Uruguay Data Privacy Laws: Law 18.331, URCDP, and EU Adequacy (2026)

Uruguay's data privacy framework is governed by Law No. 18.331, enacted 11 August 2008, enforced by the URCDP. The European Commission reaffirmed Uruguay's EU adequacy status in January 2024 under Decision 2012/484/EU. Decree 64/020 imposes a 72-hour breach notification requirement on all controllers.
Uruguay's personal data protection regime under Law No. 18.331 of 2008 is the most internationally recognised in Latin America. The European Commission reaffirmed Uruguay's EU adequacy status in January 2024 following its first GDPR-era review. Uruguay also holds Convention 108+ status as the first non-European country to accede to the Council of Europe privacy treaty. This article sets out the full legal framework as in force on 19 May 2026.
Information last verified on 19 May 2026. This article has not been reviewed by a licensed lawyer and presents general legal information only.
Jurisdiction scope: This article addresses data protection law in the Eastern Republic of Uruguay under Law No. 18.331 (as amended), Decree No. 414/009, Decree No. 64/020, Law No. 19.924, and Law No. 20.075. It does not address Argentine, Brazilian, or other Latin American data protection laws. For Uruguay's recording consent rules, see Uruguay Recording Laws.

Quick Answer: What Are Uruguay's Data Privacy Laws?
Uruguay's primary data protection statute is Law No. 18.331, the Ley de Protección de Datos Personales y Acción de Habeas Data, enacted on 11 August 2008. The law is implemented by Decree No. 414/009 of 31 August 2009 and has been materially amended by Decree No. 64/020 of February 2020 (accountability, DPO, and breach notification), Law No. 19.924 of December 2020 (biometric data and data protection impact assessments), and Law No. 20.075 of October 2022. The supervisory authority is the Unidad Reguladora y de Control de Datos Personales (URCDP), established by Law 18.331 itself. Uruguay obtained EU adequacy status on 21 August 2012 under European Commission Decision 2012/484/EU, and that status was reaffirmed on 15 January 2024 following the Commission's first GDPR-era periodic review. Uruguay was also the first non-European state to accede to Council of Europe Convention 108 (2013) and the first state from the Americas to ratify Convention 108+ (CETS 223). Together, these instruments give Uruguay's framework the highest level of international recognition of any country in the region.
Constitutional Basis and the Habeas Data Action
Uruguay's constitution does not contain an express data protection right. However, Article 72 of the Political Constitution of the Eastern Republic of Uruguay provides that the enumeration of rights, duties, and guarantees in the Constitution does not exclude others that are inherent to the human personality or that derive from the republican form of government.
Article 1 of Law No. 18.331 expressly anchors the right to personal data protection in this provision:
"The right to the protection of personal data is inherent to the human being and is therefore included in Article 72 of the Constitution of the Republic." -- Law No. 18.331, Article 1
This framing makes the right to data protection a constitutional right in Uruguay even in the absence of a dedicated constitutional article. Courts treat Law 18.331 as implementing a constitutional guarantee, not merely a statutory scheme.
The Habeas Data Action
The habeas data action (acción de habeas data) is the judicial remedy through which a data subject enforces the constitutional right. A data subject may bring a habeas data action before the courts to compel a controller (public or private) to:
- grant access to personal data held about them;
- rectify inaccurate or incomplete data;
- update data that has become outdated; or
- delete data that was collected unlawfully or is no longer necessary for the declared purpose.
The habeas data action operates alongside the URCDP's administrative complaint mechanism. A data subject may choose either route or pursue both. The judicial action is particularly valuable when the controller is a public entity or when urgent relief is needed to prevent imminent harm from processing.
Law 18.331: Scope, Principles, and Legal Bases
Scope of Application
Law 18.331 applies to all personal data recorded in any medium that makes it susceptible to processing, including collection, storage, organisation, conservation, modification, retrieval, consultation, use, dissemination, blocking, or destruction. The law expressly covers both automated and non-automated processing, and applies to public and private sector entities alike.
