
ANALYSIS OF THE ADEQUACY OF PROTECTION OF PERSONAL DATA PROVIDED IN URUGUAY

Final report

PREPARED BY: Claire GAYREL and Florence de VILLENFAGNE, under the supervision of Prof. dr. Yves POULLET
CRID (Research Center in IT and Law), University of Namur (Belgium)

AND: Dr. Pablo PALAZZI, Buenos Aires (Argentina)

Report delivered in the framework of contract JLS/2007/C4/003 between CRID and the Directorate General Justice, Freedom and Security.

30 April 2009, with an update on 30 June 2009

Table of contents

Abbreviations ______ 6
I. Introduction ______ 7
  A. Aim of the report ______ 7
  B. Methodology ______ 8
    1. General remarks ______ 8
    2. Principal assessment criteria ______ 9
      2.1. Legal criteria ______ 9
      2.2. Methodological criteria ______ 9
II. Context of the data protection regime of Uruguay ______ 11
  A. Constitutional system and political regime ______ 11
    1. Executive Power ______ 11
    2. Legislative Power ______ 12
    3. Judiciary Power ______ 12
    4. Local Government ______ 13
    5. Legal system ______ 13
  B. Constitutional background on privacy and fundamental rights ______ 14
    1. Data protection and Privacy as fundamental rights? ______ 14
    2. Constitutionally foreseen remedy ______ 16
  C. International Human Rights texts effective in Uruguay ______ 16
  D. Legislative History of the Data Protection Act ______ 17
    1. From a first bill to the final adoption of a general Data Protection Act ______ 17
III. Assessment of the Data Protection Act of Uruguay ______ 21
  A. Preliminary remarks ______ 21
  B. Definitions of the Data Protection Act ______ 22
    1. General definitions corresponding to the EU Directive ______ 22
    2. Definitions peculiar to the Uruguayan Act ______ 25
  C. Scope of the Act ______ 26
    1. Substantive scope ______ 27
      1.1. With regard to the controller ______ 27
      1.2. With regard to the data subjects ______ 27
      1.3. With regard to the means of processing ______ 28
      1.4. Exceptions in certain fields and special rules for certain kinds of data ______ 29
        1.4.1 Principles applicable to databases owned by Armed forces, Police and Intelligence agencies ______ 30
        1.4.2 Other specific regimes ______ 32
    2. Territorial scope ______ 33
  D. Basic principles of the Data Protection Act: grounds for lawfulness of processing ______ 34
    1. Preliminary remark ______ 34
    2. The consent: main ground for lawfulness ______ 34
    3. Other grounds for lawfulness ______ 35
  E. Content Principles ______ 38
    1. Purpose limitation principle ______ 38
      1.1. Definition of WP12 ______ 38
      1.2. Provisions of the Act ______ 39
      1.3. Exemptions ______ 40
    2. Data quality and proportionality principle ______ 42
      2.1. Definition of WP12 ______ 42
      2.2. Provisions of the Act ______ 42
    3. Transparency principle ______ 43
      3.1. Definition of WP12 ______ 43
      3.2. Provisions of the Act ______ 43
        3.2.1 The obligation of information at the time of collection ______ 43
        3.2.2 Obligation of information at the time of communication ______ 45
      3.3. Exemptions ______ 46
        3.3.1 At the time of communication ______ 46
        3.3.2 At the time of collection or communication: when the data subject's consent is not required ______ 48
        3.3.3 Exemption to the public sector ______ 50
    4. Security principle ______ 50
      4.1. Definition of WP12 ______ 50
      4.2. Provisions of the Act ______ 51
    5. Right of access, rectification and opposition ______ 54
      5.1. Definition of WP12 ______ 54
      5.2. Provisions of the Act ______ 54
        5.2.1 Right of access ______ 54
        5.2.2 Right of rectification and deletion ______ 56
      5.3. Exemptions ______ 58
        5.3.1 Exemptions to the right of deletion whether in the public or private sector ______ 58
        5.3.2 Exemptions to the rights of access, rectification and deletion in the public sector ______ 59
    6. Restrictions on onward transfers ______ 60
      6.1. Definition of WP12 ______ 60
      6.2. Provisions of the Act ______ 60
      6.3. Exemptions ______ 61
      6.4. Relation between the two sets of exemptions ______ 64
      6.5. Adequate safeguards ______ 65
  F. Additional principles to be applied to specific types of processing ______ 66
    1. Sensitive data ______ 66
      1.1. Definition of WP12 ______ 66
      1.2. Provisions of the Act ______ 67
    2. Direct marketing ______ 69
      2.1. Definition of WP12 ______ 69
      2.2. Provisions of the Act ______ 69
    3. Automated individual decisions ______ 70
      3.1. Definition of WP12 ______ 70
      3.2. Provisions of the Act ______ 70
IV. Statutory safeguards outside data protection legislation ______ 72
  A. List of other norms enacted in Uruguay ______ 72
  B. Financial sector regulations ______ 74
  C. Employment regulation ______ 75
  D. Statistics regulation ______ 76
  E. Regulation related to Youth and Minors ______ 76
  F. Access to public information Regulations ______ 76
    1. Freedom of Information Act ______ 76
    2. Links between the Data Protection Act and the Freedom of Information Act ______ 80
    3. Memory Regulation ______ 81
  G. Criminal Code ______ 83
    1. Interception of correspondence or communications ______ 83
    2. Professional secrecy ______ 83
    3. Prohibition of slander and defamation ______ 84
V. Important Uruguayan Case Law related to privacy and data protection ______ 85
  A. Case law before the enactment of the Data Protection Law ______ 85
    1. Gender and data protection ______ 85
    2. Privacy on the internet ______ 85
    3. Credit reporting ______ 86
    4. Access to personal information ______ 86
    5. Infringement of the right of image ______ 86
    6. Identity theft (2007) ______ 87
    7. Identification of parties in case law ______ 87
  B. Case law after the enactment of the Data Protection Law ______ 87
    1. Freedom of expression and privacy ______ 87
    2. Right of access to personal data held by Armed forces ______ 88
VI. Procedural and enforcement mechanisms ______ 90
  A. A good level of compliance with the data protection rules ______ 90
    1. Data Protection Supervisory authority ______ 91
      1.1. Independence of the Data Protection Authority ______ 91
        1.1.1 Structural, functional and financial independence ______ 91
        1.1.2 AGESIC ______ 93
      1.2. Composition of the Data Protection Authority ______ 94
        1.2.1 The Executive Council ______ 94
        1.2.2 The Advisory Council ______ 95
      1.3. Role and powers of the Data Protection Authority ______ 96
        1.3.1 Registration of processing: from one authority to the other ______ 97
        1.3.2 Inspection powers ______ 99
    2. Effective dissuasive sanctions ______ 100
      2.1. Administrative sanctions ______ 100
      2.2. Remedies against decisions of the Data Protection Authority ______ 102
      2.3. Criminal sanctions ______ 102
    3. Level of awareness ______ 102
  B. Support and help to individual data subjects in the exercise of their rights ______ 103
    1. Receiving complaints - support and help from the Data Protection Authority ______ 103
    2. The enforcement of one's rights: the Habeas data action ______ 104
  C. Appropriate redress to the injured party ______ 107
VII. Table: Chart comparing EU principles for Adequacy to the Articles of the Data Protection Act of Uruguay ______ 109
VIII. Conclusion ______ 110
  A. Scope ______ 110
  B. Legitimating grounds for processing ______ 111
  C. Summary of the step-by-step analysis ______ 112
    1. The content principle criteria ______ 112
      1.1. Purpose limitation principle ______ 112
      1.2. Data quality and proportionality principle ______ 112
      1.3. Transparency principle ______ 113
      1.4. Security and confidentiality principle ______ 113
      1.5. The rights of the person affected: Access, rectification and opposition ______ 114
      1.6. Restrictions on onward transfers ______ 114
      1.7. Sensitive data ______ 115
      1.8. Direct Marketing ______ 115
      1.9. Automated individual decisions ______ 115
    2. Procedural and enforcement mechanisms ______ 115
      2.1. To deliver a good compliance with the rules ______ 115
      2.2. To provide support and help to data subjects ______ 116
      2.3. To provide appropriate redress to injured parties ______ 116
  D. Areas of concern ______ 117
  E. Adequacy assessment conclusion ______ 117
IX. Bibliography ______ 119
X. Annex: Ley n° 18,331 ______ 123

Abbreviations

Act: Data Protection Act of Uruguay, Law 18,331
AGESIC: Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y el Conocimiento (Agency for the Development of Electronic Government and the Information and Knowledge Society)
Art.: Article
Article 29 WP: Article 29 Data Protection Working Party
Const.: Constitution of 1967
Credit Reporting Law: Law 17,838, September 8, 2004
Derecho Informático: Colección Derecho Informático (Uruguay)
DP: Data protection
E-Privacy Directive: Directive 2002/58 on Privacy and Electronic Communications
EU: European Union
EU Directive: Directive 95/46/EC of 24 October 1995
FOI: Freedom of information
LOPDCP: Ley Orgánica de Protección de Datos de Carácter Personal (Organic Law 15/1999 of 13 December, Spain)
Mercosur: Mercado Común del Sur (Southern Common Market)
Num.: Number
OJ: Official Journal
Prov.: Province/Provincial
U.S.: United States
WP12: WP 12 - Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive

I. Introduction

A. Aim of the report

This report has been prepared at the request of the Commission of the European Communities, Directorate-General for Justice, Freedom and Security.

The basic aim of the report is to provide the Commission with information on the personal data protection regime in Uruguay that will enable a proper determination of whether Uruguay provides an adequate level of protection for personal data, with a view to a possible Commission decision pursuant to Article 25(6) of Directive 95/46/EC. [1]

Article 25 of Directive 95/46/EC regulates the transfer of personal data from Member States of the European Union (EU) to "third countries", i.e. countries outside the EU (and EEA). According to Article 25(1), transfer of personal data "may take place only if (...) the third country in question ensures an adequate level of protection". The essential concern of the Directive on this point is to ensure that data relating to European citizens and residents [2] remain subject to safeguards when transferred out of the EU (and EEA). The adequacy of protection "shall be assessed in the light of all the circumstances surrounding a data transfer or set of data transfer operations (…)" (Art. 25(2)).

The European Commission has the power to make determinations of adequacy, which are binding on EU (and EEA) Member States (Art. 25(6)). [3] Positive determinations of adequacy have hitherto been made for Switzerland, [4] Canada, [5] Argentina, [6] the Bailiwick of Guernsey, [7] the Isle of Man, [8] the United States' (US) "safe harbour" scheme [9] and Jersey. [10]

[1] Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31 et seq.), hereinafter also termed "the data protection Directive" or "the Directive".
[2] Note, though, that applicability of the provisions of the Directive does not turn on the nationality or official place of residence of a data subject.
[3] The Commission does not make such decisions on its own but with input from: (i) the Data Protection Working Party established pursuant to Art. 29 of the Directive, which may deliver a non-binding opinion on the proposed decision (Art. 30(1)(a) and (b)); (ii) the Committee of Member State representatives set up under Art. 31 of the Directive, which must approve the proposed decision and which may refer the matter to the Council for final determination (Art. 31(2)); and (iii) the European Parliament, which is able to check whether the Commission has properly used its powers. The procedure follows the ground rules contained in Council Decision 1999/468/EC of 28.6.1999 laying down the procedures for the exercise of implementing powers conferred on the Commission (OJ L 184, 17.7.1999, p. 23 et seq.).

B. Methodology

1. General remarks

The Directive sets out criteria for assessing adequacy. Article 25(2) states that adequacy shall be assessed in the light of all circumstances surrounding a data transfer operation. Consideration must be given to the nature of the data, and to the purpose and duration of the proposed processing operations. The rules of law, in general and in specific sectors, must be analyzed. [11] The content of the applicable rules and the means for ensuring their effective application must also be considered.

When assessing the content of the applicable rules, account must be taken not only of formal legal rules and of the formal oversight mechanisms rooted in legislation. The Directive also requires that account be taken of non-legal rules that may be in force in the third country in question, provided that these rules are complied with.

Moreover, the way in which a regime functions (including, of course, the extent to which "law in books" equates with "law in practice") will be tied not just to the rules found in both "hard" and "soft law" instruments but also to a myriad of relatively informal customs and attitudes which prevail in the country concerned, e.g. the extent to which the country's administrative and corporate cultures are imbued with a respect for authority or a respect for "fair information" principles. [12]

[4] Commission Decision 2000/518/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (OJ L 215, 25.8.2000, p. 1 et seq.). The Commission reaffirmed the adequacy of the Swiss regime in 2004: see Commission Staff Working Document SEC(2004) 1322, Brussels, 20.10.2004.
[5] Commission Decision 2002/2/EC of 20.12.2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (OJ L 2, 4.1.2002, p. 13 et seq.). The Commission is currently undertaking a review of the adequacy of the Canadian regime, as mandated by Art. 4 of its decision.
[6] Commission Decision C(2003) 1731 of 30.6.2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (OJ L 168, 5.7.2003, p. 19 et seq.).
[7] Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey (OJ L 308, 25.11.2003).
[8] Commission Decision 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man.
[9] Commission Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ L 215, 25.8.2000, p. 7 et seq.).
[10] Commission Decision 2008/393/EC of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey (OJ L 138, 28.5.2008, p. 21).
[11] ZINSER Alexander, "International Data Transfer out of the European Union: The Adequate Level of Data Protection According to Article 25 of the European Data Protection Directive", John Marshall J. of Comp. & Inf. Law, n°21, 2003, p. 547 at p. 550 et seq.

2. Principal assessment criteria

2.1. Legal criteria

The principal legal criteria for assessing the data protection regime of Uruguay are the rules of Directive 95/46/EC (and more precisely Article 25 of the Directive).

2.2. Methodological criteria

The principal methodological criteria for assessing the data protection regime of Uruguay are set out by the Article 29 DP Working Party in its document "Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive" (WP12 - 5025/98). [13] While the core criteria suggested by the Working Party do not have any legal standing, they are the considered view of Europe's data protection authorities as to what constitutes "adequacy", and are derived from the Working Party's assessment of the most important requirements of Directive 95/46/EC and other international data protection texts.

The headings of the core criteria suggested by the Working Party are as follows:

Content Principles

- Purpose limitation
- Data quality and proportionality
- Transparency
- Security
- Rights of access, rectification and opposition
- Restrictions on onward transfers
- Additional principles to be applied to specific types of processing, such as those concerning (i) sensitive data, (ii) direct marketing and (iii) automated decisions.

[12] See generally FLAHERTY David H., Protecting Privacy in Surveillance Societies, University of North Carolina Press, Chapel Hill, London, 1989.
[13] See also European Commission, Preparation of a methodology for evaluating the adequacy of the level of protection of individuals with regard to the processing of personal data (Luxembourg: Office for Official Publications of the EC, 1998).

Procedural/enforcement mechanisms

- Delivery of a good level of compliance
- Support and help to individual data subjects
- Provision of appropriate redress to the injured parties

In this Report these criteria are used as a guide to the most important factors comprising the adequacy of any legislation or other scheme.

II. Context of the data protection regime of Uruguay

A. Constitutional system and political regime

The Oriental Republic of Uruguay ("República Oriental del Uruguay") is a unitary democratic republic organized in nineteen administrative subdivisions with limited autonomy. When it became independent on August 27, 1828, the Oriental Republic of Uruguay drew up its first Constitution, which was promulgated on July 18, 1830. [14] Since achieving independence in 1828, Uruguay has promulgated five Constitutions: in 1830, 1917, 1934, 1952 and 1967.

Uruguay's democratic government is currently governed by the 1967 Constitution. [15] Uruguay is organized under a unitary system with three separate branches of power. The 1967 Constitution institutionalized a strong presidency, subject to legislative and judicial checks. The electorate exercises sovereignty directly through elections, initiatives or referendums, and indirectly through the representative powers established by the Constitution.

1. Executive Power

Executive power is exercised by the President of the Republic, acting with the advice of the Council of Ministers. [16] The Vice-President of the Republic serves as the president of the General Assembly and of the Senate. [17] The President and Vice-President are elected for five-year terms by a simple majority of the people through a unique voting system. [18]

The President's duties include publishing all laws and enforcing them, informing the General Assembly of the state of the Republic and of proposed improvements and reforms, making objections to or observations on bills sent by the General Assembly, proposing bills to the chambers or amendments to laws previously enacted, conferring civilian and military offices, and removing civil servants (with the consent of the Senate) for "inefficiency, dereliction of duty, or malfeasance". [19]

[14] For more information see GROS ESPIELL Héctor and ESTEVA GALLICCHIO Eduardo G., Constituciones Iberoamericanas, Instituto de Investigaciones Jurídicas de la UNAM, México, 2005.
[15] Constitution of Uruguay of the year 1967 with amendments of November 26, 1989; November 26, 1994; December 8, 1996 and October 31, 2004 (hereinafter "Constitution" or "Const.").
[16] Constitution, Article 149.
[17] Constitution, Article 150.
[18] Constitution, Article 149.

In addition, a number of autonomous entities (autonomous agencies or state enterprises) and decentralized services are very important in government administration. [20]

2. Legislative Power

The General Assembly is bicameral, composed of a Senate and a House of Representatives. It enacts laws and regulates the administration of justice. The Senate is made up of thirty senators and the Vice-President of the Republic; the latter chairs the Senate as well as the General Assembly and has both a voice and a vote in Senate deliberations. The House of Representatives has ninety-nine members. [21]

3. Judiciary Power

The 1967 Constitution established the judicial branch as an independent power of the State, headed by the Supreme Court of Justice. Lower civilian courts include six Courts of Appeal (for civil, criminal and labor matters), courts of first instance (sometimes referred to as lawyer courts or "juzgados letrados"), and local courts ("juzgados de paz").

Located in Montevideo, the Supreme Court of Justice manages the entire judicial system. [22] It prepares the budget for the judiciary and submits it to the General Assembly for approval, proposes all legislation regarding the functioning of the courts, appoints judges to the Courts of Appeal, and nominates all other judges and judicial officials. It has the power to modify any decision made by the Courts of Appeal and is the only court allowed to declare the unconstitutionality of laws passed by the General Assembly. [23]

[19] Constitution, Article 168.
[20] Constitution, Article 185.
[21] Constitution, Articles 89 and 94.
[22] Constitution, Articles 233-239.
[23] Constitution, Article 239.

The Courts of Appeal are also located in Montevideo. Each consists of three judges appointed by the Supreme Court of Justice with the approval of the Senate. These courts do not have original jurisdiction but hear appeals from lower courts. The Courts of Appeal hear civil matters (including issues relating to commerce, customs or minors), as well as criminal and labor cases.

4. Local Government

Uruguay's administrative subdivisions consist of nineteen (19) departments ("intendencias"), which are subordinate to the central government. They are responsible for local administration.

They enforce national laws and administer the social and educational policies and institutions within their territories. These territories have limited taxing powers. They can borrow funds and acquire property, [24] but they cannot enact or change substantive law (e.g. data protection regulations).

Executive authority is vested in a governor ("intendente"), who administers the department, and in a departmental board ("junta departamental"), [25] which carries out limited legislative functions. These functions include approval of the departmental budget and judicial actions, such as impeachment proceedings against departmental officials.

5. Legal system

The legal regime of Uruguay is based on the civil law system, as opposed to the common law system. The sources of law are mainly the Constitution and the laws of the General Assembly, together with the implementing decrees of the Executive Power. [26] Case law is not binding, though it can be influential and shows how the law is interpreted and applied, particularly in the decisions of the Supreme Court. Finally, legal doctrine and scholars play an important role as a source of law. [27]

[24] Constitution, Article 273.
[25] Which consists of thirty-one members.
[26] These decrees implement the laws enacted by Parliament or regulate the bodies under the Executive's jurisdiction.

B. Constitutional background on privacy and fundamental rights

1. Data protection and Privacy as fundamental rights?

The Constitution of 1967 of Uruguay provides for freedom of religion, [28] thought, speech and press, [29] peaceful assembly and association, [30] collective bargaining, movement within the country, [31] foreign travel, emigration and repatriation, respect for political rights, and the inviolability of property and privacy and other rights of personality. Under the Constitution, neither "privacy" nor "data protection" is specifically mentioned as a fundamental right. The Constitution does, however, refer several times to privacy-related matters: there are articles on the confidentiality of correspondence and on privacy. Those articles are quoted below:

- Article 10. The private actions of individuals that are in no way contrary to the public order and do not harm a third party are exempt from the authority of judges. No inhabitant of the Republic shall be obliged to do what the law does not demand, nor deprived of what it does not prohibit. [32] [33]
- Article 11. The home is sacred and inviolable. At night, nobody may enter a home without the consent of its head and, by day, only with the express written order of a competent judge and in the cases determined by law. [34]
- Article 28. The papers of individuals and their correspondence of any kind are inviolable; their search, examination or interception may only be carried out in accordance with laws adopted for reasons of general interest. [35]

[27] Argentine legal doctrine may also be very influential, particularly in private and constitutional law.
[28] Constitution, Article 5.
[29] Constitution, Article 29.
[30] Constitution, Article 39.
[31] Constitution, Article 37.
[32] Original Spanish text: "Las acciones privadas de las personas que de ningún modo atacan el orden público ni perjudican a un tercero, están exentas de la autoridad de los magistrados. Ningún habitante de la República será obligado a hacer lo que no manda la ley, ni privado de lo que ella no prohíbe."
[33] Constitution, Article 10. The text is similar to section 19 of the Argentine Constitution, but without the reference to God.
[34] Original Spanish text: "El hogar es un sagrado inviolable. De noche nadie podrá entrar en él sin consentimiento de su jefe, y de día, sólo de orden expresa de Juez competente, por escrito y en los casos determinados por la ley."

The fact that privacy and data protection are not expressly mentioned in the Constitution does not, however, mean that they are not considered fundamental rights under the legal system of Uruguay. In this respect, Article 72 of the Constitution provides that "the enumeration of rights, duties and guarantees in this Constitution does not exclude other rights, duties and guarantees that are inherent to human personality or derived from the republican form of government". [36]

In addition, the Constitution provides in its Article 332 that the rights it foresees, as well as the duties and powers of the authorities, shall be applied even in the absence of implementing regulation, the gap then being supplied by general principles of law, generally accepted doctrine or the grounds of similar laws. [37]

These two "open clauses" in the Constitution of Uruguay facilitate the recognition of other fundamental rights. The new Data Protection Act consequently grounds its recognition of data protection as a fundamental right in Article 72 of the Constitution. Since the enactment of the Act, "data protection" has been considered an inherent right of the individual under the legal system of Uruguay. [38]

[35] Original Spanish text: "Los papeles de los particulares y su correspondencia epistolar, telegráfica o de cualquier otra especie, son inviolables, y nunca podrá hacerse su registro, examen o interceptación sino conforme a las leyes que se establecieren por razones de interés general."
[36] Const., Article 72. Original Spanish text: "La enumeración de derechos, deberes y garantías hecha por la Constitución, no excluye los otros que son inherentes a la personalidad humana o se derivan de la forma republicana de gobierno."
[37] Const., Article 332. Original Spanish text: "Los preceptos de la presente Constitución que reconocen derechos a los individuos, así como los que atribuyen facultades e imponen deberes a las autoridades públicas, no dejarán de aplicarse por falta de la reglamentación respectiva, sino que ésta será suplida, recurriendo a los fundamentos de leyes análogas, a los principios generales de derecho y a las doctrinas generalmente admitidas."
[38] BRIAN NOUGERÉS, Ana, Protección de Datos Personales en Uruguay, p. 10; DELPIANO Asencio Héctor, Protección de Datos de carácter personal, FCU, Montevideo, 1997, p. 25-26.

2. Constitutionally foreseen remedy

It should also be noted that the Constitution does not provide for a specific judicial remedy for the protection of personal data (known as "habeas data"), [39] as the rest of Latin America does. [40] However, the Constitution provides for a writ of "amparo", which authors considered a viable alternative to the habeas data action before the enactment of the Data Protection Act.

C. International Human Rights texts effective in Uruguay

The following list details the International Human Rights texts that are effective in Uruguay:

- American Declaration of the Rights and Duties of Man: Article V provides that "Every person has the right to the protection of the law against abusive attacks upon his honor, his reputation, and his private and family life".
- International Covenant on Civil and Political Rights: Article 17 provides that "1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation" and that "2. Everyone has the right to the protection of the law against such interference or attacks". The Covenant was ratified in Uruguay by Law 13,751 (February 21, 1967).
- American Convention on Human Rights (also known as "Pacto de San José de Costa Rica"): Article 11, "Right to Privacy", provides that "1. Everyone has the right to have his honor respected and his dignity recognized. 2. No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. 3. Everyone has the right to the protection of the law against such interference or attacks". The Convention was ratified in Uruguay by Law 15,837 (March 8, 1985).
- Universal Declaration of Human Rights: Article 12 provides that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks". Although not specifically internalized in Uruguay, legal doctrine understands these principles to be valid and binding in Uruguayan internal law. [41]

[39] The habeas data action is, in general terms, a quick, expedited proceeding designed to cause personal data recorded in files, records or databases to be completed, updated, corrected, suspended, blocked or destroyed, or to obtain access to any such records, files or databases.
[40] For an analysis of data protection in Latin America see PUCINELLI Oscar Raúl, Protección de datos de carácter personal, Astrea, Buenos Aires, 2004, and PALAZZI Pablo, La transmisión internacional de datos personales y la protección de la privacidad, Ad-Hoc, Buenos Aires, 2002.

The following international documents related to privacy and data protection have been neither ratified nor implemented by Uruguay:
- Council of Europe Convention No. 108;
- Council of Europe Cybercrime Convention;
- OECD Guidelines on Privacy and Transborder Data Flows; and
- United Nations Guidelines concerning Computerized Personal Data Files.

D. Legislative History of the Data Protection Act

1. From a first bill to the final adoption of a general Data Protection Act

The Data Protection Act of 2008 was enacted by the General Assembly as Law number 18,331 and promulgated on August 11, 2008. It was published in the edition of the Official Journal of August 18, 2008.

[41] BRIAN NOUGERÉS, Ana, Protección de Datos Personales en Uruguay, p. 13.

Reaching this point took some time. The history began in 1997, when several bills were introduced in the General Assembly proposing a data protection act and a regulation of credit reporting. These bills followed, to some extent closely, the Spanish Data Protection Act of 1992, [42] but none of them was finally enacted. The only concern of these bills seemed to be the regulation of the several credit reporting agencies in Uruguay that were selling information about citizens at that time. [43]

In 2004 a data protection act was approved, restricted to credit reports. It was called the Law on the "Protection of personal data to be used in credit reporting and habeas data actions" (Law 17,838, September 8, 2004, hereinafter "Credit Reporting Law"). The Credit Reporting Law (Law 17,838) was repealed by the current Data Protection Act (Law 18,331, Article 48). It is therefore not necessary to provide a detailed explanation of this statute.

The Bill that led to the current Data Protection Act was drafted and introduced by the Executive Power (President Tabaré Vázquez) in Parliament on September 16, 2007, “as a general data protection law, to differentiate it from law 17,838 that regulates only credit reporting data”.

In the recitals of the Bill, the Executive Power of Uruguay expressed that one of the aims of the new proposed regulation was to have a data protection law that could be considered adequate with respect to the European Union. The recitals of the Bill mentioned that: “Our country needs to have a law like the one we are proposing, not only to regulate the rights of citizens but also with respect to third countries […] The current bill would allow Uruguay to be recognized by the European Union as a secure country for the sending of personal data [the text enumerates the WP12 requirements to determine adequacy related to the enforcement mechanisms]… Without even assessing the human right implications, from an economic point of view, to be a country without an adequate level of protection of personal data may constitute a potential barrier to access markets and to receive investments, specifically those originated in the European Union”44.

42 DELPIANO Asensio Héctor, Protección de Datos de carácter personal, op. cit., p. 112.

43 Ibidem, p. 10-13.

Other grounds mentioned for the adoption of the Bill were the reform of public administration and technological change 45.

An examination of the legislative debate shows that the will to obtain an adequacy decision from the European Union was shared within the General Assembly. This was mentioned by Senator Percovich in the legislative debate in the Senate and by Deputy Diego Canepa who expressed the same ideas in his statement as rapporteur to the House of Representatives 46 .

The differences between the original Bill 47 of the Executive Power and the one approved by the General Assembly are minimal. Most of the changes introduced by the General Assembly related to the wording of some provisions. The only important change was the addition in article 23 of the Bill (related to international transfers) of new exceptions matching the derogations provided in article 26 of the EU Directive 48 (the first exceptions were however not deleted from article 23 and, as we will see and discuss later in this report 49, this will cause some interpretation issues). The General Assembly also added a provision related to an Advisory Council (‘Consejo Consultivo’) assisting the Data Protection Agency (‘Consejo Ejecutivo de la Unidad Reguladora y de Control de Datos Personales’) (article 32 of the Act).

