International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: 30 December 2024

Yes.

Law 18,331 prohibits the transfer of any personal data to countries or international organizations that do not offer proper protection in accordance with the standards of international or regional law on this matter.

According to a resolution issued by the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales (URCDP)), countries deemed to provide the required levels of personal data protection include members of the European Union, Andorra, Argentine Republic, the private sector of Canada, Guernsey, Isle of Man, Faroe Islands, State of Israel, Japan, Jersey, New Zealand, United Kingdom of Great Britain and Northern Ireland, Swiss Confederation and Korea. In addition, cross-border data transfers to companies located in the United States that have adhered to the EU-U.S. Data Privacy Framework are also deemed adequate under the URCDP's criterion, provided that the importing entity declares that it has extended the application of the safeguards of said framework to the data transferred from Uruguay.

The prohibition on transferring personal data to countries or organizations that do not meet the standards on this subject does not apply where one of the legal bases listed below applies. However, note that in some cases, those legal bases must have certain characteristics to be applicable.

Separately, URCDP may additionally authorize international transfers of personal data to a third country that does not guarantee the proper protection if the data controller offers the necessary guarantees for the protection of private life, of essential rights and freedoms of people, as well as guarantees for the exercise of their respective rights. These guarantees may stem from corresponding contractual clauses.

As a final note, international transfers of data within multinational organizations (i.e., between affiliates, subsidiaries, branches or a parent company) would be permitted if the local entity (data controller) files for the registration of a Code of Conduct (type of binding corporate rules) to govern such transfers before the local data protection authority.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒       approved adequate/whitelisted jurisdictions
☒       to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)
☒       approved standard contractual clauses
☒       binding corporate rules
☒       derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
☒       other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

The prohibition on transferring personal data to countries or organizations that do not meet the standards on this subject does not apply in the cases of:

  • International judicial cooperation, in accordance with the corresponding international instrument, being either a treaty or a convention, with the particular circumstances under consideration
  • Exchange of medical information, whenever required for the treatment of patients, either for health or public hygiene reasons
  • Bank or stock exchange transactions, pertaining to the respective transactions and in accordance with the applicable legislation
  • Agreements within the framework of international treaties agreed upon by the Oriental Republic of Uruguay
  • International cooperation among intelligence organizations to fight against organized crime, terrorism and the drug trade

International transfers of data may also be possible in the following scenarios:

  • The transfer is required to execute pre-contractual measures taken at the interested party's request
  • The transfer is required to enter into or execute a contract entered into, or to be entered into on behalf of the interested party, between the data processor and a third party
  • The transfer is required or demanded by law to protect a major public interest
  • The transfer is required to protect the vital interest of the interested party
  • The transfer takes place from a registry, which is created by virtue of legal or regulatory provisions, to release information to the public and receive queries from the general public or from any person who may prove that they have a legitimate interest, as long as the conditions established by law for the query are met for each particular case