Last modified 6 March 2026

Data Protection in Uruguay

Breach notification in Uruguay

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Uruguay

Law No. 18,331 (2008) – Personal Data Protection and Habeas Data Act; establishes the general legal framework for the processing and protection of personal data.

Decree No. 414/009 (2009) – Regulatory decree implementing Law No. 18,331, setting out operational rules for data processing, database registration, security measures, and international transfers.

Law No. 19,670 (2018) – Introduced updates to the data protection regime, including the regulation of personal data breaches and the concept of data portability.

Decree No. 64/020 (2020) – Regulates the obligation to notify personal data security incidents (data breach notification).

URCDP Resolutions and Guidelines – Complementary regulatory criteria issued by the data protection authority on matters such as international data transfers, security standards, and compliance obligations.

Related resources

Definitions

Definitions in Uruguay

Law No. 18,331 on the Protection of Personal Data and Habeas Data provides the following key definitions:

Personal Data

Information of any kind relating to identified or identifiable natural or legal persons.

Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or moral beliefs, trade union membership, or information concerning health or sexual life.

Data Controller

A natural or legal person, public or private, who owns the database or determines the purpose, content, and use of the data processing.

Data Processor

A natural or legal person, whether public or private, who, either individually or jointly with others, processes Personal Data under the instruction and on behalf of the Data Controller.

Processing

Systematic operations or procedures, automated or non-automated, that enable the collection, storage, use, modification, communication, or transfer of personal data.

Database

Any organized set of personal data subject to processing, whether electronic or otherwise, regardless of the method of creation, storage, organization, or access.

Data Anonymization (Data Dissociation)

Processing of personal data in such a way that the resulting information cannot be associated with an identified or identifiable individual.

Data Subject

The natural or legal person to whom the personal data relates.

Related resources

Authority

National data protection authority in Uruguay

The competent authority is the Regulatory and Control Unit of Personal Data ("URCDP"). The URCDP operates within the Agency for Electronic Government and Information and Knowledge Society ("AGESIC") and acts as the national supervisory authority responsible for ensuring compliance with Law No. 18,331.

Related resources

Registration

Registration in Uruguay

Personal data databases must be registered before the Regulatory and Control Unit of Personal Data ("URCDP"). Both public and private entities that process personal data are required to register their databases prior to their operation. The registration must include information regarding the data controller, the purpose of the database, the categories of personal data processed, applicable security measures, and any potential data transfers. The registry is public and aims to ensure transparency and regulatory oversight of personal data processing activities.

Related resources

Data protection officers

Data protection officers in Uruguay

While Uruguay's data protection law does not establish a general obligation for all organizations to appoint a Data Protection Officer (DPO), Decree No. 64/020 introduced specific cases in which the designation of a DPO is required. In particular, entities whose core activities involve the large-scale processing of personal data, especially sensitive data, or those that carry out systematic monitoring of individuals, must appoint a Data Protection Officer. The DPO is responsible for advising the organization on compliance with Law No. 18,331, monitoring the implementation of data protection policies, and acting as a point of contact with the Regulatory and Control Unit of Personal Data ('URCDP').

Related resources

Collection and processing

Collection and processing in Uruguay

Collection and processing of personal data must be carried out lawfully, fairly, and for specific, explicit, and legitimate purposes. Data must be adequate, relevant, and not excessive in relation to the purposes for which it is collected.

As a general rule, the data subject’s prior, informed, and express consent is required for the processing of personal data, unless an exception provided by law applies (such as data derived from public sources or processing necessary for legal or contractual obligations).

Additionally, data controllers must ensure the accuracy, security, and confidentiality of the personal data processed.

Related resources

Transfer of personal data

Transfer of personal data in Uruguay

Under Law No. 18,331, the communication or transfer of personal data to third parties must be consistent with the purposes for which the data was originally collected and generally requires the prior consent of the data subject, unless a statutory exception applies. The recipient of the data is bound by the same legal and confidentiality obligations as the data controller.

With regard to international transfers, personal data may be transferred to jurisdictions that provide an adequate level of protection, or where appropriate safeguards or legal exceptions apply.

Notably, European Commission recognized Uruguay as a jurisdiction providing an adequate level of protection for personal data in 2012, which facilitates the lawful transfer of personal data from the European Union to Uruguay.

Related resources

Security

Security in Uruguay

Data controllers and processors must implement appropriate technical and organizational security measures to ensure the confidentiality, integrity, and availability of personal data, and to prevent its alteration, loss, unauthorized access, or processing. Such measures must be proportionate to the nature of the data processed, the risks involved, and the technological state of the art. In addition, applicable regulations require organizations to report certain personal data security incidents to the supervisory authority (URCDP) and, where appropriate, to adopt internal procedures for incident management and mitigation.

Related resources

Breach notification

Breach notification in Uruguay

Under Decree No. 64/020, data controllers must notify the Personal Data Protection Regulatory and Control Unit ('URCDP') of any security breach that may significantly affect the rights of impacted data subjects.

The notification must be made without undue delay upon detection of the incident and must include information regarding the nature of the breach, the data potentially affected, and the measures adopted to mitigate its effects. In certain cases, the controller must also inform the affected data subjects, particularly when the breach may pose a significant risk to their rights.

Related resources

Enforcement

Enforcement in Uruguay

Compliance with personal data protection regulations in Uruguay is supervised by the Personal Data Protection Regulatory and Control Unit (URCDP), which has investigative and enforcement powers under Law No. 18,331.

The authority may conduct inspections, require information, and order corrective measures to ensure compliance with the legal framework. In cases of infringement, the URCDP may impose administrative sanctions, including warnings, fines, suspension of database operations, or the closure of databases, depending on the seriousness of the violation.

Related resources

Electronic marketing

Electronic marketing in Uruguay

The Act will apply to most electronic marketing activities, as these activities likely involve the processing and use of personal data (e.g. an email address is likely to be "personal data" for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but grants personal data owners with the right to demand the elimination or blocking of their data from the data base.

Personal data can be used and processed for marketing purposes when it has been taken from public documents, when it has been provided by the personal data owner or when prior consent has been gathered.

Related resources

Online privacy

Online privacy in Uruguay

There are no express provisions for online privacy, but the general data privacy principles fully apply. In this regard, key principles such as prior informed consent, the purposes of collection and use, and the right to information are particularly relevant. These principles state that in order to use cookies, the data subject's prior consent must be obtained and the data subject must be informed about the purposes of collection and use; personal data collected through cookies may only be processed as necessary to fulfill the purposes for which it was collected and must be deleted when the purpose ceases.