The territorial scope follows the location of the data controller or the means of processing. The law applies to processing carried out in Uruguayan territory, and also to controllers established outside Uruguay when they use equipment or means located in Uruguay for processing, unless those means are used solely for transit purposes.
Core Processing Principles
Law 18.331 and Decree 414/009 establish the following principles, which govern every processing activity:
| Principle | Content |
|---|---|
| Legality | Databases and processing must comply with applicable law |
| Accuracy | Data must be accurate, complete, and updated as necessary |
| Purpose limitation | Data collected for specific, explicit, and legitimate purposes; no incompatible further use |
| Prior consent | Default requirement of free, express, informed consent before processing |
| Security | Appropriate technical and organisational measures to protect data |
| Confidentiality | Processing staff bound by confidentiality obligations |
| Responsibility (accountability) | Controllers responsible for demonstrating compliance with the law |
Legal Bases for Processing
Consent is the default legal basis under Law 18.331. Consent must be free, express, and informed. The data subject must receive clear information about the purpose of processing before giving consent. Consent may be revoked at any time, without retroactive effect.
The law recognises several exemptions from the consent requirement:
- personal data obtained from publicly accessible sources;
- data collected in the exercise of public-authority functions;
- data consisting only of names and addresses collected for direct marketing, subject to the right to object at any time;
- data necessary for the performance of a contractual relationship to which the data subject is a party; and
- data processing required by law.
Sensitive (Especially Protected) Data
Law 18.331 designates certain categories as datos especialmente protegidos (especially protected data). These include data revealing racial or ethnic origin, political opinions, religious or moral beliefs, trade union membership, and data relating to health or sexual life.
As a general rule, no person may be compelled to provide sensitive data, and no database of sensitive data may be created without an overriding legitimate purpose authorised by law. Processing of sensitive data requires the express, written consent of the data subject, subject to limited statutory exceptions such as processing for statistical or scientific research (with anonymisation), processing by religious, political, or trade union organisations in relation to their own members, and processing by healthcare professionals for treatment purposes.
Law 19.924, enacted on 18 December 2020, added biometric data to the list of especially protected categories. The law defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual that allows or confirms their unique identification, such as fingerprint data, image recognition, or voice recognition. Processing of biometric data requires prior informed consent and a Data Protection Impact Assessment (DPIA) under Decree 64/020.
Data Subject Rights
Under Law 18.331, data subjects hold the following rights against controllers that process their personal data:
Right to information. When data is collected, the data subject must be informed of the existence and purpose of the database, the identity and address of the controller, the categories of third parties to whom data may be transferred, and the consequences of providing or refusing to provide the data.
Right of access. A data subject may request a copy of all personal data held about them and information about how it is being processed. The controller must respond within five business days. The access right is free of charge when exercised once per twelve-month period.
Right to rectification. Where data is inaccurate, incomplete, or outdated, the data subject may demand correction. The controller must rectify the data and notify any third party to whom the data was disclosed.
Right to deletion (cancellation). Where data is excessive, irrelevant, or was obtained without a proper legal basis, the data subject may request deletion. The controller must comply and notify downstream recipients.
Right to object. Data subjects may object to the processing of their data where it is used for direct marketing or where processing lacks adequate legal basis.
Right to data portability. Subsequent regulatory developments have introduced portability rights enabling data subjects to obtain their data in a structured, commonly used format.
Watch out: The five-business-day deadline for responding to access requests is strict. The URCDP has sanctioned organisations for delays and for partial responses that omit categories of data. Controllers should map their data holdings before a request arrives so that responses are complete and timely.
The Proactive Responsibility Regime and the DPO Requirement
Accountability Under Decree 64/020
Decree No. 64/020, adopted on 21 February 2020, introduced a formal proactive-responsibility (responsabilidad proactiva) framework that aligns Uruguay's obligations with the accountability principle in the EU's General Data Protection Regulation. Under this framework, controllers and processors must be able to demonstrate compliance, not merely assert it. Key obligations include:
- maintaining records of processing activities;
- implementing data protection by design and by default;
- conducting Data Protection Impact Assessments (DPIAs) in prescribed circumstances; and
- appointing a Data Protection Officer (DPO) where required.
