Uruguay discusses data protection landscape, upcoming conference

The European Union

in September that Uruguay had achieved adequacy for personal data protection.

Prior to that, in 2008, the country passed its data protection act. Since that time, the Unit for the Regulation and Control of Personal Data (URCDP) has been established to field data protection complaints and educate the public and database controllers, in both the private and public sector, of their duties and obligations under the act.

“We started working with the databases responsible because we thought we had to prepare them, explaining what their new duties were with the data protection act, what kind of measure they had to implement to responses to requests from the people,” says Federico Monteverde, member of the Executive Council of the URCDP. “When one person goes and asks them, ‘give me all the personal information you have about me,’ they have to be prepared to respond to that request.”

The unit’s focus since then has shifted to educating the general public of their rights to request their own data and to change or update data stored in databases. The unit is working on advertising campaigns and online education courses “not for specialists or lawyers but for anybody who wants to be engaged or wants to know more on this,” Monteverde says.

The URCDP is now preparing to host the 34th International Conference of Data Protection and Privacy Commissioners, a task Monteverde says has kept it very busy.

“The effort is amazing,” he says.

The right to privacy and the right to the protection of personal data are considered fundamental rights and, therefore, are protected in the Constitution of the Eastern Republic of Uruguay based on Article 72 and Act 18.331 on the Protection of Personal Data and “Habeas Data” Action—LPDP, 11 August, 2008.

In order to regulate this right, Uruguay has adopted the European model by following the provisions stated in Convention 108 (ETC), Strasbourg 1981, and the Directive 95/46/EC of 1995. According to these legal instruments, Act 18.331 aims to streamline the fundamental right at stake through a series of other instrumental prerogatives—also called rights—which are by its order as follows:

To that effect, the data subject is granted two consecutive instances: First, prejudicial (petition to databases controller); second, judicial (Habeas Data Action) without prejudice to the competencies of the Supervisory Authority to intervene in order to provide advice or control in the matter.

The Unit for the Regulation and Control of Personal Data (URCDP) has enabled a mechanism for citizens to submit their complaints online, apart from the fact that citizens can submit their complaints without having to resort to justice.

These rights add up to a group of other categories and legal devices—general principles, specially protected data, obligation of registration of the databases, special regime for public-sector ownership databases, statutes of the Organ of Control and special judiciary action—to conform a sound regulatory judiciary system of the fundamental related right to the protection of personal data.

So as to ensure the effective protection of this right, the URCDP was created as a decentralized organ from the Agency for the Development of the Government’s Electronic Management and the Society of Information and Knowledge (AGESIC). The mission of the unit is to ensure the control and observance of this right and to foster the dissemination of this knowledge among citizens, thus contributing to the effectiveness of this will, which can be seen through its decisions, resolutions, assessments and reports.

The unit is responsible for the Register of Databases and is in charge of processing and responding to the complaints of any interested party.

The

of the UCRDP is where all the information related to the action plan of the unit can be accessed.

The act establishes the guiding principles concerning the treatment and use of personal data stored in databases from either the private or public sector, leaving out of its scope databases owned by individuals exercising purely personal or household activities; those which have public security or defense and state security as purpose, and those regulated by law.

One particularity is that the act protects personal data of legal persons, when it corresponds.

On 21 August the European Commission adopted the Decision of Execution C(2012) 5704-(2012/484/UE), relative to the adequate protection of personal data by the Eastern Republic of Uruguay with regards to the automated processing of personal data.

With this decision, Uruguay has consolidated as a reference country in the region in every aspect related to protection of personal data.

On the other hand, since the moment this news was broadcast through the different mass media in our country, the number of questions and complaints received at the URCDP from the citizens have risen significantly, in relation to the prior year.

The main reasons for complaints submitted so far are spam, inclusion in the database of credit card institutions, the right of oblivion due to an inclusion of a lapsed sanction in an official website and communication of personal data and video surveillance systems, among others.

The most urgent issues relate to the promotion and dissemination of the rights as well as the training of the people in charge.

In this sense, the URCDP is devoted to the elaboration of a set of guidelines, manuals and e-learning courses, addressed to the general public, as well as the different sectors of the society—telecommunications, health, education, public administration—with the objective of disseminating, promoting and offering training in relation to the right and the responsibilities.

The main lines of action of the URCDP have been and will continue to be to raise awareness among our citizens that the protection of personal data is a citizen’s right. Therefore, our action plan is to continue organizing information sessions and training sessions for the different social sectors. Our aim is twofold, to continue informing about the contents of the right and its means of protection—that is, administrative or jurisdictional—and furthermore, to make known the procedures that each person or entity shall assume in order to protect his own data, especially when using electronic means of information and communication.

The organization and the hosting of the 34th International Conference of Data Protection and Privacy Commissioners have mapped out the agenda of the coming months.

On the other hand, another topic of great interest is the ratification by Uruguay of the Treaty of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (Série des Traités Européens–STE-N 181) approved in Strasbourg in 1981 and the Additional Protocol regarding supervisory authorities and transborder data flows (Série des Traités Européens – STE- N 181) approved in Strasbourg in 2001.

In this sense, on 29 September, 2011, the Executive Power in Agreement passed a bill to ratify it—which constitutes a significant milestone as it represents the coronation of an initiative started by the URCDP, since up to this day, the Eastern Republic of Uruguay is the only non-EU country invited to adhere to Convention N 108 and its Additional Protocol N 181.