Last review date: 30 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ other
Regulating Decree N° 64/020 states that data controllers and processors should consider national and international standards in information security, such as the Cybersecurity Framework prepared by AGESIC, when determining the security measures to adopt. However, the regulation does not mandate specific security controls.
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)
☒ providers of critical infrastructure
If yes, please provide brief details of the relevant law or regulation.
☒ data privacy
☒ financial services
☒ critical infrastructure
Yes.
Both data controllers and processors must immediately report a data breach upon learning about it. The report shall detail the breach and the measures undertaken to address it. In the case of data controllers, the notification should be addressed to the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales, URCDP) within a maximum of 72 hours[1] and to all affected individuals. Although the legislation provides that the notification to the data subjects whose rights have been significantly affected must be made immediately, no specific term has been indicated for this. In addition, the regulation provides that if the breach becomes known to a data processor, the processor will immediately[2] notify the data controller. Once notified, the URCDP will coordinate the course of action with the unit in charge of security breaches (Centro Nacional de Respuesta a Incidentes de Seguridad Informática, CERTuy).
Within the first 24 hours of a breach being verified, controllers and processors must initiate the necessary procedures to minimize the impact of such incidents.
Once the breach has been resolved, the controller must prepare a detailed report of the breach and the measures adopted and communicate it to the URCDP.
--------------------------------------------------------------
[1] Article 4 of Decree No. 64/020:
Communication of security breaches. The data controllers, once they verify the occurrence of a security breach that affects data protection, must notify the Regulatory and Control Unit of Personal Data within a maximum period of 72 hours after the breach is known.
[2] Article 38 of Law No. 19,670:
When the data controllers or processors become aware of the occurrence of the security breach, they must immediately and in detail report it and the measures adopted, to the data subjects and to the Regulatory Unit and Control of Personal Data, which will coordinate the corresponding course of action, with the National Center for Response to Computer Security Incidents of Uruguay (CERTuy).