44 See Data protection Bill proposed by the Executive Power of Uruguay, September 2007. In their original language the recitals provide that “Nuestro país necesita contar con una normativa como la prevista, no solo en cuanto a la regulación específica de los derechos que constitucionalmente poseen los ciudadanos, sino también en el relacionamiento con terceros países. El presente marco normativo, permitiría a Uruguay encuadrar dentro de los requerimientos de la Unión Europea como país seguro en cuanto al envío de datos, ya que los elementos considerados a tales efectos son: en primer lugar, asegurar un nivel satisfactorio de cumplimiento de las normas, lo que presupone la existencia de una ley de protección de datos, que se posea un órgano de control y un régimen sancionatorio. En segundo lugar la posibilidad de ofrecer apoyo y asistencia a los interesados en el ejercicio de sus derechos. Esto presupone la existencia de un organismo que entre sus tareas incluya: asesoramiento a los ciudadanos sobre sus derechos, campañas de difusión sobre los derechos sobre los datos personales y cursos formativos para profesionales y/o titulares de bases de datos. En tercer lugar ofrecer vías adecuadas de recurso a quienes resulten perjudicados en el caso de que no se observen las normas, tanto en vía administrativa (ante el organismo de control) como en vía jurisdiccional (acción de habeas data). Sin entrar a valorar los aspectos relativos a la defensa de los derechos humanos, desde el punto de vista estrictamente económico, ser un país con nivel de protección de datos personales no adecuado, constituye una potencial barrera no arancelaria para el acceso a mercados y para la captación de inversiones, particularmente aquellos pertenecientes a la Unión Europea”.

45 In an email interview with Martin Colombo, attorney specialized in IT & IP in the law firm Ferrere Abogados (Montevideo, Uruguay), it was expressed that another reason for obtaining a finding of adequacy was “…to clear the way for call center companies from Uruguay to work with European clients”.

46 See Sala de la comision, 25 de junio de 2008, Diego Canepa, miembro informante. Congreso de Uruguay, Comisión de Constitución, Códigos, Legislación General y Administración, Carpeta Nº 2497 de 2008, Anexo I al Repartido Nº 1224 Julio de 2008. In its original language: “Una vez aprobado este proyecto y según lo que establece el Mensaje del Poder Ejecutivo, Uruguay estará encuadrado dentro de los requerimientos de la Unión Europea como país seguro para el envío de datos, ya que contaremos con una ley de protección de datos, un órgano de control y un régimen sancionatorio”.

47 See text of the Bill in Derecho Informático, vol. VIII, p. 421-436.

48 In fact, Article 23, third paragraph, letters A to F of the Act are a literal transposition of article 26.1, letters (a) to (f) of the EU Directive.

During the year 2008, the General Assembly held several hearings with different experts and public officials including the Sub-director of the Budget Office (‘Oficina de Planeamiento y Presupuesto’ ), Dr. Conrado Ramos; Director of AGESIC, Ing. José Castornik and Dra. María José Viega (legal advisor to AGESIC). The Senate also received suggestions from the Institute of Computer Law (“Instituto de Derecho Informático”) of the University of the Republic 50 and the Association of Telecommunications Companies.

The Data Protection Act 51 was approved by the Senate in April 2008 and by the House of Representatives in July 2008. It was enacted by Parliament as Law number 18,331, promulgated on August 11, 2008 and published in the edition of the Official Journal of August 18, 2008 52 .

One point worth mentioning is that the Act was approved unanimously by the General Assembly, including the votes of the opposition. This shows clear political support for this measure in the country.

49 See “Content principles”, “Restrictions to onward transfers”, p. 64.

50 See Informe del Instituto de Derecho Informático de la Universidad de la República del 29 de octubre de 2007, available at Derecho Informático, vol. VIII, p. 436-456, CFU, Montevideo, mayo 2008.

51 The Act does not have a name or title in its text; it is identified only by a number. An unofficial English translation of the Act is attached as Annex 1.

52 Official Journal number 27549.

III. Assessment of the Data Protection Act of Uruguay

A. Preliminary remarks

The Uruguayan Data Protection Act is the result of a mix of several legal influences. It has been inspired by the EU Directive, the Spanish Data Protection Act (Law 5/1999 amended by Law 62/2003, LOPDCP) and the Data Protection Act of Argentina. It also takes the Credit Reporting Law (Law 17,838) as its model of departure.

The differences between the models and the Act are mainly those necessary to adapt the law to the local requirements of the Uruguayan legal system, that is to say, the name and designation of the data protection authority and the procedural aspects of the habeas data action. The rest of the text of the Act is clearly based on EU laws or on the Argentinean law (which was already considered adequate). However, as we will see further on, the mix of different models has not always been adequately coordinated. In several respects, the Act reveals confusions, or even mistakes, making some (few) provisions hard to understand or lacking in legal certainty. An implementation Decree has however been prepared by the Executive, but has not yet been officially enacted (at the time of finishing this report, we received the information that this Decree would be enacted within 2 months). In many respects, this Decree should fill the gaps of the Act. This is why, in the present report, clarifications on the interpretation of the Act are based, when available, on the current existing case law and on the assertions provided to us by the legal advisor of AGESIC, in particular with respect to the content of the future Implementation Decree.

Another point to take into account is that, since there is no official English translation of the Data Protection Act, for the purpose of this research report, references to the provisions of the Act are based on an unofficial translation done by the authors of the report. Please refer however to the original language of the Act (annexed to this report) for some nuances that are sometimes not easy to translate.

Finally, when presenting the definitions and the scope of the Data Protection Act, comparisons with the Directive are made in order to provide a correct analysis of the situation.

B. Definitions of the Data Protection Act

This part aims at presenting the wording of the Data Protection Act and the definitions provided for. In a first part, we will present the definitions of the Act discussing them on the basis of those of the EU Directive. In a second part, we will focus on some additional definitions peculiar to the Uruguayan Act.

1. General definitions corresponding to the EU Directive

The concept of “database”, which is a key concept of the Act, is defined as “an organized set of personal data which is subject to treatment or processing, electronically or otherwise, regardless of the way it was created, stored, organized or by which way it can be accessed”53. This definition corresponds mutatis mutandis to the concept of “personal data filing system” defined in the EU Directive 54.

The “data subject’s consent” is conceived as “any expression of a free, unequivocal, specific and informed will, by which the data subject consents to the processing of personal data concerning him”55. As in the EU Directive, the consent must be “freely given, specific and informed” 56.

The concept of “personal data” is understood to comprise “information of any kind related to identified or identifiable natural or legal persons”57. The protection afforded by the Act applies to both natural and legal persons. The term is very broad because it applies not only to information identifying an individual (e.g. a name), but also to “identifiable” information. “Identifiable” information is data that helps to identify an individual indirectly. For example, under this concept an “IP address” can be identifiable information if it allows the name of an internet user to be traced back by asking an ISP to correlate that “IP address” with one of its clients. We understand that the term is in line with article 2.a) of the EU Directive (“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”).

53 Article 4.A. of the Data Protection Act.

54 Article 2 c) of the Directive: “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis”.

55 Article 4.C. of the Data Protection Act.

56 Article 2 h) of the Directive.

57 Article 4.D. of the Data Protection Act.

“Sensitive data” refers to “personal data revealing the racial and ethnic origin, political opinions, religious or moral beliefs, trade-union membership or information relating to health or sex life”58. This definition only slightly differs from the one in the Directive 59, which refers to “philosophical beliefs” instead of “moral beliefs”.

The concept of “recipient” is defined as “any natural or legal person, public or private, that receives personal data, whether a third party or not”60, and corresponds to the one provided for in the Directive 61.

The “processor” (“encargado del tratamiento”) is understood as “any natural or legal person, public or private that, either alone or jointly with other persons, processes personal data on behalf of the controller”62. This definition includes the same elements as the definition in the Directive 63, that is to say the idea that the processor, who may be a natural or legal person of a public or private nature, processes personal data on behalf of the controller. However, after having been defined, the term is not used as such in the Act anymore. One will however understand that the ‘third party providing personal data processing services’ to which the Act refers must be understood as being a processor 64.

58 Article 4.E. of the Data Protection Act.

59 Article 8 of the Directive.

60 Article 4.F. of the Data Protection Act.

61 Article 2 g) of the Directive.

62 Article 4.H. of the Data Protection Act.

63 Article 2 e) of the Directive.

64 As for instance in Article 30 of the Data Protection Act.

The “third party” is conceived as “a natural or legal person, public or private, other than the data subject, the controller, the processor or any other person authorized to process data under the direct authority of the controller or the processor”. This definition corresponds to the one of the EU Directive 65.

The “Database controller” (“Responsable de la base de datos o del tratamiento”) is defined as “any natural or legal person, public or private, who is owner of the database or decides on the purpose, content and use of the processing”66. Under the Act, the concept of controller is wider than in the EU Directive, because of the alternative criteria applicable to identify the said controller: either the ownership of the database or the control over the purpose and means of the processing. On the one hand, this definition affords a wider protection, since more individuals or companies may be subject to the Act. On the other hand, this might lead in practice to some difficulties when identifying the controller, since one can be the owner of a database without being the one who decides on the purpose and means of the processing. The reference to these alternative criteria might be explained by the influence of both the EU Directive and the Argentinean Law, which based the definition of the “Responsable de archivo, registro, base o banco de datos” on the criterion of ownership 67.

Finally, “Data processing” is defined as “systematic operations and procedures, whether or not of automatic nature, for the processing of personal data and their transfer to third parties by means of communication, consultation, interconnection and transmission”68. This definition corresponds, in other words, to the definition provided for in the Directive, which refers to “any operation or set of operations which is performed upon personal data, whether or not by automatic means” 69.

As a conclusion, all the definitions of the EU Directive find their equivalent in the Uruguayan Act, and as we have observed, most of them correspond faithfully.

65 Article 2 f) of the Directive.

66 Article 4.K. of the Data Protection Act.

67 See the definition provided for in the Argentinean Law: “Persona física o de existencia ideal pública o privada, que es titular de un archivo, registro, base o banco de datos”. “Titular” means owner.

68 Article 4.M. of the Data Protection Act.

69 Article 2 b) of the Directive.

2. Definitions peculiar to the Uruguayan Act

The Data Protection Act provides several other definitions, which may or may not refer to concepts found in the Directive.

The definition of the “data subject” as “any person whose data are subject to a processing within the scope of application of the Act”70 does not call for further comments. Nor does the definition of the “communication of data” as “any disclosure of data to a person other than the data subject”71, which obviously covers any disclosure of data.

The process of “data dissociation” is defined as being “any processing of personal data that makes impossible to link the information obtained with any identified or identifiable person” 72. The aim of such processing is to make the data anonymous, so that it can no longer be considered personal data.

“Accessible public sources” are understood to be “databases that can be consulted by any person, without any legal restrictions or obligations other than, where applicable, the payment of a fee”73. This concept is inspired by the definition found in the Spanish data protection law of 1999 (art. 3.J, LOPDCP 74) and by the Argentinean law. It refers to databases that are publicly accessible and usually intended to provide public information held by the government to citizens (in this sense, there is a public interest in keeping the citizens informed). The term is not used to exclude a certain area from the application of the Act, but rather to create an exception to the data subject’s consent requirement (article 9.A of the Act), since the personal information taken from these sources has to be freely available to the public. In any case, the data taken from public sources may be subject to other limitations such as the purpose limitation principle (article 8 of the Act). This concept may include the registry of property, the electoral roll or the telephone directory.

70 Article 4.L. of the Data Protection Act.

71 Article 4.B. of the Data Protection Act.

72 Article 4.G. of the Data Protection Act.

73 Article 4.J. of the Data Protection Act.

74 The Spanish LOPDCP defined “sources accessible to the public” as “those files which can be consulted by anyone, which are not subject to restrictive legislation, or which are subject only to payment of a consultation fee. Only the following shall be considered to be sources accessible to the public: the publicity register, telephone directories subject to the conditions laid down in the relevant regulations, and the lists of persons belonging to professional associations containing only data on the name, title, profession, activity, academic degree, address and an indication of his membership of the association. Newspapers, official gazettes and the media shall also be considered sources with public access” (article 3.J).

The Act comprises an additional definition referring to the “data user” as “any person, public or private, who at its sole discretion, processes data, whether from an own database or by connecting to one”75. This concept has certainly been inspired by the Argentinean Law, which contains the same definition 76. It does not however appear relevant, since the main actors processing personal data (controller, processor, third party, recipient) have already been defined. Furthermore, it introduces confusion with respect to the definition of controller, which is conceived broadly in the Act. In Argentina, since the concept was introduced in the data protection act of 2000, the term has only been used twice by courts, to hold financial entities liable for the inaccuracies of credit reports. This distinction between the user and the controller was however not relevant in the cases at stake, since the credit reporting agencies could also be considered as controllers and their liability could equally have been assessed on this basis. As in the Argentinean Law, further reference to the “data user” in the Act can only be found in the provisions relating to security and confidentiality measures 77. In this respect, the influence of the Argentinean Law over the Uruguayan Legislator contributed to introducing a lack of legal certainty.

C. Scope of the Act

According to Article 1 of the Act, “the right to personal data protection is inherent to the human person therefore it is covered by Section 72 of the Republic’s Constitution 78”. As explained before 79, the open nature of the Constitution allows data protection to be considered a human (fundamental) right.

75 Article 4.N. of the Data Protection Act.

76 See article 2 of the Argentinean Act: “usuario de datos”: “Toda persona, pública o privada que realice a su arbitrio el tratamiento de datos, ya sea en archivos, registros o bancos de datos propios o a través de conexión con los mismos.”

77 Article 10 of the Data Protection Act: “the controller or user must adopt the necessary measures to ensure the security and confidentiality of the data.”

78 El derecho a la protección de datos personales es inherente a la persona humana, por lo que está comprendido en el artículo 72 de la Constitución de la República.

79 See “Data protection and privacy as fundamental Rights”, p. 13 of this report.

Article 3 of the Act provides that it applies to “personal data recorded under any format which makes its processing possible and to any subsequent form of use of such data by either the public or the private sector 80”. The law consequently foresees provisions for both the public (Articles 24 to 27) and the private sector (Articles 28 to 30).

Other provisions are relevant as regards the substantive (1) and territorial (2) scope of the Data Protection Act.

1. Substantive scope

Based on the definitions and principles provided by the Act, we will delimit its scope of application with regard to the controller, the data subject and the means of processing, before dealing with the excluded matters.

1.1. With regard to the controller

As has already been mentioned, the “Database controller or controller” is defined in the Act as the “natural or legal person, public or private, who is the owner of the database or decides on the purpose, content and use of the processing 81”. The Data Protection Act applies to controllers, whether they are natural or legal persons, of a public or private nature. The Act lays down an alternative criterion to determine the controller, who can either be the owner of the database or the one who determines the purpose and means of processing. As already mentioned, this definition affords in fact a wide protection, since the liability of both can be sought.

1.2. With regard to the data subjects

The Act covers both natural and legal persons with regard to the processing of personal data.

- Natural persons: Article 1 of the Act (quoted above) refers to a right of the human person. Natural persons are by nature protected under the Act.

- Legal entities: Article 2 of the Act provides that “by extension, the right to personal data protection shall apply to legal persons where applicable 82”.

80 El régimen de la presente ley será de aplicación a los datos personales registrados en cualquier soporte que los haga susceptibles de tratamiento, y a toda modalidad de uso posterior de estos datos por los ámbitos público o privado.

81 Responsable de la base de datos o del tratamiento: persona física o jurídica, pública o privada, propietaria de la base de datos o que decida sobre la finalidad, contenido y uso del tratamiento.

This means that not all the principles and rights determined in the Act necessarily apply to legal persons. For example, under article 3 letter “A”, the Act “shall not apply to databases which: A) Are maintained by natural persons in the course of exclusively personal or household/domestic activities”. Legal persons are not granted such an exemption. In addition, the provisions relating to sensitive data do not apply to legal entities.

Furthermore, the protection principles provided in the Act apply to all “personal data”, defined in Article 4 letter “D” as “information of any kind related to identified or identifiable natural or legal persons”. Here it is made clear that both individuals and legal entities are protected.

1.3. With regard to the means of processing

Article 3 of the Act provides that it “shall apply to personal data recorded under any format”.

Article 4 letter “M” of the Act then defines “data processing” as “systematic operations and procedures, whether or not of automatic nature, for the processing of personal data and their transfer to third parties by means of communication, consultation, interconnection and transmission 83”.

Therefore the Act covers the protection of personal data with regard to both manual and automatic processing. The Act affords here a wider protection than the EU Directive does.

82 El derecho a la protección de los datos personales se aplicará por extensión a las personas jurídicas, en cuanto corresponda.

83 Tratamiento de datos: operaciones y procedimientos sistemáticos, de carácter automatizado o no, que permitan el procesamiento de datos personales, así como también su cesión a terceros a través de comunicaciones, consultas, interconexiones o transferencias.

1.4. Exceptions in certain fields and special rules for certain kinds of data

Since no general provision defines the data files which should be subject to the Act, data files, registers and databases set up for any purpose are, as a principle, subject to the Act, except in those cases where a specific provision rules otherwise (see below).

Article 3.2 provides that the Act does not apply to databases which:

“A) Are maintained by natural persons in the course of exclusively personal or household/domestic activities.

B) Are created for the purposes of public safety, defense, state security and government’s activities relating to criminal law, investigation and repression of crimes 84 .

C) Are created and governed by special laws.”

The first exception is in line with article 3.2 of the EU Directive, which provides an exception for data processing “by a natural person in the course of a purely personal or household activity”.

The third exemption, C), referring to databases “created and governed by special laws”, does not correspond as such to any general exemption granted by the EU Directive. According to AGESIC, the aim of this exemption is to maintain the applicability of specific regulations concerning certain databases. This exemption would actually cover the laws regulating registries of property (for the registry of property, vehicles, etc. 85) and the law creating a public database of debtors of the financial system managed by the Central Bank (Law 17,948, of January 8, 2006) 86.

84 Las que tengan por objeto la seguridad pública, la defensa, la seguridad del Estado y sus actividades en materia penal, investigación y represión del delito.

85 E.g. Law 16,871, regulating generally public registries and specifically the registry of property, the registry of “personal acts” (marriages, interdictions, legal capacity, powers of attorney and mandates, law of heirs) and the public registry of commerce; Law 16,585 regarding the Registry of vehicles and drivers (Registro Nacional Único de Conductores, Vehículos, Infracciones e Infractores creado por la Ley Nº 16,585, de 22 de setiembre de 1994); Law 17,011 (trademark registry), and similar registries.

86 Telephone interview with Maria José Viega, legal advisor to AGESIC, April 2009.

The rationale behind this exception is that the existing registries or databases remain governed by their own regime for their daily management.

The second exception corresponds to the exemptions provided in article 3§2 of the EU Directive referring to activities outside Community law (1st pillar), including “operations concerning public security, defense, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law”. Apparently, the Uruguayan Legislator intended to keep outside the scope of protection of the Act all processing carried out for national security or criminal law enforcement purposes. However, when going deeper into the analysis of the Act, we noticed that several provisions specify the regime applicable to “databases owned by Armed forces, Police and Intelligence Agencies”.

1.4.1 Principles applicable to databases owned by Armed forces, Police and Intelligence agencies

Article 25 of the Act specifically deals with those databases owned by Armed forces, Police and Intelligence Agencies. An in-depth analysis of this article is required to clearly delimit the scope of the exclusion of article 3§2 B).

The first paragraph of article 25 provides that:

“This Act shall apply to personal data recorded on a permanent basis for administrative purposes in databases owned by the Armed Forces, Police organisms and Intelligence Agencies; and to personal records produced from said databases and submitted to administrative or judicial authorities that so request by virtue of legal requirements. 87”

87 “Base de datos correspondientes a las Fuerzas Armadas, Organismos Policiales o de Inteligencia”: “Quedarán sujetos al régimen de la presente ley, los datos personales que por haberse almacenado para fines administrativos, deban ser objeto de registro permanente en las bases de datos de las fuerzas armadas, organismos policiales o de inteligencia; y aquellos sobre antecedentes personales que proporcionen dichas bases de datos a las autoridades administrativas o judiciales que los requieran en virtud de disposiciones legales.”

Databases constituted for administrative purposes by Armed forces, Police and Intelligence agencies are thus expressly made subject to the Act. This article confirms that article 3§2 B) does not intend to exclude every processing carried out by those public authorities. In fact, the Act appears to distinguish the processing carried out by the Armed forces, Police and Intelligence agencies for administrative purposes from that carried out for national security and criminal law enforcement purposes.

Paragraphs 2 and 3 of article 25 further provide that:

“Processing of personal data for purposes of national defence or public security by the Armed Forces and Police and Intelligence Agencies without prior consent of the data subject shall be limited to those cases and categories of data which are strictly necessary to fulfil the mission assigned to them by law in the matters of national defence, public safety and the repression of crimes. In those cases, databases shall be specifically established for that purpose, and shall be divided into different categories based on their degree of reliability 88. Personal data registered for police work purposes shall be destroyed once the investigation for which they were registered is closed. 89”

Although the processing of personal data for national defense or public security purposes is, in general, excluded from the scope of the Act, these provisions afford a minimal guarantee of protection with regard to it. Indeed, §2 of article 25 calls for respect of the purpose limitation principle and the proportionality principle, requiring that processing of personal data by Armed forces, Police and Intelligence agencies be limited to what is “strictly necessary” to their missions. This allows us to conclude that these processing operations, contrary to what could be deduced from the general exclusion granted in article 3§2 B), are not completely excluded from the scope of protection of the Act. Rather, while excluding them in general, the Act provides minimal rules of protection defined as a specific regime.

88 “El tratamiento de datos personales con fines de defensa nacional o seguridad pública por parte de las fuerzas armadas, organismos policiales o inteligencia, sin previo consentimiento de los titulares, queda limitado a aquellos supuestos y categoría de datos que resulten necesarios para el estricto cumplimiento de las misiones legalmente asignadas a aquéllos para la defensa nacional, la seguridad pública o para la represión de los delitos. Las bases de datos, en tales casos, deberán ser específicas y establecidas al efecto, debiendo clasificarse por categorías”

89 “Los datos personales registrados con fines policiales se cancelarán cuando no sean necesarios para las averiguaciones que motivaron su almacenamiento.”

However, what makes the issue more complex is that the Act also provides specific exemptions from specific rights or obligations for the processing of personal data by the Armed Forces, Police and Intelligence agencies for purposes of “public safety, defense, state security and government’s activities relating to criminal law, investigation and repression of crime”. As we will see in our analysis of the content principles, such processing is granted derogations from the obligation of information,90 from the rights of the data subjects91 and from the prohibition on transferring personal data to countries that do not ensure an adequate level of protection.92 This makes the Act somewhat confusing in this respect, since these exemptions are unnecessary in the light of the general exclusion of article 3§2 B). The most likely explanation is the several foreign laws from which the Uruguayan legislator drew inspiration, without harmonising all the provisions relating to these processing activities. As we will see later in the report, a Uruguayan court recently allowed an individual to exercise his right of access against the Army,93 under the conditions of the Act. It is therefore not clear how the scope of the exclusion of article 3§2 will be interpreted in the future.

1.4.2 Other specific regimes

In addition, apart from these excluded sectors, the Act lays down specific rules and regimes concerning:
- Sensitive data (Article 18);
- Health data (Article 19);
- Telecommunications data (Article 20);
- Marketing data (Article 21);
- Credit reporting (Article 22).

90 In particular article 27 of the Act, discussed later in “the transparency principle”, p. 43
91 In particular article 26 of the Act, discussed in “the rights of access, rectification and opposition”, p. 59
92 In particular article 23§2 5) of the Act, discussed in “restrictions on onward transfers”, p. 60
93 This case law is presented p. 87

2. Territorial scope

This matter is not regulated in the Act and calls for several remarks.

First, it is to be highlighted that, under the Constitution, only the General Assembly of Uruguay may adopt a substantive law at national level. As noted before,94 Uruguay is a unitary State and its subdivisions have no autonomy to legislate on data protection matters. The Act consequently applies throughout the territory of Uruguay.

Secondly, the legal advisor of AGESIC confirmed to us that this matter will be specified in the implementing Decree to be adopted.95 The Decree closely follows the European criteria for determining territorial scope. It will provide that the Act applies when the activities of the controller’s establishment are located in Uruguay, but also when the controller is not established in Uruguay but uses equipment located within its territory. As in the Directive, the Decree will provide an exemption for cases where the controller uses equipment located in Uruguay only for purposes of transit. It will also provide that a controller not established in Uruguay must designate a representative with domicile and permanent residence in the territory in order to comply with the obligations of the Act; such designation will neither prevent legal action against the controller nor diminish its liability.96 We nevertheless question whether it is appropriate to settle the territorial scope of the Act by means of an implementing regulation rather than in the Act itself.

94 See “Constitutional System and Political Regime”, p. 10 of this report.
95 Telephone interview with the legal advisor of AGESIC.
96 These assertions are based on the future implementing Decree. The legal advisor of AGESIC supplied us with the current version of the article that is to regulate the territorial scope of the Act. Subject to its official adoption, it reads (translated from the Spanish): “The processing of personal data is subject to the Act being regulated when: A) The controller is established in Uruguayan territory, being considered as such anyone who carries on an activity in the country, whatever its legal form. B) The processing of personal data is carried out by a controller of a database or processing established in Uruguayan territory, that being the place where it carries on its activity, whatever its legal form. The same regime shall apply when the controller of the database or processing is not established in Uruguayan territory but uses, in the processing of data, means located in the country. Excepted from the preceding rule are cases in which the said means are used exclusively for purposes of transit, provided that the controller of the database or processing designates before the Supervisory Authority a representative with domicile and permanent residence in national territory for the purpose of complying with the obligations laid down by the said Act and by this regulation. Such designation shall not prevent legal actions that may be brought against the controller of the database or processing, nor diminish its liability as regards compliance with the obligations imposed by law or regulation.”

D. Basic principles of the Data Protection Act: grounds for lawfulness of processing

1. Preliminary remark

Although the principle of legitimacy (the grounds for lawfulness of processing) is not among the WP12 criteria, for the sake of completeness this report compares the grounds for lawfulness with those provided in the Directive. No conclusion on the adequacy of the protection of personal data in Uruguay can, however, be drawn on this basis.

2. The consent: main ground for lawfulness

Article 9 of the Act provides that “processing of personal data is lawful when the data subject has given his prior, free, express and informed consent, and there is recorded evidence of such consent.

Said consent together with any other statements made, shall be stated in an explicit and evident form. The person giving his/her consent shall have been previously notified of the information established in Section 12 of this Act.97”

Contrary to the European Directive, which puts the data subject’s consent on the same level as the other legitimating grounds,98 the Data Protection Act appears to give greater weight to the data subject’s consent. It is the main ground for the legitimacy of processing, while all the others are treated as secondary legitimating grounds.

Furthermore, the Act establishes a strong link between the data subject’s consent and the obligation of information, as stated in §2 of article 9. As we will see further,99 the obligation to inform the data subject applies only when the data subject’s consent is required.

97 Original text (translated): “Article 9: Principle of prior informed consent. The processing of personal data is lawful when the data subject has given his free, prior, express and informed consent, which must be documented. The said consent, when given together with other statements, must appear in an express and prominent form, after prior notification to the person from whom the data are requested of the information described in article 12 of this Act....”
98 See Article 7, Section II “Criteria for making data processing legitimate”, Chapter II of the European Directive.
99 Refer to “transparency principle”, p. 43

3. Other grounds for lawfulness

Other grounds for lawfulness of processing are set out in article 9.3 of the Data Protection Act. It provides that prior consent is not necessary when:

“A) The data are obtained from public sources of information, such as registers or publications in the media.

B) The data are gathered for the exercise of functions peculiar to the state powers or by virtue of a legal obligation.

C) The data consist of records, which in the case of natural persons, are restricted to information about the first and last name, national identity number, nationality, domicile and birth date. In the case of legal persons, the records are restricted to information about the business name, trade name, the tax identification number, domicile, telephone and the names of the people in charge of the entity.

D) The data arise from a contractual, scientific or professional relationship with the data subject and are necessary for the fulfillment or development of the said relationship.

E) The processing is carried out by natural or legal persons, private or public, for an exclusively personal or household use”.

As already mentioned, the data subject’s consent is not required when the data are taken from accessible public sources of information (exception A), since this information must be considered publicly available.

Exception B) appears to be in line with the cases envisaged in article 7 c) and e) of the Directive, referring to processing “necessary for compliance with a legal obligation to which the controller is subject” or “for the performance of a task carried out in the public interest or in the exercise of official authority”.

Exception C) of the Act does not correspond, as such, to any of the legitimate grounds of the Directive. It allows the collection of some ‘basic’ data concerning both natural and legal persons without their prior and informed consent. A similar provision can be found in the Argentinean Act, allowing the processing of some “basic data” concerning natural persons without their prior and express consent.100 The exemption should not apply, however, if any additional information is collected. Argentinean case law has developed a theory according to which, in the case of a transfer of such information to a third party, if the sender knows the meaning or logic behind the database (e.g. clients of a bank, clients of adult videos), the database must be considered to hold additional information,101 so that the exemption from the data subject’s consent requirement does not apply. Under this interpretation the collection of the data listed in exemption C) might not raise a major issue, but that presupposes that the Uruguayan courts adopt a similar (Argentinean) interpretation, which is not certain. It is thus worth underscoring that the Uruguayan Act allows a very easy way to process ‘basic’ data (which even includes the national identity number, the birth date and the nationality!) without any consent (and, as we will see further in our analysis, without even informing the data subject of the processing102). In practice, the impact of this provision can nevertheless be nuanced. It must be highlighted that the rest of the Act fully applies to the processing of these data, notably the purpose limitation principle, which still applies irrespective of the exception to the data subject’s consent. Furthermore, this legitimating ground will only apply to the collection of personal data subject to the Uruguayan Act, and consequently has little impact on the question at stake: the transfer of personal data from the EU to Uruguay.

