Last review date: 30 December 2024
Uruguay's data protection supervisory authority is the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales or URCDP). It is an autonomous entity of the agency for the Development of Electronic Government and the Information-Based Society (Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y del Conocimiento or AGESIC).
Additionally, AGESIC has jurisdiction over cybersecurity, being responsible for developing the "National Cybersecurity Strategy" and the "National Data Strategy."
Last review date: 30 December 2024
Compliance with data protection regulations in advertising and marketing, the requirement to update registered databases and the completion of privacy impact assessments are closely monitored. It is expected that the Regulator will participate in a probable regulation on AI in 2025
AGESIC, with the support of the personal data Regulator for data privacy aspects, has sent to Parliament guidelines and recommendations for the eventual regulation of Artificial Intelligence, aimed at ethical development, the protection of human rights and the promotion of technological innovation.
Last review date: 30 December 2024
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Enforcement of data breach investigations has been increasing, along with increased proactive reporting by affected public and private entities.
Class actions/group actions under data or cyber regulation are:
☒ Not available in the jurisdiction
Last review date: 30 December 2024
There are:
☒ administrative remedies /civil penalties applied by regulators and law enforcement
Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) may take punitive measures in response to violations of the data protection regulation. These measures include, depending on the nature of the offense, notice of violation, warning, fine amounting to no more than 500,000 Index Units (approximately USD 48,000), suspension of the database in question for five days, and closing of the database.
☒ private remedies
Law N° 18,331 grants the data subjects the right to request the correction, update, addition, or deletion (suppression) of personal data that are included in a database upon confirmation of an error, incorrect entry, or exclusion from their information. The data controller must carry out the rectification, update, inclusion, or deletion within a maximum of five business days of receipt of the request or otherwise identify the reasons why the controller believes such a modification should not be made.
In addition, Law N° 18,331 establishes that data subjects may bring an action for the protection of personal data or habeas data, against any data controller of a public or private database, if:
- The data subject sought access to their personal information, and such access was denied or was not provided by the data controller as required by Law (e.g., within five business days), or
- The data subject requested for their information to be corrected, updated, removed, or deleted, and such request was not complied with in the term established to this effect by Law (five business days).