Page 1

Regulations and Legal Notices of Uruguay
Return

Decree No. 64/020

REGULATION OF THE ARTS. 37 TO 40 OF LAW 19.670 AND ART. 12 OF LAW 18.331, REFERRING TO THE PROTECTION OF PERSONAL DATA
Actualized document

Promulgation: 02/17/2020
Publication: 02/21/2020

Section: Last Moment
The National Registry of Laws and Decrees for this semester has not yet been published.

Regulatory of:
Law No. 19,670 of 10/15/2018 Articles 37 , 38 and 40 ,
Law No. 18,331 of 08/11/2008 article 12 .

SEEN: Articles 37 to 40 of Law No. 19,670 of October 15, 2018;
RESULTING: that they contain new provisions regarding the protection of
personal data that impact on the national system and seek to provide the
people a level of protection according to new technological developments
and the evolution in the forms of treatment of personal data;
CONSIDERING: I) that the right to the protection of personal data is a
Inherent right of the human person included in article 72 of the
Constitution of the Republic, as recognized in Article 1 of Law No.
18,331 of August 11, 2008;
II) that for the purposes of the issuance of this regulation, the
takes into account the most recent provisions and doctrines, such as the Regulation
European N ° 2016/679 on the protection of natural persons as regards
regarding the processing of personal data and the free movement of
these data, the Standards on Protection of Personal Data for the
Ibero-American States issued by the Ibero-American Network for the Protection of
Data in June 2017, the Convention No. 108 of the Council of Europe for the
protection of individuals with regard to automated data processing
of a personal nature, its Additional Protocol of November 8, 2001 -both
approved by Law No. 19.030 of December 27, 2012-, and the Protocol of
Modernization of the aforementioned Convention approved by the Committee of Ministers of
Council of Europe on May 18, 2018, signed by the Eastern Republic
from Uruguay on October 10, 2018;
III) that the ubiquity of people in the digital world and the protection
of their rights requires duly addressing the scope of the protection of
your personal information, which corresponds to complement the mechanisms
compliance control at the international level and the necessary
obligations of managers and managers, who despite being placed in the
outside the country, perform data processing of people who are located
in this;
IV) that on the other hand, due to the importance and volume of the
information processed by multiple organizations regarding individuals and
possible security breaches, it is essential to establish
a clear regime regarding the procedure to be performed in
those situations;
V) that the current state of personal data protection has led to
strengthen the principle of responsibility, in its evolution towards a
principle of proven responsibility, which imposes on the person responsible and
in charge, where appropriate, the obligation to demonstrate that the activities of
treatment comply with applicable legislation. In that sense it has
incorporated a minimum of measures -among which are the protection
data from design and default and impact evaluations
previous-, especially in cases where there is a greater risk for the
people;
VI) that, likewise, the Law that regulates it has incorporated the figure of the
data protection officer, who must have the powers
necessary and technical independence to fulfill their functions in the
appropriate. Its designation is relevant in the cases of entities
public entities that process sensitive data or that process data
large volumes of personal data;
VII) that in accordance with the provisions of article 32 of Law No. 18,331 of
August 11, 2008, the Advisory Council of the Unit was consulted
Regulatory and Control of Personal Data and contemplated, as
pertinent, their proposals, raising a regulation project by the
Executive Council of said Unit.
ATTENTION: to the above and to the provisions of article 168 ordinal 4 of the
Constitution of the Republic;
THE PRESIDENT OF THE REPUBLIC
- acting in the Council of Ministers DECREE:

