Data Protection in Uruguay

Breach notification in Uruguay

Data breaches and data incidents must be reported to the URCDP and to the Data Subject.

Once the DPO or the Data Controller confirms the occurrence of a security breach, it must be notified to the URCDP within 72 hours.

Notification to data subjects must be done once the DPO or the Data Controller confirms the occurrence of a security breach. The Uruguayan Data Privacy Act requires the notification to be effected “as soon as practicable”, but fails to spell out a precise time frame for such notice.

Legal requirement of the data breach/incident

  • Notification to the Regulator must contain relevant information, including the:
    • certain or estimated date of the occurrence of the breach;
    • main characteristics of the breach;
    • details of the data affected; and
    • the possible impacts.
  • The regulation does not state any formalities to the communication to the Data subject. However, it states that such notification must be clear and simple.

After the first notification to the Regulator within the first 72 hours after the Data Breach/incident, a second communication must be done by the DPO or the Data Controller to the Regulator. The second report must indicate all the details of what happened and the measures that were adopted and carried out so that such violation/incident has been mitigated and does not occur again. The Act does not state a time frame for execution of the second report.

Continue reading

  • no results

Previous topic
Back to top