ANALYSIS OF THE ADEQUACY OF PROTECTION OF PERSONAL DATA PROVIDED IN URUGUAY Final report PREPARED BY : Claire GAYREL and Florence de VILLENFAGNE under the supervision of Prof. dr. Yves POULLET CRID (Research Center in IT and Law), University of Namur (Belgium) AND : Dr. Pablo Palazzi Buenos Aires (Argentina) Report delivered in the framework of contract JLS/2007/C4/003 between CRID and the Directorate General Justice, Freedom and Security. 30 April 2009 With an update on 30 June 2009 Table of content Abbreviations ________________________________________________________6 I. Introduction _____________________________________________________7 A. Aim of the report ____________________________________________________ 7 B. Methodology________________________________________________________ 8 1. General remarks __________________________________________________________8 2. Principal assessment criteria_________________________________________________9 2.1. Legal criteria________________________________________________________9 2.2. Methodological criteria________________________________________________9 II. Context of the data protection regime of Uruguay ____________________11 A. Constitutional system and political regime ______________________________ 11 1. Executive Power_________________________________________________________11 2. Legislative Power________________________________________________________12 3. Judiciary Power _________________________________________________________12 4. Local Government _______________________________________________________13 5. Legal system____________________________________________________________13 B. Constitutional background on privacy and fundamental rights_____________ 14 1. Data protection and Privacy as fundamental rights? _____________________________14 2. Constitutionally foreseen remedy____________________________________________16 C. International Human Rights texts effective in Uruguay ___________________ 16 D. Legislative History of the Data Protection Act ___________________________ 17 1. From a first bill to the final adoption of a general Data Protection Act _______________17 III. Assessment of the Data Protection Act of Uruguay ___________________21 A. Preliminary remarks________________________________________________ 21 B. Definitions of the Data Protection Act__________________________________ 22 1. General definitions corresponding to the EU Directive ___________________________22 2. Definitions peculiar to the Uruguayan Act_____________________________________25 C. Scope of the Act ____________________________________________________ 26 1. Substantive scope ________________________________________________________27 1.1. With regard to the controller___________________________________________27 1.2. With regard to the data subjects ________________________________________27 1.3. With regard to the means of processing __________________________________28 1.4. Exceptions in certain fields and special rules for certain kinds of data___________29 1.4.1 Principles applicable to databases owned by Armed forces, Police and Intelligence agencies 30 1.4.2 Other specific regimes _____________________________________________32 2. Territorial scope _________________________________________________________33 D. Basic principles of the Data Protection Act: grounds for lawfulness of processing 34 1. Preliminary remark_______________________________________________________34 2. The consent: main ground for lawfulness______________________________________34 3. Other grounds for lawfulness _______________________________________________35 E. Content Principles __________________________________________________ 38 1. Purpose limitation principle ________________________________________________38 1.1. Definition of WP12__________________________________________________38 1.2. Provisions of the Act_________________________________________________39 1.3. Exemptions ________________________________________________________40 2. Data quality and proportionality principle _____________________________________42 2 2.1. Definition of WP12__________________________________________________42 2.2. Provisions of the Act_________________________________________________42 3. Transparency principle ____________________________________________________43 3.1. Definition of WP12__________________________________________________43 3.2. Provisions of the Act_________________________________________________43 3.2.1 The obligation of information at the time of collection ____________________43 3.2.2 Obligation of information at the time of communication___________________45 3.3. Exemptions ________________________________________________________46 3.3.1 At the time of communication _______________________________________46 3.3.2 At the time of collection or communication: when the data subject’s consent is not required 48 3.3.3 Exemption to the public sector_______________________________________50 4. Security principle ________________________________________________________50 4.1. Definition of WP12__________________________________________________50 4.2. Provisions of the Act_________________________________________________51 5. Right of access, rectification and opposition ___________________________________54 5.1. Definition of WP12__________________________________________________54 5.2. Provisions of the Act_________________________________________________54 5.2.1 Right of access ___________________________________________________54 5.2.2 Right of rectification and deletion ____________________________________56 5.3. Exemptions ________________________________________________________58 5.3.1 Exemptions to the right of deletion whether in the public or private sector_____58 5.3.2 Exemptions to the rights of access, rectification and deletion in the public sector59 6. Restrictions on onward transfers ____________________________________________60 6.1. Definition of WP12__________________________________________________60 6.2. Provisions of the Act_________________________________________________60 6.3. Exemptions ________________________________________________________61 6.4. Relation between the two sets of exemptions ______________________________64 6.5. Adequate safeguards _________________________________________________65 F. Additional principles to be applied to specific types of processing___________ 66 1. Sensitive data ___________________________________________________________66 1.1. Definition of WP12__________________________________________________66 1.2. Provisions of the Act_________________________________________________67 2. Direct marketing_________________________________________________________69 2.1. Definition of WP12__________________________________________________69 2.2. Provisions of the Act_________________________________________________69 3. Automated individual decisions _____________________________________________70 3.1. Definition of WP12__________________________________________________70 3.2. Provisions of the Act_________________________________________________70 IV. Statutory safeguard outside data protection legislation ________________72 A. List of other norms enacted in Uruguay ________________________________ 72 B. Financial sector regulations __________________________________________ 74 C. Employment regulation _____________________________________________ 75 D. Statistics regulation_________________________________________________ 76 E. Regulation related to Youth and Minors________________________________ 76 F. Access to public information Regulations _______________________________ 76 1. Freedom of Information Act________________________________________________76 2. Links between the Data Protection Act and the Freedom of Information Act __________80 3. Memory Regulation ______________________________________________________81 G. Criminal Code _____________________________________________________ 83 1. Interception of correspondence or communications______________________________83 2. Professional secrecy ______________________________________________________83 3. Prohibition of slander and defamation ________________________________________84 V. Important Uruguayan Case Law related to privacy and data protection ____85 3 A. Case law before the enactment of the data Protection Law ________________ 85 1. Gender and data protection_________________________________________________85 2. Privacy in internet. _______________________________________________________85 3. Credit reporting _________________________________________________________86 4. Access to personal information _____________________________________________86 5. Infringement to the right of image ___________________________________________86 6. Identity theft (2007) ______________________________________________________87 7. Identification of parties in case law __________________________________________87 B. Case law after the enactment of the data Protection Law __________________ 87 1. Freedom of expression and privacy __________________________________________87 2. Right of access to personal data hold by Armed forces ___________________________88 VI. Procedural and enforcement mechanisms __________________________90 A. A good level of compliance with the data protection rules _________________ 90 1. Data Protection Supervisory authority ________________________________________91 1.1. Independence of the Data Protection Authority ____________________________91 1.1.1 Structural, functional