CHAPTER I - TERRITORIAL SCOPE

Article 1
Territorial scope. For the purposes of the provisions of article 37 of the
Law N ° 19.670 of October 15, 2018, it will be understood that the person responsible or
data controller is established in Uruguayan territory
when you carry out a stable activity in it, regardless of the legal form
adopted for it.
In the event that the person in charge or manager is not established in
Uruguayan territory, Law No. 18,331 of August 11, 2008 and this
regulations will also apply if:
a) The data processing activities are related to the
offer of goods or services directed to inhabitants of the Republic which
will be appreciated through elements such as the use of language, the
reference to payment in national currency or the provision of related services -no
necessarily provided by the person in charge or in charge - in the territory
Uruguayan.
b) The data processing activities are related to the
analysis of the behavior of the inhabitants of the Republic, including the
destined to the elaboration of profiles, being applicable to the effect in
special provisions of Article 16 of Law No. 18 331 of August 11
2008.
c) It is provided by rules of public international law or a contract. On
In no case may the contracting parties exclude the application of national law,
when it corresponds.
d) In the treatment, means located in the country are used, such as
information and communication networks, data centers and infrastructure
computing in general.

(*) Notes:

See in this standard, article: 2 .

Article 2
Scope of obligations. In the situations provided for in subsection
second of the previous article, those responsible and in charge of treatment,
where appropriate, they must comply with the obligations set forth in the Law
N ° 18,331 of August 11, 2008, and amendments, including the registration of
their databases and provide the corresponding contact information to
the Regulatory and Control Unit of Personal Data.
It is exempted from the obligation to register the databases, the
situations referred to in literal d) of the second paragraph of article 1
provided that the means are used exclusively for transit purposes and the
responsible for the treatment designate a representative domiciled in
national territory before the Regulatory and Data Control Unit
Personal.

CHAPTER II - SECURITY VIOLATIONS

Article 3
Security measures. The person in charge and the person in charge of treatment, in their
case, they must adopt the technical and organizational measures necessary to
preserve the integrity, confidentiality and availability of the information,
in order to guarantee the security of personal data. To these effects
will value the adoption of national and international standards on the
information security, such as the Cybersecurity Framework
prepared by the Agency for the Development of the Management Government
Electronics and the Information and Knowledge Society.
Once the existence of security incidents that cause, among
others, the accidental or unlawful disclosure, destruction, loss or alteration
of personal data, or unauthorized communication or access to said
data, those responsible and those in charge of treatment must initiate the
planned procedures necessary to minimize the impact of such
incidents within the first 24 hours of being verified.

Article 4
Communication of security breaches. The person responsible for
treatment, once the occurrence of any violation of
security that affects data protection, you must notify the
Regulatory and Control Unit of Personal Data within a maximum period of 72
hours of known violation.
Communication to the Regulatory and Control Unit of Personal Data
must contain relevant information, such as the certain or estimated date of
the occurrence of the violation, its nature, personal data
affected, and the possible impacts generated.
In the event that the violation has been known by the person in charge of the
treatment, he will immediately communicate it to the person responsible for the treatment.
The latter, once it verifies the occurrence of any violation of
security that affects data protection, you must communicate it in a
clear and simple language to the owners of the data who have suffered a
significant impact on their rights.
Once the violation has been solved, the person responsible for the treatment must elaborate
a detailed report of the security breach and the measures
adopted and communicate it to the Regulatory and Data Control Unit
Personal.

CHAPTER III - PROACTIVE RESPONSIBILITY MEASURES

Article 5
Proactive responsibility. Those responsible and in charge of treatment of
personal data, where appropriate, must adopt, in view of the nature of
the data, the treatments they carry out and the risks they imply, the
measures indicated in this Chapter and all those that correspond
according to the provisions of article 12 of Law No. 18,331 of August 11,
2008, in the wording given by article 39 of Law No. 19,670 of 15
October 2018.
In order to adopt these measures, the state of the
technique, the cost of its implementation and the nature, scope, context and purposes
treatment, as well as the risks of varying probability and severity that
that entails for the rights of the people.
The measures adopted must be documented, periodically reviewed and
evaluated on their effectiveness.
The documentation of the measures must contain, as a minimum, the form,
means and purpose of the treatment, the procedures aimed at giving
compliance with data protection regulations, planning
mechanisms to respond to security breaches, and the role of the delegate
of data protection when applicable.
This documentation must be available upon request made by
the Regulatory and Control Unit of Personal Data.