100 Article 5§2 c) of the Argentinean Act provides (translated): “Consent shall not be necessary when: c) it concerns lists whose data are limited to name, national identity document, tax or social security identification, occupation, date of birth and domicile;”
101 The Argentinean case is “Salvador v. Citibank” (CNCom, Sala D, 22/11/2005, Salvador, Claudio v. Citibank, JA 2006-II-375, note by P. Palazzi). The case arose when Citibank sent a letter to all its customers informing them of its new privacy policy. The letter also provided a ten-day period to opt out of the sharing of the client’s personal information. A disgruntled client sued the bank seeking the confidentiality of his personal data. Judgment was rendered in his favour at first instance and by the court of appeals. The court held that it was not sufficient for the bank simply to allow its customers to opt out in order to use their personal data for purposes other than the initial purpose, the banking service. Because Article 5 of the Act requires express consent and because, under article 919 of the Civil Code, silence does not amount to consent, the controller’s marketing technique was held illegal. The bank’s defence also relied on section 5.2.c of the Act, which does not require consent for the use of names, domicile and other data. The Court of Appeals also shared the opinion of the Advocate General at the Commercial Court of Appeals, who argued that the use of that personal information for marketing purposes amounted to an infringement of the purpose limitation principle of the data protection act.

102 Please refer to the section dedicated to “the transparency principle”, “exception”, p. 48

Exception D) of the Act may be compared with article 7 b) of the Directive, which legitimates any processing of personal data when “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

Finally, exception E) refers to cases in which personal data are processed in the course of personal or household activities. For such purposes, natural persons are already excluded from the scope of application of the Act under article 3§2 A). The above-quoted exemption from the data subject’s consent is, however, extended to legal persons, whether public or private. This raises the question of what “personal or household activities” can mean in the case of a legal person. In our opinion, the provision is confusing and might open a gap in the scope of protection of the Act.

Finally, we note that not all the grounds for legitimate processing provided in the Directive are present in the Uruguayan Act. The Act does not address the case in which processing of personal data without the data subject’s consent may be “necessary to protect the vital interests of the data subject”.103 As we will see further, the Act does, however, provide an exemption from the data subject’s consent for the communication of health data “due to emergency reasons”.104 In this light, the absence of such a legitimate ground for processing appears to us to be an omission on the part of the legislator.

Nor does the Act refer to the “legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed”105 as a legitimate ground for processing without the data subject’s consent. Rather, the Act refers to legitimate interests when addressing the purpose limitation principle, as we will see below.

103 Article 7 d) of the Directive
104 See Article 17§2 B) of the Data Protection Act, discussed in “Transparency principle”, “exemptions to the obligation of information at the time of communication”, p. 46
105 Article 7 f) of the Directive

E. Content Principles

As mentioned earlier, the document on Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP12 5025/98, hereinafter “the WP12”) compiles a basic list of conditions which can be seen as the minimum requirement for protection to be adequate. This list contains content principles as well as conditions regarding procedural/enforcement mechanisms. The present chapter analyses the content principles (the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the rights of access, rectification and opposition, and the restrictions on onward transfers). Because the present report deals with adequacy and not equivalence (which would amount to European legal imperialism), the aim of the chapter is not to compare the principles with the wording of the European Directive, but rather to verify whether the Data Protection Act fulfils the conditions laid down in the WP12. A comparison with the European Directive is consequently made in only two circumstances:

- When the WP12 explicitly requires to do so (e.g.: verification of the conditions laid down in article 13 of the Directive), or

- When, in the course of our research, we determined that a more direct comparison with the Directive was needed in order to provide a correct analysis of the situation.

1. Purpose limitation principle

1.1. Definition of WP12

This principle provides that data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule would be those necessary in a democratic society on one of the grounds listed in article 13 of the Directive.106

1.2. Provisions of the Act

Article 8 of the Act, under the heading “Purpose principle” (“principio de finalidad”), provides that:

“Data subject to processing shall not be used for other purposes or incompatible purposes than those for which they were obtained. Data shall be deleted once they have become unnecessary or irrelevant for the purposes for which they were obtained.107”

Further, article 17, under the heading “data communication rights”, provides that:

“The personal data subject to processing shall only be communicated for the carrying out of the purposes directly related to the legitimate interests of the sender and the recipient, provided that the data subject has given his previous consent, who must be informed about the purpose of such communication and the identification of the recipient or elements that enable him to identify such recipient. The said previous consent to the communication of data shall be revocable.108”

It is to be highlighted that, while the Directive refers to the “legitimate interest of the controller” as a legitimate ground for processing,109 the Uruguayan Act instead invokes the legitimate interests of the controller to strengthen the purpose limitation principle. In article 17 of the Act, the legitimate interests of the sender and the recipient must be understood as a limitation on the further communication of personal data for incompatible purposes. Similar provisions can be found in the Spanish and Argentinean Acts.110

106 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 6.
107 Original text (translated): “Principle of purpose. Data subject to processing may not be used for purposes other than or incompatible with those which motivated their collection. Data must be deleted when they have ceased to be necessary or relevant to the purposes for which they were collected.”
108 Original text (translated): “Personal data subject to processing may only be communicated for the fulfilment of purposes directly related to the legitimate interest of the sender and of the recipient and with the prior consent of the data subject, who must be informed of the purpose of the communication and of the identity of the recipient or the elements which permit identifying it. Prior consent to the communication is revocable.”
109 Article 7 f) of the Directive: “Member states shall provide that personal data may be processed only if” the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).”

In addition, Article 30 lays down specific rules for the case in which the processing of personal data is outsourced to a third party.111

Article 30 of the Act provides that

“Where a third party provides personal data processing services, said data shall not be used for a purpose other than that defined in the work for hire contract, nor assigned to other persons to preserve the data or for any other reason.

Once the contractual obligation has been performed the processed data shall be destroyed, unless the party that requested the processing service expressly authorized otherwise because further engagements of the provider could reasonably be assumed, in which case the data may be kept for a maximum period of two years on condition that the required security measures are followed.112”

The principle according to which data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer is thus present in the Uruguayan Act.

1.3. Exemptions

Article 8§3 provides for exceptions to the purpose limitation principle:

“The regulation113 shall determine the cases and procedures in which, only as an exception and taking into consideration historical, statistical or scientific values and according to specific laws, retention of personal data shall continue even after the expiration of the said need or relevance.114”

110 See article 11 of the Spanish LOPDCP relating to “comunicación de datos” (translated): “Personal data subject to processing may only be communicated to a third party for the fulfilment of purposes directly related to the legitimate functions of the transferor and the transferee, with the prior consent of the data subject.”
111 This provision is based on Article 25 of the data protection law of Argentina.
112 Original text (translated): “Where personal data processing services are provided on behalf of third parties, those data may not be applied or used for a purpose other than that stated in the service contract, nor transferred to other persons, not even for their preservation. Once the contractual service has been performed, the personal data processed must be destroyed, unless there is express authorisation from the party on whose behalf the services were provided, where the possibility of further engagements can reasonably be presumed, in which case the data may be stored under due security conditions for a period of up to two years.”

In its original language, article 8 of the Act says: “La reglamentación determinará los casos y procedimientos … y de acuerdo con la legislación específica” (“The regulation shall determine the cases and procedures … and in accordance with the specific legislation”). Thus, the exceptions to the purpose limitation principle may originate in the implementing Decree to be adopted, but they remain bounded by the Act itself: they must be justified by historical, statistical or scientific values and must be consistent with the relevant “specific laws”.

The limitation related to historical, statistical and scientific values is in line with the EU Directive, which provides that: “Member States shall provide that personal data must be: … (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards”.115

Lastly, §4 of article 8 provides that “Exchange of data among databases shall not be permitted unless such exchange is authorized by Law or with the previous and informed consent of the data subject”.116

The Act prohibits, as a matter of principle, the exchange of data among databases. This provision reinforces the purpose limitation principle. The same provision, however, provides two exemptions from this rule: exchange of data among databases pursuing incompatible purposes is possible (1) when the data subject has given his prior and informed consent, or (2) when a law authorises it. In the first case there is no exemption from the purpose limitation principle, since the data subject’s consent has to be obtained; this case raises no issue. The second exemption, where a law authorises an exchange of data, might in practice lead to a derogation from the purpose limitation principle, which would be an issue. This view may nevertheless be nuanced, since the adoption of a law implies democratic debate in the General Assembly, which should act as the guarantor of the legitimacy of any derogation from the purpose principle.

113 The regulation or “reglamentación” is the decree to be enacted by the Executive Power.
114 Original text (translated): “The regulation shall determine the cases and procedures in which, by way of exception, and having regard to historical, statistical or scientific values, and in accordance with the specific legislation, personal data are retained even when such necessity or relevance has lapsed.”
115 Article 6§1 b) of the Directive
116 Original text (translated): “Nor may data be communicated between databases without a law or the prior informed consent of the data subject.”

2. Data quality and proportionality principle

2.1. Definition of WP12

This principle provides that data should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed.117

2.2. Provisions of the Act

According to Article 7 of the Act, “All personal data obtained for the purpose of being processed shall be accurate, adequate, equitable and not excessive with respect to the purpose for which they were obtained. Personal data shall not be obtained through unfair, fraudulent, abusive means or through any way which is contrary with the provisions of this Act.118”

Article 7 of the Act continues by providing that “Data shall be accurate and be updated when necessary.119”

Finally, it provides that “If any data are found to be inaccurate or false, the data controller, as soon as he has knowledge of the said circumstances, shall delete, replace or complete them with accurate, true and updated data. Also, any expired data in accordance with this Act shall be deleted.”120

117 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p.6.
118 Original text (translated): “Principle of truthfulness. Personal data collected for the purposes of processing must be truthful, adequate, fair and not excessive in relation to the purpose for which they were obtained. Data collection may not be carried out by unfair, fraudulent, abusive or extortionate means or in a manner contrary to the provisions of this Act.”
119 Original text (translated): “Data must be accurate and be updated where necessary.”
120 Original text (translated): “Where the inaccuracy or falsity of data is established, the controller, as soon as he becomes aware of those circumstances, must delete, replace or complete them with accurate, truthful and up-to-date data. Likewise, data that have expired in accordance with the provisions of this Act must be deleted.”

These principles may be enforced by the data subject at two stages: first, by requesting the data controller to update or rectify the information, as provided under article 15 of the Act, and second, by filing an action of habeas data against a data controller who does not update or rectify the personal data in question within the time allotted (Article 38 of the Act).

Consequently, the data quality principle and the proportionality principle are present in the Act.

3. Transparency principle

3.1. Definition of WP12

Under this principle, individuals should be provided with information as to the purpose of the processing and the identity of the data controller in the third country and other information insofar as this is necessary to ensure fairness. The only exemptions permitted should be in line with articles 11(2) and 13 of the Directive.121

3.2. Provisions of the Act

As regards the duty of information, the Data Protection Act does not, unlike the Directive, distinguish the collection of personal data from the data subject from the case where the information is not obtained directly from the data subject himself. Instead, the Act distinguishes the cases where consent is required from those where no consent is needed: information need only be provided in the former case. On this basis, the Act further distinguishes the obligation of information at the time of collection from the obligation to inform at the time of communication of the data to a recipient.

3.2.1 The obligation of information at the time of collection

As already mentioned, Article 9 of the Act provides that:

“Processing of personal data is lawful when the data subject has given his prior, free, express and informed consent, and there is recorded evidence of such consent. Said consent together with any other statements made, shall be stated in an explicit and evident form. The person giving consent shall have been previously notified of the information established in Section 12 of this Act.”

[Remark: Please note that the Act wrongly refers to Article 12 where it should refer to Article 13 (article 12 refers to the liability of the data controller, not to the information to be provided to the data subject).]

121 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p.6.

Article 13 of the Act provides that:

“Data subjects whose data are being collected shall be entitled to be previously notified in an express, accurate and clear way of:

A) The purpose for which the data are going to be processed and the recipients or classes of recipients to whom the data may be disclosed.

B) Whether data of which he is the data subject has been recorded in a data file, in electronic or other form, and the name and domicile of the person responsible therefore.

C) Whether the answers included in the submitted questionnaire are mandatory or facultative, especially with regards to sensitive data.

D) The consequences of providing the data or refusing to do so or of their inaccuracy.

E) The data subject’s rights of access, and of rectification and suppression of the data”.122

It is clear that, in accordance with articles 9 and 13 of the Act, when processing takes place on the basis of the data subject’s consent, that consent must be an “informed” one. This means that all the information referred to in article 13 of the Act must have been provided to the data subject beforehand. This obligation of information applies regardless of whether the personal data are obtained directly from the data subject or from third parties.

122 Original text (translated): “Right of information in respect of data collection. When personal data are collected, the data subjects must be informed beforehand in an express, precise and unequivocal manner of: A) The purpose for which they will be processed and who may be their recipients or class of recipients. B) The existence of the database, electronic or of any other type, concerned and the identity and domicile of its controller. C) The obligatory or optional nature of the answers to the questionnaire submitted to him, particularly as regards sensitive data. D) The consequences of providing the data and of refusing to do so, or of their inaccuracy. E) The possibility for the data subject to exercise the rights of access, rectification and deletion of the data.”

In turn, the obligation of information does not apply when the data subject’s consent is not required, that is to say in the cases envisaged in article 9§3. As one may notice, the Act establishes a close link between the data subject’s consent, conceived as the main legitimate ground for processing, and the obligation of information. On the basis of this close link, and in the light of the exemptions of article 17 analysed hereafter, it is clear that the obligation of information applies only when the data subject’s consent is required. The legal advisor of AGESIC confirmed this interpretation of the Act.123

3.2.2 Obligation of information at the time of communication

Article 17, under the heading “data communication rights” provides that:

“The personal data subject to processing shall only be communicated for the carrying out of the purposes directly related to the legitimate interests of the sender and the recipient, provided that the data subject has given his previous consent, whom must be informed about the purpose of such communication and the identification of the recipient or elements that enable him to identify such recipient. The said previous consent to the communication of data shall be revocable.”

As already mentioned, the principle of the data subject’s consent is conceived in the Act as the main ground for lawfulness of processing. It is thus provided that, before communicating personal data, the controller, if he has not already obtained the consent of the data subject, has to inform him beforehand about the purpose of the communication and the identity of the recipient in order to obtain the said consent. However, if the data subject had already been informed at the time of collection that his personal data could be communicated to “recipients or classes of recipients”,124 the obligation of information on the part of the sender is not required.

123 Telephone interview with the legal advisor of AGESIC, April 2009

3.3. Exemptions

3.3.1 At the time of communication

Article 17§3 provides several exemptions to the data subject’s consent requirement when communicating personal data to a recipient:

“The previous consent requirement shall not apply when: A) A general law so provides; B) The provisions set forth in Section 9 of this Act apply. C) The personal data consist of health data and their communication is necessary to safeguard public health or due to emergency reasons or for conducting epidemiological studies and provided that the identity of the data subject is kept confidential through adequate dissociation mechanisms; D) A dissociation procedure had been applied, which makes the data subject unidentifiable.”

In fact, the derogations from the data subject’s consent in cases of communication of personal data concerning him also constitute exemptions to the obligation of information about the purpose of the communication and the identity of the recipient enshrined in article 17§1. An in-depth analysis of those exemptions in the light of articles 13 and 11§2 of the Directive is thus required under this section.

Exception A), referring to cases of communication when “a general law so provides”, corresponds to the last part of article 11§2 of the Directive, covering cases where the “recording or disclosure is expressly laid down by law”.

Exception C), applicable to health data, envisages in fact three distinct situations, which could more rightly be compared with article 8§4 of the Directive.125 However, since the WP12 requires comparing the exemptions to the obligation of information with articles 11§2 and 13 of the Directive, one will follow this grid. First, the case in which the communication is “necessary to safeguard public health” can fall within the scope of the exemptions of either article 13 c)126 or g)127 of the Directive. Second, the case in which the communication is necessary “due to emergency reasons” appears to correspond to article 13 g) of the Directive, referring to the “protection of the data subject or of the rights and freedoms of others”. The third situation refers to a communication of data when necessary “for conducting epidemiological studies”. It is also provided that the health data shall undergo a process of dissociation. It is however not clear whether such a process of dissociation applies in all the cases. According to the DPA,128 the process of dissociation must be understood to apply in all these cases. In our opinion, this interpretation is not wholly satisfactory. Applying a process of dissociation to health data in cases of emergency or to safeguard public health does not always make sense. For instance, in cases of emergency where the vital interest of the data subject would be at stake, a process of dissociation would certainly not apply. Also, there can be cases in which safeguarding public health does not imply a dissociation of health data. Obviously, in the example of the emerging “Mexican flu”, governments and competent health authorities do process and communicate health data relating to individuals that would not necessarily be dissociated, and this with the aim of safeguarding public health. However, since it is clear that the process of dissociation applies in the case of epidemiological studies, the derogation from the obligation of information of the data subject does not raise any issue in this framework.

124 See Article 13 A) of the Data Protection Act

Exception D) does not call for specific comments. Obviously, when the personal data underwent a process of dissociation, they do not constitute personal data anymore and do not fall under the scope of the Act. As a consequence, the duty to inform the data subject about the communication of anonymous data does not apply.

125 Article 8§4 of the Directive is an exemption to the prohibition of processing of sensitive data: « Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in §2 either by national law or by decision of the supervisory authority »

126 « public security »

127 « the protection of the data subject or of the rights and freedoms of others. »

128 Answers of the newly created DPA in June 2009

Finally, it must be highlighted that the obligation of information does not apply in the cases envisaged in article 9 of the Act, as stated in exemption B), that is to say in the cases where the data subject’s consent is not required. Because the cases envisaged in article 9 derogate both from the obligation of information at the time of collection and at the time of communication, an in-depth analysis is provided hereunder.

3.3.2 At the time of collection or communication: when the data subject’s consent is not required

Due to the close link between the principle of the data subject’s consent and the duty of information, this duty only applies when the data subject’s consent is required. As a consequence, the exemptions to the data subject’s consent also constitute exemptions to the obligation of information and the cases envisaged in article 9§3 of the Act have to be analysed in the light of article 13 and 11§2 of the Directive.

As already mentioned, this article 9§3 provides that the previous and informed consent of the data subject is not required when:

“A) The data are obtained from public sources of information, such as registers or publications in the media.

B) The data are gathered for the exercise of functions peculiar to the state powers or by virtue of a legal obligation.

C) The data consist of records, which in the case of natural persons, are restricted to information about the first and last name, national identity number, nationality, domicile and birth date. In the case of legal persons, the records are restricted to information about the business name, fancy name, the tax identification number, domicile, telephone and the names of the people in charge of the entity.

D) The data arise from a contractual, scientific or professional relationship with the data subject and are necessary for the fulfillment or development of the said relationship.

E) The processing is carried out by natural or legal persons, private or public, for an exclusively personal or household use”.

The assessment of these exemptions in the light of articles 11§2 and 13 of the Directive is not easy, because they are originally conceived as exemptions to the data subject’s consent. One would rather try to assess to what extent they might derogate from the guarantee of a “fair processing in respect of the data subject”.129

Exception A) derives from the legitimacy of providing information to the public. In fact, one could consider that the data subject is already informed about the processing of personal data relating to him in those accessible public sources of information, because in most cases the data subject himself provided the said information (e.g. when the data subject enrols in the telephone directory or in other registries).

Exception B) referring to cases in which “ The data are gathered for the exercise of functions peculiar to the state powers or by virtue of a legal obligation” does not raise a big issue. It can be compared with the provisions of article 13 mostly relating to State specific powers and to article 11§2 for the cases where “ recording or disclosure is expressly laid down by law ”.

Exception C), allowing a controller to collect a set of data concerning natural or legal persons without informing them of the purpose of the processing, is problematic. Even if it is true that most of the data listed can be found in accessible public sources of information (exception A), the level of transparency guaranteed in those cases might be questioned. Since any information collected without the informed consent of the data subject on the basis of exception C) can also be further communicated to a recipient, and this, again, without informing the data subject, as stated in article 17§2, we identify a serious risk relating to the lack of control of the data subject over the personal data relating to him/her. These remarks can nevertheless be nuanced. As has already been mentioned,130 under Argentinean case-law, the meaning relating to a database made up on the basis of this provision is considered as ‘additional’ information (with respect to the ‘basic’ information referred to under C)). This implies the requirement to obtain the data subject’s consent and, thus, the obligation to inform him/her. Under this interpretation, since in many cases data could be obtained together with their meaning (e.g. the list of clients of a store, of a bank, of adult videos, …), the risks of lack of transparency should be narrowed. One should however wait and see whether such an Argentinean interpretation would be adopted in Uruguay.

129 Article 11§1 last alinéa of the Directive

130 See « Grounds for lawfulness of processing », p. 35

Concerning exception D), because the processing takes place in the framework of a contractual, scientific or professional relationship, we can consider that the data subject is aware of the processing (for contractual and professional relationship) and its purposes and that sufficient fairness as regards the data subject is guaranteed. As regards scientific purposes, one can compare the exemption with article 11§2 of the Directive.

Finally, exception E) is hardly justifiable. On the one hand, it provides an exemption for processing that is already excluded from the scope of the Act: the processing carried out by “natural persons for exclusively personal or household use”. On the other hand, we already noted the irrelevance of such an exemption when discussing the legitimacy of the processing. The same holds now when speaking about the exemption from the obligation of information for legal persons.

To conclude, these exemptions cannot be considered to fully comply with the requirements of the WP12. In our opinion, while they might weaken the level of transparency in this respect, one should note that a certain level of fairness is nevertheless guaranteed.

3.3.3 Exemption to the public sector

Article 27 of the Act provides a general exemption to the obligation of information in the cases of public databases. It provides that “ The provisions provided in this Act shall not apply when the information of the data subject may affect national defense, public safety or the prosecution of criminal offenses ”. This article of the Act appears in accordance with article 13 of the EU directive.

4. Security principle

4.1. Definition of WP12

This principle provides that technical and organizational security measures that are appropriate to the risks presented by the processing should be taken by the data controller. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.131

4.2. Provisions of the Act

Article 10 of the Act provides that:

“The controller or user must adopt the necessary measures to ensure the security and confidentiality of all personal data. Said measures shall be aimed at avoiding any alteration, loss or unauthorized access or processing of information, and at detecting any deviations thereof whether intentional or not, and regardless of whether the risks were caused by human action or the technology used.

All data must be stored in a way that allows the data subjects to exercise their right of access.

It is hereby forbidden to record personal data in databases that do not meet the integrity and security technical requirements” 132 .

The wording of section 10 of the Act is very similar to the one contained in the Argentinean Data Protection Act 133 .

In addition, Article 11§1 of the Act refers to confidentiality measures. It provides that:

“Any natural or legal person that lawfully obtains access to information which can be processed must use it preserving its confidentiality and exclusively for carrying out his ordinary business activities, and shall not disclose said information to third parties”.134

131 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 6.

132 Principio de seguridad de los datos.- El responsable o usuario de la base de datos debe adoptar las medidas que resultaren necesarias para garantizar la seguridad y confidencialidad de los datos personales. Dichas medidas tendrán por objeto evitar su adulteración, pérdida, consulta o tratamiento no autorizado, así como detectar desviaciones de información, intencionales o no, ya sea que los riesgos provengan de la acción humana o del medio técnico utilizado. Los datos deberán ser almacenados de modo que permitan el ejercicio del derecho de acceso de su titular. Queda prohibido registrar datos personales en bases de datos que no reúnan condiciones técnicas de integridad y seguridad.

133 Under Article 9 (1) of the Argentinean Data Protection Act “The person responsible for or the user of data files must take such technical and organizational measures as are necessary to guarantee the security and confidentiality of personal data, in order to avoid their alteration, loss, unauthorized consultation or processing, and which allow for the detection of any intentional or unintentional distortion of such information, whether the risks arise from human conduct or the technical means used”. The Act provides that “it is prohibited to record personal data in files, registers or banks that do not meet the requirements of technical integrity and security” (Article 9 (2) of the Act).

Confidentiality is also mandatory for employees and consultants. They can be sanctioned under criminal law if they wilfully infringe this duty of secrecy. Article 11§2 of the Act provides that:

“Any person that, by virtue of a labor relationship or any other kind of relationship with the controller, accesses or participates at any stage in the processing of personal data, shall have a professional secrecy duty (pursuant to section 302 of the Criminal Code) if the data were obtained from non accessible public sources. This obligation shall not apply in the case a warrant has been granted by a competent court, in accordance with the applicable law or if the data subject has given his consent ”135 .

The Act provides that the confidentiality duty “ shall survive after the termination of the relationship with the controller ” according to article 11§3 of the Act.

Article 20 of the Act, under the heading of “Data protection in telecommunications activities”, provides that “ Telecommunications operators that operate public networks or provide electronic communications services to the public shall guarantee the protection of personal data in the carrying out of their activities in accordance with this Act ”.

Article 20§2 of the Act adds that:

“They shall also adopt appropriate technical and management measures to preserve safety in the network operation activities and services in order to meet the standards of personal data protection required by this Act and the related rules on the subject. In the event of a detected risk of security breach on an electronic communications public network, the operator that operates or that provides services through that network shall inform the customers of said risk and the measures to be adopted”.

134 Principio de reserva.- Aquellas personas físicas o jurídicas que obtuvieren legítimamente información proveniente de una base de datos que les brinde tratamiento, están obligadas a utilizarla en forma reservada y exclusivamente para las operaciones habituales de su giro o actividad, estando prohibida toda difusión de la misma a terceros.

135 Las personas que, por su situación laboral u otra forma de relación con el responsable de una base de datos, tuvieren acceso o intervengan en cualquier fase del tratamiento de datos personales, están obligadas a guardar estricto secreto profesional sobre los mismos (artículo 302 del Código Penal), cuando hayan sido recogidos de fuentes no accesibles al público. Lo previsto no será de aplicación en los casos de orden de la Justicia competente, de acuerdo con las normas vigentes en esta materia o si mediare consentimiento del titular.

This provision is based on article 4.2 of the E-Privacy Directive (EU Directive 2002/58 on Privacy and Electronic Communications) that provides that “ In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved .”

A further elaboration of the security principle can be found in the criminal provisions of the Criminal Code. Wilful personal data breaches are considered a criminal offence in Uruguay (as opposed to those produced by negligence). Under section 302 of the Criminal Code,136 there is a monetary penalty for anyone who, without cause, reveals secrets that have come to his knowledge because of his profession, employment or commission. Uruguay has a longstanding tradition of bank secrecy in Latin America and this provision has been strongly enforced in the past with respect to financial entities.

Finally, the guarantee that personal data shall only be processed under the instructions of the controller flows from the definition of the “processor” as “any natural or legal person, public or private that, either alone or jointly with other persons, processes personal data on behalf of the controller”, and the definition of the “third party” as “a natural or legal person, public or private, other than the data subject, the controller, the processor or any other person authorized to process data under the direct authority of the controller or the processor.”

The security and confidentiality principle is present in the Act.

136 Article 302 (Revelación de secreto profesional) “El que, sin justa causa, revelare secretos que hubieran llegado a su conocimiento, en virtud de su profesión, empleo o comisión, será castigado, cuando el hecho causare perjuicio, con multa de 100 U.R. (cien unidades reajustables) a 600 U.R. (seiscientas unidades reajustables)”.

5. Right of access, rectification and opposition

5.1. Definition of WP12

This principle provides that “the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her. The only exemptions to these rights should be in line with Article 13 of the EU Directive”.137

5.2. Provisions of the Act

5.2.1 Right of access

Under Article 14 of the Act: “The data subject is entitled to access any of his information recorded in public or private databases upon evidencing his identity through the national identity document or a relevant power. This right of access may only be exercised free of charge once every six months, unless, according to law, there is a legitimate new interest to request access ”138 .

The right of access to personal information can be exercised at no cost once every six months. It is however possible to request another access within this period if the data subject justifies a new legitimate interest in accessing his/her data, for example if there has been a change in the information in the last 3 months. If there is no legitimate reason, the data subject is still entitled to exercise his right of access, but the data controller may charge him/her a fee.

Accessing personal data is however not restricted to the data subject himself. In some circumstances other people have standing to exercise this right. The Act provides that: “In the case of deceased persons, their general heirs shall be entitled to exercise the right stated in this Section, upon evidencing such character by presenting the determination of the decedent’s heirs ruled by the court” (article 14.2 of the Act).139

137 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 6.

138 Derecho de acceso.- Todo titular de datos personales que previamente acredite su identificación con el documento de identidad o poder respectivo, tendrá derecho a obtener toda la información que sobre sí mismo se halle en bases de datos públicas o privadas. Este derecho de acceso sólo podrá ser ejercido en forma gratuita a intervalos de seis meses, salvo que se hubiere suscitado nuevamente un interés legítimo de acuerdo con el ordenamiento jurídico.

This provision originates from the Argentinean Data Protection Act and the leading case of the Supreme Court of Argentina that recognized data protection rights to the relatives of a deceased (or missing) data subject.140

Article 14.2 of the Act further provides that: “The information shall be provided within five working days upon the reception of the information request. If after this period, the person responsible for the data fails or refuses to provide the requested information on grounds that are not in accordance with this Act, the applicant may file a habeas data action in court 141 ”.

