Page 1

Regulations and Legal Notices of Uruguay
Return

Law No. 18331

PERSONAL DATA PROTECTION LAW
Actualized document

Promulgation: 08/11/2008
Publication: 08/18/2008
National Registry of Laws and Decrees:
Volume 1
Semester: 2
Year 2008
Page: 378

Regulated by: Decree No. 414/009 of 08/31/2009.
See: Law No. 19,438 of 10/14/2016 article 189 (declares that it is exempted from
UTE, ANTEL and OSE, of the limitations to provide information to the
Departmental Governments).
References to the entire standard

CHAPTER I - GENERAL PROVISIONS

Article 1
Human Right.- The right to the protection of personal data is
inherent to the human person, for which it is included in the article
72 of the Constitution of the Republic.
References to the article

Article 2
Subjective scope.- The right to the protection of personal data is
It will apply by extension to legal persons, as appropriate.
References to the article

Article 3
Objective scope.- The regime of this law will be applicable to the
personal data registered in any medium that makes them
susceptible to treatment, and to any modality of subsequent use of these
data by the public or private spheres.
It will not apply to the following databases:
A) Those maintained by natural persons in the exercise of
exclusively personal or domestic activities.
B) Those whose objective is public security, defense,
State security and its activities in criminal matters, investigation
and repression of crime.
C) To the databases created and regulated by special laws.

(*) Notes:

Letter C) regulated by: Decree No. 437/009 of 09/28/2009 .
References to the article

Article 4
Definitions.- For the purposes of this law, it is understood by:
A) Database: indistinctly, they designate the organized set of
personal data that are subject to treatment or processing,
electronic or not, whatever the modality of their training,
storage, organization or access.
B) Data communication: any disclosure of data made to a
person other than the owner of the data.
C) Consent of the holder: any manifestation of will, free,
unequivocal, specific and informed, by which the owner
consent to the processing of personal data that concerns you.
D) Personal data: information of any kind referring to people
physical or legal determined or determinable.
E) Sensitive data: personal data that reveal racial and ethnic origin,
political preferences, religious or moral convictions, affiliation
union and information regarding health or sexual life.
F) Recipient: natural or legal person, public or private, who
receives data communication, whether or not it is from a third party.
G) Data disassociation: all processing of personal data of
so that the information obtained cannot be linked to a person
determined or determinable.
H) Responsible for the treatment: natural or legal person, public or
private, that alone or in conjunction with others treats personal data by
account of the person responsible for the database or treatment.
I) Sources accessible to the public: those databases whose
consultation can be made by anyone, not impeded by a
limiting norm or without any other requirement than, where appropriate, the payment of a
consideration.
J) Third: the natural or legal person, public or private, different
of the owner of the data, of the person in charge of the database or
treatment, the person in charge and the persons authorized to treat
the data under the direct authority of the person in charge or the person in charge of the
treatment.
K) Responsible for the database or the treatment: natural person or
legal, public or private, owner of the database or that
decide on the purpose, content and use of the treatment.
L) Owner of the data: person whose data is the subject of a
treatment included within the scope of action of this law.
M) Data processing: systematic operations and procedures,
automated or not, that allow data processing
personal, as well as its assignment to third parties through
communications, consultations, interconnections or transfers.
N) Data user: any person, public or private, who makes their
arbitrary data processing, either in its own database or
through connection with them.
Ñ) Biometric data: personal data obtained from a
specific technical treatment, relative to the characteristics
physical, physiological or behavioral of a natural person who
allow or confirm the unique identification of said person such
such as fingerprint data, image or voice recognition. (*)

(*) Notes:

Literal Ñ) see validity: Law No. 19,924 of 12/18/2020 article 3 .
Literal Ñ) added by: Law No. 19,924 of 12/18/2020 article 86 .
References to the article

CHAPTER II - GENERAL PRINCIPLES

Article 5
Value and strength.- The actions of those responsible for the databases,
both public and private, and, in general, of all those who act in
In relation to personal data of third parties, you must comply with the following
general principles:
A) Legality.
B) Truthfulness.
C) Purpose.
D) Prior informed consent.
E) Data security.
F) Reserve.
G) Responsibility.
These general principles will also serve as interpretive criteria.
to resolve the issues that may arise in the application of the
relevant provisions.
References to the article

Article 6
Principle of legality.- The formation of databases will be lawful
when they are duly registered, observing their operation
the principles established by this law and the regulations that
are dictated accordingly.
The databases cannot have purposes that violate rights
human or contrary to laws or public morals.
References to the article

Article 7
Principle of truthfulness.- The personal data that is collected from
The effects of their treatment must be truthful, adequate, fair and not
excessive in relation to the purpose for which they were obtained.
Data collection may not be done by unfair means,
fraudulent, abusive, extortionate or in a manner contrary to the
provisions of this law.
The data must be exact and updated in the event that this is
necessary.
When the inaccuracy or falsity of the data is verified, the person in charge
of the treatment, as soon as you have knowledge of said circumstances,
You must delete, replace or complete them with exact, truthful data
and updated. Likewise, those data that have
expired in accordance with the provisions of this law.
References to the article