Article 6
Impact evaluation on the protection of personal data. Fit
prior to the start of the treatment, the person in charge and the person in charge of the
treatment, if applicable, must carry out an impact assessment on the
protection of personal data, when in processing operations
can:
a) Use sensitive data as a main business.
b) Plan a permanent or stable treatment of the data
protected areas referred to in Chapter IV of Law No. 18,331 on
August 11, 2008, or the data related to the commission of infractions
criminal, civil or administrative.
c) Involve an evaluation of personal aspects of the holders with the
in order to create or use personal profiles, in particular through the
analysis or prediction of aspects related to their performance in the
work, economic situation, health, preferences or personal interests,
reliability of behavior and financial solvency and location.
d) Carry out the data processing of groups of people in
situation of special vulnerability and, in particular, of minors or
People with disabilities.
e) Produce a treatment of large volumes of personal data.
f) Transferring personal data to other States or organizations
for which there is no adequate level of protection.
g) Others determined by the Regulatory and Data Control Unit
Personal.

(*) Notes:

See in this standard, article: 7 .

Article 7
Content of the impact assessment on the protection of personal data
- The evaluation provided for in the preceding article must contain, as
minimum:
a) A systematic description of the treatment to be carried out and its purpose.
b) An evaluation of the treatment in relation to compliance with the
personal data protection regulations.
c) An assessment of the risks to the rights of the holders of the
data.
d) A detail of the security measures and mechanisms for
demonstrate compliance with the personal data protection regulations.
In relation to the treatments already started and that are included
In the cases of article 6, the person in charge and the person in charge of
treatment, if applicable, they must carry out this evaluation within a period of 1 year
from the publication of this decree in the Official Gazette.
If a risk arises from the result of the corresponding evaluation
potential and significant for the rights of data subjects, the
responsible and the person in charge of the treatment, if applicable, must put it in
knowledge of the Regulatory and Control Unit of Personal Data, with
detailed information on the measures they adopted or will adopt, and in this
last case the respective term.
For the purposes of conducting the impact assessment, according to the type
o volume of data and its treatment, the aforementioned Unit will set
criteria that contribute to the fulfillment of the obligation foreseen in the
this article.

Article 8
Privacy by design. The person in charge and the person in charge of treatment, in their
In this case, they must incorporate in the design of the databases, the operations
treatment, applications and computer systems, measures
aimed at complying with data protection regulations
personal. For these purposes, prior to treatment and throughout your
development, apply appropriate technical and organizational measures, such
What:
a) Dissociation, pseudonymization and data minimization techniques.
b) Mechanisms to ensure the exercise of the rights of the holders
of personal data.
c) Documentation of the consents or other grounds that
legitimize the treatment.
d) Time of conservation of the data, considering their types and their
treatment.
e) Adoption of contingency plans that include security measures for
information.
f) Functional analysis and data architecture models.
g) Other measures established by the Regulatory and Control Unit of
Personal information.

Article 9
Privacy by default. The person in charge and the person in charge of the treatment, in
where appropriate, they will apply the appropriate technical and organizational measures to
effects of guaranteeing that, by default, only the
personal data that are necessary for each of the specific purposes
treatment.
This obligation refers to the amount of personal data collected, to the
extension of its treatment, its conservation period and its communication.

CHAPTER IV - PERSONAL DATA PROTECTION OFFICER

Article 10
Scope. In accordance with the provisions of article 40 of Law No. 19670
of October 15, 2018, they must designate a data protection delegate
personal:
a) Public, state or non-state entities and private entities totally or
partially state-owned.
b) Private entities that process sensitive data as their main business.
In accordance with the provisions of Article 4, literal E) of Law No.
18,331 of August 11, 2008, sensitive data are those that reveal
racial and ethnic origin, political preferences, religious convictions or
morals, union membership and information regarding health or life
sexual.
c) Private entities that process large volumes of
data.
Treatment of large volumes of data is considered any activity
in which a personal data processing of more than 35,000
people.
The Regulatory and Control Unit of Personal Data, ex officio or before
management carried out before it, may be issued on the relevance of
a private entity has a data protection officer.