When Is a DPO Required?
Decree 64/020 makes DPO appointment mandatory for:
- All public-sector entities (state and non-state public bodies);
- Private entities whose core activity involves the processing of sensitive personal data; and
- Private entities that process personal data of more than 35,000 data subjects.
The 35,000-person threshold applies to the total number of data subjects whose data is processed, not merely active users or customers. Organisations that cross this threshold at any point must appoint a DPO.
The DPO must have specialist knowledge of data protection law, must be accredited by the URCDP, and must be independent from operational decisions about data processing. The DPO's appointment must be submitted to the URCDP for approval. The DPO acts as the primary link between the organisation and the URCDP, advises on compliance policies, monitors implementation, and proposes corrective measures.
When Is a DPIA Required?
Decree 64/020 requires a DPIA before commencing processing that involves:
- especially protected (sensitive) data, including biometric data;
- large volumes of personal data (data of more than 35,000 persons); or
- international transfers to countries that do not provide an adequate level of protection.
Where the DPIA identifies a potential and significant risk to the rights of data subjects, the controller must notify the URCDP before commencing processing. The URCDP, together with the Argentinian Agency of Access to Public Information, has published a joint Guide for Data Protection Impact Assessment to assist organisations with this obligation.
Breach Notification: The 72-Hour Rule
Decree 64/020 introduced mandatory breach notification obligations that closely parallel those in Articles 33 and 34 of the EU GDPR.
Notification to the URCDP
When a controller becomes aware of a personal data security incident (a breach affecting confidentiality, integrity, or availability of personal data), it must notify the URCDP within a maximum of 72 hours of becoming aware of the breach. The notification must include:
- the actual or estimated date and time of the breach;
- the nature of the personal data affected (categories and approximate number of records);
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects; and
- the identity and contact details of the DPO or the data protection contact point.
If complete information is not available within 72 hours, a partial notification must be filed within that window with the available information, followed by a supplementary notification as soon as further details are confirmed.
Notification to Affected Individuals
Where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the controller must also notify those individuals without undue delay. The notification to individuals must be in plain language and must describe the nature of the breach, the likely consequences, the measures being taken, and the contact details of the DPO or data protection contact point.
Decree 64/020 also requires all controllers to implement internal procedures to minimise the impact of incidents within the first 24 hours of detection, including containment, preliminary assessment, and escalation to the DPO and senior management.
Database Registration
Mandatory Pre-Processing Registration
One of the most operationally distinctive features of Uruguay's framework is the requirement under Law 18.331 and Decree 414/009 to register all personal data databases with the URCDP before processing begins. This obligation applies equally to public and private sector entities.
The registration must specify:
- the name and purpose of the database;
- the identity and contact details of the data controller;
- the categories of personal data held;
- the categories of data subjects;
- the technical and organisational security measures in place;
- the source of the data; and
- any intended transfers to third parties or foreign countries.
Failure to register before commencing processing is a standalone sanctionable offence and has been one of the most common grounds for URCDP enforcement action.
The National Registry of Databases
The URCDP maintains the Registro Nacional de Bases de Datos (National Registry of Databases), which is publicly accessible. Any person may search the registry to identify which organisations hold databases of personal data, facilitating the exercise of data subject rights. The transparency function of the registry also enables the URCDP to monitor the universe of processing activities in Uruguay and to target audit and inspection resources accordingly.

Cross-Border Data Transfers and EU Adequacy
EU Adequacy Decision (2012, Reaffirmed 2024)
Uruguay obtained an EU adequacy decision on 21 August 2012 under European Commission Decision 2012/484/EU, adopted pursuant to Directive 95/46/EC. The decision recognised that Uruguay's legal framework, the independence and powers of the URCDP, and the effective exercise of data subject rights together provided a level of protection essentially equivalent to the EU standard.