Article 8
Principle of purpose.- The data object of treatment may not be
used for purposes other than or incompatible with those that
motivated its obtaining.
The data must be deleted when they are no longer necessary or
relevant to the purposes for which they were collected.
The regulations will determine the cases and procedures in which, for
exception, and taking into account the historical, statistical or scientific values,
and in accordance with the specific legislation, personal data is kept
even when you have allowed such need or relevance.
Nor can data be communicated between databases, without the mediation of law or
prior informed consent of the owner.
References to the article

Article 9
Principle of prior informed consent.- Data processing
personal is lawful when the owner has given his consent
free, prior, express and informed, which must be documented.
The aforementioned consent given with other statements, must include
expressly and prominently, prior notification to the required data, of
the information described in article 13 of the present
law. (*)
Prior consent will not be necessary when:
A) The data comes from public sources of information, such as
records or publications in mass media.
B) They are collected for the exercise of functions of the powers
of the State or by virtue of a legal obligation.
C) In the case of lists whose data is limited in the case of people
physical names and surnames, identity document, nationality,
address and date of birth. In the case of legal persons,
company name, fantasy name, unique taxpayer registry,
address, telephone number and identity of the persons in charge of it.
D) They derive from a contractual, scientific or professional relationship of the
owner of the data, and are necessary for its development or
compliance.
E) It is carried out by natural persons for their exclusive personal use,
individual or domestic. (*)

(*) Notes:

Subsection 2) wording given by: Law No. 18,719 of 12/27/2010 article 152 .
Subsection 3º) literal E) wording given by: Law Nº 18,719 of 12/27/2010
Article 156 .
See in this standard, articles: 17 and 18 - BIS .
See: Law No. 19,355 of 12/19/2015 article 84 (interpretative).
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 9 .
References to the article

Article 9-BIS
For the purposes of the provisions of literal I) of article 4, by
literal A) of the third paragraph of article 9 and by articles 11,
21 and 22 of this law, are considered public or accessible to the
public, the following sources or documents:
A) The Official Gazette and official publications, whatever their
registration support or communication channel.
B) Publications in mass media, understanding
for such those from the press, whatever the medium
in which they appear or the channel through which the
communication.
C) The guides, yearbooks, directories and the like in which they appear
names and addresses, or other personal data that have been
included with the consent of the owner.
D) Any other record or publication in which the interest prevails
general in that the personal data contained therein
may be consulted, disseminated or used by
third parties. Otherwise, you can use the registry or
publication using techniques of dissociation or concealment of
personal information.
The Regulatory Unit for the Control of Personal Data, ex officio or
request of any interested party, it will be issued on the right to
protection of personal data, in situations related to the sections
literal precedents A) and B) of the first paragraph of Article 34 of the
present law. (*)

(*) Notes:

See validity: Law No. 18,996 of 11/07/2012 article 2 .
Added / s by: Law No. 18,996 of 11/07/2012 article 43 .

Article 10
Principle of data security.- The person responsible or user of the database
data must adopt the measures that are necessary to
guarantee the security and confidentiality of personal data. Said
measures shall be aimed at preventing their adulteration, loss, consultation or
unauthorized treatment, as well as detecting deviations of information,
intentional or not, whether the risks stem from human action or
of the technical medium used.
The data must be stored in a way that allows the exercise of the
right of access of its owner.
It is forbidden to record personal data in databases that do not collect
technical conditions of integrity and security.
References to the article

Article 11
Principle of reservation.- Those natural or legal persons who
legitimately obtain information from a database that
treats them, they are obliged to use it in a reserved manner and
exclusively for the usual operations of its business or activity,
any dissemination of the same to third parties is prohibited.
People who, due to their employment situation or other form of relationship with the
responsible for a database, have access or intervene in
any phase of the processing of personal data, they are obliged to
maintain strict professional secrecy regarding them (Article 302 of the
Penal Code), when they have been collected from sources not accessible to the
public. The provisions will not apply in cases of order of the
Competent justice, in accordance with the regulations in force in this matter or
If there is the consent of the owner.
This obligation will subsist even after the relationship with the
responsible for the database.
References to the article

Article 12
(Principle of responsibility) .- The person responsible for the database or
treatment and the person in charge, where appropriate, will be responsible for the violation
of the provisions of this law.
In the exercise of proactive responsibility, they must adopt the
appropriate technical and organizational measures: privacy by design,
default privacy, data protection impact assessment,
among others, in order to guarantee an adequate treatment of the data
personal data and demonstrate its effective implementation.
The regulations will determine the corresponding measures according to the
types of data, treatments and responsible parties, as well as the opportunity to
its review and update. (*)