Article 11
Functions of the data protection delegates. The functions
The main data protection delegates will be:
a) Advise on the formulation, design and application of security policies
personal data protection.
b) Supervise compliance with the regulations on said protection in the
entity or entities for which it provides services.
c) Propose all the measures that it deems pertinent to adapt to the
regulations and international standards regarding the protection of
personal data and verify its realization.
d) Act as a link between your entity and the Regulatory and Control Unit
of Personal Data.

Article 12
Quality and conditions of the delegate. The data protection officer
may perform its functions through any contractual modality,
whether it involves dependency or not. You must have knowledge of
Law, specialized in the protection of personal data, which
must be accredited.
In the event that the delegate is a legal entity, they must communicate to
the Regulatory and Control Unit of Personal Data how your
administrative body, as well as the data of its members and of the
person or natural persons designated to carry out the task.

Article 13
Position of the data protection officer. The delegate of protection of
data must participate appropriately in all matters relating to
the protection of personal data.
In order to carry out their tasks in the performance of their duties, they are
provide full access to personal databases and operations of
treatment. He will act with technical autonomy and will not receive instructions in the
performance of their specific functions as a data protection officer.
The data protection officer must keep absolute
confidentiality of the information to which you have access due to its quality,
being applicable the provisions of article 11 of Law No. 18,331 of
August 11, 2008.
This delegate may perform other functions as long as they do not generate
conflict of interests.

Article 14
Term of appointment, termination or resignation of the delegate. When appropriate
designation of a delegate for the protection of personal data, this must be
communicated to the Regulatory and Control Unit of Personal Data in a
90 days from the start of treatment.
Any entity that at the time of entry into force of this decree
is in the situation provided for in article 40 of Law No. 19,670
of October 15, 2018, you must designate the data protection officer
within the period provided for in the preceding paragraph, as of the publication of the
present decree in the Official Gazette.
Any termination or resignation of a data protection officer must be
communicated to the Regulatory and Control Unit of Personal Data in the
term foreseen in the previous paragraph, having to designate a new delegate.
The data protection officer may communicate directly to the
Regulatory and Control Unit of Personal Data its cessation or resignation.

Article 15
Possibility of appointing a single delegate. A set of entities with
tasks or related activities, may appoint a single delegate of
data protection provided that it can fully comply with the
functions legally established in relation to each and every one of them.
They may also designate a single data protection delegate in the
terms indicated in this article, various public entities that
are part of the same administrative structure, which will be carried out by
founded resolution, especially as regards the viability of the cabal
compliance referred to above.
The Regulatory and Control Unit of Personal Data may require the
appointment of additional data protection officers to protect
the rights of the data owners in the cases provided for in the
present provision.

CHAPTER V - FINAL RULES

Article 16
Criteria and sanctions. The Regulatory and Data Control Unit
Personal will set criteria for compliance, auditing and evaluation of
the measures established in Law No. 18,331 of August 11, 2008 and in the
present decree. The Executive Council of that Unit will impose the sanctions
corresponding to breaches of the provisions of this
Decree in accordance with the provisions of article 35 of Law No.
18,331 of August 11, 2008, in the wording given by article 152 of
Law No. 18,719 of December 27, 2010 and Article 83 of Law No.
19,355 of December 19, 2015.

Article 17
Repeal articles 7 and 8 of Decree No. 414/009 of August 31,
2009.

Article 18
Communicate, publish.

TABARÉ VÁZQUEZ - JORGE VÁZQUEZ - RODOLFO NIN NOVOA - DANILO ASTORI - JOSÉ
BAYARDI EDITH MORAES - VÍCTOR ROSSI - GUILLERMO MONCECCHI - ERNESTO MURRO JORGE BASSO - ENZO BENECH - BENJAMÍN LIBEROFF - ENEIDA DE LEÓN - MARINA
ARISMENDI

Help

