Uruguay’s Personal Data Protection Law (PDPL) came into effect in 2008. It sets standards for businesses that collect and manage the personal data of Uruguay's citizens.
This law marked a significant advance in protecting the rights of Uruguayan citizens by setting clear guidelines for data collection, storage, and processing.
The establishment of the Regulatory and Control Unit for Personal Data (URCDP) strengthened the enforcement of the law.
Uruguayan data privacy law aligns with high international data safety standards, such as the EU’s General Data Protection Regulation (GDPR), making Uruguay a regional leader in privacy compliance.
If your business collects or manages personal data from citizens of Uruguay, you must comply with Uruguay’s Personal Data Protection Law. Thus, understanding the country’s legislation is essential.
This guide covers the major aspects of Uruguay’s PDPL and gives best practices to ensure compliance.
What Is Uruguay’s Personal Data Protection Law (PDPL)?
Uruguay’s Personal Data Protection Law (PDPL) is the primary privacy legislation governing the collection, use, and storage of personal data of Uruguay’s citizens, aiming to protect individuals' privacy while setting obligations and requirements for businesses.
Uruguay’s Personal Data Protection Law, also known as Law No. 18.331, came into effect in 2008.
Uruguay was one of the first countries in Latin America to establish a solid legal framework for personal data protection.
In 2012, Uruguay became the second Latin American country to receive an adequacy decision from the European Commission. Adequacy decisions simplify data transfers for businesses between the EU and Uruguay.
Uruguay’s Personal Data Protection Law requires businesses to implement adequate safeguards to protect personal data from unauthorized access, use, or disclosure, emphasizing the importance of data security. Non-compliance with the legislation can result in significant penalties, including fines and enforcement actions.
The PDPL has extraterritorial scope, meaning that Uruguay’s data privacy law applies to organizations operating within Uruguay and to foreign entities collecting and/or processing data of Uruguayan citizens.
Who Must Comply with the PDPL in Uruguay?
Uruguay’s Personal Data Protection Law has a broad personal scope. It applies to any identified or identifiable natural persons, as well as to legal persons when applicable, whether said persons are private or public, responsible for the database or processing of personal data in Uruguay.
Territorial scope
The law applies if the processing is carried out in Uruguay by a controller or processor established there.
The PDPL also applies to controllers and/or processors outside Uruguay if they fulfill at least one of these criteria:
- Offer goods or services to individuals in Uruguay.
- Monitor the behavior of individuals in Uruguay, or
- Perform data processing activities in Uruguay using means established within the country, such as data centers or communication networks.
Exemptions from the law
The PDPL provides several exemptions:
- Databases maintained by a natural person for exclusive personal or domestic use are exempt from the law.
- Databases used for special purposes serving the national interest (public safety, defense, criminal investigations) are also exempt from the law.
Note that Uruguay's PDPL has an extraterritorial scope. You don’t have to explicitly target Uruguayan consumers to fall under the PDPL. For example, if your company offers services in Spanish and collects or processes data of Uruguayan residents, your company will fall under the law, so you must comply with it.
Data Subject Rights Under Uruguay’s PDPL
Under Uruguay’s legislation, individuals (data subjects) are granted several rights in respect of their personal data. These rights include:
- Right to information 
 Data subjects have the right to know who collects their data, for what purpose, and with whom it is shared.
- Right of access 
 Data subjects have the right to request access to personal data held by companies and organizations.
- Right to rectification 
 Data subjects have the right to correct inaccuracies or incomplete data.
- Right to object 
 Data subjects have the right to object to data processing under certain circumstances.
- Right to deletion 
 Data subjects have the right to request deletion of data when it is no longer needed or if consent is withdrawn.
- Right to data portability 
 Data subjects have the right to request transfer of data in a structured format.
Fundamental Principles of Uruguay’s Data Protection Law
Uruguay’s PDPL and its regulatory decrees establish several core principles that controllers and processors must respect. The main principles include:
- Legality 
 Data processing must be based on a lawful purpose and comply with the law.
- Consent 
 In order to process the personal data of Uruguayans, businesses need to obtain prior and explicit consent.
- Purpose limitation 
 Businesses can only collect data for specific and legitimate purposes. The data may not be further processed in a way inconsistent with those purposes.
- Data proportionality 
 Businesses must collect only data necessary for the declared purpose.
- Data security 
 Businesses must implement appropriate technical and organizational measures to safeguard personal data from loss, unauthorized access, modification, or disclosure.
- Accuracy and update 
 Data must be true, complete, accurate and kept up to date. Data subjects have the right of data rectification.
