necessary for the execution or delivery of a contract in the data subject's interest, between the data controller and a third party;
• when the transfer is necessary or legally required for the safeguarding of public interest, or for the recognition, exercise, or defence of a right in a judicial procedure;
• when the transfer is necessary for the safeguarding of a vital interest of the data subject; and
• when the transfer is made from a registry conceived to facilitate the access to information for the general public, and which is open for consultation.

For further information see Uruguay - Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The Law does not provide for a requirement for processors to assist controllers with regulatory investigations.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Private and public entities wholly or partially owned by the state, that process sensitive data as the main business activity or process large volumes of data, are required to appoint a DPO (Article 40 of Law No. 19.670 and Article 10 of the 2020 Decree).

For further information see Uruguay - Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

The Law does not explicitly provide for the obligation for controllers to supervise processors' compliance.

The Law establishes that the person responsible for the database or processing and/or the person in charge, where appropriate, will be responsible for the violation of the provisions of the Law (Article 12 of the Law).

Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.