On 21 August 2012, the European Commission issued an Implementing Decision (the “Decision”) confirming that the Eastern Republic of Uruguay provides an adequate level of protection for personal data transferred from the European Union. The effect of the Decision is to allow organizations established in European Member States to transfer personal data to organizations in Uruguay without additional protective measures being necessary. It comes nearly four years after the country enacted its data protection statute, Act no. 18.331 on the Protection of Personal Data and Habeas Data Action of 11 August 2008 (the “Act”).
Legal standards for the protection of personal data in Uruguay are based largely on the core principles of the European Framework Data Protection Directive 95/46/EC and include requirements for the proportionate processing of personal data and an obligation to inform data subjects about the processing of their information (“transparency principle”). Under the Act, data subjects also have a right of access with respect to their personal information. Application of data protection requirements is reinforced via the “Habeas Data” action, which is a mechanism that enables a data subject to take a data controller to court to enforce his or her rights of access, rectification and deletion.
Supervision of data protection standards is carried out by the Unit for Regulation and Control of Personal Data (Unidad Reguladora y de Control de Datos Personales (URCDP)), which is invested with powers to investigate, intervene and, where appropriate, impose sanctions.
The Commission Implementing Decision can be viewed here.