(*) Notes:

Wording given by: Law No. 19,670 of 10/15/2018 article 39 .
See validity: Law No. 19,670 of 10/15/2018 article 2 .
Regulated by: Decree No. 64/020 of 02/17/2020.
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 12 .
References to the article

CHAPTER III - RIGHTS OF DATA HOLDERS

Article 13
Right of information against data collection.- When
collect personal data, their owners must be previously informed at
expressly, precisely and unequivocally:
A) The purpose for which they will be processed and who may be their
recipients or class of recipients.
B) The existence of the database, electronic or any other
type, in question and the identity and address of the person responsible.
C) The mandatory or optional nature of the responses to the
questionnaire that is proposed, especially regarding the data
sensitive.
D) The consequences of providing the data and of the refusal to
do it or its inaccuracy.
E) The possibility of the owner to exercise access rights,
rectification and deletion of data.
References to the article

Article 14
Right of access.- Any holder of personal data who previously
prove your identification with the identity document or power of attorney
respective, you will have the right to obtain all the information about yourself
same is in public or private databases. This right of
Access may only be exercised free of charge at intervals of six
months, unless a legitimate interest of
according to the legal system.
In the case of data of deceased persons, the exercise of the right to
which this article refers to, will correspond to any of its successors
universal, whose character will be duly accredited. (*)
Information must be provided within five business days of
have been requested. The deadline has expired without the order being satisfied or
if it was denied for reasons not justified in accordance with this law,
the habeas data action will be enabled.
The information must be provided in a clear manner, free of
encodings and, where appropriate, accompanied by an explanation, in language
accessible to the average knowledge of the population, of the terms
use.
The information must be comprehensive and cover the entire registry
belonging to the owner, even when the requirement only comprises a
aspect of personal data. In no case may the report reveal
data belonging to third parties, even when they are linked to the interested party.
The information, at the option of the owner, may be provided in writing, by
electronic, telephone, image, or other suitable means for this purpose.

(*) Notes:

Subsection 2) wording given by: Law No. 18,719 of 12/27/2010 article 152 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 14 .
References to the article

Article 15
Right of rectification, update, inclusion or deletion.- All
natural or legal person will have the right to request rectification,
updating, inclusion or deletion of the personal data that you
corresponding included in a database, when an error or
falsehood or exclusion in the information of which it is the owner.
The person responsible for the database or the treatment must proceed to
make the rectification, update, inclusion or deletion, through
the operations necessary for this purpose within a maximum period of five days
working days of receipt of the request by the owner of the data or, where appropriate,
Report the reasons why it does not apply.
The breach of this obligation by the person in charge of the database
of data or of the treatment or the expiration of the term, will enable the
owner of the data to promote the habeas data action provided for in this law.
The elimination or deletion of personal data proceeds in the following
cases:
A) Damages to the rights and legitimate interests of third parties.
B) Notorious error.
C) Contravention of what is established by a legal obligation. (*)
During the process of verification, rectification or inclusion of data
personal data, the person responsible for the database or treatment, before the
requirement of third parties to access reports on them, you must
to record that said information is under review.
In the case of communication or data transfer, the person responsible for
the database or the treatment must notify the rectification,
inclusion or deletion to the recipient within the fifth business day of
data processing has been carried out.
The rectification, update, inclusion, elimination or deletion of
personal data when applicable, will be made without charge for the
headline.

(*) Notes:

Subsection 4) wording given by: Law Nº 18,719 of 12/27/2010 article 152 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 15 .
References to the article

Article 16
(Right to challenge personal assessments) .- People have
right not to be subjected to a decision with legal effects that
significantly affect, which is based on an automated treatment of
data intended to assess certain aspects of your personality, such as your
job performance, credit, reliability, conduct, among others.
The affected party may challenge the administrative acts or decisions
that imply an assessment of their behavior, the sole
basis is a processing of personal data that offers a
definition of their characteristics or personality.
In this case, the affected party will have the right to obtain information from the
responsible for the database both on the evaluation criteria
as about the program used in the treatment that served to adopt
the decision made on the spot. (*)

(*) Notes:

Wording given by: Law No. 18,719 of 12/27/2010 article 152 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 16 .
References to the article

Article 17
Rights regarding data communication.- Personal data
object of treatment may only be communicated for the fulfillment of
the purposes directly related to the legitimate interest of the issuer and
of the recipient and with the prior consent of the owner of the data,
who must be informed about the purpose of the communication and
identify the recipient or the elements that allow it to be done.
The prior consent for communication is revocable.
The prior consent will not be necessary when:
A) as provided by a law of general interest.
B) in the cases of article 9 of this law.
C) it is personal data related to health and is necessary
your communication for health reasons, emergency or for the realization
epidemiological studies, preserving the identity of the
holders of the data through appropriate dissociation mechanisms when
it is relevant. (*)
D) a procedure of dissociation of the
information, so that the owners of the data are not
identifiable.
The recipient will be subject to the same legal obligations and
regulations of the issuer and the latter will be jointly and severally liable for
the observance of the same before the control body and the holder of
the data in question.