In Uruguay, the person in charge consequently has to act rapidly on receipt of an access request. One should note that the prior exercise of the right of access by the data subject is a prerequisite for filing a court action.

139 Cuando se trate de datos de personas fallecidas, el ejercicio del derecho al cual refiere este artículo, corresponderá a cualesquiera de sus sucesores universales, cuyo carácter se acreditará por la sentencia de declaratoria de herederos.

140 The Supreme Court of Argentina considered that the brother of a “missing person” during the military regime had the right to sue the government to request information about the fate of his relative. In “Urteaga v. Estado Nacional”, the Supreme Court allowed an individual to access personal information about his brother who disappeared during the military government, presumably in an armed conflict. The lower court dismissed the action of habeas data for lack of standing. The Court of Appeal reasoned that habeas data grants access only to personal information, and the claimant was trying to access data related to a third person. However, the Supreme Court reversed this ruling. The core of the judgment indicated an expanding approach to the interpretation of habeas data, granting a wide right of access to personal information.

141 La información debe ser proporcionada dentro de los cinco días hábiles de haber sido solicitada. Vencido el plazo sin que el pedido sea satisfecho o si fuera denegado por razones no justificadas de acuerdo con esta ley, quedará habilitada la acción de habeas data.

The Act (article 14.3 and 4) also provides that: “The information must be provided in a clear way, without any codes and, where applicable, enclosing an explanation thereof, in layman’s language”142 and that “The information must be extensive and must concern the complete record corresponding to the data subject, even if the request refers to only one item of personal data. In no case shall the report disclose information corresponding to third parties, even if such third parties are related to the requesting party. The information may, at the data subject's option, be provided in writing, by electronic, telephonic, visual, or other means that are appropriate for such purpose”.143

The intention of the lawmakers was to have an effective right of access. Therefore, the data controller cannot use codes or other data that may render the right of access incomprehensible. Also, to provide more flexibility, the Act allows the personal information requested to be communicated by any medium.

5.2.2 Right of rectification and deletion

The exercise of the rights of rectification and deletion is governed by the same provisions of the Data Protection Act. There is no general right of opposition as such in the Uruguayan system, except in the matter of direct marketing.144 However, we will see that the right of deletion, as conceived in the Act, constitutes a fair alternative to the right of opposition.

Article 15 of the Act under the heading of “Rectification, updating, inclusion or deletion right” provides that “ Every natural or legal person has the right to request the rectification, updating, inclusion or deletion of personal data stored in databases if an error or falsehood or exclusion is noticed 145 ”.

142 La información debe ser suministrada en forma clara, exenta de codificaciones y en su caso acompañada de una explicación, en lenguaje accesible al conocimiento medio de la población, de los términos que se utilicen.

143 La información debe ser amplia y versar sobre la totalidad del registro perteneciente al titular, aun cuando el requerimiento sólo comprenda un aspecto de los datos personales. En ningún caso el informe podrá revelar datos pertenecientes a terceros, aun cuando se vinculen con el interesado.

144 Please refer to « Additional Principles », « Direct Marketing », p. 69

145 Derecho de rectificación, actualización, inclusión o supresión.- Toda persona física o jurídica tendrá derecho a solicitar la rectificación, actualización, inclusión o supresión de los datos personales que le corresponda incluidos en una base de datos, al constatarse error o falsedad o exclusión en la información de la que es titular.

The controller shall have to act on this request within five business days. He may however, where applicable, notify the data subject of the reasons why he would not accept the said request.146

Again, if the Controller does not comply with his obligation within the defined timeframe, the data subject is entitled to initiate a habeas data action, as prescribed in Article 15.3 of the Act.

Finally, paragraphs 5 and 6 of article 15 of the Act provide that:

“During a process of verification, rectification or inclusion of personal data, the data controller shall inform any third parties requesting reports on such data that the data are being revised.

The data controller shall notify to third parties to whom the data have been disclosed of the rectification, inclusion or deletion within five business days as from the day the data was processed 147 ”.

The rectification, updating, inclusion or deletion of personal data has to be done at no cost for the data subject (article 15 paragraph 5 of the Act).

There is also a specific provision about access to personal data for marketing data (article 21 of the Act). We will come back to this when specifically dealing with this subject.

146 Article 15 §2 of the Act

147 Durante el proceso de verificación, rectificación o inclusión de datos personales, el responsable de la base de datos o tratamiento, ante el requerimiento de terceros por acceder a informes sobre los mismos, deberá dejar constancia que dicha información se encuentra sometida a revisión. En el supuesto de comunicación o transferencia de datos, el responsable de la base de datos o del tratamiento debe notificar la rectificación, inclusión o supresión al destinatario dentro del quinto día hábil de efectuado el tratamiento del dato.

5.3. Exemptions

5.3.1 Exemptions to the right of deletion whether in the public or private sector

Although the WP12 does not deal with the right of deletion, we will nevertheless provide a short analysis of these exemptions, since the right of deletion can be seen as an alternative to the right to object.

The Act provides in Article 15§ 4, that:

“Elimination or suppression of personal data shall not apply, except if (‘ No procede la eliminación o supresión de datos personales salvo en aquellos casos de’ ):

A) Legitimate rights or interests of third parties could be affected;

B) There is an evident error or falseness;

C) Doing so would mean non compliance with a legal obligation 148 ”

The way article 15§4 is written is dubious and definitely lacks clarity due to the use of a double negative (‘no… salvo…’; ‘not… except if…’). We are of the opinion that the article should be interpreted as an exception to the right of deletion, and should thus be understood as follows: “The controller should not proceed to the suppression of the data when: A) legitimate rights or interests of third parties could be affected; B) there is an evident error or falseness; C) the suppression would contravene a legal obligation.”

From then on, exceptions A) and C) appear to be based on article 16.5 of the Data Protection law of Argentina, which provides that “Such suppression must not be effected in the event it could cause harm to the rights or legitimate interests of third parties, or there exists a legal obligation to preserve such data”.149 These exemptions do not override the rights of the data subjects. However, exception B), referring to cases of “evident error or falseness”, is disconcerting. Would this mean that the data subject is not entitled to exercise his right of deletion when the data concerning him are shown to be inaccurate? Such an interpretation would not make any sense. In our opinion, it should be understood that the data would not have to be deleted if the request to delete the data is manifestly erroneous or false.

148 ”No procede la eliminación o supresión de datos personales salvo en aquellos casos de: A) perjuicios a los derechos e intereses legítimos de terceros B) notorio error o falsedad C) contravención a la establecido por una obligación legal”

149 In its original language: “La supresión no procede cuando pudiese causar perjuicios a derechos o intereses legítimos de terceros, o cuando existiera una obligación legal de conservar los datos”

5.3.2 Exemptions to the rights of access, rectification and deletion in the public sector

Article 26 of the Act allows restrictions to the right of access, rectification or deletion of personal data held by the public sector:

“The controller of any database which includes the data described in paragraphs two and three of the previous section can deny the right of access, rectification or suppression based on the ensuing perils that could affect State defence or public security , the protection of rights and freedoms of third parties or the needs of the investigations carrying out at this time.” These restrictions to the data subjects’ rights are respectively in line with article 13b), c), g) and d) 150 of the Directive.

The next paragraph of article 26 provides: “The controller of government databases may likewise deny the rights described in the previous paragraph where granting said right may hinder administrative actions to ensure compliance with tax obligations, and where the data subject is subject to an inspection proceeding.” This exemption falls within the scope of the restrictions provided in article 13 e) 151 of the Directive.

Finally, article 26 provides that “ The data subject to whom the exercise of the above mentioned rights is totally or partially denied may present the case to the Controlling Authority, that shall decide on the applicability or not thereof.”

150 “Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard: (b) defence; (c) public security; (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; (g) the protection of the data subject or of the rights and freedoms of others.”
151 “(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters”

6. Restrictions on onward transfers

6.1. Definition of WP12

“Further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the Directive” 152.

6.2. Provisions of the Act

According to Article 23 of the Act:

“It is hereby forbidden to transfer personal data of any kind to countries or international organizations that do not provide adequate levels of protection in accordance with International and Regional Law standards with respect to this subject 153 ”.

The Act has put in place a ban on international transfers toward countries or organizations that would not provide an adequate level of protection. But instead of measuring adequacy in the light of the Data Protection Act of Uruguay, it measures it against “International and Regional Law standards”. We understand that the intention of the drafters of the Act was to subject the transfers to a higher standard, including not only the local law but also international parameters such as the current international instruments (U.N. Guidelines, Council of Europe Convention, EU Directive). In addition, having in mind a future regulation in the Mercosur regional agreement 154, the Act mentions Regional Law as another standard by which to measure adequacy.

152 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 6.
153 Se prohíbe la transferencia de datos personales de cualquier tipo con países u organismos internacionales que no proporcionen niveles de protección adecuados de acuerdo a los estándares del Derecho Internacional o Regional en la materia.
154 The Common Market of the South (MERCOSUR or Mercado Común del Sur) is a multilateral agreement on trade, including agricultural trade, between Argentina, Brazil, Paraguay and Uruguay. The agreement was signed in 1991 and came into effect on 1 January 1995. Its main goal was to create a customs union between the four countries by 2006. Lately Mercosur has been enacting common legislation in other fields like consumer protection and intellectual property. Talks are also advancing on data protection matters, and the fact that Uruguay and Argentina have advanced data protection laws may be an impulse for the rest of the members to legislate.

One must bear in mind that “International and Regional Law standards” also include the Data Protection Act of Uruguay and all its future regulations. Thus, in the end, an adequacy assessment shall be performed by the Data Protection Authority by comparing the destination country’s legal system with the Data Protection Act of Uruguay 155. It has been confirmed to us that the Executive Council of the DPA shall adopt a resolution establishing that “adequate countries” would be those providing a specific law and the means to ensure its application, including EU countries and those that have been declared adequate by the EU Commission if they comply with the aforementioned requirements 156. In this framework, it is possible that Uruguay will constitute its own “white list” of adequate destinations. Whether this list will coincide with that of the EU is an issue that merits further observation and assessment in the near future. At this stage, it is however difficult to anticipate how the DPA will use its margin of appreciation on this question.

6.3. Exemptions

The second paragraph of article 23 provides that “the aforementioned prohibition shall not apply in any of the following cases:

1) International judicial cooperation, in accordance with the respective international instrument, Treaty or Agreement, considering the case’s special circumstances.

2) Exchange of medical data, when it is required to treat a person on public health or hygiene reasons.

3) Bank or brokerage transfers, with respect to the respective transactions and in accordance with the applicable law.

4) Agreements entered into by the Republic of Uruguay by virtue of an international treaty to which it is a party.

5) International cooperation between intelligence agencies in the fight against organized crime, terrorism and drug trafficking”

155 Interview with legal advisor for AGESIC, April 2009.
156 Answers of the DPA, June 2009.

For the purpose of assessing these exemptions, we will refer to article 26§1 of the Directive, as recommended in WP12 and further interpreted in WP114 157.

The first exemption of article 23 can be compared with article 26§1 d) of the Directive, which allows the transfer of personal data for “the establishment, exercise or defense of legal claims.”

Exception 2) is comparable to article 26§1 e) of the Directive, which provides the possibility to transfer personal data toward a country that would not ensure an adequate level of protection when “necessary to protect the vital interest of the data subject”. Indeed, the Act envisages the case of transfer “when it is required to treat a person”. In our opinion, this exemption does not go beyond the transfer of personal data in the event of a medical emergency 158.

Exception 3), referring to bank or brokerage transfers, is not directly tackled by the Directive. Such transfers could fall within the scope of the exemptions of article 26§1 a) 159, b) 160 or c) 161, thus requiring the existence of a contract or the consent of the data subject.

Exception 4) may be compared with exemption 26§1 d) of the Directive, which covers the case where “the transfer is necessary or legally required on important public interest” grounds. Transfers of personal data for compliance with international agreements to which Uruguay is a party could fall, in our opinion, within the scope of an “important public interest” in the sense of the Directive.

Finally, exception 5), concerning the transfer of personal data between intelligence agencies in the fight against organized crime, terrorism and drug trafficking, does not correspond, as such, to any of the exemptions of article 26§1 of the Directive. It is however worth recalling that the Directive does not cover third pillar matters, and that article 3§2 B) of the Act already excludes from its scope of application the processing of personal data by intelligence agencies in these matters, which obviously fall outside the scope of protection of the Act.

157 WP114, Working Document on a common interpretation of article 26(1) of Directive 95/46 of 24 October 1995, adopted on 25 November 2005.
158 WP114, “Transfer necessary to protect the vital interest of the data subject (article 26(1) e))”, p. 15.
159 “the data subject has given his consent unambiguously to the proposed transfer”
160 “the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre contractual measures taken in response to the data subject’s request”
161 “the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party”

The derogations provided in article 23§2 of the Act, numbered 1 to 5, are clearly based on the Data Protection Act of Argentina 162. One should note that these are not the only accepted derogations. In line with the aim of obtaining EU adequacy, the legislator finally added another set of derogations that is an exact copy of Article 26§1 of the EU Directive 163, identified with capital letters A to F.

Indeed, under Article 23§3 of the Act one finds the following text:

“International transfer of data is also authorized on condition that: (A) the data subject has given his consent unambiguously to the proposed transfer; or (B) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or (C) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or (D) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or (E) the transfer is necessary in order to protect the vital interests of the data subject; or (F) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case”.

162 See section 12 of the Argentinean Law; exceptions are provided for: “a) International judicial collaboration; b) Exchange of data of a medical nature, when required for treatment of the person affected or epidemiological research, to the extent that it is carried out using a dissociated procedure; c) Bank or securities exchange transfers, in matters relating to the respective transactions and in accordance with the law applicable thereto; d) When the transfer has been agreed to within the framework of international treaties to which the Argentinean Republic is a party; e) When the purpose of the transfer is international cooperation between or among intelligence organizations in the fight against organized crime, terrorism or narcotics trafficking”.
163 The first set of exemptions was based on the Argentinean data protection act and included in the original bill sent by the Executive Power to the General Assembly. The second set was introduced in the Senate to be sure to have an adequate protection in this regard. The two sets of exceptions were unfortunately, by an obvious error of the legislator, not reconciled before adopting the text, hence this strange result.

WP12 indicates that: “The only exceptions permitted should be in line with Article 26(1) of the directive” 164. Because the derogations of the Data Protection Act (article 23§3, items A to F) are identical to article 26(1) of the EU Directive, this set of exemptions of the Data Protection Act of Uruguay must, in this respect, be considered in conformity with WP12. One should however note that, since the Act was enacted recently, there are currently no guidelines about how these exceptions should be interpreted and applied. It is likely that the Authority will take into consideration the guidelines of Chapter 5 of WP12 165 or WP114 on a common interpretation of article 26(1) of the Directive.

6.4. Relation between the two sets of exemptions

Although the first set of exemptions might be in line with article 26§1 of the Directive, we identify an issue concerning the relationship between the two sets of exemptions.

As explained, the first set of derogations was taken from the data protection act of Argentina (section 12). However, in its opinion about the adequacy of the Argentinean data protection system 166, the Working Party considered that some exceptions were broader than those provided by the Directive, in particular the exceptions referring to “bank or securities exchange transfers” and to cases “when the transfer has been agreed to within the framework of international treaties”, respectively provided in section 12 c) and d) of the Argentinean Act. These provisions are comparable with the third and fourth exemptions of article 23§2 of the Uruguayan Act. The Working Party in its WP63 opinion encouraged the Argentinean Government to narrow these exceptions, something that has not been done yet. In the light of this previous opinion of the Working Party, one can assert that article 23§2 of the Act contains several exceptions to the ban on international transfers that might go beyond the scope of the exemptions of article 26§1 of the Directive.

164 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 6.
165 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 24-25.
166 Opinion 4/2002 on adequate level of protection of personal data in Argentina (WP 63, 2002), p. 11 (hereinafter the “WP 63 document”).

Furthermore, and this is our main concern, the existence of both sets of exemptions involves a lack of clarity and a lack of legal certainty. Some exemptions are even obviously covered twice (e.g. in case of medical emergency, a transfer of medical data could equally be based on article 23§2 exception 2) or on article 23§3 exception E)). Because both sets of exceptions are included in the Act, the DPA may have to apply both or decide whether they overlap. Contrary to the first set of exemptions, the exceptions of the third paragraph are drafted to apply on a case-by-case basis, requiring a “necessity test”, and are totally compatible with EU law. The existence of two sets of exemptions necessarily involves a risk of broadening the cases of transfers of personal data toward non-adequate destinations.

6.5. Adequate safeguards

Finally, Article 23, fourth paragraph of the Act also provides that:

“Without prejudice to paragraph 1 herein, the Personal Data Regulatory, Protection and Controlling Authority may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with regards to the exercise of the corresponding rights. Such safeguards may arise from appropriate contractual clauses ”.

This provision is designed to allow the controller to compensate for the lack of protection in a third country by imposing appropriate safeguards. The provision is in accordance with article 26.2 of the EU Directive. It may allow companies and citizens of Uruguay to establish contractual arrangements that provide safeguards for international transfers of personal data to destinations that do not provide an adequate level of protection of personal data.

However, as explained in WP12: “A contractual solution must encompass all the basic data protection principles and provide means by which the principles can be enforced” 167.

Therefore, it would be important to determine how the Data Protection Authority would scrutinize these agreements. A guideline is provided in the final part of Article 23 of the Act: the Authority may authorize these transfers if “the controller adduces (and demonstrates) adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with regards to the exercise of the corresponding rights”.

Unlike the Directive, the Act gives no explanation of how the adequacy of third countries will be assessed and who will decide this matter. However, it is clear that because the final part of Article 23 of the Act empowers the Data Protection Authority to authorize a transfer or a set of transfers, it shall be the controlling body itself that may decide which country is adequate and how to reach such a conclusion. The government has delegated all these technical matters to the Data Protection Agency.

F. Additional principles to be applied to specific types of processing

Additional principles to be applied to specific types of processing are related to sensitive data, direct marketing and automated individual decisions.

1. Sensitive data

1.1. Definition of WP12

“When sensitive categories of data are involved 168, additional safeguards should be in place, such as a requirement that the data subject gives his/her explicit consent for the processing” 169.

167 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 23.

1.2. Provisions of the Act

Article 4 E) of the Act defines “sensitive data” as “personal data revealing the racial and ethnic origin, political opinions, religious or moral beliefs, trade-union membership or information relating to health or sex life”. The notion is similar to the one contained in the EU Directive (article 8).

The Act contains a special provision dealing with sensitive data. Article 18 is located in Title IV of the Act under the heading “ Specially protected data ”. This Title of the Act includes also special rules for other kinds of data like credit reporting, telecommunications or marketing activities.

Article 18 of the Act provides for additional safeguards for the processing of this kind of data: “No person shall be compelled to provide sensitive data. Sensitive data may be subject to processing if the data subject has given his express and written consent 170 ”.

Further protection is available when the Act states that: “Sensitive data shall only be collected and subject to processing on general interest grounds authorized by Law, or when the requesting organism is legally empowered to do so. Said data may also be processed for statistical or scientific purposes provided they are dissociated from the data subjects. 171 ” (article 18, paragraph 3 of the Act).

We can notice – even if it is not a matter of adequacy – that while the Directive, in its article 8§4, refers to the processing of sensitive data “ for reasons of substantial public interests ”, the Act only refers to “ general interest grounds ”.

The Act however contains some exceptions to these rules:

“Said prohibition shall not apply to political parties, unions, churches, religious organizations, associations, foundations and non-profit institutions with a political, religious, philosophical, or trade-union aim and on condition that the processing relates solely to the members of such body and that the data are not disclosed to a third party without the prior consent of the data subject 172”.

168 Those listed in Article 8 of the Directive: “…personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”.
169 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.
170 Ninguna persona puede ser obligada a proporcionar datos sensibles. Éstos sólo podrán ser objeto de tratamiento con el consentimiento expreso y escrito del titular.
171 Queda prohibida la formación de bases de datos que almacenen información que directa o indirectamente revele datos sensibles.

These exceptions are in accordance with article 8§2 d) of the EU Directive which states that “…processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects ”.

Finally Article 18 of the Act provides that: “Processing of data relating to criminal or civil offences, or the violation of any regulations, may be carried out only by the competent government authority, in accordance with the applicable laws and regulations, provided however that further authorizations may be granted at any time by law. No provision established herein shall imply a prohibition to make public the identity of any individual or legal entity under investigation for committing any contravention contrary to applicable law by government authorities, if other rules so provide or if said authorities deem it appropriate 173 ”.

172 Se exceptúan aquellos que posean los partidos políticos, sindicatos, iglesias, confesiones religiosas, asociaciones, fundaciones y otras entidades sin fines de lucro, cuya finalidad sea política, religiosa, filosófica, sindical, que hagan referencia al origen racial o étnico, a la salud y a la vida sexual, en cuanto a los datos relativos a sus asociados o miembros, sin perjuicio que la comunicación de dichos datos precisará siempre el previo consentimiento del titular del dato.
173 Los datos personales relativos a la comisión de infracciones penales, civiles o administrativas sólo pueden ser objeto de tratamiento por parte de las autoridades públicas competentes, en el marco de las leyes y reglamentaciones respectivas, sin perjuicio de las autorizaciones que la ley otorga u otorgare. Nada de lo establecido en esta ley impedirá a las autoridades públicas comunicar o hacer pública la identidad de las personas físicas o jurídicas que estén siendo investigadas por, o hayan cometido, infracciones a la normativa vigente, en los casos en que otras normas lo impongan o en los que lo consideren conveniente.

Furthermore, Article 19 of the Act provides that “Public and private health care institutions and health care professionals may collect and process private data related to the physical and mental health of the patients that request treatment or are or have been under treatment at those institutions, in accordance with the professional secrecy duty, the specific rules and the provisions set forth herein 174”.

Health data can be considered sensitive data. The provision of Article 19 therefore reinforces the protection the Act affords to such data.

The Act provides fewer exceptions than the EU Directive for the processing of personal data (not all of the exceptions provided in article 8.2 of the EU Directive are reproduced). In that sense, the Data Protection Act of Uruguay is stricter than the EU Directive.

The main provision of the Directive is included in the Act. However, the Act makes no reference to the conditions under which a national identification number (or any other identifier of general application) may be processed 175.

2. Direct marketing

2.1. Definition of WP12

When data are transferred for the purpose of direct marketing, the data subject should be able to ‘opt-out’ at any stage from having his/her data used for such purposes 176.

2.2. Provisions of the Act

Opt-out rules are found in the Act. Article 21 of the Act provides as follows:

“In the collection of addresses, and delivery of documents, advertising, sales or other similar activities, processing of data may be carried out in such a way as to allow to define specific profiles for promotional, commercial or marketing purposes; or to define consumer habits, when the data is available in accessible public documents or has been provided by the data subjects or obtained with the data subject’s consent 177”.

174 Los establecimientos sanitarios públicos o privados y los profesionales vinculados a las ciencias de la salud pueden recolectar y tratar los datos personales relativos a la salud física o mental de los pacientes que acudan a los mismos o que estén o hubieren estado bajo tratamiento de aquéllos, respetando los principios del secreto profesional, la normativa específica y lo establecido en la presente ley.
175 Article 8.7 of the EU Directive provides that “Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed”.
176 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.

The Act provides the following rights to the data subject: “In the cases set forth in this section, the data subject may exercise the right of access free of charge. The data subject may at any time request the suppression or blocking of his data from the data banks referred to herein”.

Thus under the Act individuals have a right to opt out from marketing activities, and this at any stage.

3. Automated individual decisions

3.1. Definition of WP12

This principle provides that where the purpose of the transfer is to take an automated decision in the sense of Article 15 of the Directive, the individual should have the right to know the logic involved in this decision, and other measures should be taken to safeguard the individual’s legitimate interest 178.

3.2. Provisions of the Act

In particular, Article 16 of the Act provides as follows: “Any person is entitled to ensure that no decision having legal effects and which significantly affects him/her is taken on the basis of a processing of personal data whether or not by automatic means for the purpose of evaluating some aspects of his/her personality, such as, among others, his performance at work, his creditworthiness, his reliability or his conduct.

The said individual shall be allowed to object to any administrative act or private decisions which imply an assessment of his/her behavior and which is solely based on a processing of personal data that defines said individual’s profile or personality.

In such a case, the individual shall be entitled to be informed by the person responsible for the database of the assessment criteria and the program used for processing the data on which the taken decision was based.

Any individual’s behavior assessment based on the processing of data shall be invalid for purposes of evidence unless it is requested so by the concerned individual 179”.

177 En la recopilación de domicilios, reparto de documentos, publicidad, venta u otras actividades análogas, se podrán tratar datos que sean aptos para establecer perfiles determinados con fines promocionales, comerciales o publicitarios; o permitan establecer hábitos de consumo, cuando éstos figuren en documentos accesibles al público o hayan sido facilitados por los propios titulares u obtenidos con su consentimiento.
178 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.

As can be seen, this provision may be applied to both the private and the public sector. It also provides additional rights not contained in the EU Directive, such as the one set out in the last paragraph of article 16 of the Act: the Act does not allow the use of such data as evidence unless the data subject requests it.

It is however surprising that Article 16 applies to non-automatic means of processing. In those cases, we cannot talk about automated individual decisions anymore. This is probably a mistake of the Uruguayan Legislator.

179 Las personas tienen derecho a no verse sometidas a una decisión con efectos jurídicos que les afecte de manera significativa, que se base en un tratamiento automatizado o no de datos destinado a evaluar determinados aspectos de su personalidad, como su rendimiento laboral, crédito, fiabilidad, conducta, entre otros. El afectado podrá impugnar los actos administrativos o decisiones privadas que impliquen una valoración de su comportamiento, cuyo único fundamento sea un tratamiento de datos personales que ofrezca una definición de sus características o personalidad. En este caso, el afectado tendrá derecho a obtener información del responsable de la base de datos tanto sobre los criterios de valoración como sobre el programa utilizado en el tratamiento que sirvió para adoptar la decisión manifestada en el acto. La valoración sobre el comportamiento de las personas, basada en un tratamiento de datos, únicamente podrá tener valor probatorio a petición del afectado.

IV. Statutory safeguard outside data protection legislation

Personal data is regulated in Uruguay by the Data Protection Act. There are, however, also other (sectoral) rules that contain some provisions related to privacy and data protection. For completeness, the present report presents and assesses these rules insofar as the given methodology requires it (mainly, the fact that we have to stay within the framework of EU First Pillar matters).

A. List of other norms enacted in Uruguay

Uruguay approved numerous other legal norms related to data protection and privacy. We include a list – in chronological order – of applicable national legislation that has been enacted in the last decades and that includes some protection for the rights of personality or privacy. Although the only previous regulation that approached a kind of data protection norm was the law enacted to regulate Credit Reporting, other norms provide evidence that the Uruguayan legal system was concerned with providing protection to privacy and data protection in several sectors even before adopting a general data protection Act.

Norm – Date of enactment: Brief description

Article 31 of Law 9,739: Right of image. Protection for the portrait of persons.
Law 13,751 (February 21, 1967): International Covenant on Political and Civil Rights.
Law 14,005 (August 17, 1971): Law authorizing living wills.
Decree 14,306 (November 29, 1974): Tax Code, section 47. Secrecy of tax information provided by taxpayer to government.
Law-Decree 15,322 (September 17, 1982): Bank secrecy regulation.
Law 15,837 (March 8, 1985): American Convention on Human Rights.
Law 16,011: Writ of “Amparo” Act.
Law 16,099 (November 3, 1989): Law of the freedom of press. Right to rectify or reply to information in newspapers.
Law 16,616 (October 20, 1994): Law for the statistical system; provides for the secrecy of the personal data provided by companies and individuals.
Law 17,060 (December 23, 1998): Freedom of information and exceptions for reserved or secret documents.
Law 17,823 (September 7, 2004): Provides for the privacy and confidentiality of the information about youth stored in the archives of the Instituto del Niño y Adolescente de Uruguay.
Law 17,835 (September 23, 2004): Money laundering and terrorism law.
Law 17,838 (September 24, 2004, OJ October 1, 2004): Credit reporting law (repealed by the Data Protection Law).
Law 17,930 (December 19, 2005): Governmental agency in charge of the Information Society agenda. Creation of AGESIC: Governmental agency for the administration of the electronic Government and Information Society.
Law 17,948 (January 8, 2006): Limitations of bank secrecy to create centralized public credit reporting database in the .
Law 18,046 (October 24, 2006): Structure and functions of AGESIC.
Decree 258-1992 of June 9, 1992: Duty of confidentiality for health records held by doctors.
Decree 204-2001 of May 23, 2001: Extends application of Decree 258 to medical institutions.
Decree 396-2003 of September 2003: Regulation of electronic medical files.
Agreement 7,564/2006 of the Supreme Court of Justice of Uruguay (currently suspended by Agreement 7,578): Creates data protection rules for the documents and information held by the Judiciary.
Law 18,270 (April 25, 2008): Approves the Iberoamerican Convention on the rights of Youth (jovenes). Provides a specific right of privacy of youth (article 15).
Law 18,331: Data Protection Act.
Law 18,383 (October 31, 2008): Amends Criminal Code to include obstruction or alteration of wire or wireless communications.
Law 18,435 (OJ 30 December 2008 - Nº 27643): Creation of the National Archive for the Memory.
Law 18,381 (OJ November 7, 2008): Law on the right of access to public information.
Law 18,426 (December 10, 2008): Law on the defense of sexual and reproductive health. Provides for the privacy of the act of giving birth and related services.
Law 18,446 (December 17, 2008): Law creating the Institute on Human Rights of the Government.

