Material Applicability

The material scope of Uruguay's data protection framework is defined by the following factors:

• Processing-Susceptible Medium Factor
• Personal and Domestic Use Exemption
• National Security and Law Enforcement Exemption
• Sectoral Exceptions Regulated by Other Laws

Processing-Susceptible Medium Factor

LPPD № 18.331 Art.3(1):

"The regime of the present law shall apply to personal data recorded in any medium that makes them susceptible to processing, and to any subsequent use of such data by the public or private sectors."

Decree No. 414/009 Art.2:

"The legal regime for the protection of personal data applies to its collection, recording, and all types of processing, whether automated or not, under any medium and mode of use, whether in the public or private sphere."

The law applies broadly to all forms of personal data processing, regardless of the medium used or whether the processing is automated or manual.

Personal and Domestic Use Exemption

LPPD № 18.331 Art.3(2A):

"It shall not apply to the following databases: A) Those maintained by individuals exclusively for personal or domestic purposes."

Decree No. 414/009 Art.2(2A):

"This regime shall not apply to the following databases: A) Those maintained by individuals in the exercise of exclusively personal or domestic activities, understood as those carried out in a strictly private sphere, including, among others, personal correspondence files and agendas."

The law excludes purely personal or domestic data processing activities from its scope.

National Security and Law Enforcement Exemption

LPPD № 18.331 Art.3(2B):

"It shall not apply to the following databases: B) Those intended for public security, defense, state security, and activities related to criminal investigation and suppression of crime."

This exemption covers databases used for national security, law enforcement, and related activities.

Sectoral Exceptions

LPPD № 18.331 Art.3(2C):

"It shall not apply to the following databases: C) Databases created and regulated by special laws."

Territorial Applicability

The territorial scope is determined by two main factors:

• Processing by Local Establishment
• Use of Equipment Within Jurisdiction

Processing by Local Establishment

Decree No. 414/009 Art.3(1A):

"Personal data processing is subject to the Law that is regulated when: A) They are carried out by a database controller or processor established in Uruguayan territory, being the place where they exercise their activity, regardless of their legal form."

The law applies to all entities established in Uruguay, regardless of their legal structure.

Use of Equipment Within Jurisdiction

Decree No. 414/009 Art.3(1B):

"Personal data processing is subject to the Law that is regulated when: B) The database controller or processor is not established in Uruguayan territory but uses means located in the country for data processing."

Decree No. 414/009 Art.3(2):

"The aforementioned rule does not apply to cases where the aforementioned means are exclusively used for transit purposes, as long as the database controller or processor designates a representative, with a domicile and permanent residence in national territory."

The law extends to non-established entities using equipment in Uruguay for data processing, with an exception for mere data transit when a local representative is appointed.