EPIC --- Privacy and Human Rights Report 2006

Republic of Uruguay

The Constitutional Framework

The Constitution does not explicitly regulate the right to privacy; however, jurists and the national courts unanimously hold that the right to privacy has constitutional standing[5697] in Article 72 of the Constitution,[5698] which provides: "The enumeration of rights, duties, and protections established in the Constitution, does not exclude other rights which are inherent to the human personality or are derived from the republican form of government." This provision permits incorporation with Constitutional standing of any right that, while not explicitly recognized, is inherent to the human person.

Regarding the subject of inviolability of correspondence, Article 28[5699] protects individuals' documents and correspondence of any nature (letters, telegraphic or telephone communications) from all sorts of interception, unless those procedures are performed in compliance with applicable laws. When referring to telephone communications, some scholars have interpreted that such rules not only guarantee the inviolability of the content of the conversation, but also the inviolability of the records containing the list of calls made and received by a particular person.[5700]

If the Constitution does not explicitly recognize the right to privacy, obviously it also does not explicitly include habeas data. Before Law No. 17.838[5701] was enacted, constitutional scholars had suggested that habeas data be incorporated in Article 72, since that article incorporates the essence of natural law, and hence protects and warrants the inherent rights of men, and the general principles of law derived from human dignity that the Constitution recognizes.[5702] The recent enactment of Law No. 17.838 explicitly incorporates habeas data into the Uruguayan legal framework.

Data Protection Framework

The Uruguayan Penal Code[5703] establishes several offences related to the violation of privacy. Article 296 of the Penal Code guarantees the privacy of correspondence, establishing that whoever opens an envelope containing a letter (that is not directed to that person) with the intent of learning about its content is guilty of a felony. Article 298 also punishes the disclosure of information obtained by any means similar to those referred to in Article 296. Article 297 punishes the interception of telephone or telegraphic communications.[5704] Moreover, Articles 300 and 301 increase the maximum penalty when said "information was known by means of fraud and the document was supposed to remain secret by reason of its content or nature." The law also punishes a person who reveals confidential information that has been learned through his job. This provision establishes the obligation to respect professional secrecy. Article 333 of the Penal Code provides the penalty of up to three years' imprisonment for the defamation or slander of any person who can be subject to public scorn. Article 334 provides punishment to any person who by means of speech, gestures, writings, or actions offends the honour of another.

At various times the courts have reviewed disputes in which the right to information conflicts with the right of honor. The courts generally analyze the case and determine: whether the information disseminated concerns events of public interest; whether the description is objective and in accordance with reality; whether it is not aggravating; whether the purpose of providing the information was excessive; or whether the information was published when it was not necessary.[5705]

The Uruguayan Tax Code[5706] and Banking Law No. 15.322,[5707] also regulate privacy and confidentiality in their respective areas. Article 68[5708] of the Tax Code authorizes the Government to require taxpayers and parties in positions of responsibility to produce business records, documents, and correspondence. This documentation is not protected by professional confidentiality, since the taxpayer himself is obligated to produce it. "Business records" are understood to mean the journal and the inventory of assets and liabilities.

The Banking Law establishes the obligation to protect the confidentiality of funds or securities in the checking accounts, deposit accounts, or other accounts belonging to a specific individual or legal entity, and any confidential information received by the bank from its clients. There is some doctrinal discussion about whether secrecy is limited to operations that create liabilities, or also includes operations that create assets. While the financial system has always been opposed to the expansion of banking secrecy to include asset operations, in practice both types of transactions have always been kept secret.

Act 16.713[5709] protects the confidentiality of employment history and other labor records. The employment history includes information about the length of employment, the benefits and contributions paid by each company reported, and the outcome of inspections. The employee can ask for the correction of inexact information. While there are no regulations that protect information in the contractual stage, some writers have contended that it is unlawful to request information about criminal convictions or data about family status, political beliefs, religious beliefs, or union affiliations.[5710]

Law No. 16.616,[5711] enacted on October 20, 1994, regulates the national statistical system. It establishes that the individual information obtained must be treated with the utmost confidentiality, and that a link should exist between the data requested and the objectives of the statistics or census.[5712]

Law No. 16.011, which regulates the writ of relief, offers a procedural base to articulate the habeas data.[5713] In October 2004, the Parliament approved Law No. 17.838 on the Protection of Personal Data,[5714] also called the DBA. The Law regulates data banks containing commercial information[5715] and establishes the institution of habeas data.[5716]

In Uruguay, an individual's access to credit is determined by his credit information. Being aware of this fact, the legislators regulated the handling of credit information with the intention of facilitating access to credit by establishing clear norms in this area.[5717] In Uruguay commercial reports are a very sensitive issue, considering the small population of the country (approximately 3,000,000 inhabitants). A single bad credit report takes a person out of the formal market for credit. Even though the law only regulates credit reports, its Section II regulates habeas data action in such a way as to enable a petitioner to access any information related to him and, if his information is erroneous, inaccurate or discriminatory, enables him to ask for its suppression or rectification. The law also innovates by establishing a data protection authority, which functions under the Ministry of Economy.