Before the enactment of the Data Protection Act several norms were used to obtain privacy or data protection safeguards.

B. Financial sector regulations

The Uruguayan Tax Code and the Bank Law No. 15,322 regulate privacy and confidentiality in their respective areas. Article 68 of the Tax Code authorizes the Government to require taxpayers and parties in position of responsibility to produce business records, documents, and correspondence. This documentation is not protected by professional confidentiality since the taxpayer himself is obliged to produce it.

The Bank Law establishes the obligation to protect the confidentiality of funds and secure checking accounts, deposit accounts, or other accounts belonging to natural and legal persons, as well as any confidential information received by the bank from its clients 180 .

There have been some doctrinal debates 181 about whether bank secrecy is limited to operations that create assets (“passive” bank operations) like a bank deposit or whether it includes operations that create liabilities (“active” bank operations). While the financial system and the credit reporting industry have always been opposed to the expansion of bank secrecy to active operations, in practice both types of transactions have always been kept secret in Uruguay. This debate was finally settled with interpretative Law 17,948 (January 8, 2006). It establishes that for the purpose of bank secrecy regulations (article 25 Law Decree 15,322), confidentiality is limited to “passive” bank operations. The law also authorizes the Central Bank of Uruguay to create a centralized credit reporting database as it has been done in other countries of the region 182 . The information of this central database is furnished by each financial entity.

C. Employment regulation

Law 16,713 protects the confidentiality of employment history and other labor records. The employment history includes information about the length of employment, the benefits and contributions paid by each reported company, and the outcome of inspections. The employee can ask for the correction of inaccurate information (sections 89-90 of Law 16,713). While there are no explicit regulations that protect information in the contractual stage, some scholars have contended that it is unlawful to request information about criminal convictions or data about family status, political beliefs, religious beliefs, or trade-union affiliations.

180 Article 25 of Law-Decree 15,322 (September 17, 1982). 181 See Siegbert RIPPE, Secreto bancario, FCU, Montevideo, 2005. 182 On this matter please refer to: Credit Reporting Systems and the International Economy, Margaret J. Miller (Editor), (The MIT Press, 2003).

D. Statistics regulation

Law No. 16,616, enacted on October 20, 1994, regulates the national statistical system. It establishes that the individual information obtained must be treated with the utmost confidentiality, and that a link should exist between the data requested and the objectives of the statistics or census.

E. Regulation related to Youth and Minors

In September 2005, the Children and Adolescents Code was approved. This Code states that any child or adolescent has the right to a private life and the right to control his/her own image. Children’s images cannot be used in a harmful way that damages or identifies them. The law creates the National Information System on Childhood and Adolescence, under the responsibility of the National Institute of the Minor. This System includes personal data about children or adolescents who are under the responsibility of the Institute and of the institutions that take care of them. The law establishes that “this personal information cannot be used as a database to trace them once they reach the age to be considered adult” and that “the judicial and administrative records of the children and adolescents in conflict with the law must be destroyed immediately once they reach the age of 18 or once the measure ceases to have effects.” Moreover, the law specifies that children are the only owners of their personal history 183 .

F. Access to public information Regulations

1. Freedom of Information Act

The Law 18,381 enacted in October 2008 (OJ November 7, 2008) regulates the right of access to public information (“FOI Act”). The purpose of the FOI Act is to provide administrative transparency of the public administration and to provide individuals with a fundamental right of access to public information 184 .

183 See Privacy International and EPIC, Privacy and Human Rights report 2006, chapter about Uruguay. 184 Article 1 of the FOI Act

The FOI Act defines “public information” as “all information originated or in possession of a public entity, whether it is state-controlled or not…” 185 and provides that “the access to public information is a right of all persons, without discrimination of nationality or character…” 186 . There is no need to justify the reasons why the person is requesting the information.

The FOI Act establishes a presumption that all information produced by public entities or under their control is regulated by the FOI Act, whether it is stored on digital or traditional media 187 .

For the purpose of promoting transparency, the act provides that all public entities must ensure the adequate organization, systematization and availability of the information they control, allowing broad and easy access to it for interested people. The public entities, whether state-controlled or not, also have an obligation of ‘active’ disclosure: on their web pages and through other channels, they shall at least publish information related, for instance, to their organic structure, their competences, their functioning, and statistics 188 .

The public bodies subject to the FOI Act must deliver an annual report to the controlling authority detailing the requests made under the act and their solutions and status 189 .

185 Article 2 of the FOI Act: All information that emanates from or is in the possession of any public body, whether state-controlled or not, is considered public information, save for the exceptions or secrets established by law, as well as reserved or confidential information. 186 Article 3 of the FOI Act 187 Article 4 of the FOI Act: All information produced, obtained, held by or under the control of the subjects bound by this law is presumed public, regardless of the medium in which it is contained. 188 Article 5 of the FOI Act: Public bodies, whether state-controlled or not, shall permanently disseminate, through their websites or other means determined by the controlling body, the following minimum information: a) their organic structure; b) the powers of each administrative unit; c) the remuneration structure by rank category, the functions of the positions and the compensation system; d) information on the assigned budget and its execution, with the results of the audits that apply in each case; e) concessions, tenders, permits or authorizations granted, specifying their holders or beneficiaries; f) all statistical information of general interest, in accordance with the purposes of each body; g) mechanisms for citizen participation, in particular the address and unit to which requests to obtain information must be directed. 189 Article 7 of the FOI Act

The FOI Act provides that exceptions to the right of access must be interpreted restrictively. They include the information defined as ‘secret’ by law and that defined as ‘reserved’ and ‘confidential’ under the FOI Act 190 .

Under the FOI Act the following information has been classified as “reserved”: a) information that compromises national security; b) information that can affect international relations with other countries; c) information that can affect the financial or economic stability of the country; d) information that creates a risk for the life, human dignity, security or health of any individual; e) information that can affect a competitive advantage of the obliged entity, or that can affect its production process; f) information that could undermine the protection of scientific, technological or cultural discoveries developed or owned by the obliged entity 191 .

Information can be classified as reserved up to a term of fifteen years, but under certain circumstances this period can be extended 192 .

Article 10 of the FOI Act provides that “confidential” information shall be: i) information provided with this character when it: a) refers to the patrimony of the person; b) relates to facts or acts of a natural or legal person that have an economic, legal or administrative character, or that relate to his/her/its accounts, and that could be useful for a competitor; c) is protected by a contractual confidentiality clause; and ii) personal data that require prior informed consent.

190 Article 8 of the FOI Act 191 Article 9 of the FOI Act 192 Article 11 of the FOI Act

This exception equally applies to the documents or parts of documents that contain such confidential data (Article 10 in fine).

Article 12 of the FOI Act provides that a reserve cannot be invoked in a case related to infringements of human rights or when the information would be relevant to investigate, foresee or prevent such infringements.

Chapter Three of the FOI Act details the procedure to access the information. Any natural or legal person may request access to public information. This has to be done in writing. The request has to contain the identification of the applicant, the description of the requested documents or data, or any other detail that facilitates the location of the requested information 193 . The requested bodies are not obliged to create or produce information that they do not have or possess at the time of the request 194 . After the request the public body must provide the data within 20 days 195 . After that term, the individual may initiate a legal action to access the information.

The controlling authority is the Unit of Access to Public Information (‘Unidad de Acceso a la Información Pública’ ), an independent (“desconcentrado ”) organism within the AGESIC (the Public Agency in charge of Electronic Commerce and Electronic Government in Uruguay).

Chapter Five of the FOI Act contains a detailed description of the judicial action to enforce the right of access to public information 196 .

Finally, Chapter Six of the FOI Act provides administrative liabilities for infringement of the law by public officials 197 .

193 Article 13 of the FOI Act 194 Article 14 of the FOI Act 195 Article 15 of the FOI Act 196 Articles 22 to 30 of the FOI Act 197 Article 31 of the FOI Act

2. Links between the Data Protection Act and the Freedom of Information Act

Because both the Data Protection Authority and the Unit of Access to Public Information (authority for FOI matters) are under the umbrella of AGESIC, both entities plan to have regular meetings and to create a Working Group composed of representative members of both authorities. The aim of this Working Group shall be to define how to solve conflicts between transparency, access to public information and the protection of personal data contained in public documents 198 .

One cannot easily conclude which legal regime would prevail. However, it is clear that access to public information is limited when the document contains “confidential information”. As has already been mentioned, article 10 of the FOI Act defines “confidential information” as: i) information provided with this character when it: a) refers to the patrimony of the person; b) relates to facts or acts of a natural or legal person that have an economic, legal or administrative character, or that relate to his/her/its accounts, and that could be useful for a competitor; c) is protected by a contractual confidentiality clause; and ii) personal data that require prior informed consent.

Specifically, the last requirement provided in article 10.ii (“personal data that require prior informed consent”) is in line with article 9 of the Data Protection Act. This makes it possible to exclude sensitive data, or information not mentioned in article 9§2 of the Act. In this respect, one can say that the FOI Act clearly indicates the cases where personal data should not be released under a freedom of information request.

This is a hard issue, subject to different standards worldwide, and in the case of Uruguay both legal regimes were recently enacted, so there is no experience in dealing with these kinds of conflict. However, it should be considered positive that both regimes are going to be interpreted and applied by entities belonging to the same sphere of government and that they are planning to coordinate through a Working Group.

198 Information provided by Dra. María José Viega, Legal advisor for AGESIC.

3. Memory Regulation

Law 18,435 (OJ December 30, 2008) creates the National Archive for the Memory (located within the National Archive of Uruguay).

The law creates a registry to preserve all state documents and data related to the violation of human rights by the State between 1973 and 1985, in order to promote the memory of those tragic events and to provide access to all public documents related to these matters. The aim of the Archive is also to promote the importance and effectiveness of human rights and democracy and the full exercise of the individual and collective “right to Truth” (“Verdad”) and to the memory of human rights violations 199 . In Eastern Europe such laws are also known as “lustration laws” 200 .

The law mandates the archive to compile and organize copies of all documents relating to human rights violations and to coordinate their access and publication with AGESIC 201 . A “document” is defined as any verbal, written or image expression collected in any medium, as well as objects and evidence of human rights violations 202 .

The National Archive for the Memory is managed by a collegiate body of 5 members with voting rights composed of: (i) the Director of the National Archive; (ii) the Director of the National Library; (iii) the Director of the Museum of History; (iv) the Director of Human Rights in the Ministry of Education and Culture; and (v) a representative of an NGO related to human rights. A representative of AGESIC may participate in the meetings “with voice but without voting rights” 203 .

The tasks of this collegiate body are: (i) to control the application of the law and to require the documents to be incorporated in the archives; (ii) to provide guidelines for the selection of documents, their compilation and their access under the regime of the FOI law (law 18,331 of October 17, 2008); (iii) to collaborate with other government organizations to promote educational campaigns relating to the memory and access to these documents; (iv) to enter into agreements with other local or foreign organizations to promote the interchange of documents of the Archive, according to Law 18,331 of August 11, 2008 (the data protection law); (v) to sign agreements with entities of the State, NGOs or other private institutions, universities, media companies or any other entity with the aim of duplicating the graphical or audiovisual material of the Archive 204 .

199 Article 2 of the Memory regulation 200 See http://en.wikipedia.org/wiki/Lustration 201 Article 3 of the Memory regulation 202 Article 4 of the Memory regulation 203 Article 5 of the Memory regulation

The selection and assessment of the documents destined for the National Archive for the Memory shall be guided by the rules to be enacted by the Directors of the Archive. The Directors are authorized to visit any public entity and to request, read and research its archives with the aim of compiling and classifying the documents to be sent to the National Archive for the Memory 205 . All public entities are required to answer their requests and to have a person in charge of coordinating the efforts to locate documentation 206 .

As mentioned earlier, access to the National Archive for the Memory is subject to the conditions of access of the FOI Act. It is provided that exemptions to the right of access must be interpreted restrictively, applying only in cases where the information is defined as “secret” by law or as “reserved” and “confidential” under the FOI Act. Under these conditions, the wide access to the National Archive for the Memory could raise questions relating to the right to data protection, in particular concerns about the right to be forgotten of individuals who would have been involved in the repression during the dictatorship. On this issue, the FOI Act makes clear, in its article 12, that no exceptions to the right of access of individuals will be allowed when the information requested is related to a crime against humanity, infringements of human rights, or violations and prosecutions of those crimes 207 . The DPA confirmed 208 that the right to be forgotten would not be admitted in the case of crimes against humanity, as defined in article 7 of the Rome Statute of the International Criminal Court. The articulation between the Memory regulation, the FOI Act and the Data Protection Act turns out to be a very complicated issue. The trend in Uruguay is to provide the widest access to information relating to crimes against humanity committed during the dictatorship. As has already been said, both laws are very recent, and it is difficult to predict which standard will be adopted by both agencies (the DPA and the FOI Agency) in addressing these issues.

204 Article 7 of the Memory regulation 205 Article 9 of the Memory regulation 206 Article 10 of the Memory regulation 207 Article 12 of the FOI Act, in its original version: “Article 12. (Non-opposability in cases of human rights violations). The subjects bound by this law may not invoke any of the reservations mentioned in the preceding articles when the requested information refers to violations of human rights or is relevant to investigate, prevent or avoid such violations.” 208 Answers of the newly created DPA in June 2009

G. Criminal Code

1. Interception of correspondence or communications

The Criminal Code includes various provisions punishing libel, slander, defamation and violation of privacy (secrecy). The Uruguayan Criminal Code (‘Código Penal’) establishes several offences related to the violation of privacy. Article 296 of the Code guarantees the privacy of correspondence, establishing that whoever opens an envelope containing a letter that is not directed to that person, with the intent of learning about its content, is guilty of a felony. Article 298 punishes the disclosure of information obtained by any means similar to those referred to in Article 296. Article 297 punishes the interception of telephone or telegraphic communications. Articles 300 and 301 increase the maximum penalty when said “information was known by means of fraud and the document was supposed to remain secret by reason of its content or nature.”

2. Professional secrecy

The law also punishes a person who reveals confidential information that has been learned through his job. This provision establishes the obligation to respect professional secrecy.

3. Prohibition of slander and defamation

Article 333 of the Criminal Code provides the penalty of up to three years' imprisonment for the defamation or slander of any person who can be subject to public scorn. Article 334 provides punishment to any person who by means of speech, gestures, writings, or actions offends the honor of another.

V. Important Uruguayan Case Law related to privacy and data protection

Although case law is not the primary source of law in the Uruguayan legal system (as opposed to the common law system), the interpretation of the Act by the Courts will help to understand how the Act may work and the duties that it imposes on data controllers. Because the law was enacted near the end of 2008 and this report was written and updated until April 2009, only a few cases based on the Data Protection Act will be presented. We however found earlier case law related to data protection and privacy that is worth discussing in the present report.

A. Case law before the enactment of the data Protection Law

1. Gender and data protection

In 2005, the Supreme Court of Justice confirmed a former decision that ordered the amendment of information about the gender included in a birth certificate since the plaintiff had a sex change by surgery. During the trial, the Supreme Court considered whether national regulations cover the right to determine one’s gender. The majority of the Magistrates of the Supreme Court considered that, since the person had changed her social sexual appearance through a surgical intervention that modified her sexuality, she was entitled to request and amend the gender included in her birth certificate. Otherwise, privacy about her sexuality would not be protected since her former sex would be disclosed on the birth certificate 209 .

2. Privacy in internet.

A lawsuit was filed by a student of the University of “La República” requesting the removal of his name from the university’s web site. The student had been suspended by the university, which published a notice about this on its website. The Court of first instance granted the petition based on the fact that the administrative act sanctioning the student was being appealed. However, the Court of Appeals revoked the decision 210 . It held that the information published on the web site was part of the publication of the sessions of the administrative authorities of the University. Finally, the court concluded that there was no illegitimate act.

209 Supreme Court of Justice of Uruguay, 22 July 2005, published in "La Justicia Uruguaya," Case 15157, volume 132, (2005), cited in Privacy International and EPIC, Privacy and Human Rights report 2006, Uruguay section.

3. Credit reporting

In this lawsuit the court granted damages to a plaintiff against a credit reporting company. The court held that the plaintiff’s personality rights were affected because he was reported as a debtor, while the information was found to be inaccurate 211 .

Another lawsuit concerned a plaintiff who was seeking damages because his bank had reported to the Central Bank database that he was a debtor. The plaintiff’s request for damages was rejected for lack of evidence 212 .

4. Access to personal information

In an action of amparo, a plaintiff requested access to information about a psychological test to which he had been submitted. The claim was dismissed because the old Credit Reporting Law (Law 17,838) did not apply to non-commercial information 213 .

5. Infringement to the right of image

In one case, damages were provided (U$S 1500) for the infringement of the right of image (art. 31 of Law 9,739) 214 .

210 See the comment on the case by Maria Jose Viega, Silvana Leberrié and Fabrizio Messano, Perspectiva nacional de la protección de datos personales, in Derecho Informático, vol. VII-2006, p. 221. Tribunal de Apelaciones en lo civil de 4° Turno, sentencia 349, 30 November 2005. 211 Juzgado letrado de Primera Instancia de 2° Turno, sentencia 194, 4 August 2006. Derecho Informático, vol. VII-2006, p. 353. See also a similar case cited in Derecho Informático, vol. VII-2006, p. 484. 212 Juzgado de Paz departamental de 7° Turno, sentencia 20, 7 June 2007. Derecho Informático, vol. VIII-2007, p. 188. 213 Juzgado letrado de Primera Instancia en lo civil de 3° Turno, sentencia 1, 25 July 2007. Please note that the result would be different today with the enactment of a general data protection law. 214 Juzgado letrado de Primera Instancia en lo civil de 6° Turno, sentencia 71, 13 December 2006

6. Identity theft (2007)

In another case, a plaintiff sued a clearing reporting agency because he was incorrectly reported as being a debtor of the TV cable company. It was considered a case of identity theft and Article 1319 of the Civil Code was applied. The court awarded damages 215 .

7. Identification of parties in case law

Names of the parties of cases are not individualized in Uruguay. They are only indicated as AA, BB, CC, DD etc.

B. Case law after the enactment of the data Protection Law

1. Freedom of expression and privacy 216

The case concerns a minor who was involved in a crime about 10 years ago. Because he was considered “mentally ill”, he was not convicted but submitted to medical treatment. A TV producer was preparing a program relating to his case. The parents of the minor learnt about the imminent broadcasting of the TV program and initiated a lawsuit to block it. They argued that the broadcasting of the program and the revealing of all the information would jeopardize the medical and psychological treatment of the minor. The defendant argued that the lawsuit was a form of “prior censorship” not allowed under article 13 of the American Convention on Human Rights relating to the freedom of thought and expression. The Civil Court of Appeal of Uruguay referred instead to article 29 of the Constitution, which enshrines the same guarantees, and held that the requested injunction would amount to an illegal prior censorship. This decision confirms a first-instance judgment that rejected an action of amparo.

215 Derecho informático, vol. VIII-2007, p. 346. 216 Tribunal de Apelaciones en lo Civil de 5° Turno, sentencia 123, 28 October 2008

2. Right of access to personal data held by the Armed Forces 217

The suit concerns a habeas data action against the army. The plaintiff, a member of the army, had previously been subject to a “tribunal of honor” in a case for which he was finally acquitted. After the case, he filed an action of “amparo” requesting access to all the information relating to the proceedings. This first lawsuit was rejected on technical grounds. But after the enactment of the Data Protection Act (law 18,331), the plaintiff decided to file a habeas data action to access his personal information based on Law 18,331. The defendant raised (i) the defense of res iudicata and (ii) the argument that the Data Protection Act does not apply, according to its article 3§2 B), to “databases which:… b) are created for the purposes of public safety, defense, state security and government’s activities relating to criminal law, investigation and repression of crimes”.

With respect to res iudicata, the Court distinguished the action of “amparo” from the new action of habeas data. It held that “this action of habeas data is the main and natural procedure, because the current procedure to access personal data is contemplated in articles 37 to 45 of Law 18,331”. On this basis, the judge considered that, by adopting the Act, the lawmaker wanted to introduce the habeas data action as an autonomous and special procedure, different from the action of “amparo”. In this respect, the judge’s interpretation demonstrates the will to guarantee the effectiveness of the action of habeas data in Uruguay.

With respect to the defense based on article 3 of the Act, the Court of Appeals recalled that “article 3§2.B) of law 18,331 excludes from the application of the Act those databases that are created for the purposes of public safety, defense, state security and government’s activities relating to criminal law, investigation and repression of crimes”. It however added that “it is not enough that the information is held by BB [the defendant], because the same law in article 25 regulates the same databases with respect to personal data stored for administrative purposes, and articles 26 and 27 only allow to deny access” based on “the ensuing perils that could affect State defense or public security, the protection of rights and freedoms of third parties and the needs of the investigations carried out at that time” or when it “may hinder administrative actions to ensure compliance with tax obligations” 218 .

217 Tribunal de Apelaciones en lo Civil de 5° Turno, sentencia 12, 14 November 2008

The court finally concluded: “None of these situations was explicitly developed by the defendant, nor could they be present in the case, because the investigation had already finished and only referred to certain aspects of his sexual conduct that had been commented on in the military community, and access to the requested information does not affect the defense of the State, public security or the rights of third parties; especially because the facts investigated did not give rise to any administrative or criminal sanction” 219 . On this basis, the Court allowed the plaintiff to access his personal information, without having to justify any reason.

This judicial decision is of great importance. It demonstrates that the judge is willing to afford a protective interpretation of the minimal rules of protection concerning databases owned by the Armed Forces, Police and Intelligence agencies. This judgment also raises the issue of the scope of the exclusion of article 3§2 B), discussed earlier 220 . It is likely that the judge will have to clarify it in the near future.

218 “Art. 3 of Law No. 18.331 excludes from the application of the established regime those databases relating to public security, defense or State security and activities in criminal matters (literal B), but to this effect it is not enough that the information is held by BB, because the same law, in its art. 25, refers to the databases of BB containing data stored for administrative purposes, and arts. 26 and 27 only authorize denying access ‘on account of the dangers that could arise for the defense of the State or public security, the protection of the rights and freedoms of third parties or the needs of tax investigations, inspections or the prosecution of criminal offenses’.” 219 “None of these hypotheses was even invoked by the defendant, and they would not be met in the concrete case, because the already concluded investigation to which the plaintiff was subjected refers only to possible aspects of his sexual conduct that would have been the subject of comments in the military sphere, it not being apparent that his access to the content affects the defense of the State, public security or the rights of third parties; all the more so since, according to the administrative authority itself, the facts commented on did not warrant the characterization of an administrative offense or the need for a criminal investigation of the official.” 220 Please refer to “Principles applicable to databases owned by Armed forces, police and Intelligence agencies”, p. 30

VI. Procedural and enforcement mechanisms

The Working Party’s methodology indicates that the assessment of the adequacy of a third country legal system should identify the underlying objectives of a data protection procedural system, and on this basis judge the variety of different judicial and non-judicial procedural mechanisms used in third countries.

In that regard, the WP12 document provides that the objectives of a data protection system are essentially threefold: (i) to deliver a good level of compliance with the rules; (ii) to provide support and help to individual data subjects in the exercise of their rights; (iii) to provide appropriate redress to the injured party where rules are not complied with 221 .

We will examine the existence of these principles in the legal system of Uruguay and specifically in the Act. Please note that, due to the recent enactment of the Act, there are not many cases dealing with the interpretation of its main principles. The assessment is consequently based only on the text of the Act and on the existing record of compliance with the previous regulation.

A. A good level of compliance with the data protection rules

As has been underscored in WP12, “no system can guarantee a hundred percent compliance, but some are better than others. A good system is generally characterized by a high degree of awareness among data controllers of their obligations, and among data subjects of their rights and the means of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring respect for rules, as of course can systems of direct verification by authorities, auditors, or independent data protection officials” 222.

221 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.
222 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.

The Act has put in place a number of elements to serve this objective. The present section will first be dedicated to the presentation of the data protection supervisory authority, its independence, composition, and powers (1). We will then go deeper into the presentation of the sanction mechanisms (2) and will finally address the level of awareness (3).

1. Data Protection Supervisory authority

The data protection authority is called the Regulatory and Personal Data Controlling Unit (“Unidad Reguladora y de Control de Datos Personales”). For the purposes of this report it will be called the “Data Protection Authority” or “controlling body”. It was established by the Data Protection Act 223. Its main role is to “take all the necessary actions towards achieving the objectives and complying with the provisions of the Act” 224.

1.1. Independence of the Data Protection Authority

The independence of the Data Protection Authority is considered by WP12 as an essential prerequisite of the adequacy of protection. We will thus address the structural, functional and financial independence of the Data Protection Authority. However, because the latter is conceived as a body dependent on AGESIC, we will also provide a deeper presentation of AGESIC in order to understand its missions and the links between the two entities.

1.1.1 Structural, functional and financial independence

Under article 31 of the Act, the Data Protection Authority is created as a body dependent on “AGESIC”, the Electronic Management Government Development and Knowledge and Information Society Agency (“Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y el Conocimiento”). It is a decentralized agency. The term used in the Act is “desconcentrado”, which means that the Data Protection Authority is not included in the central administration. This also means that it has technical autonomy, i.e. within its area of expertise it takes the final decisions. The same article 31 of the Act provides that the Data Protection Authority “shall be endowed with the broadest technical autonomy”.

223 Article 31 of the Data Protection Act
224 Article 34 of the Data Protection Act

In addition, the implementation Decree to be adopted should attribute legal personality to the Data Protection Authority, so that it can sue and be sued without the intervention of a superior authority 225.

Thus, independence and autonomy of the Data Protection Authority are granted for the matters within its specific competence, even though the Data Protection Authority depends on AGESIC, which in turn depends on the Presidency of the Republic. However, as already noted, the Data Protection Authority has technical autonomy: this means a broad and discretionary margin to plan, provide opinions and adopt decisions 226. The Authority does not, however, have functional or operational autonomy: its employees and offices will be provided by AGESIC.

The reason for this structure is that, under the Constitution and the laws of Uruguay, there are no independent bodies other than those already created. The Constitution does not expressly prohibit the creation of legally independent public bodies. But the Constitution of Uruguay contemplates only the three branches of government (Executive 227, Legislative 228 and Judiciary 229 Powers), the Court of Accounts 230 (“Tribunal de Cuentas”), the Electoral Court 231 and the Contentious-Administrative Court 232 (“contencioso administrativo”), and the autonomous entities and decentralized services 233. Apart from these categories, there is no other way of establishing an independent body under Uruguayan law.

Concerning its financing, it is provided that the Data Protection Authority “shall submit a budget proposal for consideration by the Executive power”. While the Executive thus has financial control over the Data Protection Authority, it is worth highlighting that its budget appears to be distinguished, and thus autonomous, from that of AGESIC.

225 Telephone interview with the legal advisor of AGESIC
226 Carlos E. DELPIAZZO, “Derecho Administrativo Uruguayo”, Porrúa – UNAM, México, 2005, p. 47.
227 Constitution, Articles 149-183.
228 Constitution, Articles 83-148.
229 Constitution, Articles 233-261.
230 Constitution, Articles 208-213.
231 Constitution, Articles 322-328.
232 Constitution, Articles 307-321.
233 Constitution, Articles 185-205.

Finally, in March 2009 the Data Protection Authority created its official website, located at the following URL: http://www.protecciondedatos.gub.uy/sitio/index.html. The website is distinct from the website of AGESIC, again signalling its independence.

1.1.2 AGESIC

The objectives of AGESIC are to improve public services for citizens, to ensure accessibility and promote the use of new information and communication technologies by citizens, with the aim of strengthening the Information Society, promoting actions in the area of e-government, and bringing change and transparency to the Government 234.

The Executive Director of AGESIC should be a person with experience in electronic commerce and e-government. AGESIC has been very active in these matters. It has several advisory councils and different working groups (on digital signatures, data protection, electronic commerce, data integration, electronic files and the issue of information security in governmental databases). The help and support of AGESIC public officials was decisive for the enactment of the Data Protection Act as well as the FOI Act by the General Assembly.

AGESIC recently finished a project called “Digital Agenda 2008-2010 for Uruguay” 235. The program was introduced by the President himself and approved by a Decree. One of the main objectives in the area of legal developments is objective no. 21. This objective is to approve or regulate (where they have already been enacted) several laws before the year 2010, including the data protection and privacy law, the FOI Act, and laws regarding digital signatures, e-commerce and electronic procurement 236. In addition, objective 22 establishes the creation of a data protection unit before the year 2010 237. Again, this shows strong political support for the development of data protection in Uruguay.

234 Article 118 of Law 18,172.
235 http://www.presidencia.gub.uy/_Web/noticias/2008/08/2008081209.htm
236 http://www.agesic.gub.uy/Sitio/agenda.html?4

The fact that the Data Protection Authority is dependent on AGESIC is of importance. AGESIC was able to gather a lot of political support for its proposals, including the approval of the Data Protection Act. In addition, the AGESIC Working Group on Data Protection was responsible for preparing the draft of the Data Protection Bill that was introduced by the Executive Power into the General Assembly 238.