On 15 January 2024, the European Commission published its Report on the first review of the functioning of adequacy decisions adopted under the pre-GDPR Directive. The Commission reviewed 11 existing adequacy decisions, including Uruguay's, against the requirements of the GDPR and concluded:
"The Uruguayan data protection system, modernised through successive reforms over the years, continues to provide individuals with protection equivalent to that provided by the GDPR in the EU." -- European Commission, Report on the Review of Adequacy Decisions, 15 January 2024
The practical effect is that personal data may flow freely from EU Member States (and the broader European Economic Area) to Uruguay without any additional safeguard such as standard contractual clauses, binding corporate rules, or derogations. Uruguay is one of only two countries in Latin America to hold EU adequacy status, the other being Argentina.
Convention 108 and Convention 108+
Uruguay became the first non-European state to accede to Council of Europe Convention 108 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) on 1 August 2013. Convention 108 is the only binding international treaty on the protection of personal data.
Uruguay subsequently ratified the modernised Protocol (CETS 223), known as Convention 108+, becoming the first state from the Americas to do so. Convention 108+ aligns the Convention's requirements with the current international standard, adding provisions on data protection impact assessments, accountability, transparency, and supervisory authority independence. Uruguay's accession to Convention 108+ provides an additional international law basis for its domestic framework and reflects its commitment to aligning with global best practices.
Uruguay's Adequate-Countries List for Outbound Transfers
Law 18.331 restricts outbound transfers of personal data from Uruguay to countries or international organisations that provide an adequate level of protection. The URCDP maintains a list of countries it recognises as adequate. As of 2024, that list includes:
- all EU and EEA member states;
- Andorra, Argentina, Canada (private sector under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, South Korea, and the United Kingdom; and
- US-based entities that have adhered to the EU-U.S. Data Privacy Framework, provided the importing entity confirms it has extended those DPF safeguards to the Uruguayan transfer.
Transfer Mechanisms for Non-Adequate Countries
Where the destination country is not on the adequate-countries list, transfers from Uruguay may proceed under one of the following mechanisms:
- Standard contractual clauses (SCCs). Resolution No. 41/001 of the URCDP provides a set of SCCs for controller-to-controller transfers. In December 2022, URCDP Resolution No. 50/022 approved the Ibero-American Data Protection Network Standard Contractual Clauses, which entered into force on 29 December 2022 and provide an additional set of SCCs usable for transfers within the Ibero-American region.
- Data subject consent. The data subject's express consent to the specific transfer is a valid basis, though reliance on consent for routine transfers is not recommended.
- Contractual necessity. Transfers necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures at the data subject's request.
- International judicial cooperation. Transfers required for the purposes of international legal cooperation.
- Public interest. Transfers necessary for the protection of a recognised public interest.
Penalties and URCDP Enforcement
Administrative Sanction Scale
The URCDP is empowered under Law 18.331 to impose the following administrative sanctions, in ascending order of severity:
| Sanction | Trigger |
|---|---|
| Warning | First or minor violation; corrective order issued |
| Administrative fine (up to 500,000 indexed units, approx. USD 60,000-65,000) | Substantive violation; gravity, number of affected data subjects, and prior compliance history are weighting factors |
| Suspension of database operations (up to 5 business days) | Serious or repeated violation; immediate risk to data subjects |
| Judicial closure of the database | Extreme non-compliance; sought via court application |
The URCDP employs a graduated enforcement approach and takes into account the economic capacity of the offending organisation, the duration of the violation, and the degree of cooperation offered during the investigation.
Recent Enforcement Trends (2024-2025)
The URCDP's published enforcement register confirms active enforcement across private individuals, small businesses, and larger commercial operators. Current enforcement priorities include:
- failure to register personal data databases before commencing processing;
- unlawful direct marketing including unsolicited commercial communications without valid consent or without honouring opt-outs;
- inadequate security measures leading to unauthorised disclosure;
- failures to respond to data subject access requests within the statutory five-business-day period; and
- CCTV and surveillance camera installations that capture data subjects in common areas without adequate notice or legal basis.