The DBA regulates "the recording, storage, distribution, transmission, modification, deletion, and in general, the processing of personal data contained in archives, registers, databases, and other media, whether public or private, designed to provide business reports." This means that any and every method of recording data about individuals or legal entities that are stored for the purpose of providing objective business information is regulated. While the law is vague, parliamentary history allows us to determine the meaning of "objective business information": any information that facilitates evaluation of the ability of individuals to meet their payment obligations.[5718] Possibly this is limited to credit data covering information about operations that create both liabilities and assets.[5719]

In principle, the law provides that individuals who possess data are the owners of the data, and their consent is therefore required for the inclusion of the data in data banks. However, various exceptions establish that certain types of data may be entered without their holder's consent, including, for example, data from public information sources, data collected for the performance of legal assignments or functions, and personal credit data, including data used by companies to meet their own needs.

The data controller is responsible for ensuring that the data collected is true, appropriate, and impartial. Also, the data entered must not be excessive in view of the purpose for which it was collected and the scope of the consent given by the holder of the data.

The legislation establishes the "right to oblivion" (derecho al olvido) insofar as credit data entries must be deleted five years from their recording. If at the end of this period the obligation to the creditor has not been extinguished, the creditor may apply for maintenance of the record for an additional five years.

The DBA also provides that any individual may request access to any information pertaining to him that exists in any data bank, as well as the right to correct erroneous information. Individuals or companies may submit a request for information. If the information is not provided within 20 business days, or its delivery is refused for an unjustifiable reason, the applicant has the right to commence an action for habeas data. Deletion is permitted only if the error or the inaccuracy is obvious, or may cause damage to other individuals. The information must then be reviewed and, if appropriate, corrected within 20 business days from the filing of the request for correction. During this period, an entry must be made in the data bank to show that this information is being reviewed. If by the end of the 20-day period the information has not been corrected or deleted, the applicant has the option of starting an action of habeas data. Such action is aimed at persuading the court to order access to, or correction of, the information. Such an action can therefore be commenced in two cases: a) when the information has not been provided within the required period; or b) when the errors have not been corrected.

The DBA established that an action for habeas data must be treated in the same way as the action for protection of constitutional rights.[5720] The judge must schedule a public hearing within three days after commencing a habeas data action.[5721] The DBA designated the Ministry of Economy and Finance as the authority in charge of monitoring compliance with the law.[5722] The Ministry may punish violating companies by issuing warnings or assessing fines, or even shutting down the data bank.

In October 2006, Uruguay established a register of public and private entities that process personal data. Aimed at providing objective reports of commercial information, this register will be under the responsibility of the Advisory Board that assists the Data Protection Authority. The individuals that process personal data according to the DBA must enroll in the Register within 90 days of the beginning of their activities. The existing databases should register within 90 days after this Decree entered into force.[5723]


In September 2005, the Children and Adolescents Code was approved.[5724] This Code states that any child or adolescent has the right to private life and the right to control their own image. Children’s images cannot be used in a harmful way that damages or identifies them.[5725] The law creates the National Information System on Childhood and Adolescence, under the responsibility of the National Institute of the Minor. This System includes personal data about the child or adolescent who is under the responsibility of the Institute and of the institutions that take care of him or her.[5726] The law establishes that “this personal information cannot be used as a database to trace them once they reach the age to be considered adult” and that “the judicial and administrative records of the children and adolescents in conflict with the law must be destroyed immediately once they reached 18 years old or the measure cease to have effects.”[5727] Moreover, the law specifies that children are the only owners of their personal history.[5728]

On July 6, 2007, a Law related to the use of Electronic Signature and Electronic Signature Certification in Public Administration entered into force.[5729] The law establishes that State organizations must use electronic documents for all administrative proceedings.[5730] For that reason, the law authorizes the use of electronic and digital signatures, which shall be as valid and effective as those on paper provided they are properly authenticated through passwords or other secure methods according to the software technology.