1.2. Composition of the Data Protection Authority

The Data Protection Authority is basically composed of an Executive Council. The Act further provides that it is assisted in its missions by an Advisory Council.

1.2.1 The Executive Council

The Data Protection Authority is a collegiate body 239. The Act establishes that it is managed by an Executive Council composed of three members: the Executive Director of AGESIC and two members to be appointed by the Executive Power 240. The personal, professional and knowledge background of the latter two members must be deemed to ensure “independence, efficiency, objectivity and impartiality in their function” 241. In a certain way, the Act establishes the independence of the body by reference to the field of expertise of its members.

Because the Data Protection Authority is a collegiate body, its decisions are adopted by a majority of two members. Likewise, only two members are necessary for a quorum and to deliberate. Therefore, the Executive Director of AGESIC cannot have any decisive influence on the other two members, who may have different views on how to decide an issue or how to conduct the Agency in general. The influence of AGESIC on the Data Protection Authority is very limited. In other words, the Director of AGESIC is not a “primus inter pares” but just another member of the Data Protection Authority. His opinion may only constitute a dissent against the majority of two votes. Furthermore, the draft Regulation, currently in the process of enactment, should clarify this matter, placing the Executive Director of AGESIC in a secondary position at some distance from the other members 242. It is worth recalling that, in any case, the last paragraph of article 31 of the Act is clear: “During their time in office, members shall not receive orders or instructions on technical issues”.

237 http://www.agesic.gub.uy/Sitio/descargas/Agenda_Digital2008-2010.pdf
238 AGESIC Working Group on Data Protection, Data Protection Report, December 2006, available at http://www.agesic.gub.uy/Sitio/descargas/ProteccionDatosPersonales.pdf
239 The same structure is adopted by the FOI Act (see article 19 of Law 18,381 of October 17, 2008).
240 Article 31 of the Act
241 Ibidem

In addition, it must be noted that the members of the Data Protection Authority, with the exception of the Executive Director of AGESIC, are appointed for a renewable term of four years. They only cease to exercise their functions when the term of their mandate ends and a new member is designated. They can be removed by the Executive Power, but only in cases of unfitness (“ineptitud”), omission or felony, in conformity with due process guarantees 243. They are therefore assured of remaining in their position as long as they are not legally removed. The two members are in the process of being designated at the time this report is being written.

1.2.2 The Advisory Council

Under article 32 of the Act, the Executive Council shall be assisted by an Advisory Council, in charge of giving advice and delivering opinions, at the request of the Executive Council, on any aspect that falls within its competence 244.

The Advisory Council shall meet at the request of the Executive Council or at the request of the majority of its members 245. It shall be composed of five members, appointed for a term of four years 246, like the members of the Executive Council. The composition of the Advisory Council reveals the intention of the Legislator to draw on different and complementary experiences. Indeed, according to the Act, it shall be composed of:

“A person of a renowned record in promoting and defending human rights, appointed by the Legislative branch, who must not be an active member of the Parliament; a representative of the judicial branch; a representative of the Attorney General’s office; a representative of the academic community; a representative of the private sector, to be elected following the regulatory procedures.” 247

242 Telephone interview with the legal advisor of AGESIC, April 2009
243 Article 31 §2 and 3 of the DP Act: “With the exception of the Executive Director of AGESIC, the members shall hold office for four years and may be reappointed. They shall cease only upon the expiry of their term and the appointment of their successors, or upon their removal ordered by the Executive Power in cases of unfitness, omission or crime, in accordance with due process guarantees. During their term they shall not receive orders or instructions on technical matters.”
244 Article 32§4 of the Data Protection Act
245 Article 32§2 of the Data Protection Act
246 Article 32§3 of the Data Protection Act

1.3. Role and powers of the Data Protection Authority

According to article 34 of the Act, the Data Protection Authority is in charge of the following functions and powers:

“a) Assist and advise any person that so requests on the scope of this Act and the legal means available for the defense of the rights guaranteed by the same

b) Establish the rules and regulations to be observed in the carrying out of the activities covered by this Act

c) Carry out a census of the databases covered by the Act and keep a permanent record thereof

d) Control compliance with the rules on data integrity, accuracy and security of databases, and carry out the respective judicial inspection proceedings

e) Request information from public and private entities, which shall furnish the background, documents, software or other elements relating to personal data that may be required

f) Give an opinion when it is so requested by the competent authorities on issues concerning the imposing of administrative sanctions for the violation of any of the provisions hereunder, or the adoption of regulations and resolutions governing the processing of personal data referred to herein

g) Advise, necessarily, the Executive power, on bill drafts that deal, in whole or in part, with personal data protection

h) Provide free information to the public about the existence of databases, their purposes and the identity of the persons responsible for them.”

247 Article 32§1 of the Data Protection Act

The Data Protection Authority has three different powers regarding compliance: normative powers, control powers and sanction powers, which are typical of any regulatory authority 248.

In the framework of the assessment of the existing procedural and enforcement mechanisms for the objective “to deliver a good level of compliance with the rules”, we will specifically address here the obligation to register databases and the inspection powers of the Agency.

1.3.1 Registration of processing: from one authority to the other

The Data Protection Authority is in charge of the management of the registrations of processing of personal data. For that purpose it shall “carry out a census of the databases covered by the Act”.

It must be underlined that the Data Protection Authority is not the first authority in charge of the census of data processing. In October 2006, Uruguay established a register gathering information about processing performed by public and private entities on personal data related to credit reporting (see Credit Reporting Law n. 17.838, now repealed by the Data Protection Act). This register was under the responsibility of the Advisory Board that assisted the former Data Protection Authority 249. However, this was only a registry, not a full Data Protection Agency. There were neither annual reports nor campaigns providing information about data protection laws. The Credit Reporting Law provided that individuals processing personal data under the Law were required to enrol in the Register within 90 days of the beginning of their activities. Existing databases were required to register within 90 days after the Decree creating the Register entered into force 250.

248 See Carlos E. DELPIAZZO - “Administración electrónica y tratamiento de la información” in Anuario de Derecho Informático, tomo VIII, pág. 399.

249 Article 20 of the Credit Reporting Law 17,838, of 24 October 2004
250 Decree 399/2006, October 30, 2006.

All these registrations were recently transferred to the new Data Protection Authority. Indeed, Article 47 of the Act provides that “within one hundred twenty (120) running days (counted from the enactment of the Act) the current controlling authority for commercial data protection run by the Ministry of Economy and Finance shall transfer all information and documentation to AGESIC”.

The obligation to register personal data processing is, under the Act, extended to “all public and private databases” 251 containing personal data. In compliance with the Act, the registration procedure is described in Presidential Decree 664/2008, enacted on 22 December 2008.

The Decree confirms the creation of the registry for personal databases, whose management is entrusted to the Data Protection Authority 252. It is then provided that all natural or legal persons (public or private) regulated under the Data Protection Act must register their databases within 90 days of initiating their activities or, in the case of already existing databases, from the date the Decree is enacted 253. The controller is thus not required to register a processing before creating the database, but rather is invited to do so within 90 days after the start of the processing.

Article 4 of the Decree, in compliance with article 29§2 of the Act, details the information to be included in the notification form, which is to be produced by the Data Protection Authority. This information must comprise: “A) Identification of the database and of the controller; B) Nature of the personal data recorded; C) Procedures for obtaining and processing data; D) Security measures adopted and a technical description of the database; E) Personal data protection and rights related thereto; F) Final use of the data and possible natural persons or legal persons to whom they may be transmitted; G) Period of time during which the data will be kept; H) Way and conditions to allow access to data subjects and procedures for rectifications or updating of data; I) Number of creditors that are individuals for whom the five-year period established by section 22 herein has expired 254; J) Number of cancellations, due to default in payment if applicable, in accordance to section 22 herein.”

251 Article 29 of the Data Protection Act
252 Article 1 of the Decree regulating the Registry of personal databases
253 Article 3 of the Decree regulating the Registry of personal databases
254 Article 22 of the Data Protection Act provides the specific rules applicable to credit reporting processing

It is also provided that the Data Protection Authority is authorized to add any elements necessary to comply with the Act. Article 5 of the Decree then details the registration procedure 255. It is provided that the controller shall request the notification form or register through the website. In the latter case, the registration must be considered provisional until it is regularised within ten days. Regularisation of the registration requires the authentic signature of the controller and the supply of the necessary documents that cannot be provided by electronic means. The validity of the registration is limited to a one-year term, at the end of which the controller has to renew it. Finally, the Decree provides that controllers are required to update their registration monthly if there is any change 256.

On this basis, we understand that registration of the database has legal effect, in the sense that registration presumes that all requirements of the Data Protection Act are fulfilled.

1.3.2 Inspection powers

Among its functions and powers, the Data Protection Authority shall “control the compliance with the rules on data integrity, accuracy and security of databases, and carry out the judicial inspection proceeding”.

The Act does not provide further indications about the inspection procedure that can be carried out by the Data Protection Authority. It is only specified in the next point that the controlling body can “request information from public and private entities, which shall furnish the background, documents, software or other elements relating to personal data that may be required”. As has been confirmed to us by AGESIC 257, an inspection proceeding can be initiated either by the Data Protection Authority ex officio, or on the basis of a data subject’s complaint that has called the attention of the Authority to a possible violation of the Act. Furthermore, the implementation Decree should detail the inspection powers of the Data Protection Authority and refer to the administrative procedure, well known to civil servants, to govern the inspection proceeding 258.

255 Article 5 of the Decree regulating the Registry of personal databases: “Registration with the Registry shall be carried out as follows: a) the application and the registration form must be signed by the person responsible for the database; b) registration must be completed with all the required elements, within the established term, provisional registration being admitted through the website of the Unidad Reguladora y de Control de Protección de Datos, on condition that it is regularised within the following 10 working days; c) for regularisation, the authentic signature of the responsible person and any data or documents that the electronic medium does not admit must be added; d) the registration shall be valid for one year and must be renewed within the 10 working days following its expiry. The Unidad Reguladora y de Control de Datos Personales shall issue a certificate of the initial registration and of its successive renewals.”
256 Article 6 of the Decree regulating the Registry of personal databases:

2. Effective dissuasive sanctions

2.1. Administrative sanctions

The Act provides for a number of sanctions of different types and degrees according to the seriousness of the offence committed by the controllers or users of the databases.

The administrative sanctions are regulated in Article 35 of the Act. This article provides that the controlling authority may apply sanctions (including fines) to persons responsible for databases or data controllers in case there is a violation of the rules of the Act.

The following types of sanctions are established:

1) A legal warning (or call of attention – “apercibimiento”);
2) A fine of up to 500,000 (five hundred thousand) indexed units;
3) A suspension of the concerned database.

In the case of the sanction of suspension, the Act provides however that:

“For that purpose the AGESIC is empowered to request, before the competent jurisdictional authorities, the suspension of databases for a term of up to six business days during which it shall have to be demonstrated whether they infringe or transgress the present Act 259. The constituent facts of the offence shall be reported in accordance with the legal procedures and the suspension shall be ordered within the three days following AGESIC’s request. If, after that term, the judge fails to declare the suspension, AGESIC shall be empowered to declare it by itself.

In this last case, if the Judge subsequently denies the suspension, AGESIC shall have to lift the suspension immediately 260”.

257 Telephone interview with the legal advisor of AGESIC, April 2009
258 Telephone interview with the legal advisor of AGESIC, April 2009
259 Article 35 §1 3): “To that end, AGESIC is empowered to request before the competent jurisdictional bodies the suspension of databases, for a period of up to six working days, in respect of which it is shown that they infringe or transgress this Act.”

In addition, the Act provides that any appeal filed against a court ruling that gave rise to the sanction of suspension shall not have suspensory effect 261. This means that once the sanction is affirmed, AGESIC may proceed with its execution, enforcement or collection. For that purpose, AGESIC may request the assistance of law enforcement agencies to ensure the execution of the resolution 262.

It is, however, surprising that it falls to AGESIC to request the suspension of a database before the judge. As has already been mentioned, the implementation Decree should change this situation by attributing legal personality to the Data Protection Authority. If adopted in these terms, the Decree should allow the Data Protection Authority itself to request the suspension sanction 263.

Administrative sanctions may constitute a dissuasive measure and satisfactorily serve as a deterrent to unlawful processing of personal data and infringement of the Act. We can affirm this because the maximum amount of the fine, which can climb up to 500,000 (five hundred thousand) indexed units 264 – equivalent to US$ 40.785 (calculating the value of indexed units at December 2008) – is an important deterrent. The national minimum salary in Uruguay is the lowest in Latin America and in August 2008 it was $ 4,150 265 a month in local currency (approximately US$ 200). Thus, for a medium-sized company the amount of the fine would be severe.

260 Article 35 §2 - §3: “The facts constituting the infringement shall be documented in accordance with the legal formalities and the suspension must be ordered within the three days following that on which AGESIC requested it; AGESIC shall be empowered to order the suspension itself if the Judge does not rule within that term. In the latter case, if the Judge subsequently denies the suspension, it must be lifted immediately by AGESIC. To enforce that resolution, AGESIC may request the assistance of the public force.”
261 Article 35 §4: “Appeals lodged against the judicial decision granting the suspension shall not have suspensive effect.”
262 Article 35 §5: “To enforce that resolution, AGESIC may request the assistance of the public force.”
263 Telephone interview with the legal advisor of AGESIC.
264 The “indexed unit” is a unit of measure created by the Central Bank of Uruguay in June 2002 that reflects the increase in consumer prices. At that date, an indexed unit was equivalent to one . See http://www.bhu.net/estadisticas/estadisticas.htm

2.2. Remedies against decisions of the Data Protection Authority

Against any decision of the Data Protection Authority, the concerned subject may lodge an administrative appeal. This is first done by asking the same Authority to reconsider the decision (“recurso de revocación”) and later through an administrative appeal before the Executive Power. If the administrative act is confirmed, the person may initiate judicial review of that administrative act before a special tribunal for administrative litigation (“Tribunal de lo Contencioso Administrativo”).

2.3. Criminal sanctions

There are no specific criminal sanctions foreseen in the Data Protection Act. However, by virtue of the confidentiality principle provided in article 11 of the Act, any person who accesses or participates at any stage in the processing of personal data has a duty of professional secrecy, as defined by article 302 of the Criminal Code. Breaches of that professional secrecy can be subject to criminal sanctions. Under the Act, criminal sanctions would only apply in those cases.

This reference apart, the Criminal Code could apply in cases of violation of correspondence and secrets. Please refer to the previous chapter of this report for more explanation about the secrecy of correspondence 266.

3. Level of awareness

As regards the level of awareness, there is no available data to measure compliance with the Act at this time. However, an important indication is that several complaints have already been filed with the Data Protection Authority 267 and court cases are already invoking the Data Protection Act 268. This demonstrates that citizens and companies are aware of the existence of the Act and the rights it confers.

265 Decree 377/08 of 4 August 2008 fixes the amount of the national minimum salary at 4.150 (four thousand one hundred fifty pesos), equivalent to US$ 214 (two hundred and fourteen dollars).
266 See “Statutory safeguards outside data protection legislation”, p. 83
267 Interview with legal advisor to AGESIC.

B. Support and help to individual data subjects in the exercise of their rights

A second characteristic required by WP12 is the existence of efficient support and help for data subjects in the exercise of their rights. Therefore, “the individual must be able to enforce his/her rights rapidly and effectively, and without prohibitive cost. To do so there must be some sort of institutional mechanism allowing independent investigation of complaints.” 269

1. Receiving complaints - support and help from the Data Protection Authority

The Data Protection Authority is entitled to “assist and advise any person that so requests on the scope of the Act and the legal means available for the defence of the rights guaranteed”. Providing support and help to persons is thus part of the explicit functions of the controlling body. Natural or legal persons, of a public or private nature, can address complaints to the Authority. These complaints can initiate an inspection by the Data Protection Authority, as previously explained, and might lead to the imposition of sanctions. These sanctions will, however, only be of an administrative nature and can never result in compensation, which has to be claimed before a court. The controlling body also has an advisory (consultation) mission that should, in practice, help to prevent complaints.

The Authority has already received numerous complaints from individuals and internal requests for advice from different entities of the public administration. The Data Protection Authority is working on these matters, but until its members are appointed to their functions it cannot adopt any decision.

268 See “Case law after the adoption of the Act”, p. 87
269 WP12, p. 7

2. The enforcement of one’s rights: the Habeas data action

As said before, the Data Protection Act foresees that the right of access can be exercised “free of charge” once every six months 270. Any request concerning the exercise of the rights of access, rectification, updating or deletion should be satisfied within five business days 271. Refusal of the effective exercise of those rights entitles the data subject to initiate a habeas data action 272.

In Latin America, such an action is a specific judicial proceeding intended to protect constitutional rights. The habeas data action has been specifically included in the Data Protection Act, in its articles 37 to 45, to guarantee the enforcement of the data subject’s rights of access, rectification and deletion.

Indeed, article 38 of the Act allows any person to file a legal action for the following purposes: “A) Where the data subject intends to access any personal data concerning him recorded in databases or similar files and said access has been denied or has not been provided by the person responsible for the database in the events and within the timeframes prescribed by law. B) Where the data subject has requested the person responsible for the database or the controller, to perform a rectification, updating, inclusion or deletion of data and said person has failed to do so or to provide reasonable grounds as to the inapplicability of the request within the applicable term specified by law.”

This article of the Act is based on section 33 of the Argentinean Data Protection law.

Article 39 of the Act deals with the capacity to bring this legal action. It is defined in broad terms, following Argentinean case law. It provides that: “The habeas data action may be brought by the affected party, the data subject or a representative, legal guardian or curator thereof, and the universal heirs of deceased persons, whether they are direct or collateral descendants of such persons up to the second degree, who may act by themselves or through an attorney. Where the action is brought by a legal entity, it shall do it through its legal representative or an agent appointed for such purpose 273 ”.

270 Article 14§1 of the Data Protection Act
271 Article 14§3 and 15§2 of the Data Protection Act
272 Article 14§3 and 15§3 of the Data Protection Act

The plaintiff in a habeas data action can sue the data controller in charge of a private or a public (governmental) database.

The procedure applicable to this habeas data action is established in the law (Article 40 of the Act), and articles 14 and 15 of the General Procedural Code apply to the relevant cases 274 . The procedure described in the Act is a copy of the Law of Amparo.

Briefly, the Act provides that “If the action is evidently ungrounded, the court shall dismiss it without exposing any judicial grounds. If the action is admissible, the court shall call the parties to a public hearing within three days as from the filing date” (article 41 of the Act).

At the hearing, the defendant shall be heard, the evidence submitted to the Court and the parties shall present their pleadings. The Court may reject any evidence that it deems evidently irrelevant or unnecessary. To be valid, the hearing must be chaired by the Judge. The Court shall question the witnesses and the parties, who may be cross-examined by the attorneys. The Court shall have the broadest powers of police and direction of the hearing.

At any moment of the proceeding, if the Court deems it necessary to take immediate action, it may take, with provisional character, the measures needed to safeguard rights or liberties that were presumably violated 275 .

273 La acción de habeas data podrá ser ejercida por el propio afectado titular de los datos o sus representantes, ya sean tutores o curadores y, en caso de personas fallecidas, por sus sucesores universales, en línea directa o colateral hasta el segundo grado, por sí o por medio de apoderado. En el caso de personas jurídicas, la acción deberá ser interpuesta por sus representantes legales o los apoderados designados a tales efectos.
274 The Código General del Proceso (General Procedural Code) is the set of norms that regulate procedural actions in Uruguay. See Law 15,982, available at the web site of the General Assembly of Uruguay: http://www.parlamento.gub.uy/leyes/AccesoTextoLey.asp?Ley=15982&Anchor=
275 Article 42 of the Data Protection Act.

Under article 43 of the Act, a judgment in a habeas data action should include the following information:

(a) The specific identity of the authority or individual to whom it is addressed and whose action, fact or omission has given reason to grant the habeas data;

(b) The precise determination of what must or must not be done and, if applicable, the term during which the resolution shall stand;

(c) The term to comply with the judgment, which shall be fixed by the Court considering the special circumstances of the case, and which shall not exceed fifteen consecutive days as from the notification date.

It must be highlighted that the three-day term between the filing of a habeas data action and the public hearing before the judge is rapid.

As regards the costs of such a procedure, one shall notice that the plaintiff (the data subject) will have to pay a court fee, which is however not so large as to make payment impossible. If the data subject cannot afford such payment, he can however seek the benefit of litigating without costs (“beneficio de litigar sin gastos”), or ask the State to provide him a lawyer free of charge.

On these grounds, we are of the opinion that the habeas data action complies with the requirement of the WP12 that data subject shall be entitled to enforce his/her right rapidly, effectively, and without prohibitive cost.

C. Appropriate redress to the injured party

As stated in the WP12:

“This is a key element, which must involve a system of independent adjudication, or arbitration which allows compensation to be paid and sanctions imposed where appropriate ” 276 .

We have seen that the Act has put in place the action of habeas data to enforce the data subject’s rights. However, this procedure cannot be used to claim damages. For this, the data subject has to file a separate lawsuit. It must be highlighted that if the data subject successfully brought a habeas data action, this will constitute a legitimate basis to claim damages and ask for compensation.

The general liability rules provided in the Civil Code of Uruguay and the Data Protection Act (article 12 of the Act) allow the enforcement of the data protection rights and obligations by Courts according to general procedures.

In particular, a Court proceeding may be initiated by the data subject before a civil Court (as opposed to criminal Courts) for compensation of the damage suffered or for protection of any of the rights recognized by the Act or the Regulation.

A Court may find the data controller liable for infringement of the Data Protection Act. The data subject may seek damages in the event of a breach of his data protection rights. Usually, an infringement of a data protection right may cause "daño moral". "Daño moral" is the injury caused to one’s honor, reputation, affections, sentiments and privacy by another’s negligence or intentional acts (e.g. if the personal data is inaccurate, not timely updated or disclosed without authorization).

There is a debate in case law and doctrine about whether “moral damages” are available to any data subject who has suffered a violation of his data protection right. On one side, some case law requires a showing of special damages, while other courts understand that the fact of having inaccurate information in a database is enough to demonstrate the damage without the need for any additional evidence.

276 Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998), p. 7.

The aggrieved individual shall also be entitled to obtain compensation for material damages if he or she is able to demonstrate in Court an economic harm and causation between the infringement of his or her rights and the damage.

VII. Table: Chart comparing EU principles for Adequacy to the Articles of the Data Protection Act of Uruguay.

In this chart we summarize the articles of the Act that contain the principles identified by the Article 29 WP in its guidelines to assess adequacy.

Principles identified by the Article 29 WP / Data protection law of Uruguay

Content Principles
- Purpose limitation principle: Art. 8, 17 and 30
- Data quality and proportionality principle: Art. 7
- Transparency principle: Art. 9, 13, 17 and 27
- Security principle: Art. 10, 11, 20 and Art. 302 of the Criminal Code
- Rights of access, rectification and opposition: Art. 14, 15 and 26; Art. 21 (for marketing)
- Restrictions on onward transfers: Art. 23

Additional principles to be applied to specific types of processing
- Sensitive data: Art. 18 and 19
- Marketing: Art. 21 (opt-out right)
- Automated individual decision: Art. 16

Procedural/Enforcement Mechanisms
- Good level of compliance: Art. 31, 32 and 34
- To provide support and help to individual data subjects: Art. 34 a) and 37 to 42 (habeas data writ)
- To provide appropriate redress to the injured party: Art. 12, rules for liability. See also Amparo rules and Civil Code.

***

VIII. Conclusion

As requested by the European Commission, the examination of the Uruguayan personal data protection system – with a view to a potential adequacy decision in this regard – has been carried out following the guidance issued by the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data – in particular, on the basis of the assessment principles of WP12, which are now framed in a clearly structured methodological grid. The present conclusion aims at summarising our observations – and our conclusions on this basis – as regards this system. It is organised taking the assessment principles of the WP12 as a guide, setting out the adequacies and discrepancies between the Uruguayan regime and these principles. The results presented below exclusively reflect our personal view, based on our observations of the current state of data protection in Uruguay as outlined in this report.

To be complete, the present report had to place the content principles and enforcement mechanisms within their scope of application before tackling them specifically. To this end, our conclusion will equally start with a conclusion on the scope of application of the Act and the legitimating grounds for processing, focusing mainly on the discrepancies with the Directive.

A. Scope

In several aspects, the Data Protection Act affords wider protection than most European regimes. On one hand, protection of personal data is granted to both natural and legal persons. On the other hand, it applies to any processing, whether automatic or not, thus covering manual processing of personal data.

A slight discrepancy with the Directive flows from the definition of the database controller, who can either be the owner of the database or the one who determines the purpose and means of processing.

Concerning the excluded matters, the Data Protection Act provides that it shall not apply to “databases created and governed by special laws”. Such an exemption from the application of the Act might appear very wide, but would actually cover databases existing before the enactment of the Act, in order to maintain their specific regimes, as for example the laws regulating registries of property and the law creating a public database of debtors of the financial system managed by the Central Bank.

While databases “created for the purposes of public safety, defense, state security and government’s activities relating to criminal law, investigation and repression of crimes” are also excluded from the scope of the Act, a specific regime providing minimal guarantees of protection concerning the “databases owned by Armed forces, Police and Intelligence agencies” is foreseen in the Act. The articulation of the general exclusion with the specific regime set out in articles 25 to 27 of the Act will need to be clarified by the judge. One can already notice that a first case dealt with this matter and led to a protective decision, granting an individual the right of access to his personal information held by the Army.

B. Legitimating grounds for processing

As far as the principle of legitimacy is concerned, the Data Protection Act gives more importance to the data subject’s consent, conceived as the main ground for lawfulness of processing, while all others are considered secondary legitimating grounds. A major discrepancy with the Directive comes from the strong link established in the Act between the data subject’s consent and the duty of information. Contrary to what is stated in the Directive, the requirement to inform the data subject only applies in the cases for which his consent is required.

Secondary legitimating grounds of processing are thus not subject to the duty of information. Besides, not all grounds of legitimate processing of the Directive are provided in the Uruguayan system. In particular, we noticed the lack of legitimating grounds in cases where the protection of the “vital interest of the data subject” would be at stake 277 or when the processing would be necessary “for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed. 278 ” Instead, other grounds for lawfulness of processing are provided in the Act, among which one called our attention because of its potentially wide application. Indeed, Article 9 C) of the Act authorizes the processing of some “basic data”, whether referring to natural or legal persons, without the prior and informed consent of the data subjects. Since the WP12 does not address the legitimacy principle, it is worth recalling that no inadequacy conclusion can be built on this point. However, as we did in the report, we have instead concentrated our conclusions on the transparency issue, which are summarized hereunder.

277 Article 7 d) of the Directive

C. Summary of the step-by-step analysis

1. The content principle criteria

1.1. Purpose limitation principle

The purpose limitation principle is present in the Data Protection Act. It is expressed as an autonomous principle that shall apply to every processing. Furthermore, several guarantees are provided with respect to the disclosure of data. Among these guarantees, it is provided that “exchange of data among databases is prohibited”. One can only derogate from this rule if such exchange is authorized by Law. Although it can appear wide, we are of the opinion that this exemption should have little consequence in practice. Indeed, it implies the need for a democratic debate in the General Assembly before allowing derogations from the purpose limitation principle.

1.2. Data quality and proportionality principle

Both principles, according to which data should be accurate, kept up to date and not excessive in relation to the purposes for which they are processed, are clearly represented in the Uruguayan Act. No exemption to this rule is foreseen.

278 Article 7 f) of the Directive

1.3. Transparency principle

As already mentioned, under the Act, information must be provided to the data subject only when his consent is required. An obligation of information is provided at the time of collection, when obtaining the data subject’s consent, and at the time of communicating the data if the data subject has not been previously informed and given his consent. Exemptions to the obligation of information are then provided in all the cases for which the data subject’s consent is not required. Among these cases, several kinds of processing of personal data might involve a lack of transparency that cannot be considered to comply fully with the WP12 requirement, in particular the provision allowing the collection and communication of “basic data” gathered under article 9 C) of the Act. However, the impact of such a provision as a potential weakness in the transparency guaranteed by the Act must be qualified. First and mainly, in the framework of an adequacy decision of the EU concerning Uruguay, the exemptions to the duty of information identified in the Act should not have much impact on the level of transparency guaranteed to Europeans: the exemptions to the obligation of information, and to the data subject’s consent in the cases of article 9§3, are intended to apply only to the collection of personal data carried out by controllers subject to the Uruguayan Act. Second, we could also argue that the Argentinean Act contains a similar provision.

Another exemption to the controller’s obligation of information is foreseen concerning the databases owned by Armed forces, police and intelligence agencies. This exemption is however consistent with article 13 of the Directive.

1.4. Security and confidentiality principle

The security and confidentiality principle is represented in several provisions of the Act. The security duty is mentioned as a general rule, complemented by specific provisions in the telecommunications sector. The confidentiality duty, on its side, applies to controllers, users, and more generally to “any person that, by virtue of a labor relationship or any other kind of relationship with the controller, accesses or participates at any stage in the processing of personal data.” The Act also guarantees that personal data can only be processed under the authority of the controller.

