Updates on international data transfers.

Recently, the Executive Council of the Regulatory and Control Unit of Personal Data (“URCDP”) issued Resolution No. 70/2023 dated December 5, 2023 (“the Resolution”), establishing new obligations for organizations that carry out - or seek to carry out - international data transfers. This Resolution complements Resolutions No. 23/021 and 63/023.

Uruguay establishes specific guidelines and limitations regarding international data transfers, which involve the flow of personal data from Uruguayan territory (in this case) to recipients established in foreign countries.

 

Article 23 of Law No. 18.331 – “Personal Data Protection Law” provides that, unless an exception is met, the transfer of data to countries or organizations that do not guarantee adequate levels of data protection will be prohibited, all in accordance with current national and international legal standards.

 

For this purpose, Resolution No. 23/2021 established the appropriate jurisdictions for international data transfers (members of the European Union and the European Economic Area, Andorra, Argentina, the private sector of Canada, Guernsey, Isle of Man, Faroe Islands, Israel, Japan, Jersey, New Zealand, United Kingdom, and Switzerland).

 

In most cases, it will not be necessary to obtain the express and informed consent of the data subject to transfer information. This significantly simplifies business operations, especially for customers who use cloud services or digital providers whose servers are located in the United States.

 

Subsequently, Resolution No. 63/2023 expanded the previous list and included as appropriate entities or organizations:

 

- Entities subject to the Personal Information Protection Act of the Republic of Korea.

- Organizations included in the data Privacy Shield list published by the U.S. Department of Commerce.

 

In this context, and in order to complement the aforementioned resolutions, the URCDP Resolution introduced new obligations regarding international data transfers:

 

(i) Obligated parties must inform data subjects of the destination, the role of the data importer, the transfer period, the legal basis, and the processing operations to be carried out.

(ii) Controllers and processors will have 6 months to adjust their privacy policies as established above.

(iii) Registering the database in the Personal Data Database Registry will be a prerequisite for any processing, including international data transfers.

(iv) Controllers and processors intending to make international transfers to organizations under the EU-US Privacy Shield must provide a statement from the importing organization regarding the implementation of data protection measures for data transferred from Uruguay.

 

This statement:

a. may be submitted at the time of registering the database or prior to the transfer, but

b. will not be necessary if there are existing contractual provisions (between the organization and the importer) that offer adequate guarantees, with URCDP's approval.

 

Final considerations

 

Once again, Uruguay demonstrates that it is at the forefront of international data protection trends, adopting appropriate measures to safeguard information.

 

In this context, it is advisable to review (and adjust) internal data transfer policies to comply with the new obligations, while also taking advantage of the benefits and flexibility provided by the newly incorporated jurisdictions.

 

 

Montevideo, December 18, 2023.