In 2024, the URCDP sanctioned a private individual for operating surveillance cameras that recorded the entrance of a residential building in a manner that infringed the privacy of neighbours, ordering the removal of the cameras or their registration with the URCDP within 15 days. The authority also required businesses to regularise database registrations following complaint investigations even in cases where no fine was ultimately imposed.
The URCDP publishes its resolutions at gub.uy/unidad-reguladora-control-datos-personales once administrative appeals are concluded.
Criminal and Judicial Enforcement
In addition to administrative sanctions, Law 18.331 contemplates judicial enforcement through the habeas data action. Courts may issue orders compelling access, rectification, or deletion of personal data and may grant injunctions to halt unlawful processing. Criminal liability for serious data protection offences may also arise under general provisions of the Uruguayan Penal Code where the conduct involves fraud, breach of confidentiality, or abuse of public office.
The URCDP as Supervisory Authority
Establishment and Governance
The URCDP was created by Law 18.331 as a decentralised unit within the Uruguayan state, operating with technical and functional autonomy. It is governed by a Council of three members appointed by the Executive Branch with the consent of the Senate for renewable four-year terms. This structure provides organisational independence from the specific organisations the URCDP regulates while preserving democratic accountability.
Functions and Powers
The URCDP's principal functions and powers include:
- Regulation: issuing binding resolutions and interpretive opinions on Law 18.331 and its implementing decrees;
- Registry: maintaining and publishing the National Registry of Databases;
- Complaints: receiving and investigating complaints from data subjects alleging violations of their rights under Law 18.331;
- Inspection and audit: conducting inspections of data controllers and processors, with or without prior notice, and requiring production of documents and information;
- Enforcement: imposing administrative sanctions within the scale set out in Law 18.331;
- Guidance: publishing guidelines, model contracts, DPIA methodologies, and compliance templates;
- International cooperation: representing Uruguay in international data protection fora including the Council of Europe Convention 108 Committee (T-PD) and the Ibero-American Data Protection Network; and
- DPO accreditation: certifying Data Protection Officers before they may be appointed under Decree 64/020.
The URCDP maintains its official resources and normative texts at gub.uy/unidad-reguladora-control-datos-personales.
Recent Developments (2024-2026)
EU Adequacy Review Completed (January 2024)
The European Commission's January 2024 adequacy review confirmed that Uruguay's framework continues to provide GDPR-equivalent protection. The Commission specifically cited Uruguay's successive modernisation reforms as a positive factor supporting continued adequacy. This reaffirmation is significant for Uruguayan and EU-based businesses because it removes any uncertainty about the continued legality of EU-to-Uruguay data flows without additional safeguards.
The European Data Protection Board wrote to the Commission in December 2024 calling for ongoing monitoring of all 11 adequacy jurisdictions and recommending that the Commission adopt formal adequacy regulations going forward to strengthen their legal basis. Uruguay's adequacy status was not subject to adverse findings in that correspondence.
AGESIC National Data Strategy 2030 (December 2024)
The Agency for the Development of Electronic Government and the Information-Based Society (AGESIC) published the National Data Strategy 2030 on 26 December 2024. The strategy sets out Uruguay's long-term vision for the governance, sharing, and use of data across the public and private sectors, including principles for open data, data quality, and the protection of personal data in digital government services. The URCDP is a key implementing partner under the strategy.
AI Governance (Anticipated 2025-2026)
As of May 2026, Uruguay has not enacted a standalone artificial intelligence regulation. The URCDP has signalled its intention to participate in the development of AI governance frameworks and has confirmed that existing obligations under Law 18.331 and Decree 64/020 already apply to AI-based data processing systems. Organisations deploying AI systems that process personal data of Uruguayan residents must conduct DPIAs where the processing is large-scale or involves sensitive data, and must implement data protection by design principles from the outset.
