Uruguay establishes specific guidelines and limitations in relation to international data transfers, which involve a flow of personal data from Uruguayan territory (in this case) to recipients established in foreign countries.

Article 23 of Law No. 18,331 – “Personal Data Protection Law” provides that, unless an exception is configured, the transfer of data to countries or organizations that do not guarantee adequate levels of data protection will be prohibited. All of this in accordance with current national and international legal standards.

For these purposes, resolution No. 23/2021 established the appropriate jurisdictions for the international transfer of data (the members of the European Union and the European Economic Area, Andorra, Argentina, the private sector of Canada, Guernsey, Isle of Man, Faroe Islands, Israel, Japan, Jersey, New Zealand, United Kingdom, and Switzerland).

In this way, in most cases, it will not be necessary to obtain the express and informed consent of the data subject to transfer information. This substantially simplifies commercial operations, mainly for those clients that use cloud services, or digital providers whose servers are located in the United States.

Subsequently, resolution No. 63/2023 expanded the previous list and included as appropriate entities or organizations:

• Entities subject to the Personal Information Protection Law of the Republic of Korea.
• Organizations included in the list of the Data Privacy Framework published by the Department of Commerce of the United States of America.

In this context, and with the purpose of complementing the aforementioned resolutions, the URCDP Resolution introduced new obligations regarding international data transfers:

1. The obligated subjects must communicate to the owners of the data: the destination, the role of the data importer, the transfer period, the basis of legitimacy, and the processing operations to be carried out.
2. Those responsible and in charge will have a period of 6 months to adjust their privacy policies as established above.
3. The registration of the database in the Registry of Personal Data Bases will be a prerequisite for any processing process, including international data transfers.
4. Those responsible and in charge who are going to make international transfers to organizations under the Privacy Framework of the European Union – United States, must present an express declaration from the importing organization regarding the implementation of protection measures for the data transferred from Uruguay. .

Said statement:

• May be presented at the time of registering the database or prior to the transfer, but,
• It will not be necessary if there are contractual provisions in force (between the organization and the importer) that offer adequate guarantees, with the agreement of the URCDP.

Final considerations

Once again, Uruguay demonstrates to be at the forefront of international trends in data protection, adopting appropriate measures to ensure the safeguarding of information.

In this context, it is advisable to review (and adjust) internal data transfer policies to adapt to the new obligations, but also taking advantage of the advantages and flexibility provided by the newly incorporated jurisdictions.