(*) Notes:

Literal C) of subsection 3) wording given by: Law No. 18,719 of 12/27/2010
Article 153 .
See: Law No. 19,355 of 12/19/2015 article 84 (interpretative).
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 17 .
References to the article

CHAPTER IV - SPECIALLY PROTECTED DATA

Article 18
Sensitive data.- No person can be obliged to provide data
sensitive. These may only be processed with the
express and written consent of the owner.
Sensitive data can only be collected and processed
when there are general interest reasons authorized by law, or when the
requesting body has a legal mandate to do so. They may also be
treated for statistical or scientific purposes when dissociated from
their headlines.
The formation of databases that store information is prohibited
that directly or indirectly reveals sensitive data. Those are excepted
possessed by political parties, unions, churches, confessions
religious, associations, foundations and other non-profit entities
profit, whose purpose is political, religious, philosophical, trade union, that
refer to racial or ethnic origin, health and sexual life,
Regarding the data related to its associates or members, without prejudice
that the communication of said data will always require the prior
consent of the data owner.
Personal data related to the commission of criminal offenses,
civil or administrative can only be object of treatment by part
of the competent public authorities, within the framework of the laws and
respective regulations, without prejudice to the authorizations that the
law grants or will grant. Nothing established in this law will prevent
public authorities communicate or make public the identity of the
natural or legal persons that are being investigated by, or have
committed, violations of current regulations, in cases where other
norms impose it or in which they consider it convenient.
References to the article

Article 18-BIS
(Biometric data) .- The biometric data regulated in this law
may be subject to treatment within the framework of the provisions of article
9 of this law, after conducting an impact assessment on the
personal data protection. (*)

(*) Notes:

See validity: Law No. 19,924 of 12/18/2020 article 3 .
Added / s by: Law No. 19,924 of 12/18/2020 article 87 .

CHAPTER IV - SPECIALLY PROTECTED DATA

Article 19
Health-related data.- Public health establishments or
private and professionals linked to the health sciences can
collect and process personal data related to physical health or
mental health of the patients who come to them or who are or are
been under treatment of those, respecting the principles of secrecy
professional, the specific regulations and the provisions of this law.
References to the article

Article 20
Data related to telecommunications.- The operators that operate
public networks or that provide electronic communications services
available to the public must guarantee, in the exercise of their
activity, the protection of personal data in accordance with this
law.
Likewise, they must adopt the appropriate technical and management measures.
to preserve security in the operation of its network or in the provision
of its services, in order to guarantee its levels of protection of
the personal data that are required by the regulations for the development of
this law on this matter. In case there is a particular risk of
violation of the security of the public communications network
electronic devices, the operator that operates said network or provides the
Electronic communications will inform subscribers about said risk and
on the measures to be adopted.
The regulation contained in this law is understood without prejudice to the
provided for in the specific regulations on related telecommunications
with public security and national defense.
References to the article

Article 21
(Data related to databases for advertising purposes) .- In the
collection of addresses, distribution of documents, advertising, prospecting
commercial, sale or other similar activities, data that
are suitable to establish specific profiles for promotional purposes,
commercial or advertising; or allow to establish consumption habits, when
these appear in documents accessible to the public or have been provided
by the owners themselves or obtained with their consent. (*)
In the cases contemplated in this article, the owner of the
data may exercise the right of access without charge.
The owner may at any time request the withdrawal or blocking of their
data from the databases referred to in this article.

(*) Notes:

Subsection 1) wording given by: Law Nº 18,719 of 12/27/2010 article 152 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 21 .
References to the article

Article 22
(Data related to commercial or credit activity) .- It is expressly
authorized the processing of data intended to inform about the solvency
equity or credit, including those related to compliance or
breach of commercial or credit obligations that
allow evaluating the business agreement in general, the conduct
commercial or the payment capacity of the data owner, in those cases
in which they are obtained from publicly accessible sources or from
of information provided by the creditor or in the circumstances
provided for in this law. In the case of legal persons, in addition
of the circumstances provided for in this law, the treatment is allowed
of all information authorized by current regulations. (*)
Personal data related to commercial obligations of
Natural persons may only be registered for a period of five years
counted since its incorporation. In the event that at the expiration of said term
the obligation remains unfulfilled, the creditor may request the
responsible for the database, for one time, your new registration by
another five years. This new registration must be requested within the period of
thirty days prior to the original expiration date. Obligations
canceled or extinguished by any means, will remain registered,
with express mention of this fact, for a maximum period of five years, no
renewable, starting from the date of cancellation or termination.
Those responsible for the databases will limit themselves to carrying out the
objective treatment of the information recorded as it was
supplied, having to refrain from making subjective evaluations
about it.
When the cancellation of any unfulfilled obligation becomes effective
registered in a database, the creditor must within a maximum period of
five business days after the event occurred, notify the person responsible for
the corresponding database or treatment. Once the
communication by the person responsible for the database or treatment, this
You will have a maximum period of three business days to proceed with the
update of the data, establishing its new situation.