Convention 108+ Active Implementation
Uruguay's ratification of Convention 108+ continues to drive alignment between the URCDP's regulatory practice and the standards of the Council of Europe data protection community. The URCDP participates in the work of the Convention 108 Committee (T-PD) and has incorporated Convention 108+ principles, including the strengthened independence requirements for supervisory authorities and the explicit data minimisation standard, into its guidance materials.

Business Compliance: Key Obligations
Organisations operating in Uruguay, or processing personal data about Uruguayan residents from outside the country, should address the following compliance requirements:
1. Database registration. Register every personal data database with the URCDP before processing begins. Update registrations when the purpose, categories of data, or security measures change materially. Failure to register is the most commonly sanctioned violation.
2. Legal basis and consent. Identify and document the legal basis for each processing activity. Where consent is the legal basis, ensure it is free, express, and informed. Implement mechanisms to record the grant and revocation of consent.
3. Data subject rights procedures. Establish documented procedures for receiving, authenticating, and responding to access, rectification, deletion, and objection requests within five business days. Train staff on the procedures and maintain records of all requests and responses.
4. DPO appointment. If the organisation is a public entity, or a private entity whose core activity involves sensitive data or whose processing covers more than 35,000 data subjects, appoint a URCDP-accredited DPO before commencing or continuing processing in those categories.
5. Breach response plan. Implement and test an incident response plan that achieves containment within 24 hours and URCDP notification within 72 hours. Designate a data breach response team and ensure the DPO has authority to file URCDP notifications.
6. DPIAs. Conduct DPIAs before launching processing activities involving sensitive data, biometric data, large-scale processing (more than 35,000 persons), or cross-border transfers to non-adequate countries. Retain DPIA records and notify the URCDP if a significant residual risk is identified.
7. Cross-border transfers. Verify the URCDP adequate-countries list before making international transfers. For non-adequate destinations, use URCDP-approved SCCs or the Ibero-American Network SCCs (Resolution 50/022), or rely on a valid statutory derogation.
8. URCDP monitoring. Subscribe to URCDP guidance publications and resolution registers at gub.uy. The URCDP issues resolutions, opinions, and guidelines that supplement Law 18.331 and Decree 64/020 and that frequently address practical compliance questions.
Disclaimer
This article presents general legal information about Uruguay's personal data protection regime under Law No. 18.331 (as amended), Decree No. 414/009, Decree No. 64/020, Law No. 19.924, and Law No. 20.075. It does not constitute legal advice and does not address any individual's or organisation's specific circumstances. Information was verified against publicly available primary and secondary sources as of 19 May 2026. Data protection law is subject to change through legislative amendment and regulatory guidance; readers should verify the current in-force version of any statute or regulation before relying on it. Organisations and individuals should consult a lawyer licensed to practise in Uruguay for advice specific to their situation.
Last updated: 19 May 2026. Statutes cited reflect their in-force version as of 19 May 2026.
Frequently Asked Questions
What is Uruguay's main data protection law?
Uruguay's main data protection law is Law No. 18.331, the Ley de Protección de Datos Personales y Acción de Habeas Data, enacted on 11 August 2008 and in force from 18 August 2008. It is implemented by Decree No. 414/009 of 2009 and has been amended by Decree No. 64/020 (2020), Law No. 19.924 (2020), and Law No. 20.075 (2022). The supervisory authority is the URCDP.
Does Uruguay still have EU adequacy status in 2026?
Yes. Uruguay obtained EU adequacy status under European Commission Decision 2012/484/EU on 21 August 2012. On 15 January 2024, the Commission completed its first GDPR-era review of 11 pre-GDPR adequacy decisions and confirmed that Uruguay continues to provide protection equivalent to the GDPR. As of May 2026, Uruguay retains full EU adequacy status, meaning personal data may flow from the EU and EEA to Uruguay without standard contractual clauses or other additional safeguards.