- Confidentiality 
 Businesses or persons involved in data processing must maintain confidentiality, even after the termination of their relationship with the controller/processor.
- Responsibility 
 The controller and processor must demonstrate compliance and proof of consent. The law introduced the concept of “proactive responsibility”.
These principles should guide you in designing data flows, drafting privacy policies, and implementing safeguards.
Obligations for Data Controllers and Processors
As is the case with many other data privacy laws globally, Uruguay’s PDPL requires data controllers to adhere to a variety of principles regarding the collection and processing of personal data. The above-mentioned principles include legality, consent, purpose limitation, data proportionality and security, accuracy, confidentiality, responsibility, and others.
Uruguay’s data privacy legislation also sets additional obligations that data controllers must abide by.
The obligations for data controllers and processors include:
- Database registration 
 Businesses must register all databases containing personal data with the Unidad Reguladora y de Control de Datos Personales (URCDP). The registration must include the database’s name, the data controller, the categories of data, how the data is collected and processed, the storage location and retention periods, the security measures, and means for data subjects to exercise their right to access, rectify, update, include, or delete their personal data.
- Records of processing and proof of compliance 
 Controllers must adopt “proactive responsibility” measures, meaning that they must implement the privacy by design and by default principles. Controllers must also be able to demonstrate compliance: they need proof of consent (https://cookie-script.com/guides/automating-proof-of-consent).
- Data Protection Officer (DPO) appointment 
 Public entities or private entities processing sensitive data as their core activity or handling large volumes of data (>35,000 individuals) must appoint a DPO in accordance with the law.
- Data protection impact assessments (DPIAs) 
 When processing sensitive data, large volumes of data, or data of vulnerable groups (e.g., minors or individuals with disabilities), data controllers are required to conduct DPIAs in accordance with guidelines issued under the law.
- Security measures 
 Both public and private entities must implement appropriate technical and organizational measures to safeguard the personal data of individuals.
- Data transfers 
 International data transfers are only permitted if the receiving organization is within a country that provides an adequate level of data protection.
- Data breach notifications 
 In instances of data breaches, the data controller must inform both the URCDP and all data subjects who have been affected within 72 hours.
Cross-Border Data Transfers: Rules and Restrictions under the PDPL
If you collect personal data from Uruguayan citizens and want to transfer the data out of Uruguay, you must adhere to specific rules. The PDPL also sets some rules for entities that receive data into Uruguay.
The PDPL has the following rules regarding cross-border data transfers:
- International data transfers are permitted only into countries that provide an adequate level of data protection.
- If the country of destination does not provide an adequate level of data security, transfers to such countries are generally prohibited unless specific safeguards apply (data subject explicit consent, contractual clauses, or self-regulatory systems).
- Transfer of personal data outside of Uruguay within the same corporate group is permitted when the branch or subsidiary has a conduct code duly registered with URCDP.
The extraterritorial scope of the law means foreign data controllers registered outside Uruguay may fall under the PDPL if targeting Uruguayan individuals. In these cases, foreign controllers must also respect Uruguay’s PDPL data transfer rules.
If your organization offers products or services globally and thus has multinational data flows, you should map all your data flows, check which jurisdictions set obligations for compliance, and implement adequate data transfer safeguards.
Data Breach Notification Requirements under the PDPL
Uruguay’s PDPL sets data breach notification rules. When a security incident occurs, or data is leaked, entities must fulfill the following requirements:
- Data controllers or processors must implement procedures to minimize the impact of incidents within the first 24 hours.
- Upon confirmation of a security breach affecting personal data, the controller must notify URCDP within 72 hours of having become aware of the breach. The communication message must contain relevant information such as the true or estimated date of the breach, nature of the breach, categories of personal data affected, and the possible impacts generated. There is currently no standard form for this communication.
- Entities must also notify the data subjects who have suffered a significant impact on their rights of the data breach. Use “clear and simple” language to inform the data subjects.
- Once the data breach has been resolved, the controller must prepare a report detailing the data breach and take action to prevent such a breach in the future. The report must be sent to the URCDP.
Enforcement of the PDPL: The Role of Uruguay’s Data Protection Authority
The regulatory authority of Uruguay’s PDPL is the Regulatory and Personal Data Control Unit (URCDP).
Key functions of the URCDP include:
- Supervises compliance with the PDPL.
- Maintains the database registry and issues guidance.
- Performs inspections.
- Has the power to sanction controllers and processors for breaches of the law.
