Data protection: relevant changes and new obligations

Decree approved by Council of Ministers regulates new personal data protection obligations with major changes.

Security incident reporting

All database owners and data controllers have the obligation to report security incidents involving personal data to the Personal Data Local Regulator (URCDP) within a maximum of 72 hours. They must also notify data subjects when their rights have been significantly affected.

Privacy impact assessment

The regulations establish the obligation to assess the impact when data processing involves: 

• Use of sensitive data as main business
• Specially protected data (health, telecommunications, advertising, economic solvency, etc.) and/or data of minors
• Preparation of profiles
• Processing of large volumes of personal data (over 35,000 persons)
• International data transfer to non-adequate countries 

The assessment must be prior and be documented. Regarding treatment initiated prior to the Decree, the assessment must be made retroactively, within a period of 1 year as of its publication.

Appointment of a Data Protection Officer

This obligation applies for private entities that (a) treat sensitive data as main business, or (b) treat large volumes of data, as well as for all public entities without exception.

The entities subject to this obligation must appoint and report the Officer to the URCDP within 90 days as of publication of the Decree.

The Officer, who must accredit knowledge of the Law and of personal data protection, shall have responsibilities including: supervising compliance with the regulations; assessing risks and proposing actions to address them; participating in and validating privacy impact assessments; and serving as liaison with the URCDP.  

Extension of the territorial sphere of the Law

Entities established abroad shall be subject to the Law when:

• they offer goods or services to inhabitants of Uruguay;
• they analyze the behavior of inhabitants of Uruguay, including preparation of profiles;
• they use means located in Uruguay, such as information or communication networks, data centers and IT infrastructure in general. 

At the date of this report the Decree has not yet been published in the Official Gazette.