Applicability of Uruguay's Data Protection Law (Law No. 18,331)

Uruguay's data protection framework is established through comprehensive legislation that regulates the processing of personal data. The primary role of this framework is fulfilled by Law No. 18,331 on the Protection of Personal Data and the Habeas Data Action (Ley N° 18.331 de Protección de Datos Personales y Acción de Habeas Data), which serves as the country's principal data protection statute.

The law was adopted on August 11, 2008 and became effective on August 18, 2008. The most recent amendments were introduced through Ley N° 20.075, which was adopted on October 20, 2022 and became effective on November 3, 2022. These 2022 amendments introduced DPO obligations, provisions for high-risk processing, stricter international transfer rules, and enhanced breach notification requirements. Uruguay's data protection framework is established through comprehensive legislation that regulates the processing of personal data. The Decree No. 414/009 of August 31, 2009 (Decreto N° 414/009 de 31 de agosto de 2009) serves as the primary regulatory instrument that provides detailed implementation rules for Uruguay's Personal Data Protection Law.

The decree was adopted on August 31, 2009 and became effective on September 15, 2009. The most recent amendment to this decree was made by Decree No. 64/020 (2020), which was adopted on February 17, 2020 and became effective on February 21, 2020.

Material Applicability

The material scope of Uruguay's data protection framework is defined by the following factors:

• Processing-Susceptible Medium Factor
• Personal and Domestic Use Exemption
• National Security and Law Enforcement Exemption
• Sectoral Exceptions Regulated by Other Laws

Processing-Susceptible Medium Factor

LPPD № 18.331 Art.3(1):

"The regime of the present law shall apply to personal data recorded in any medium that makes them susceptible to processing, and to any subsequent use of such data by the public or private sectors."

Decree No. 414/009 Art.2:

"The legal regime for the protection of personal data applies to its collection, recording, and all types of processing, whether automated or not, under any medium and mode of use, whether in the public or private sphere."

The law applies broadly to all forms of personal data processing, regardless of the medium used or whether the processing is automated or manual.

Personal and Domestic Use Exemption

LPPD № 18.331 Art.3(2A):

"It shall not apply to the following databases: A) Those maintained by individuals exclusively for personal or domestic purposes."

Decree No. 414/009 Art.2(2A):

"This regime shall not apply to the following databases: A) Those maintained by individuals in the exercise of exclusively personal or domestic activities, understood as those carried out in a strictly private sphere, including, among others, personal correspondence files and agendas."

The law excludes purely personal or domestic data processing activities from its scope.

National Security and Law Enforcement Exemption

LPPD № 18.331 Art.3(2B):

"It shall not apply to the following databases: B) Those intended for public security, defense, state security, and activities related to criminal investigation and suppression of crime."

This exemption covers databases used for national security, law enforcement, and related activities.

Sectoral Exceptions

LPPD № 18.331 Art.3(2C):

"It shall not apply to the following databases: C) Databases created and regulated by special laws."

Territorial Applicability

The territorial scope is determined by two main factors:

• Processing by Local Establishment
• Use of Equipment Within Jurisdiction

Processing by Local Establishment

Decree No. 414/009 Art.3(1A):

"Personal data processing is subject to the Law that is regulated when: A) They are carried out by a database controller or processor established in Uruguayan territory, being the place where they exercise their activity, regardless of their legal form."

The law applies to all entities established in Uruguay, regardless of their legal structure.

Use of Equipment Within Jurisdiction

Decree No. 414/009 Art.3(1B):

"Personal data processing is subject to the Law that is regulated when: B) The database controller or processor is not established in Uruguayan territory but uses means located in the country for data processing."

Decree No. 414/009 Art.3(2):

"The aforementioned rule does not apply to cases where the aforementioned means are exclusively used for transit purposes, as long as the database controller or processor designates a representative, with a domicile and permanent residence in national territory."

The law extends to non-established entities using equipment in Uruguay for data processing, with an exception for mere data transit when a local representative is appointed.