Investing in data protection measures and complying with the rules enforced by a data regulatory authority brings trust, business value and brand reputation, and protects businesses from damaging penalties. Uruguay is a digitally advanced nation. ICT systems have a wide presence there and collect a considerable amount of Uruguayan data to deliver goods and services.
In the interest of its citizens, the Government of Uruguay has instituted a National Data Protection Authority (Unidad Reguladora y de Control de Datos Personales – URCDP). The URCDP is responsible for administering the Data Protection Act that came into force on Aug 31, 2009.
The Act defines sensitive personal data as information that indicates an individual's racial or ethnic origin, political preferences, religious or moral beliefs, trade union beliefs, or any kind of information concerning health or sexual life.
“The digital economy, powered by frontier technologies such as the Internet of Things and Artificial Intelligence, has led to a shift in the data landscape where personal data of individuals is increasingly used to gain new business and behavioral insights for provision of better products and services to customers. As organisations harness the value of data, it is crucial that they understand the importance of using personal data responsibly and putting in place adequate safeguards to prevent abuse or unauthorized disclosure or access to the information.”
Entities that process personal data are required to comply with the regulations of the Data Protection Authority. Some of the compliance requirements are described below:
Registration of Databases
All databases in which data processing is carried out by a person in Uruguayan territory must be registered with the URCDP. A database located abroad must still be registered with the Data Protection Authority if:
- Processing activities occur in connection with goods or services offered to Uruguayan people.
- Processing activities are related to analysis of behavior (profiling) of individuals living in Uruguay.
- Data is processed by means located in Uruguay.
- Registration is required by international law.
Appointment of Data Protection Officers
Certain entities, such as public or private entities owned by the government, or private entities in the business of processing sensitive data, are required to appoint Data Protection Officers. The Data Protection Officers are responsible for:
- Formulating, designing and implementing data protection practices and policies in the organization.
- Monitoring compliance with the legislation and regulations laid down by the Data Protection Authority and the Government of Uruguay.
Collection and Processing
To collect and process personal data, the data processor is required to obtain documented consent from the person or entity whose information is being processed. The processor is also required to state the legitimate purpose of the data acquisition, and it cannot use the data for any other purpose. Once the objectives for processing the personal data are no longer present, the acquired data must be deleted.
Personal data which is publicly available does not require consent. Examples of such data are:
- Personal data obtained from public sources
- Personal data obtained from public bodies
- Personal data based on contractual or professional relationship.
- Personal data limited to:
  - corporation name, commercial name, domicile address, telephone number, and tax identification number (in the case of corporations), and
  - name and surname, ID number, nationality, domicile address, and date of birth (in the case of individuals).
Transfer of Personal Data
With the prior consent of the data provider and for a legitimate interest, the collecting agency may transfer the data to a third party. The data subject must be informed of the purpose and of the data recipient before the data is transferred. However, this consent is revocable.
Upon transfer, the third-party recipient and the original recipient remain jointly liable for complying with the Data Protection Act and with anything else mandated by the Data Protection Authority.
For data that is not public, the Act forbids transfer to entities in other countries that do not provide adequate levels of data protection as per the European standard, unless consented to through a contract.
It is prohibited to register with the URCDP databases that carry personal data and do not meet safety conditions. Data processors must implement the technical and procedural measures needed to ensure the safety of data at rest and in motion. Additionally, the processor must have means to detect unauthorized data leakage, data access and data loss.
In case of a breach, the data processor must immediately notify the affected person and the Data Protection Authority of the breach and the security measures. The Authority will coordinate with the National Computer Security Incident Response Center of Uruguay (CERTuy).
Enforcement by Data Protection Authority
The URCDP has broad investigatory powers, including audit and inspection, subpoena, and search and seizure rights. The authority may also impose penalties on a data processor in the form of a warning, an admonition, fines of up to $60,000, suspension of the database for five days, and closure of the database.
In August 2012, the European Parliament and the Council on adequate protection of personal data deemed that Uruguay’s data protection framework is at an adequate level, meaning that it meets or exceeds the requirements stipulated in the EU’s Data Protection Directive 94/46/EC. The adequacy finding means the EU member states can freely transfer personal data to Uruguay without additional guarantees.