Decree No. 385/999 approved the adoption of an electronic personnel file for employees of the National Government. This file contains information about the career of each government employee and may include information about the sanctions applied in the performance of his duties. This regulation provides that the files will be available through the website of the National Civil Service Office. This Office is responsible for protecting and maintaining the confidentiality of this information.

Uruguay regulates the processing of personal data in public and private healthcare sectors.[5731] This decree provides that all clinical histories should only be used for healthcare; that the patient's history should include clear information about the diagnosed or found illnesses and subsequent treatment; that personal data are confidential; and that patients must have access to their data, not only for correction purposes, but also for other purposes, such as for consulting another doctor for a second opinion, changing healthcare provider, or verifying if malpractice has occurred.

Uruguay adopted the MERCOSUR Regional Trade Agreement’s resolution on consumers’ rights related to commercial transactions performed through the Internet.[5732] This regulation forces providers of goods and/or services located in a MERCOSUR country to include a privacy policy on their website. This norm also protects the electronic transactions of MERCOSUR customers and includes other customer care obligations.[5733]

Anti-Terrorism Measures

Uruguay requires financial institutions to report to the Central Bank whether they have assets or activities related to individuals or associations linked with terrorism activities.[5734] The law entitles the Central Bank to transfer private data on individuals or institutions to other foreign Governmental authorities in order to prevent terrorism or money laundering activities.

Major Privacy Cases

In 2005, the Supreme Court of Justice confirmed a former decision that ordered the amendment of information about sex included on a birth certificate since the plaintiff had changed her sex by surgery. During the trial, the Supreme Court considered whether national regulations cover the right to determine the sexual orientation. The majority of the Supreme Court indicated that since the person had changed her social sexual appearance through a clinic intervention to modify her sexual organs, she is entitled to request and amend the sex included in her birth certificate. Otherwise, privacy over her sexuality will not be protected since her former sex will be disclosed on the birth certificate.[5735]

Open Government

Article 694 of Law No. 16.736 establishes the freedom of information at the governmental level and establishes the petitioner's right to amend or rectify erroneous or inaccurate information.[5736]

International Obligations

Uruguay is a signatory of the 1948 Universal Declaration of Human Rights, the 1966 International Covenant on Civil and Political Rights,[5737] and the American Convention on Human Rights, which recognizes the right of a person to not be subjected to arbitrary or unlawful interference with his privacy, home or correspondence, nor to unlawful attacks to his honor and reputation.[5738]

[5697] Justino Jiménez de Aréchaga, La Constitución Nacional, Vol. I Fundación de Cultura Universitaria (Montevideo), at 232; José Korseniak, Derecho Constitucional, Vol. II Fundación de Cultura Universitaria (Montevideo), at 87; Martín Risso Ferrand, Derecho Constitucional, Vol. III Ingranusi Ltda. (Montevideo), at 130; Gonzalo Secco, "Bases de Datos y Protección de la Privacidad," VI Congreso Iberoamericano de Derecho e Informática (Montevideo, 1997), at 62.
[5698] Constitution of the Republic of Uruguay, available at <> (in Spanish).

[5699] Id. at Article 28: "Papers belonging to individuals, and their correspondence in the form of letters, cables, or any other medium are inviolable, and may be recorded, inspected, or intercepted only in conformity with the laws established for reasons of public interest."
[5700] Hector Gros Espiell, "El Art. 28 de la Constitución y las Comunicaciones Telefónicas," 86 Revista de Administración Pública No. 25 (Montevideo, 1999).

[5701] Law No. 17.838 (October 23, 2004), available at <> (in Spanish).
[5702] Carlos E. Delpiazzo, "Posibles Medios de Protección frente a las Responsabilidades Derivadas de la Gestión de Bases de Datos en el Derecho Uruguayo," 382 Congreso Internacional de Informática y Derecho (Buenos Aires, 1990); Alberto Ramón Real, "Estado de Derecho y Humanismo Personalista," 5 (F.C.U., Montevideo, 1974); Héctor Gros Espiell, "La Dignidad Humana en los Instrumentos Internacionales de Derechos Humanos," 9 Catedra UNESCO de Derechos Humanos (Universidad de la República, Montevideo, 2003); José Aníbal Cagnoni, "La Dignidad Humana. Naturaleza y Alcances," 11 Rev. de Derecho Público (2003, No. 23).

[5703] Penal Code of the Republic of Uruguay, available at <> (in Spanish).
[5704] Id.