1.5. The rights of the person affected: Access, rectification and opposition

The Data Protection Act contains several provisions relating to natural and legal persons’ rights of access and rectification. There is no general right of opposition as such in the Uruguayan system, except in the matter of direct marketing. However, we think that the right of deletion, as conceived in the Act, may constitute a fair alternative to the right of opposition.

We find that the exemptions to these rights comply with article 13 of the Directive.

1.6. Restrictions on onward transfers

The Data Protection Act prohibits as a rule the transfer of personal data towards countries or organisations that would not afford an adequate level of protection. Adequacy shall be measured according to “International and Regional Law standards”, among which the Data Protection system of Uruguay itself should obviously be taken into account. On this point, a further analysis of the practice developed by the DPA would be necessary.

The Act further provides two sets of exemptions to this restriction. We have found that the first set of exemptions might comply, with some (few) reservations, with the WP12. Because the second set of exemptions is a perfect copy of article 26§1 of the Directive, it must be considered to comply with the WP12.

However, we identify an issue concerning the relationship between the two sets of exemptions, which involves a lack of legal certainty. The Data Protection Authority will have to decide whether the exemptions overlap or whether both apply at the same time. At the time this conclusion is being written, the DPA is however not able to provide us with further clarification on the way these exemptions will be applied 279 . In our opinion, the existence of two sets of exemptions could create a risk of confusion at the time of transferring personal data abroad, and may broaden the cases of transfers of personal data toward non-adequate destinations.

279 Answers of the newly established DPA in June 2009

Finally, the Act provides that, under adequate safeguards such as appropriate contractual clauses, transfers to non-adequate destinations may take place. It will fall to the Data Protection Authority to assess the adequacy of these contractual safeguards.

1.7. Sensitive data

The Uruguayan data protection system foresees additional safeguards for the processing of sensitive data – among which the obligation to obtain the express and written consent of the data subject. As in the European system, exemptions are provided concerning legitimate processing activities carried out by associations with a philosophical, religious, trade union or political aim. Further protection is provided concerning the processing of health data or personal data relating to criminal and civil offences.

1.8. Direct Marketing

The Data Protection Act provides that “the data subject may at any time, request the suppression or blocking of his data”. Additional protection from direct marketing activities is thus guaranteed to data subjects.

1.9. Automated individual decisions

Additional protection concerning automated individual decisions is expressly provided in the Act. In these cases, any person is granted a right to object to an administrative act or private decision that could affect him, which allows the data subject to be informed about the assessment criteria on which the decision was taken.

2. Procedural and enforcement mechanisms

2.1. To deliver a good level of compliance with the rules

The Data Protection Authority is created as a body dependent on “AGESIC”, the Electronic Management Government Development and Knowledge and Information Society Agency, which in turn depends on the Presidency. It is composed of the Executive Director of AGESIC and two members to be appointed by the Executive.

Independence of the Authority is guaranteed through several means. First, it is a decentralized agency, which means that it is not included in the central administration. Second, it is endowed with the broadest technical autonomy, that is to say that it has broad and discretionary power in the matters within its competence. Third, because decisions should be adopted by a majority vote, the executive director of AGESIC should not be able to block a decision (this point will be regulated in the implementation decree).

The Data Protection Authority has three different powers regarding compliance: normative powers, control powers and sanctioning powers, which are typical of any regulatory authority. It is notably in charge of managing the registration of databases, which should contribute to developing data protection awareness in the country. It also has inspection powers that should be further detailed in the Regulation decree to be adopted (which should be within two months from the time we are finalizing the present report).

Finally, Uruguay has a system of sanctions in place that relies on administrative sanctions and criminal sanctions. The latter apply in the cases of breach of professional secrecy and secrecy of communications.

2.2. To provide support and help to data subjects

Providing support and help to persons is part of the explicit functions of the Data Protection Authority. Data subjects can lodge complaints that may lead to the imposition of sanctions. These sanctions will however only be of an administrative nature and can never result in obtaining compensation, which has to be claimed before a tribunal.

Furthermore, the action of habeas data put in place by the Data Protection Act constitutes an effective means for data subjects to exercise their rights rapidly and without prohibitive cost.

2.3. To provide appropriate redress to the injured party

The general liability rules provided in the Civil Code of Uruguay and the Data Protection Act (article 12 of the Act) allow the enforcement of the data protection rights and obligations by Courts according to general procedures.

In particular, a Court proceeding may be initiated by the data subject before a civil Court (as opposed to criminal Courts) for compensation of the damage suffered or for protection of any of the rights recognized by the Act or the future Regulation.

D. Areas of concern

Besides our (important) remarks regarding the scope and the legitimating grounds for processing, and the fact that the processing of personal data in Uruguay can be done without the consent of the data subject in some problematic circumstances, the following elements of our adequacy analysis raise concerns:

- The fact that the obligation of information does not apply in the cases of processing for which the data subject’s consent is not required, that is to say in the cases of article 9§3 of the Act.
- The lack of legal certainty regarding the articulation of both sets of exemptions to the prohibition on onward transfers.
- As regards the enforcement mechanisms, one would keep some reservations, pending the adoption of the implementation decree that shall provide further guarantees, in particular with respect to the independence of the Authority and its inspection powers.

E. Adequacy assessment conclusion

The main difficulty arising in the drafting of an adequacy assessment conclusion with respect to the Uruguayan system comes from the fact that the Act has been adopted recently, that the Data Protection Authority is not officially active 280 and that the implementation decree has not yet been enacted. Our conclusions can only be based on the specific regulations adopted outside the scope of the Act and on the Act itself. And on this basis, Uruguay clearly demonstrates its will to reach an adequate level of protection. One shall indeed notice the provisions that are obviously inspired from European Laws, the Directive itself or the Argentinean Act.

280 It is finally the case since mid-May 2009.

Thereby, taking into account the criteria of WP12, the analysis of the current state of regulation in Uruguay on data protection (bearing in mind the remark we just made above) mainly reveals some reservations concerning (the legitimating grounds 281 ,) the transparency principle and the future interpretation by the Data Protection Authority of the exemptions to the prohibition of international transfers toward non-adequate countries.

We are nonetheless of the opinion that an adequacy assessment has to be taken as a whole, balancing the reservations against the rest of the landscape of personal data protection. This is why we conclude that, at this stage, the Uruguayan data protection system should be considered to provide an adequate level of protection. Our opinion is however that – should a positive adequacy decision be taken for Uruguay – the decision should include a clear statement of the reservations the present report makes and highlight the fact that a revision (update) of the decision shall take place. All this is meant to encourage Uruguay to solve the still existing problem of transparency.

***

281 Which are however not part of the criteria of WP12

IX. Bibliography

Books and articles

• DELPIANO ASENCIO Héctor, Protección de Datos de Carácter Personal , Fondo de Cultura Universitaria, Montevideo, 1997

• DELPIAZZO Carlos Enrique and JOSE VIEGA María, Lecciones de Derecho Telemático , Fondo de Cultura Universitaria, Montevideo, 2004

• DELPIAZZO Carlos Enrique, Derecho Administrativo Uruguayo , UNAM- Porrúa , México, 2005.

• DELPIAZZO Carlos Enrique, “Administración electrónica y tratamiento de la información” in Anuario de Derecho Informático , tomo VIII.

• FLAHERTY David H., Protecting Privacy in Surveillance Societies , University of North Carolina Press, Chapel Hill, London, 1989

• GROS ESPIELL Héctor and ESTEVA GALLICCHIO Eduardo G., Constituciones Iberoamericanas , Instituto de Investigaciones Jurídicas de la UNAM, México, 2005

• PALAZZI, Pablo, La transmisión internacional de datos personales y la protección de la privacidad , Buenos Aires, 2002, Ad-Hoc

• PUCINELLI Oscar Raúl, Protección de datos de carácter personal , Astrea, Buenos Aires, 2004

• RIPPE Siegbert, Secreto bancario , Fondo de Cultura Universitaria, Montevideo, 2005.


• ZINSER Alexander, ”International Data Transfer out of the European Union: The Adequate Level of Data Protection According to Article 25 of the European Data Protection Directive”, John Marshall J. of Comp. & Inf. Law , n°21, 2003, p. 550 et seq

• Credit Reporting Systems and the International Economy , Margaret J. Miller (Editor), The MIT Press, 2003

• Privacy International and EPIC, Privacy and Human Rights report 2006 , chapter about Uruguay.

Documents

• Informe del Instituto de Derecho Informático de la Universidad de la República del 29 de octubre de 2007, available at Derecho Informático, vol VIII , p. 436-456, Fondo de Cultura Universitaria, Montevideo, mayo 2008

• Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12, 1998)

• Commission Decision 2000/518/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (OJ L 215, 25.8.2000, p. 1 et seq.).

• Commission Decision 2002/2/EC of 20.12.2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (OJ L 2, 4.1.2002, p. 13 et seq.).

• Commission Decision C(2003) 1731 of 30.6.2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina (OJ L 168, 5.7.2003, p. 19 et seq.).

• Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey (OJ L 308, 25.11.2003)

• Commission Decision 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man.

• Commission Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ L 215, 25.8.2000, p. 7 et seq.).

• Commission Decision 2008/393/EC of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey (OJ L 138/21, 28.05.2008).

• European Commission, Preparation of a methodology for evaluating the adequacy of the level of protection of individuals with regard to the processing of personal data (Luxembourg: Office for Official Publications of the EC, 1998).

Main Legislation

Constitution of Uruguay

http://www.parlamento.gub.uy/constituciones/const004.htm

Criminal Code of Uruguay

http://www.parlamento.gub.uy/Codigos/CodigoPenal/Cod_Pen.htm

Data Protection Law

http://www.parlamento.gub.uy/leyes/AccesoTextoLey.asp?Ley=18331&Anchor=

http://www.presidencia.gub.uy/_web/leyes/2008/08/CM524_26%2006%202008_00001.PDF

Freedom of Information Act http://www.presidencia.gub.uy/_web/leyes/2008/10/EC1028-00001.PDF

Web sites

Privacy International – Privacy and Human Rights 2006 http://www.privacyinternational.org/index.shtml?cmd[342][]=c-1-Privacy+and+Human+Rights&als[theme]=Privacy%20and%20Human%20Rights&conds[1][category...... ]=Privacy%20and%20Human%20Rights

Information about the political and constitutional system http://countrystudies.us/uruguay/62.htm

Data Protection Authority website

http://www.protecciondedatos.gub.uy/sitio/index.html

X. Annex: Ley n° 18,331

Law 18,331 Data Protection law of Uruguay (Spanish (original) and English (translated by the authors for the need of the present report) versions)

Spanish (original) / English translation

ARTICULO 1. (Derecho humano).- El derecho a la protección de datos personales es inherente a la persona humana, por lo que está comprendido en el artículo 72 de la Constitución de la República.

Section 1. (Human right). The right to personal data protection is inherent to the human person; therefore, it is covered by Section 72 of the Republic’s Constitution.

Artículo 2º. (Ámbito subjetivo).- El derecho a la protección de los datos personales se aplicará por extensión a las personas jurídicas, en cuanto corresponda.

Section 2. (Subjective scope). By extension, the right to personal data protection shall apply to legal persons where applicable.

Artículo 3º. (Ámbito objetivo).- El régimen de la presente ley será de aplicación a los datos personales registrados en cualquier soporte que los haga susceptibles de tratamiento, y a toda modalidad de uso posterior de estos datos por los ámbitos público o privado. No será de aplicación a las siguientes bases de datos: A) A las mantenidas por personas físicas en el ejercicio de actividades exclusivamente personales o domésticas. B) Las que tengan por objeto la seguridad pública, la defensa, la seguridad del Estado y sus actividades en materia penal, investigación y represión del delito. C) A las bases de datos creadas y reguladas por leyes especiales.

Section 3. (Objective scope). This Act shall apply to personal data recorded under any format which makes its processing possible, and to any subsequent form of use of such data by either the public or private sector. The Act shall not apply to databases which: A) Are maintained by natural persons in the course of exclusively personal or household/domestic activities. B) Are created for the purposes of public security, defence, state security and government’s activities relating to criminal law, investigation and repression of crimes. C) Are created and governed by special laws.

Artículo 4º. (Definiciones).- A los efectos de la presente ley se entiende por: A) Base de datos: indistintamente, designan al conjunto organizado de datos personales que sean objeto de tratamiento o procesamiento, electrónico o no, cualquiera que fuere la modalidad de su formación, almacenamiento, organización o acceso. B) Comunicación de datos: toda revelación de datos realizada a una persona distinta del titular de los datos. C) Consentimiento del titular: toda manifestación de voluntad, libre, inequívoca, específica e informada, mediante la cual el titular consienta el tratamiento de datos personales que le concierne. D) Dato personal: información de cualquier tipo referida a personas físicas o jurídicas determinadas o determinables. E) Dato sensible: datos personales que revelen origen racial y étnico, preferencias políticas, convicciones religiosas o morales, afiliación sindical e informaciones referentes a la salud o a la vida sexual. F) Destinatario: persona física o jurídica, pública o privada, que recibiere comunicación de datos, se trate o no de un tercero. G) Disociación de datos: todo tratamiento de datos personales de manera que la información obtenida no pueda vincularse a persona determinada o determinable.

Section 4. (Definitions). In this Act, the following words shall have the meaning set forth herein: A) Database: An organized set of personal data which is subject to treatment or processing, electronically or otherwise, regardless of the way it was created, stored, organized or by which way it can be accessed. B) Communication of data: any disclosure of data to a person other than the data subject. C) Subject’s consent: any expression of a free, unequivocal, specific and informed will, by which the data subject consents to the processing of personal data concerning him. D) Personal data: information of any kind related to identified or identifiable natural or legal persons. E) Sensitive data: personal data revealing the racial and ethnic origin, political opinions, religious or moral beliefs, trade-union membership or information relating to health or sex life. F) Recipient: any natural or legal person, public or private, that receives personal data, whether a third party or not. G) Data dissociation: any processing of personal data that makes it impossible to link the information obtained with any identified or identifiable person.
H) Encargado del tratamiento: persona H) Processor: Any natural or legal física o jurídica, pública o privada, que person, public or private that, either alone sola o en conjunto con otros trate datos or jointly with other persons, processes personales por cuenta del responsable de personal data on behalf of the controller. la base de datos o del tratamiento. I) Fuentes accesibles al público: aquellas I) Accessible public sources: databases bases de datos cuya consulta puede ser that can be consulted by any person, realizada por cualquier persona, no without any legal restrictions or impedida por una norma limitativa o sin obligations other than, where applicable, más exigencia que, en su caso, el abono the payment of a fee. de una contraprestación. J) Tercero: la persona física o jurídica, J) Third party: a natural or legal person, pública o privada, distinta del titular del public or private, other than the data dato, del responsable de la base de datos subject, the controller, the processor or o tratamiento, del encargado y de las any other person authorized to process personas autorizadas para tratar los datos data under the direct authority of the bajo la autoridad directa del responsable o controller or the processor. del encargado del tratamiento. K) Responsable de la base de datos o del K) Database controller or controller: any tratamiento: persona física o jurídica, natural or legal person, public or private, pública o privada, propietaria de la base who is the owner of the database or de datos o que decida sobre la finalidad, decides on the purpose, content and use contenido y uso del tratamiento. of the processing. 124 L) Titular de los datos: persona cuyos L) Data subject: any person whose data datos sean objeto de un tratamiento are subject to a processing within the incluido dentro del ámbito de acción de la scope of application of the Act. presente ley. 
M) Tratamiento de datos: operaciones y M) Data processing: systematic procedimientos sistemáticos, de carácter operations and procedures, whether or automatizado o no, que permitan el not of automatic nature, for the procesamiento de datos personales, así processing of personal data and their como también su cesión a terceros a transfer to third parties by means of través de comunicaciones, consultas, communication, consultation, interconexiones o transferencias. interconnection and transmission. N) Usuario de datos: toda persona, N) Data user: any person, public or pública o privada, que realice a su arbitrio private, who at its sole discretion, el tratamiento de datos, ya sea en una processes data, whether from an own base de datos propia o a través de database or by connecting to one. conexión con los mismos. Artículo 5º. (Valor y fuerza).- La Section 5. (Value and force). actuación de los responsables de las bases Controllers’s conduct, whether public or de datos, tanto públicos como privados, y, private, and, in general, any person en general, de todos quienes actúen en involved in the processing of personal relación a datos personales de terceros, data with respect to third parties shall deberá ajustarse a los siguientes abide by the following general principles: principios generales: A) Legalidad. A) Lawfulness. B) Veracidad. B) Accuracy. C) Finalidad. C) Purpose. D) Previo consentimiento informado. D) Previous, informed consent. E) Seguridad de los datos. E) Security F) Reserva. F) Confidentiality. G) Responsabilidad. G) Responsibility. Dichos principios generales servirán These general principles shall serve as también de criterio interpretativo para interpretive criteria to solve any issue that resolver las cuestiones que puedan may arise from the application of the suscitarse en la aplicación de las relevant provisions. disposiciones pertinentes. Artículo 6º. (Principio de legalidad).- La Section 6. (Lawfulness principle). 
The formación de bases de datos será lícita creation of databases shall be deemed cuando se encuentren debidamente legal if they are dully registered, and inscriptas, observando en su operación los carried out in conformity with the principios que establecen la presente ley y principles set forth in this Act and with las reglamentaciones que se dicten en any regulations with respect thereto that consecuencia. may be enacted. Las bases de datos no pueden tener Databases shall not be created for finalidades violatorias de derechos purposes that violate human rights, or are humanos o contrarias a las leyes o a la against the law or public morality. moral pública. Artículo 7º. (Principio de veracidad).- Los Section 7. (Accuracy principle). All datos personales que se recogieren a los personal data obtained for the purpose of efectos de su tratamiento deberán ser being processed shall be accurate, veraces, adecuados, ecuánimes y no adequate, equitable and not excessive 125 excesivos en relación con la finalidad with respect to the purpose for which para la cual se hubieren obtenido. La they were obtained. Collection of recolección de datos no podrá hacerse por personal data shall not be carried out medios desleales, fraudulentos, abusivos, through unfair, fraudulent, abusive means extorsivos o en forma contraria a las or through any way against the provisions disposiciones a la presente ley. of this Act. Los datos deberán ser exactos y Data shall be accurate and be updated actualizarse en el caso en que ello fuere when necessary. necesario. Cuando se constate la inexactitud o If any data are found to be inaccurate or falsedad de los datos, el responsable del false, the data controller, as soon as he tratamiento, en cuanto tenga has knowledge of the said circumstances, conocimiento de dichas circunstancias, shall delete, replace or complete them deberá suprimirlos, sustituirlos o with accurate, true and updated data. 
completarlos por datos exactos, veraces y Also, any expired data in accordance actualizados. Asimismo, deberán ser with this Act shall be deleted. eliminados aquellos datos que hayan caducado de acuerdo a lo previsto en la presente ley. Artículo 8º. (Principio de finalidad).- Los Section 8. (Purpose principle). Data datos objeto de tratamiento no podrán ser subject to processing shall not be used for utilizados para finalidades distintas o other or incompatible purposes than those incompatibles con aquellas que motivaron for which they were obtained. su obtención. Data shall be deleted once they have Los datos deberán ser eliminados cuando become unnecessary or irrelevant for the hayan dejado de ser necesarios o purposes for which they were collected. pertinentes a los fines para los cuales hubieren sido recolectados. The regulations shall determine the cases La reglamentación determinará los casos and procedures in which, only as an y procedimientos en los que, por exception and taking into consideration excepción, y atendidos los valores historical, statistical or scientific values históricos, estadísticos o científicos, y de and according to specific laws, retention acuerdo con la legislación específica, se of personal data shall continue even after conserven datos personales aun cuando the expiration of the said need or haya perimido tal necesidad o pertinencia. relevance. Exchange of data among databases shall Tampoco podrán comunicarse datos entre not be permitted unless such exchange is bases de datos, sin que medie ley o previo authorized by Law or with the previous consentimiento informado del titular. and informed consent of the data subject. Artículo 9º. (Principio del previo Section 9. (Previous and informed consentimiento informado).- El consent principle). 
Processing of tratamiento de datos personales es lícito personal data is lawful when the data cuando el titular hubiere prestado su subject has given his previous, free, consentimiento libre, previo, expreso e express and informed consent, and there informado, el que deberá documentarse. is recorded evidence of such consent. El referido consentimiento prestado con Said consent together with any other otras declaraciones, deberá figurar en statements made, shall be stated in an forma expresa y destacada, previa explicit and evident form. The person notificación al requerido de datos, de la giving consent shall have been previously información descrita en el artículo 12 de notified of the information established in 126 la presente ley. Section 12 of this Act. No será necesario el previo Previous consent shall not be necessary consentimiento cuando: when: A)Los datos provengan de fuentes A) The data are obtained from public públicas de información, tales como sources of information, such as registers registros o publicaciones en medios or publications in the media. masivos de comunicación. B) The data are gathered for the B)Se recaben para el ejercicio de exercise of functions peculiar to the state funciones propias de los poderes del powers or by virtue of a legal obligation. Estado o en virtud de una obligación C) The data consist of records, which legal. in the case of natural persons, are C)Se trate de listados cuyos datos se restricted to information about the first limiten en el caso de personas físicas a and last name, national identity number, nombres y apellidos, documento de nationality, domicile and birth date. In identidad, nacionalidad, domicilio y fecha the case of legal persons, the records are de nacimiento. 
En el caso de personas restricted to information about the jurídicas, razón social, nombre de business name, fancy name, the tax fantasía, registro único de contribuyentes, identification number, domicile, domicilio, teléfono e identidad de las telephone and the names of the people in personas a cargo de la misma. charge of the entity. D)Deriven de una relación contractual, D) The data arise from a contractual, científica o profesional del titular de los scientific or professional relationship datos, y sean necesarios para su with the data subject and are necessary desarrollo o cumplimiento. for the fulfillment or development of the E)Se realice por personas físicas o said relationship. jurídicas, privadas o públicas, para su uso E) The processing is carried out by exclusivo personal o doméstico. natural or legal persons, private or public, for exclusively personal or household use. Artículo 10. (Principio de seguridad de Section 10. (Data security principle). los datos).- El responsable o usuario de la The controller or user must adopt the base de datos debe adoptar las medidas necessary measures to ensure the security que resultaren necesarias para garantizar and confidentiality of all personal data. la seguridad y confidencialidad de los Said measures shall be aimed at avoiding datos personales. Dichas medidas tendrán any alteration, loss or unauthorized por objeto evitar su adulteración, pérdida, access or processing of information, and consulta o tratamiento no autorizado, así at detecting any deviations thereof como detectar desviaciones de whether intentional or not, and regardless información, intencionales o no, ya sea of whether the risks were caused by que los riesgos provengan de la acción human action or the technology used. humana o del medio técnico utilizado. Los datos deberán ser almacenados de All data must be stored in a way that modo que permitan el ejercicio del allows the data subjects to exercise their derecho de acceso de su titular. 
right of access Queda prohibido registrar datos It is hereby forbidden to record personal personales en bases de datos que no data in databases that do not meet the reúnan condiciones técnicas de integridad integrity and security technical y seguridad. requirements. Artículo 11. (Principio de Section 11. (Confidentiality principle). reserva).- Aquellas personas físicas o Any natural or legal person that lawfully 127 jurídicas que obtuvieren legítimamente obtains access to information which can información proveniente de una base de be processed must use it preserving its datos que les brinde tratamiento, están confidentiality and exclusively for the obligadas a utilizarla en forma reservada carrying out of his ordinary business y exclusivamente para las operaciones activities, and shall not disclose said habituales de su giro o actividad, estando information to third parties. prohibida toda difusión de la misma a terceros. Las personas que, por su situación laboral Any person that, by virtue of a labour u otra forma de relación con el relationship or any other kind of responsable de una base de datos, relationship with the controller, accesses tuvieren acceso o intervengan en or participates at any stage in the cualquier fase del tratamiento de datos processing of personal data, shall have a personales, están obligadas a guardar professional secrecy duty (pursuant to estricto secreto profesional sobre los section 302 of the Criminal Code), if the mismos (artículo 302 del Código Penal), data were obtained from non accessible cuando hayan sido recogidos de fuentes public sources. This obligation shall not no accesibles al público. Lo previsto no apply in the case a warrant has been será de aplicación en los casos de orden granted by a competent court, in de la Justicia competente, de acuerdo con accordance with the applicable law or if las normas vigentes en esta materia o si the data subject has given his consent. mediare consentimiento del titular. 
This obligation shall survive after the Esta obligación subsistirá aun después de termination of the relationship with the finalizada la relación con el responsable controller. de la base de datos. Artículo 12. (Principio de Section 12. (Responsibility principle). responsabilidad).- El responsable de la The controller shall be liable for any base de datos es responsable de la violation to the provisions of this Act. violación de las disposiciones de la presente ley. Artículo 13. (Derecho de información Section 13. (Right of information). Data frente a la recolección de datos).- Cuando subjects whose data are being collected se recaben datos personales se deberá shall be entitled to be previously notified informar previamente a sus titulares en in an express, unequivocal and clear way forma expresa, precisa e inequívoca: of: A)La finalidad para la que serán tratados A) The purpose for which the data y quiénes pueden ser sus destinatarios o are going to be processed and the clase de destinatarios. recipients or classes of recipients. B)La existencia de la base de datos, B) Whether data of which he is the electrónico o de cualquier otro tipo, de data subject has been recorded in a data que se trate y la identidad y domicilio de file, in electronic or other form, and the su responsable. name and domicile of the person C)El carácter obligatorio o facultativo de responsible therefore. las respuestas al cuestionario que se le C) Whether the answers included in proponga, en especial en cuanto a los the submitted questionnaire are datos sensibles. mandatory or facultative, especially with D)Las consecuencias de proporcionar los regards to sensitive data. datos y de la negativa a hacerlo o su D) The consequences of providing inexactitud. the data or refusing to do so or of their E)La posibilidad del titular de ejercer los inaccuracy. 128 derechos de acceso, rectificación y E) The data subject’s rights of supresión de los datos. 
access, rectification and suppression of the data. Artículo 14. (Derecho de acceso).- Todo Section 14. (Right of access). The data titular de datos personales que subject is entitled to access any of his previamente acredite su identificación information recorded in public or private con el documento de identidad o poder databases upon evidencing his identity respectivo, tendrá derecho a obtener toda through the national identity document or la información que sobre sí mismo se a relevant power. This right of access halle en bases de datos públicas o may only be exercised free of charge privadas. Este derecho de acceso sólo once every six months, unless, according podrá ser ejercido en forma gratuita a to law, there is a legitimate new interest intervalos de seis meses, salvo que se to request access. hubiere suscitado nuevamente un interés legítimo de acuerdo con el ordenamiento jurídico. Cuando se trate de datos de personas In the case of deceased persons, their fallecidas, el ejercicio del derecho al cual general heirs shall be entitled to exercise refiere este artículo, corresponderá a the right stated in this Section, upon cualesquiera de sus sucesores universales, evidencing such character by presenting cuyo carácter se acreditará por la the determination of the descendant’s sentencia de declaratoria de herederos. heirs ruled by the court. La información debe ser proporcionada The information shall be provided within dentro de los cinco días hábiles de haber five working days upon the reception of sido solicitada. Vencido el plazo sin que the information request. If after this el pedido sea satisfecho o si fuera period, the access request has not been denegado por razones no justificadas de satisfied or has been refused on grounds acuerdo con esta ley, quedará habilitada that are not in accordance with this Act, la acción de habeas data. the applicant may file an habeas data La información debe ser suministrada en action in court. 
forma clara, exenta de codificaciones y en The information must be provided in a su caso acompañada de una explicación, clear way, without any codes and, where en lenguaje accesible al conocimiento applicable enclosing an explanation medio de la población, de los términos thereof, in layman’s language. que se utilicen. The information must be extensive and La información debe ser amplia y versar must concern the complete record sobre la totalidad del registro corresponding to the data subject, even if perteneciente al titular, aun cuando el the request refers to only one item of requerimiento sólo comprenda un aspecto personal data. In no case shall the report de los datos personales. En ningún caso el disclose data corresponding to third informe podrá revelar datos parties, even if such data are related to pertenecientes a terceros, aun cuando se the requesting party. vinculen con el interesado. La información, a opción del titular, The information may, at the data subject's podrá suministrarse por escrito, por option, be provided in writing, by medios electrónicos, telefónicos, de electronic, telephonic, visual, or other imagen, u otro idóneo a tal fin. means that are appropriate for such purpose.