(*) Notes:

Subsection 1) wording given by: Law Nº 18,719 of 12/27/2010 article 152 .
See in this standard, article: 29 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 22 .
References to the article

Article 23
Data transferred internationally.- The transfer of data is prohibited
personal data of any kind with countries or international organizations
that do not provide adequate levels of protection according to the
standards of International or Regional Law on the matter.
The prohibition will not apply when it comes to:
1) International judicial cooperation, according to the respective
international instrument, be it a Treaty or a Convention, taking into account the
circumstances of the case.
2) Exchange of medical data, when required by the
treatment of the affected person for reasons of public health or hygiene.
3) Bank or stock transfers, in relation to the
respective transactions and in accordance with the legislation that results
applicable.
4) Agreements within the framework of international treaties in which the
Oriental Republic of Uruguay is a party.
5) International cooperation between intelligence agencies for the
fight against organized crime, terrorism and drug trafficking.
It will also be possible to carry out the international transfer of data in
the following assumptions:
A) That the interested party has unequivocally consented to the
planned transfer.
B) That the transfer is necessary for the execution of a contract
between the interested party and the person responsible for the treatment or for the
execution of pre-contractual measures taken at the request of the
interested.
C) That the transfer is necessary for the celebration or execution
of a contract entered into or to be entered into in the interest of the interested party,
between the person responsible for the treatment and a third party.
D) That the transfer is necessary or legally required for the
safeguarding an important public interest, or for the
recognition, exercise or defense of a right in a procedure
judicial.
E) That the transfer is necessary to safeguard the interest
vital of the interested party.
F) That the transfer takes place from a registry that, by virtue of
of legal or regulatory provisions, is designed to
provide information to the public and is open to consultation by the

Page 2

the general public or by anyone who can demonstrate a
legitimate interest, provided that, in each particular case, the
conditions established by law for consultation.
Without prejudice to the provisions of the first paragraph of this article, the
Regulatory and Control Unit for the Protection of Personal Data may
authorize a transfer or series of data transfers
to a third country that does not guarantee an adequate level of
protection, when the data controller offers guarantees
sufficient regarding the protection of privacy, rights and
fundamental freedoms of people, as well as regarding the exercise
of the respective rights.
Said guarantees may be derived from appropriate contractual clauses.

References to the article

CHAPTER V - PUBLIC OWNED DATABASES

Article 24
Creation, modification or deletion.- The creation, modification or
deletion of databases belonging to public bodies must
register as provided in the following chapter.

Article 25
Database corresponding to the Armed Forces, Organizations
Police or Intelligence.- They will be subject to the regime of the present
law, personal data that have been stored for purposes
administrative, must be subject to permanent registration in the databases of
data from the armed forces, police or intelligence agencies; Y
those on personal antecedents that provide said bases of
data to the administrative or judicial authorities that require them in
under legal provisions.
The processing of personal data for national defense purposes or
public security by the armed forces, police agencies
or intelligence, without the prior consent of the owners, is limited
to those assumptions and category of data that are necessary for the
strict compliance with the missions legally assigned to those to
national defense, public security or for the repression of the
crimes. The databases, in such cases, must be specific and
established for this purpose, and must be classified by categories, depending on
its degree of reliability.
Personal data recorded for law enforcement purposes will be canceled when
are not necessary for the inquiries that led to your
storage.

(*) Notes:

See in this standard, article: 26 .

Article 26
Exceptions to the rights of access, rectification and cancellation.- The
responsible for the databases that contain the data to which they are
The second and third subparagraphs of the previous article refer to
deny access, rectification or cancellation based on the
dangers that could arise for the defense of the State or security
public, the protection of the rights and freedoms of third parties or the
needs of the investigations being carried out.
Those responsible for the databases of the Public Treasury may,
likewise, deny the exercise of the rights referred to in the
previous paragraph when it obstructs the proceedings
administrative procedures aimed at ensuring compliance with the obligations
tax and, in any case, when the owner of the data is being subject to
of inspection actions.
The owner of the data to which the exercise is totally or partially denied
of the rights mentioned in the previous paragraphs, you can put it in
knowledge of the Control Body, who must ensure the
provenance or inadmissibility of the denial.

(*) Notes:

Regulated by: Decree No. 664/008 of 12/22/2008.
References to the article

Article 27
Exceptions to the right to information.- The provisions of this law
will not be applicable to data collection, when the information of the
incumbent affects national defense, public security or the
prosecution of criminal offenses.