Businesses must register properly with the URCDP, respond to any investigations, and treat the authority as an active regulator rather than a passive observer. All databases must be registered with the URCDP.
Penalties for Non-Compliance with Uruguay’s PDPL
In the case of data breaches, Uruguay’s regulatory authority has the power to issue:
- a warning;
- a fine of up to five hundred thousand indexed units (approximately USD 65,000);
- suspension of the offending database for up to five business days while an investigation is underway; and
- the cancellation of the database.
Treat compliance as a risk-management imperative and take proactive steps to ensure compliance. The above-mentioned sanctions may be applied on the grounds that data controllers shall take all necessary measures to ensure the security and confidentiality of the database.
Please note that the sanctions are gradual and, in some cases, based on the previous behavior and compliance records of the company.
How to File a Complaint Under Uruguay’s PDPL?
Data subjects who believe their rights have been violated may:
- Submit a complaint to the URCDP via its portal or other available channels.
- Seek the action of habeas data (a judicial remedy) under the law if necessary.
Entities must ensure they have all policies and processes in place to respond to data subject complaints (access, deletion, correction requests). Keep proof of consent as evidence of how you handled personal data. Also, monitor whether any complaints reach the URCDP that may indicate a weakness in your privacy efforts.
Best Practices for Businesses Operating in Uruguay to Comply with the PDPL
To align with the PDPL, businesses should follow these compliance recommendations:
- Obtain and document consent 
 Obtain explicit, informed consent from data subjects. Be transparent about the purpose of data collection and respect data subject rights. Record consent logs for proof of compliance.
- Respect purpose limitation and data minimization principles 
 Limit processing to specific, lawful purposes. Collect personal data for the purposes disclosed at the time of collection and do not process it further in a manner incompatible with those original purposes.
- Ensure data accuracy and relevance 
 All data must be accurate and relevant for the purposes collected.
- Map your personal data flows 
 Identify where data is collected, processed, stored, and transferred. Take special care for cross-border data transfers.
- Classify data by sensitivity 
 Sensitive data must be kept with higher security standards. Classify consumers’ data into categories and treat them accordingly.
- Register databases with the URCDP 
 Register your databases with the URCDP and keep them updated. Some categories of data need to be updated every three months.
- Implement security measures
 Implement robust technical (encryption, access controls), organizational (policies, training), and procedural (incident response) security measures to protect data.
- Appoint a DPO 
 If your business processes large volumes of data or sensitive data, you must appoint a DPO and establish data governance (privacy-by-design and by default, impact assessments).
- Prepare for data breaches 
 Notify the URCDP of any data breaches. Prepare a breach-response plan that covers how to notify the URCDP and consumers, and how to communicate and remediate data breaches.
- Control cross-border data transfers 
 Review and update cross-border data transfers and ensure adequate safeguards or rely on consent or other exceptions.
- Train employees 
 Train employees about data subject rights, internal processes for requests and data breaches.
- Conduct annual data security audits 
 Conduct internal audits of compliance, documentation of decisions, and regular risk assessments.
- Implement a Consent Management Platform (CMP)
 A CMP is used to deliver a cookie notice and inform individuals about their data collection, obtain and store cookie consent, create a Privacy Policy, and respect user consent choices.
CookieScript CMP delivers the right balance of compliance, affordability, and ease of use. You’ll get a fully compliant consent management tool for as little as €8 per month per domain for basic features or for €19 per month per domain for full compliance.
CookieScript CMP has the following features:
- Integrations with CMS platforms like WooCommerce, WordPress, Shopify, etc.
- Cookie banner customization
- Google Consent Mode v2 integration
- IAB TCF v2.2 integration
- Google Tag Manager integration
- Certification by Google
- CookieScript API
- Cookie Scanner
- Consent recordings
- Third-party cookie blocking
- Geo-targeting
- Local storage and session storage scanning
- Self-hosted code
- Cookie banner sharing
- Cross-domain cookie consent sharing
In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform. 
The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with privacy and the latest consent management requirements.
How PDPL Aligns with GDPR and Other Global Privacy Laws
Uruguay’s PDPL is strongly influenced by the GDPR and aligns with GDPR's core principles like transparency, purpose limitation, and data subject rights.
Similarities between PDPL and GDPR
Uruguay holds an adequacy decision: the European Commission has recognized it as providing an adequate level of data protection under EU law.
Uruguay’s PDPL and Europe’s GDPR share these similarities:
- Core principles 
 Both PDPL and GDPR are founded on principles like data minimization, purpose limitation, security, and accuracy.
- Transparency 
 Both laws require organizations to be transparent about how they collect and process personal data.