129 Artículo 15. (Derecho de rectificación, Section 15. (Rectification, updating, actualización, inclusión o addition or suppression right). supresión).- Toda persona física o jurídica tendrá derecho a solicitar la rectificación, Every natural or legal person has the actualización, inclusión o supresión de los right to request the rectification, datos personales que le corresponda updating, inclusion or deletion of incluidos en una base de datos, al personal data stored in databases if an constatarse error o falsedad o exclusión error or falsehood or exclusion is noticed. en la información de la que es titular. El responsable de la base de datos o del tratamiento deberá proceder a realizar la rectificación, actualización, inclusión o Within five business days upon receiving supresión, mediante las operaciones the request from the data subject, the necesarias a tal fin en un plazo máximo controller shall rectify, update, add or de cinco días hábiles de recibida la suppress the personal data by performing solicitud por el titular del dato o, en su the necessary operations for such caso, informar de las razones por las que purpose, or where applicable, notify the estime no corresponde. data subject the reasons why the said El incumplimiento de esta obligación por request is not applicable. parte del responsable de la base de datos o del tratamiento o el vencimiento del Non-compliance with this obligation by plazo, habilitará al titular del dato a the controller upon the expiration of the promover la acción de habeas data above mentioned term shall entitle the prevista en esta ley. data subject to initiate an habeas data No procede la eliminación o supresión de action as prescribed in this Act. datos personales salvo en aquellos casos de: Elimination or suppression of personal A) Perjuicios a los derechos e intereses data shall not apply except if: legítimos de terceros. A) Legitimate rights or interests B) Notorio error o falsedad. 
of third parties could be affected C) Contravención a lo establecido por una B) There is an evident error or obligación legal. falseness Durante el proceso de verificación, C) Not doing so would mean rectificación o inclusión de datos non compliance with a legal obligation personales, el responsable de la base de During a process of verification, datos o tratamiento, ante el requerimiento rectification or inclusion of personal data, de terceros por acceder a informes sobre the controller shall inform any third los mismos, deberá dejar constancia que parties requesting reports on such data dicha información se encuentra sometida that the data are being revised. a revisión. En el supuesto de comunicación o transferencia de datos, el responsable de The controller shall notify to third parties la base de datos o del tratamiento debe to whom the data have been disclosed of notificar la rectificación, inclusión o the rectification, inclusion or deletion supresión al destinatario dentro del quinto within five business days as from the day día hábil de efectuado el tratamiento del the data was processed. dato. La rectificación, actualización, inclusión, Where a rectification, updating, addition eliminación o supresión de datos or suppression of personal data applies, it personales cuando corresponda, se will be at no cost for the data subject. 130 efectuará sin cargo alguno para el titular. Artículo 16. (Derecho a la impugnación Section 16. (Right to object personal de valoraciones personales).- Las assessments). 
Any person is entitled to personas tienen derecho a no verse sometidas a una decisión con efectos ensure that no decision having legal jurídicos que les afecte de manera effects and which significantly affects significativa, que se base en un tratamiento automatizado o no de datos him/her is taken on the basis of a destinado a evaluar determinados processing of personal data whether or aspectos de su personalidad, como su rendimiento laboral, crédito, fiabilidad, not by automatic means for the purpose conducta, entre otros. of evaluating some aspects of his/her

El afectado podrá impugnar los actos personality, such as, among others, his administrativos o decisiones privadas que performance at work, his impliquen una valoración de su comportamiento, cuyo único fundamento creditworthiness, his reliability or his sea un tratamiento de datos personales conduct. que ofrezca una definición de sus características o personalidad. En este caso, el afectado tendrá derecho a The affected person shall be allowed to obtener información del responsable de la contest any administrative act or private base de datos tanto sobre los criterios de valoración como sobre el programa decisions which imply an assessment of utilizado en el tratamiento que sirvió para his/her behaviour and which is solely adoptar la decisión manifestada en el acto. based on a processing of personal data La valoración sobre el comportamiento that defines said person’s profile or de las personas, basada en un tratamiento de datos, únicamente podrá tener valor personality. probatorio a petición del afectado. In such a case, the affected person shall be entitled to be informed by the controller of the assessment criteria and the program used to process the data on which the taken decision was based.

A person’s behaviour assessment, based on the processing of data, can only have an evidential value when the affected person has requested it. Artículo 17. (Derechos referentes a la Section 17. (Data communication comunicación de datos).- Los datos rights). The personal data subject to personales objeto de tratamiento sólo processing shall only be communicated podrán ser comunicados para el for the carrying out of the purposes cumplimiento de los fines directamente directly related to the legitimate interests relacionados con el interés legítimo del of the sender and the recipient, provided 131 emisor y del destinatario y con el previo that the data subject has given his consentimiento del titular de los datos, al previous consent, which must be que se le debe informar sobre la finalidad informed about the purpose of such de la comunicación e identificar al communication and the identification of destinatario o los elementos que permitan the recipient or elements that enable him hacerlo. to identify such recipient. El previo consentimiento para la The said previous consent to the comunicación es revocable. communication of data shall be El previo consentimiento no será revocable. necesario cuando: The previous consent requirement shall A)Así lo disponga una ley de interés not apply when: general. A) A general law so provides; B)En los supuestos del artículo 9º de la B) The provisions set forth in Section 9 presente ley. of this Act apply. 
C)Se trate de datos personales relativos a C) The personal data consist of health la salud y sea necesario por razones de data and their communication is salud e higiene públicas, de emergencia o necessary to safeguard public health or para la realización de estudios due to emergency reasons or for epidemiológicos, en tanto se preserve la conducting epidemiological studies and identidad de los titulares de los datos provided that the identity of the data mediante mecanismos de disociación subject is kept confidential through adecuados. adequate dissociation mechanisms; D)Se hubiera aplicado un procedimiento D) A dissociation procedure had been de disociación de la información, de applied, which makes the data subject modo que los titulares de los datos no unidentifiable. sean identificables. El destinatario quedará sujeto a las The recipient shall be subject to the same mismas obligaciones legales y regulatory and legal obligations as the reglamentarias del emisor y éste person responsible for the data, and both responderá solidaria y conjuntamente por shall respond jointly and severally for the la observancia de las mismas ante el observance of such obligations before the organismo de control y el titular de los controlling body and the relevant data datos de que se trate. subject. Artículo 18. (Datos sensibles).- Ninguna Section 18. (Sensitive data). No person persona puede ser obligada a shall be compelled to provide sensitive proporcionar datos sensibles. Éstos sólo data. Sensitive data may only be subject podrán ser objeto de tratamiento con el to processing with the express and consentimiento expreso y escrito del written consent of the data subject. titular. 
Sensitive data shall only be collected and subject to processing on general interest grounds authorized by law, or when the requesting body is legally empowered to do so. Said data may also be processed for statistical or scientific purposes provided they are dissociated from the data subjects.

The creation of databases that store information that directly or indirectly discloses sensitive data is hereby forbidden. Said prohibition shall not apply to political parties, trade unions, churches, religious organizations, associations, foundations and other non-profit institutions with a political, religious, philosophical or trade-union aim, with respect to data on the racial or ethnic origin, health or sex life of their associates or members, on condition that the communication of such data shall always require the previous consent of the data subject.

Processing of personal data relating to criminal, civil or administrative offences may only be carried out by the competent public authorities, in accordance with the applicable laws and regulations, without prejudice to further authorizations that may be granted at any time by law. No provision established herein shall prohibit public authorities from communicating or making public the identity of any natural or legal person under investigation for, or having committed, any offence under applicable law, where other rules so provide or where said authorities deem it appropriate.

Section 19. (Health related data). Public and private health care institutions and health care professionals may collect and process personal data related to the physical and mental health of the patients that request treatment or are or have been under treatment in those institutions, in accordance with the professional secrecy duty, the specific rules and the provisions set forth herein.

Section 20. (Data protection in telecommunications activities). Telecommunications operators that operate public networks or provide electronic communications services to the public shall guarantee the protection of personal data in the carrying out of their activities in accordance with this Act.

They shall also adopt appropriate technical and management measures to preserve security in the operation of their network and the provision of their services, in order to meet the standards of personal data protection required by the rules implementing this Act on the subject. In the event of a particular risk of a security breach of the public electronic communications network, the operator that operates that network or provides the electronic communications service shall inform the subscribers of said risk and of the measures to be adopted.

These provisions shall apply without prejudice to the specific telecommunications rules concerning public safety and national defence.

Section 21. (Databases for marketing purposes). In the collection of addresses, delivery of documents, advertising, sales or other similar activities, data that are suitable for establishing specific profiles for promotional, commercial or advertising purposes, or for establishing consumer habits, may be processed when they appear in documents accessible to the public, have been provided by the data subjects themselves, or have been obtained with their consent.

In the cases set forth in this section, the data subject may exercise the right of access free of charge.

The data subject may at any time request the suppression or blocking of his data from the data banks referred to in this section.

Section 22. (Data related to credit reporting). The processing of personal data for the purpose of providing objective commercial reports is hereby expressly authorized, including reports with respect to the compliance or non-compliance with commercial or credit obligations that make it possible to assess business engagements in general, as well as the commercial behaviour or solvency of the data subject, provided that the data have been obtained from publicly accessible sources, from information provided by the creditor, or in the circumstances prescribed in this Act. In the case of legal persons, besides the circumstances prescribed in this Act, the processing of all information authorized by applicable law is permitted.

Personal data with respect to the commercial obligations of natural persons may only be kept on record for a term of five years from their being recorded. If, upon the expiration of said term, the obligation has not been settled, the creditor may request the database controller, only once, to record the obligation for another five-year term. Said request shall be made within the thirty days preceding the original expiration date.

Obligations that have been paid or extinguished by any means shall be kept on record, with express mention of this fact, for a maximum non-renewable term of five years from the date of payment or extinction.

Database controllers shall limit themselves to the objective processing of the recorded information as it was provided to them, and shall abstain from making any subjective assessments of said information.

When an unpaid obligation recorded in a database is settled, the creditor shall inform the database or processing controller thereof within a maximum term of five business days from the settlement; the controller shall then have a maximum term of three business days to update the data by recording the new situation.

Section 23. (International transfer of personal data). It is hereby forbidden to transfer personal data of any kind to countries or international organizations that do not provide adequate levels of protection in accordance with the standards of international or regional law on this subject.

Said prohibition shall not apply in any of the following cases:

1) International judicial cooperation, in accordance with the respective international instrument, whether a treaty or a convention, considering the circumstances of the case.
2) Exchange of medical data, when the treatment of the affected person so requires for reasons of public health or hygiene.
3) Bank or stock exchange transfers, with respect to the respective transactions and in accordance with the applicable law.
4) Agreements within the framework of international treaties to which the Oriental Republic of Uruguay is a party.
5) International cooperation between intelligence agencies in the fight against organized crime, terrorism and drug trafficking.

International transfer of data is also authorized on condition that:

A) The data subject has given his consent unambiguously to the proposed transfer;
B) The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request;
C) The transfer is necessary for the conclusion or performance of a contract concluded, or to be concluded, in the interest of the data subject between the controller and a third party;
D) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
E) The transfer is necessary in order to protect the vital interests of the data subject;
F) The transfer is made from a register which, according to laws or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

Without prejudice to the first paragraph of this section, the Personal Data Regulatory, Protection and Controlling Authority (Unidad Reguladora y de Control de Protección de Datos Personales) may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with regard to the exercise of the corresponding rights. Such safeguards may arise from appropriate contractual clauses.

Section 24. (Creation, modification or suppression). The creation, modification or suppression of databases belonging to government agencies shall be registered in accordance with the next chapter.

Section 25. (Databases owned by the Armed Forces, Police and Intelligence Agencies). This Act shall apply to personal data which, having been stored for administrative purposes, must be recorded on a permanent basis in the databases of the Armed Forces, Police organisms and Intelligence Agencies, and to the personal records which said databases provide to administrative or judicial authorities that request them by virtue of legal provisions.

Processing of personal data for purposes of national defence or public security by the Armed Forces, Police and Intelligence Agencies without the prior consent of the data subjects shall be limited to those cases and categories of data which are strictly necessary to fulfil the missions assigned to them by law in the matters of national defence, public security and the repression of crimes. In those cases, databases shall be specifically established for that purpose, and shall be classified into categories based on their degree of reliability.

Personal data registered for police purposes shall be cancelled when they are no longer necessary for the investigations that motivated their storage.

Section 26. (Exceptions to the rights of access, rectification and suppression). The controllers of databases which include the data described in the second and third paragraphs of the previous section may deny access, rectification or suppression on account of the dangers that could arise for the defence of the State or public security, the protection of the rights and freedoms of third parties, or the needs of ongoing investigations.

The controllers of the databases of the Public Treasury (Hacienda Pública) may likewise deny the exercise of the rights described in the previous paragraph where it would hinder administrative actions intended to ensure compliance with tax obligations, and in any case where the data subject is the subject of inspection proceedings.

The data subject to whom the exercise of the above-mentioned rights is totally or partially denied may present the case to the Controlling Authority, which shall ascertain whether or not the denial was well founded.

Section 27. (Exceptions to the right of information). The provisions of this Act shall not apply to the collection of data when the information of the data subject affects national defence, public safety or the prosecution of criminal offences.

Section 28. (Creation, modification or suppression). Any natural person or private legal person that creates, modifies or suppresses databases of a personal nature, which are not intended exclusively for individual or household use, shall register them in accordance with the provisions set forth in the next section.

Section 29. (Registrar). All public and private databases shall be registered with the Registrar that the Controlling Authority will set up for that purpose, in accordance with the regulatory criteria to be established.

The regulations shall provide in detail the particulars that the registration shall contain, which shall necessarily include the following:

A) Identification of the database and of its controller.
B) Nature of the personal data it contains.
C) Procedures for obtaining and processing the data.
D) Security measures and a technical description of the database.
E) Personal data protection and the exercise of rights.
F) Final use of the data and the natural or legal persons to whom they may be transmitted.
G) Period of time during which the data will be kept.
H) Form and conditions under which persons may access the data referring to them, and the procedures to be followed for the rectification or updating of the data.
I) Number of creditors who are natural persons for whom the five-year period established by section 22 of this Act has expired.
J) Number of cancellations due to default in payment, if applicable, in accordance with section 22 of this Act.

No data user may hold personal data of a nature other than that declared in the register.

Non-compliance with these requirements shall give rise to the administrative sanctions prescribed in this Act.

Commercial databases already registered with the Regulatory Authority shall be subject to the provisions of this Act as to the adaptation period.

Section 30. (Provision of personal data computerized services). Where personal data processing services are provided on behalf of third parties, said data shall not be applied or used for a purpose other than that defined in the service contract, nor assigned to other persons, not even for their preservation.

Once the contractual service has been performed, the processed personal data shall be destroyed, unless the party on whose behalf the services were provided expressly authorizes otherwise where further engagements may reasonably be presumed, in which case the data may be stored, under the due security conditions, for a period of up to two years.

Section 31. (Controlling Authority). The Personal Data Regulatory and Controlling Authority (Unidad Reguladora y de Control de Datos Personales) is hereby created as a decentralized body of the Agencia para el Desarrollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y del Conocimiento (Electronic Management Government Development and Knowledge and Information Society Agency, or AGESIC), endowed with the broadest technical autonomy. It shall be managed by a Council composed of three members: the Executive Director of AGESIC and two members appointed by the Executive Power from among persons whose personal and professional background and knowledge of the subject matter ensure independence of judgement, efficiency, objectivity and impartiality in the performance of their duties.

Except for the Executive Director of AGESIC, the members shall remain in office for four years and may be reappointed. They shall only cease to exercise their functions upon the expiration of their term and the appointment of their successors, or upon their removal by the Executive Power on grounds of ineptitude, omission or crime, in conformity with the guarantees of due process.

During their term of office they shall not receive orders or instructions on technical matters.

Section 32. (Advisory Council). The Executive Council of the Personal Data Regulatory and Controlling Authority will be assisted by an Advisory Council composed of five members:

- A person of renowned record in the promotion and defence of human rights, appointed by the Legislative Branch, who must not be an acting member of parliament.
- A representative of the Judicial Branch.
- A representative of the Attorney General's Office (Ministerio Público).
- A representative of the academic community.
- A representative of the private sector, to be elected following the regulatory procedures.

Its meetings shall be presided over by the President of the Personal Data Regulatory and Controlling Authority. Its members shall remain four years in office and shall meet at the request of the President of the Personal Data Regulatory and Controlling Authority or of the majority of its members.

The Executive Council may consult it on any aspect that falls within its competency and shall consult it when exercising its regulatory powers.

Section 33. (Resources). The Personal Data Regulatory and Controlling Authority shall draw up its budget proposal, which shall be submitted for consideration by the Executive Branch.

Section 34. (Functions). The controlling authority shall take all the necessary actions toward achieving the objectives and complying with the other provisions of this Act. For that purpose it shall have the following functions and powers:

a) Assist and advise any person that so requests on the scope of this Act and on the legal means available for the defence of the rights it guarantees.
b) Establish the rules and regulations to be observed in the carrying out of the activities covered by this Act.
c) Carry out a census of the databases covered by this Act and keep a permanent record thereof.
d) Control compliance with the rules on data integrity, accuracy and security by database controllers, and for that purpose carry out the pertinent inspection proceedings.
e) Request information from public and private entities, which shall furnish the background, documents, software or other elements relating to the processing of personal data that may be required of them. In these cases, the authority shall guarantee the security and confidentiality of the information and elements provided.
f) Give an opinion whenever so requested by the competent authorities, including on requests concerning the imposition of administrative sanctions for the violation of the provisions of this Act, or of the regulations or resolutions governing the processing of personal data covered by it.
g) Necessarily advise the Executive Branch in the consideration of bills that deal, in whole or in part, with personal data protection.
h) Inform any person, free of charge, about the existence of personal databases, their purposes and the identity of their controllers.

Section 35. (Sanctions). The controlling authority may apply the following sanctions to database controllers or data processors in case of violation of the rules of this Act:

1) Warning.
2) A fine of up to five hundred thousand indexed units.
3) Suspension of the respective database. For that purpose AGESIC is empowered to request, before the competent jurisdictional bodies, the suspension, for a term of up to six business days, of databases in respect of which it is proven that they infringed or transgressed this Act.

The facts constituting the offence shall be documented in accordance with the legal formalities, and the suspension shall be decreed within the three days following AGESIC's request; if the judge does not rule within that term, AGESIC shall be empowered to order the suspension itself. In the latter case, if the judge subsequently denies the suspension, AGESIC shall lift it immediately.

Any motion filed against a court ruling granting a suspension shall not have a suspensive effect. To enforce said ruling, AGESIC may request the assistance of law enforcement.

The competent courts shall be determined by the rules of the Judiciary Act (Ley Orgánica de la Judicatura), Act No. 15.750 of June 24, 1985, and its amendments and related rules.

Section 36. (Codes of conduct). The associations or entities representing controllers or users of private data banks may draw up professional practice codes of conduct establishing rules for the processing of personal data that tend to ensure and improve the operational conditions of information systems in accordance with the principles established by this Act.

Said codes shall be registered with the register kept for that purpose by the controlling authority, which may deny registration whenever it considers that they do not conform to the legal and regulatory provisions governing the subject matter.

Section 37. (Habeas data). Every person shall be entitled to file an effective legal action to be informed of the data concerning that person stored in public or private databases, and of their purpose and use; and, in case of error, falsity, prohibition of processing, discrimination or outdated data, to demand their rectification, inclusion, suppression or whatever other action such person deems appropriate.

Where the personal data involved are recorded under a legal provision that imposes a secrecy duty in their respect, the judge shall consider whether to lift said duty taking into account the circumstances of the case.

Section 38. (Legal grounds for the habeas data action and jurisdiction).
personales podrá entablar la acción de The data subject may file an habeas data protección de datos personales o habeas action against any controller of a public data, contra todo responsable de una base or private database in the following de datos pública o privada, en los cases: siguientes supuestos: A) Where the data subject intends to A) Cuando quiera conocer sus datos access any personal data concerning him personales que se encuentran registrados recorded on databases or similar files and en una base de datos o similar y dicha said information has been denied or has información le haya sido denegada, o no not been provided by the database le hubiese sido proporcionada por el controller in the events and within the responsable de la base de datos, en las timeframes prescribed by law. oportunidades y plazos previstos por la B) Where the data subject has requested ley. the database controller a rectification, B) Cuando haya solicitado al responsable updating, deletion, addition or de la base de datos o tratamiento su suppression of data and said person has rectificación, actualización, eliminación, failed to do so or to provide reasonable inclusión o supresión y éste no hubiese grounds as to the inapplicability of the procedido a ello o dado razones request within the applicable term suficientes por las que no corresponde lo specified by law. solicitado, en el plazo previsto al efecto en la ley. The following are the competent courts Serán competentes para conocer en las that may hear habeas data actions: acciones de protección de datos 1) In the capital city, the First personales o habeas data: Instance Federal Administrative courts 1) En la capital, los Juzgados that deal with actions against the public Letrados de Primera Instancia en administration offices, and the First lo Contencioso Administrativo, Instance Federal Civil courts in all other cuando la acción se dirija contra cases. 
una persona pública estatal, y los 2) First Instance district courts that Juzgados Letrados de Primera have been granted competency on the Instancia en lo Civil en los subject. restantes casos. 2) Los Juzgados Letrados de Primera Instancia del Interior a quienes se haya asignado competencia en dichas materias. Artículo 39. (Legitimación).- La acción Section 39. (Standing). The habeas data de habeas data podrá ser ejercida por el action may be filed by the affected party, propio afectado titular de los datos o sus the data subject or a representative, representantes, ya sean tutores o guardian or curator thereof, and the curadores y, en caso de personas successors of physical persons, whether fallecidas, por sus sucesores universales, they are direct or collateral descendants en línea directa o colateral hasta el of such persons up to the second degree, segundo grado, por sí o por medio de who may act by himself or through an apoderado. attorney. En el caso de personas jurídicas, la acción Where the action is brought by a legal deberá ser interpuesta por sus entity, it shall do it through its legal representantes legales o los apoderados representative or an agent appointed for designados a tales efectos. such purpose. 145 Artículo 40. (Procedimiento).- Las Section 40. (Procedure). Legal actions acciones que se promuevan por violación filed for violations of the rights a los derechos contemplados en la contemplated herein shall be governed by presente ley se regirán por las normas the provisions set forth below. Sections contenidas en los artículos que siguen al 14 and 15 of the General Procedural presente. Serán aplicables en lo pertinente Code shall be applicable to the relevant los artículos 14 y 15 del Código General cases. del Proceso. Artículo 41. (Trámite de primera Section 41. (First instance procedure). 
instancia).- Salvo que la acción fuera Unless the action is evidently manifiestamente improcedente, en cuyo ungrounded, in which case the court shall caso el tribunal la rechazará sin dismiss it without exposing any judicial sustanciarla y dispondrá el archivo de las grounds and shall cause the case to be actuaciones, se convocará a las partes a filed, the court shall call the parties to a una audiencia pública dentro del plazo de public hearing within three days as from tres días de la fecha de la presentación de the claim’s filing date. la demanda. At the hearing, the defendant shall be En dicha audiencia se oirán las heard and the evidence submitted to the explicaciones del demandado, se court and the parties shall present their recibirán las pruebas y se producirán los pleadings. The court may reject any alegatos. El tribunal, que podrá rechazar evidence which it deems evidently las pruebas manifiestamente irrelevant or unnecessary. The hearing impertinentes o innecesarias, presidirá la must be presided by the Judge or it shall audiencia so pena de nulidad, e be invalid. The court shall interrogate the interrogará a los testigos y a las partes, witnesses and the parties, which may be sin perjuicio de que aquéllos sean, a su also interrogated by the attorneys, and vez, repreguntados por los abogados. shall have the broadest police and Gozará de los más amplios poderes de directional powers with respect to the policía y de dirección de la audiencia. hearing. En cualquier momento podrá ordenar It may, at any moment order any diligencias para mejor proveer. proceeding that will help it to render a La sentencia se dictará en la audiencia o a judgment on the case. más tardar, dentro de las veinticuatro The court shall render judgment at the horas de su celebración. Sólo en casos hearing or within the next twenty four excepcionales podrá prorrogarse la hours. The hearing may be extended up audiencia por hasta tres días. 
to three days only and under exceptional Las notificaciones podrán realizarse por circumstances. intermedio de la autoridad policial. A los All notifications may be served through efectos del cómputo de los plazos de the police department. For purposes of cumplimiento de lo ordenado por la calculating the term to comply with the sentencia, se dejará constancia de la hora court’s decision, the time of notification en que se efectuó la notificación. shall be recorded. Artículo 42. (Medidas provisionales).- Si Section 42. (Injunctions). If, upon the de la demanda o en cualquier otro filing of the claim or at any other moment momento del proceso resultare, a juicio in the course of the proceeding, the court del tribunal, la necesidad de su inmediata should deem it necessary to act without actuación, éste dispondrá, con carácter hesitation, it shall order appropriate provisional, las medidas que cautionary measures in order to safeguard correspondieren en amparo del derecho o the rights and freedoms that were libertad presuntamente violados. presumably violated. 146 Artículo 43. (Contenido de la Section 43. (Content of judgment). A sentencia).- La sentencia que haga lugar judgment affirming an habeas data al habeas data deberá contener: should include the following information: A)La identificación concreta de la A) The specific identity of the autoridad o el particular a quien se dirija authority or individual to whom it is y contra cuya acción, hecho u omisión se addressed and whose action, fact or conceda el habeas data. omission has given reason to grant the B)La determinación precisa de lo que habeas data. deba o no deba hacerse y el plazo por el B) The precise determination of cual dicha resolución regirá, si es que what must or must not be done and, if corresponde fijarlo. applicable, the term during which the C)El plazo para el cumplimiento de lo resolution shall stand. 
dispuesto, que será fijado por el tribunal C) The term to comply with the conforme las circunstancias de cada caso, judgment, which shall be fixed by the y no será mayor de quince días corridos e court considering the case’s special ininterrumpidos, computados a partir de circumstances, and which shall not la notificación. exceed fifteen running uninterrupted days as from the notification date. Artículo 44. (Recurso de apelación y Section 44. (Appeal and second segunda instancia).- En el proceso de instance). In an habeas data proceeding, habeas data sólo serán apelables la only the final judgment and the court’s sentencia definitiva y la que rechaza la dismissal of the claim may be appealed. acción por ser manifiestamente Any appeal motion shall be filed in improcedente. writing, specifying the grounds for the El recurso de apelación deberá request within a peremptory term of three interponerse en escrito fundado, dentro days. In the case of an appeal against a del plazo perentorio de tres días. El dismissal by the court on the grounds that tribunal elevará sin más trámite los autos the complaint lacks legal basis, the court al superior cuando hubiere desestimado la shall submit the case files to the superior acción por improcedencia manifiesta, y lo court without any further action, and in sustanciará con un traslado a la the case the appeal is against the final contraparte, por tres días perentorios, judgment, the court shall substantiate its cuando la sentencia apelada fuese la decision and serve the counterparty definitiva. within a term of three peremptory days. El tribunal de alzada resolverá en The second instance court members shall acuerdo, dentro de los cuatro días agree on a final judgment within four siguientes a la recepción de los autos. La days following the reception of the case interposición del recurso no suspenderá file. 
The appeal motion shall not stay any las medidas de amparo decretadas, las injunction orders decreed, which shall be cuales serán cumplidas inmediatamente enforced immediately after the final después de notificada la sentencia, sin judgment notification, regardless of any necesidad de tener que esperar el legal term during which objections may transcurso del plazo para su impugnación. be presented against it. Artículo 45. (Sumariedad. Otros Section 45. (Summary judgment. aspectos).- En los procesos de habeas Other aspects). In an habeas data data no podrán deducirse cuestiones proceeding, no previous issues, previas, reconvenciones ni incidentes. El counterclaims or related cases shall be tribunal, a petición de parte o de oficio, resolved. By operation of law or at the subsanará los vicios de procedimiento, request of a party, the court shall cure asegurando, dentro de la naturaleza any procedural faults, and considering the 147 sumaria del proceso, la vigencia del summary nature of the process, ensure principio de contradictorio. the effectiveness of the contradiction Cuando se planteare la principle. inconstitucionalidad por vía de excepción If a motion adducing unconstitutionality o de oficio (numeral 2) del artículo 509 y is alleged as a defense or by the court numeral 2) del artículo 510 del Código (paragraph 2 of section 509 and General del Proceso) se procederá a la paragraph 2 of section 510 of the suspensión del procedimiento sólo Procedural Code) the proceeding shall be después que el Magistrado actuante haya postponed provided that the Judge dispuesto la adopción de las medidas hearing the case ordered the enforcement provisorias referidas en la presente ley o, of the provisionary measures set forth in en su caso, dejando constancia this Act, or has exposed the reasons why circunstanciada de las razones de said measures are deemed to be considerarlas innecesarias. unnecessary. Artículo 46. (Adecuación de las bases de Section 46. (Databases adjustment). 
All datos).- Las bases de datos deberán databases shall adjust to this Act within a adecuarse a la presente ley dentro del term of one year from its coming into plazo de un año de su entrada en vigor. effect.

Artículo 47. (Traslado del órgano de Section 47. (Transfer of the control referente a datos comerciales).- Se commercial data controlling establece el plazo de ciento veinte días authority). Within one hundred twenty corridos para que el actual órgano de running days the current controlling control en materia de protección de datos authority for commercial data protection comerciales, a cargo del Ministerio de run by the Ministry of Economy and Economía y Finanzas, realice el traslado Finance shall transfer all information and de la información y documentación a la documentation to AGESIC. AGESIC. Artículo 48. (Derogación).- Se deroga la Section 48. (Repeal). Law no. 17,838 of Ley Nº 17.838, de 24 de setiembre de September 24, 2004 is hereby repealed. 2004.

Artículo 49. (Reglamentación).- El Poder Section 49. (Regulation). The Ejecutivo deberá reglamentar la presente regulations of this Act will be enacted by ley dentro de los ciento ochenta días de su the Executive Power within one hundred promulgación. eighty days from the enactment of this law. Fin End

148