CHAPTER VI - PRIVATE OWNED DATABASES

Article 28
(Creation, modification or deletion) .- Individuals or legal entities
private companies that create, modify or delete databases of
personnel, must be registered in accordance with the provisions of the following article.
(*)

(*) Notes:

Wording given by: Law No. 18,719 of 12/27/2010 article 152 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 28 .

Article 29
Registry registration.- Any public or private database must
register in the Registry that enables the Control Body for this purpose,
according to the established regulatory criteria.
By regulation, detailed regulation of the
different points that the inscription must contain, among which
the following will necessarily appear:
A) Identification of the database and the person responsible for it.
B) Nature of the personal data it contains.
C) Procedures for obtaining and processing data.
D) Security measures and technical description of the database.
E) Protection of personal data and exercise of rights.
F) Destination of the data and natural or legal persons to whom
they can be transmitted.
G) Data retention time.
H) Form and conditions in which people can access the data
referred to them and the procedures to be carried out for rectification
or updating the data.
I) Number of creditors natural persons who have reached the 5
years provided for in article 22 of this law.
J) Number of cancellations due to compliance with the obligation of
payment, if applicable, in accordance with the provisions of article 22 of
this law. (*)
No data user may possess personal data of the nature
different from those declared in the registry.
Failure to comply with these requirements will lead to sanctions
administrative provisions provided for in this law.
Regarding commercial databases already registered in the
Regulatory Body, the provisions of this law will be followed with respect to the
adaptation period.

(*) Notes:

Literal J) wording given by: Law No. 18,719 of 12/27/2010 article 154 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 29 .

Article 30
Provision of computerized services of personal data.- When for
third party account data processing services are provided
personal data, these may not be applied or used for a purpose other than
that appears in the service contract, or assign them to other people, or
still for conservation.
Once the contractual provision has been completed, the personal data processed
must be destroyed, unless expressly authorized by the former by
account of whom such services are provided when reasonably
presumes the possibility of further commissions, in which case it may be
store in safe conditions for a period of up to
two years.

CHAPTER VII - CONTROL BODY

Article 31
Control Body.- It is created as a decentralized body of the Agency for
the Development of the Government of Electronic Management and the Society of the
Information and Knowledge (AGESIC), endowed with the widest autonomy
technical, the Regulatory and Control Unit of Personal Data. Will be
directed by a Council composed of three members: the Executive Director
AGESIC and two members appointed by the Executive Power from among persons
that due to his personal, professional and knowledge background in the
matter ensure independence of criteria, efficiency, objectivity and
impartiality in the performance of their duties.
With the exception of the Executive Director of AGESIC, the members will last
four years in office, and may be reappointed. Alone
shall cease upon the expiration of their mandate and the appointment of their successors, or
for their removal ordered by the Executive Power in cases of
ineptitude, omission or crime, in accordance with the guarantees of due process.
During their tenure they will not receive orders or instructions on the plane
technical.
References to the article

Article 32
Advisory Council.- The Executive Council of the Regulatory Unit and of
Control of Personal Data will work assisted by an Advisory Council,
which will be made up of 5 members:
* A person with a recognized track record in promoting and defending
human rights, designated by the Legislative Power, which does not
may be an active Legislator.
* A representative of the Judiciary.
* A representative of the Public Ministry.
* A representative from the academic area.
* A representative of the private sector, to be elected in the form
established by regulation.
It will be chaired by the President of the Regulatory and Control Unit
Protection of Personal Data.
Its members will last 4 years in their positions and will meet at a call
of the President of the Regulatory and Control Unit of Personal Data or
of the majority of its members.
May be consulted by the Executive Council on any aspect of
its competence and must be consulted by it when exercising powers
regulatory.
References to the article

Article 33
Resources.- The Regulatory and Control Unit of Personal Data
formulate its budget proposal in accordance with the provisions of the
Article 214 of the Constitution of the Republic.

Article 34
Duties.- The control body must carry out all the actions
necessary for the fulfillment of the objectives and other provisions of
this law. To this end, it will have the following functions and
attributions:
A) Assist and advise people who require it about the
scope of this law and the legal means available to them