- Data subject rights 
 Both regulations grant individuals rights regarding their data, such as access and rectification.
- Scope 
 Both laws have similar material, territorial, and personal scopes, and they exempt personal data processed for personal use.
- Sensitive data 
 Both PDPL and GDPR provide special protection for sensitive personal data.
- Breach-notification 
 The PDPL’s breach-notification timeframe (72 hours) is comparable to the GDPR’s standard.
Differences between PDPL and GDPR
However, the PDPL and GDPR also differ in some respects. The main differences include:
- Lawful basis 
 Uruguay’s PDPL does not include legitimate interest as a legal basis for data processing, contrary to the GDPR.
- Children's data 
 PDPL does not set specific obligations for protecting children's data, unlike the GDPR.
- Consent recordings 
 PDPL sets stricter and more extensive recordkeeping obligations for data processors compared to the GDPR, with fewer exceptions for smaller businesses.
- Enforcement and penalties 
 GDPR enforcement is stricter. The penalties for non-compliance with the GDPR are much higher (up to 4% of an organization’s annual turnover globally) than the penalties for non-compliance with the PDPL.
- Cross-border data transfers 
 For international data transfers, the GDPR relies on adequacy decisions or specific safeguards like Standard Contractual Clauses. The PDPL has more restrictions on data transfers (e.g., in Saudi Arabia and Qatar), requiring additional permissions or a case-by-case analysis.
In conclusion, Uruguay’s data privacy law aligns with GDPR's core principles but also has some minor differences. Multinational businesses can leverage their global privacy controls and adapt them for Uruguay as part of a global privacy strategy.
Choose a Consent Management Platform (CMP) that offers geo-targeting. Your consent management system must be able to detect a user’s location and display the correct consent notice for their jurisdiction. A user in Uruguay needs to see a PDPL-compliant cookie notice, while a user in Italy needs a GDPR-compliant one.
CookieScript CMP offers a geo-targeting feature that allows businesses to display the right Cookie Banner and comply with regional jurisdictions like Uruguay’s PDPL.
Frequently Asked Questions
Does Uruguay have a data privacy law?
Yes, Uruguay has a Personal Data Protection Law (PDPL) that came into effect in 2008. It sets standards for businesses collecting and managing the personal data of Uruguay’s citizens. The law aligns with high international data safety standards, such as the EU’s GDPR. If your business collects or manages personal data from citizens of Uruguay, you must comply with the PDPL. Use CookieScript CMP to comply with the PDPL.
Are Data Protection Officers mandatory under Uruguay’s Personal Data Protection Law?
Yes, a Data Protection Officer (DPO) is mandatory for organizations processing large volumes of data (>35,000 individuals) or sensitive data. Use CookieScript CMP to deliver a Cookie Banner and obtain consent to collect personal data.
Is there a requirement to register with a supervisory authority in Uruguay?
Yes, all databases must be registered with the Unidad Reguladora y de Control de Datos Personales (URCDP). The registration must include the database’s name, the data controller, the categories of data, how the data is collected and processed, the storage location and retention periods, the security measures, and means for data subjects to exercise their right to access, rectify, update, include, or delete their personal data.
What are the penalties for non-compliance with Uruguay’s PDPL?
In the case of data breaches, Uruguay’s regulatory authority has the power to issue a warning, a fine of up to five hundred thousand indexed units (approximately USD 65,000), suspend the offending database for up to five business days, or cancel the database. Use CookieScript CMP to comply with the PDPL and avoid penalties.
Is Uruguay’s data privacy law similar to the EU’s GDPR?
Uruguay’s PDPL aligns with GDPR, sharing core principles, transparency, data subject rights, scope, sensitive data, and breach notification. However, both laws also have some minor differences, including treatment of children's data, consent recordings, lawful basis, and enforcement.
What are the rules for cross-border data transfers under the PDPL?
International data transfers are permitted only into countries that provide an adequate level of data protection. If a country of destination does not provide an adequate level of data security, transfers to such countries are generally prohibited unless specific safeguards apply. Transfer of personal data outside of Uruguay within the same corporate group is permitted when the branch or subsidiary has a conduct code duly registered with URCDP.
What are data breach notification requirements under the PDPL?
When a security incident occurs, data controllers or processors must implement procedures to minimize the impact of incidents within the first 24 hours and notify URCDP within 72 hours of having become aware of the breach. Entities must also notify the data subjects who have suffered a significant impact on their rights of the data breach. Once the data breach has been resolved, the controller must prepare a report detailing the data breach.
