Data protection & privacy laws in Uruguay (2026)

Ley N° 18.331 (enacted 11 Aug 2008) regulates the processing of personal data across public and private sectors, anchored in the constitutional right to data protection (art. 72 of the Constitution); it is fully in force, not pending.

The Unidad Reguladora y de Control de Datos Personales, a body with technical autonomy operating under AGESIC, oversees compliance, maintains the mandatory database registry, investigates complaints, conducts inspections and imposes sanctions.

Ley N° 19.670 (2018, arts. 37-40) and its regulation Decreto N° 64/020 (21 Feb 2020) introduced extraterritorial scope, proactive accountability (responsabilidad proactiva), mandatory data protection officers (delegado de protección de datos), and security-breach notification obligations.

Controllers must register databases containing personal data with the URCDP, and data subjects hold rights of access, rectification, updating, inclusion and deletion, enforceable through the habeas data judicial action set out in the law.

Art. 23 of Ley N° 18.331 prohibits transfers to countries lacking adequate protection unless an exception applies (e.g. prior, express and informed consent of the data subject) or URCDP authorization is obtained.

The URCDP can apply graduated sanctions ranging from observations and warnings to fines (up to 500,000 indexed units / Unidades Indexadas) and suspension or judicial closure of non-compliant databases.

The European Commission granted Uruguay an adequacy decision in 2012 (the second Latin American country to obtain one) and reaffirmed it in its January 2024 review of pre-GDPR adequacy decisions.