for the defense of the rights that it guarantees.
B) Dictate the rules and regulations that must be observed in the
development of the activities covered by this law.
C) Carry out a census of the databases reached by law and
keep a permanent record of them.
D) Control the observance of the legal regime, in particular the regulations
on legality, integrity, veracity, proportionality and security of
data, by the subjects reached, being able for such purposes
carry out the pertinent control and inspection actions.
For this purpose, the Regulatory and Control Unit of Personal Data
will have the following powers:
1) Require those responsible and in charge of processing the
display of books, documents and files, computer or
conventional, own and others, and require their appearance before
the Unit to provide information.
2) Intervene the documents and files inspected, as well as take
security measures for their conservation, being able to copy them.
3) Seize said elements when the seriousness of the case
requires up to a period of six business days; the measure will be
duly documented and may only be extended by the organs
competent jurisdictions, when essential.
4) Carry out inspections on personal or real estate occupied by
any title by those responsible, in charge of treatment and
other subjects reached by the legal regime. They can only
private homes be inspected with prior judicial order of
break-in.
5) Request information from third parties, being able to give them your
appearance before the administrative authority when it
deems appropriate or when they are not presented in
time and form.
The Regulatory and Control Unit of Personal Data may
request the assistance of the public force for the development of their
committed.
When necessary for the due fulfillment of the proceedings
precedents, will require a search warrant. (*)
E) Request information from public and private entities, which
must provide the background, documents, programs or other
elements related to the processing of personal data that are given to you
require. In these cases, the authority must guarantee security
and confidentiality of the information and elements supplied.
F) Issue an opinion whenever it is required by the authorities
competent authorities, including requests related to the dictation of
administrative sanctions corresponding to the violation of the
provisions of this law, regulations or resolutions that
regulate the processing of personal data included in it.
G) Advise the Executive Power as necessary in considering
of the bills that refer totally or partially to protection
of personal data.
H) Inform anyone about the existence of databases
personal, their purposes and the identity of those responsible, in
free form.

(*) Notes:

Literal D) wording given by: Law No. 18,719 of 12/27/2010 article 155 .
ORIGINAL TEXT: Law No. 18,331 of 08/11/2008 article 34 .

Article 35
(Sanctioning powers) .- The control body may apply the
following sanctions to those responsible for the databases, responsible for
processing of personal data and other subjects reached by the regime
legal, in case the norms of this law are violated, which are
will graduate in attention to the seriousness, repetition or recidivism of the
offense committed:
1) Observation.
2) Warning.
3) Fine of up to 500,000 IU (five hundred thousand indexed units).
4) Suspension of the respective database for a period of five
days.
5) Closure of the respective database. For this purpose,
promote before the competent jurisdictional bodies the closure
of the databases that are found to be infringing or
violate this law. (*)
The constitutive facts of the infraction will be documented in
according to legal formalities. The closure must be decreed within
of the three days following the one in which the Unit requested it
Regulatory and Control of Personal Data, which will be enabled to
provide it by itself in the event that the Judge does not rule within said
finished.
In the latter case, if the Judge subsequently denies the closure,
This must be lifted immediately by the Regulatory and Control Unit of
Personal information.
The appeals that are filed against the judicial resolution that
cause the closure, they will not have suspensive effect.
To enforce said resolution, the Regulatory and Control Unit
Personal Data may require the assistance of the public force.
The jurisdiction of the acting Courts will be determined by the
Norms of the Organic Law of the Judiciary No. 15,750, of June 24,
1985, its amendments and concordant.
The firm resolutions of the Data Regulatory and Control Unit
Personal that impose pecuniary sanctions, constitute title
executive for its purposes. (*)

(*) Notes:

Wording given by: Law No. 18,719 of 12/27/2010 article 152 .
Numeral 5) wording given by: Law No. 19,355 of 12/19/2015 article 83 .
Numeral 5) see validity: Law No. 19,355 of 12/19/2015 article 3 .
ORIGINAL TEXT:
Law No. 18,719 of 12/27/2010 article 152 ,
Law No. 18,331 of 08/11/2008 article 35 .
References to the article

Article 36
Codes of conduct.- Associations or entities representing
managers or users of privately owned data banks may
develop codes of conduct for professional practice, which establish
rules for the processing of personal data that tend to ensure and
improve the operating conditions of information systems in
function of the principles established in this law.
Said codes must be registered in the registry that for this purpose carries
the control body, who may deny registration when
consider that they do not comply with the legal and regulatory provisions
on matter.

CHAPTER VIII - PERSONAL DATA PROTECTION ACTION

Article 37
Habeas Data.- Every person shall have the right to file a legal action
effective to take knowledge of the data referring to your person and
its purpose and use, recorded in public or private databases; Y
-in case of error, falsehood, prohibition of treatment, discrimination or
outdated- to demand its rectification, inclusion, deletion or whatever
understand reciprocate.
In the case of personal data whose registration is protected by a
legal norm that enshrines secrecy in this regard, the Judge will appreciate the
lifting of the same in attention to the circumstances of the case.

Article 38
Origin and jurisdiction.- The owner of personal data may initiate
the action of protection of personal data or habeas data, against all
responsible for a public or private database, in the following
assumptions:
A) When you want to know your personal data that is
registered in a database or similar and such information has
been denied, or had not been provided by the person responsible for
the database, in the opportunities and deadlines provided by law.
B) When you have requested the person responsible for the database or
treatment its rectification, updating, elimination, inclusion or
deletion and he had not proceeded to do so or given sufficient reasons
for which the request does not correspond, within the period provided for
effect in law.
They will be competent to learn about data protection actions
personal or habeas data:
1) In the Capital, the Legal Courts of First Instance in the
Administrative Litigation, when the action is directed against a
public person of the state, and the Courts of First Instance
in Civil Matters in the remaining cases.
2) The Legal Courts of First Instance of the Interior to whom
competence has been assigned in these matters.