Does Uruguay have a 72-hour data breach notification rule?
Yes. Decree No. 64/020 of 21 February 2020 requires all data controllers and processors to notify the URCDP within a maximum of 72 hours of becoming aware of a personal data security incident. The notification must describe the nature of the breach, the categories and approximate number of records affected, and the measures taken. Where the breach poses a high risk to individuals, those individuals must also be notified without undue delay.
Is a Data Protection Officer required in Uruguay?
Under Decree 64/020, DPO appointment is mandatory for (1) all public-sector entities, (2) private entities whose core activity involves processing sensitive personal data, and (3) private entities that process personal data of more than 35,000 data subjects. The DPO must have specialist knowledge, be URCDP-accredited, and be formally appointed through the URCDP. Organisations that do not meet these thresholds are not required to appoint a DPO, but may do so voluntarily.
What rights do individuals have under Uruguayan data protection law?
Under Law 18.331, individuals have the right to information (to be informed when data about them is collected), the right of access (to receive a copy of their data within five business days), the right to rectification (to correct inaccurate data), the right to deletion (to have data removed when it is excessive, irrelevant, or unlawfully obtained), the right to object (including to direct marketing), and the right to pursue a habeas data action in court. The habeas data action is a constitutional judicial remedy that allows individuals to compel a court order for access, correction, or deletion.
Do organisations need to register databases with the URCDP?
Yes. Law 18.331 and Decree 414/009 require all personal data databases to be registered with the URCDP before processing begins. This applies to both public and private sector organisations. The registration must specify the purpose, categories of data, security measures, and identity of the controller. Failure to register is one of the most commonly sanctioned violations. The URCDP's National Registry of Databases is publicly accessible.
What are the penalties for violating Uruguay's data protection law?
The URCDP may impose administrative sanctions including: (1) a formal warning; (2) a fine of up to 500,000 indexed units (approximately USD 60,000-65,000); (3) suspension of database operations for up to five business days; and (4) judicial closure of the database. Penalties are calibrated to the gravity of the violation, the number of affected data subjects, the organisation's economic capacity, and its prior compliance history. Individuals may additionally pursue habeas data actions through the courts.
Is Uruguay a party to Convention 108+?
Yes. Uruguay was the first non-European state to accede to the original Convention 108 in 2013, and subsequently became the first state from the Americas to ratify Convention 108+ (Protocol CETS 223), the modernised version of the treaty. Convention 108+ adds requirements on accountability, DPIAs, supervisory authority independence, and data minimisation that align with current international standards.
How does Uruguay handle cross-border data transfers to non-adequate countries?
Transfers from Uruguay to countries not on the URCDP's adequate-countries list require a valid transfer mechanism. The available mechanisms are: URCDP-approved standard contractual clauses (Resolution 41/001 or the Ibero-American Network SCCs approved by Resolution 50/022 in December 2022); express data subject consent to the specific transfer; contractual necessity; international judicial cooperation; or public interest. For US entities, those that have adhered to the EU-U.S. Data Privacy Framework may qualify as adequate destinations if they extend those safeguards to Uruguayan transfers.
What is the habeas data action in Uruguay?
The habeas data action is a constitutional judicial remedy anchored in Article 72 of the Constitution through Article 1 of Law 18.331. It allows any individual to bring a court proceeding against a data controller (public or private) to obtain access to, rectification of, or deletion of their personal data. The action is available alongside the URCDP administrative complaints process and provides a direct judicial enforcement mechanism independent of the regulatory authority.
Does Uruguay have biometric data protection rules?
Yes. Law No. 19.924 of 18 December 2020 amended Law 18.331 to define biometric data as an especially protected category. Biometric data means personal data resulting from specific technical processing relating to physical, physiological, or behavioural characteristics that allow unique identification, such as fingerprint data, facial recognition data, or voice recognition. Processing biometric data requires prior informed consent and a Data Protection Impact Assessment. If the DPIA identifies significant residual risk, the controller must notify the URCDP before processing begins.