Article 39
Legitimation.- The habeas data action may be exercised by the own
affected owner of the data or their representatives, either guardians or
curators and, in the case of deceased persons, by their successors
universal, direct or collateral line up to the second degree, by itself or
by proxy.
In the case of legal persons, the action must be filed by their
legal representatives or the attorneys-in-fact appointed for such purposes.

Article 40
Procedure.- The actions that are promoted for violation of the
rights contemplated in this law shall be governed by the rules
contained in the articles that follow the present. They will be applicable as
Relevant articles 14 and 15 of the General Code of the Process.

Article 41
First instance procedure.- Unless the action was manifestly
inadmissible, in which case the court will reject it without substantiating it and
will arrange the file of the proceedings, the parties will be summoned to a
public hearing within three days of the date of the
presentation of the claim.
At said hearing, the defendant's explanations will be heard, they will receive
the evidence and the allegations will be produced. The court, which may reject
manifestly impertinent or unnecessary evidence, will preside over the
hearing under penalty of nullity, and will question the witnesses and the parties,
notwithstanding that they are, in turn, cross-examined by the
lawyers. It will enjoy the broadest powers of the police and management of
the audience.
At any time you can order proceedings to better provide.
The sentence will be issued at the hearing or at the latest, within the
twenty-four hours of its celebration. Only in exceptional cases may
the hearing be extended for up to three days.
Notifications may be made through the authority
police. For the purposes of calculating the deadlines for compliance with the
ordered by the sentence, a record will be made of the time
made the notification.

Article 42
Provisional measures.- If the claim or at any other time of the
process will result, in the judgment of the court, the need for immediate
action, it will provide, on a provisional basis, the measures that
correspond in protection of the right or freedom allegedly violated.

Article 43
Content of the sentence.- The sentence that gives rise to habeas data
must contain:
A) The specific identification of the authority or individual to whom
is directed and against whose action, act or omission the habeas is granted
data.
B) The precise determination of what should or should not be done and the
term for which said resolution will govern, if applicable
fix it.
C) The term for compliance with the provisions, which will be set by
the court according to the circumstances of each case, and will not be greater
of fifteen consecutive days and uninterrupted, computed from the
notification.

Article 44
Appeal and second instance.- In the habeas data process
Only the final judgment and the one that rejects the action will be appealable
for being manifestly inappropriate.
The appeal must be filed in a well-founded writing, within the
peremptory period of three days. The court will raise the
files to the superior when he has dismissed the action for inadmissibility
manifests, and will substantiate it with a transfer to the counterpart, for three
peremptory days, when the sentence appealed was final.
The appeal court will resolve in agreement, within four days
following the receipt of the cars. The filing of the appeal does not
suspend the protection measures decreed, which will be complied with
immediately after notification of the sentence, without the need to have
to wait for the expiration of the term for its challenge.

Article 45
Summary. Other aspects.In habeas data processes, prior questions cannot be deduced,
counterclaims or incidents. The court, at the request of a party or
office, will correct procedural defects, ensuring, within the
summary nature of the process, the validity of the principle of
contradictory.
When unconstitutionality arises by way of exception or
official letter (articles 509 numeral 2 and 510 numeral 2 of the General Code of
Process) will proceed to the suspension of the procedure only after
the acting Magistrate has ordered the adoption of the measures
provisional provisions referred to in this law or, where appropriate, stating
given the reasons for considering them unnecessary.

CHAPTER IX - TRANSITIONAL PROVISIONS

Article 46
Adequacy of the databases.- The databases must be adapted to
this law within one year of its entry into force.

Article 47
Transfer of the control body regarding commercial data.
establishes a period of one hundred and twenty calendar days for the current
control body on the protection of commercial data, in charge of
of the Ministry of Economy and Finance, carry out the transfer of the
information and documentation to AGESIC.

Article 48
Repeal.- Law Nº 17,838 of September 24, 2004 is repealed.

Article 49
Regulation.- The Executive Power shall regulate this law.
within one hundred and eighty days of its promulgation.

TABARE VAZQUEZ - DAISY TOURNE - GONZALO FERNANDEZ - DANILO ASTORI - JOSE
BAYARDI - MARIA SIMON - VICTOR ROSSI - DANIEL MARTINEZ - EDUARDO BONOMI MARIA JULIA MUÑOZ - ERNESTO AGAZZI - HECTOR LESCANO - CARLOS COLACCE - MARINA
ARISMENDI

Help