[5705] See Judgment No. 13 from the Civil Court of Appeals, Term 3 from February 27, 1999 of the Civil Court of Appeals, Third Session.

[5706] Tax Code approved by Decree Law No. 14.306, available at <> (in Spanish).
[5707] Decree Law No. 15.322 (September 23, 1982), available at <> (in Spanish).

[5708] Tax Code, Article 68 "Powers of the Government": "The Government shall have full powers of investigation and inspection. In particular, the Government may require taxpayers and persons in positions of responsibility to produce their own and outside business records, documents, and correspondence, and may require them to appear before the government agency in order to provide information."

[5709] Law No. 16.713 (September 11, 1995), available at <> (in Spanish).
[5710] See Américo Pla Rodríguez, "Control de Supervisión Tecnológica del Trabajo y Privacidad del Trabajador" in Derecho Informático, Vol. III (Fundación de Cultura Universitaria, Montevideo).

[5711] Law No. 16.616 (October 31, 1994), available at <> (in Spanish).
[5712] Marcelo Bauza, Computer and Personal Data in Uruguay, Derecho Informático, Instituto de Derecho Informático (Fundación de Cultura Universitaria, Montevideo 2004).

[5713] Law 16.011 (December 1, 1988), available at <> (in Spanish).
[5714] Ley de Protección de Datos Personales para Ser Utilizados en Informes Comerciales y Acción de Habeas Data, available at <>.
[5715] Report prepared by the Instituto de Derecho Informático and sent to the Dean of the University of the Republic on August 6, 2003, with respect to the bill. It notes: "The bill concerns not all personal data but only 'business' data, and it has two primary objectives: One pertains to protection of personal data for business reporting purposes, and the other regulates the right to information by means of the institution of the Habeas Data action," in Derecho Informático, Vol. IV Fundación de Cultura Universitaria, at 427.
[5716] Initially the bill regulated the processing of any and all personal information, but enough support for this bill could not be mustered. When Senators Alberto Brause and Luis Alberto Heber limited the scope of the bill to personal credit data, the bill passed.

[5717] See Marcelo Bauza, "Iniciativas para la Protección de los Datos Personales de Carácter Comercial," in Derecho Informático, Vol. IV, Fundación de Cultura Universitaria, at 294.

[5718] The Report on the bill sent to the Senate states: "This purpose of protection of personal business data contributes to the goal of ensuring greater transparency of the economy and of parties that grant and receive credit. It is an essential lever and tool for achieving genuine development." In its outline of the grounds for the law, the Report notes that: "Legislation with respect to the objectivity, transparency, and quality of information thus equates with facilitating and democratizing access to credit. The principal purpose is a public-policy purpose, since it promotes protection of the right to private life, transparency of the credit market, and protection of credit, and it facilitates their development by reducing their cost thanks to lower interest rates and indirect contribution to the fight against usury."
[5719] It is clear that the legislator intended to regulate only the processing of data that permits evaluation of an individual's economic solvency. However, the provision concerning data that makes it possible "to furnish objective business information" allows a broader interpretation that could be used by the courts.

[5720] Law No. 16011 (December 19, 1988), available at <>. This law provides that any individual may bring an action for protection of constitutional rights against any act, omission, or deed by the national authorities or by individuals that is manifestly unlawful and which prejudices, or is capable of prejudicing, any of the rights and freedoms implicitly or explicitly established by the laws and regulations.
[5721] The judge may decide not to schedule a public hearing only if the action commenced is manifestly improper.
[5722] To advise the Ministry, a seven-member Consulting Committee was established, with three members representing the Ministry of Economy and Finance (one of whom will serve as Chairperson of the Committee); two representatives of the Ministry of Education and Culture; one representative from the National Chamber of Commerce and Services; and, lastly, one representative from the Business Defence League.

[5723] Decree 399/006, October 30, 2006, available at <> (in Spanish).

[5724] Código de la Niñez y la Adolescencia [Children and Adolescents Code], September 14, 2004, available at <> (in Spanish).
[5725] Id. at 11.
[5726] Id. at article 218.
[5727] Id. at article 222.
[5728] Id. at article 221.

[5729] Ley de Servicios Públicos y Privados, Seguridad Publica y Condiciones en las que se Desarrollan las Actividades Productivas [Law of Public and Private Services, Public Security and Conditions in which Productive Activities are Developed], Law 17243, July 06, 2007, available at <> (in Spanish).
[5730] Id. at article 24. “The electronic file is an ordered series of registered documents by computer means, coming from the Administration or from third parties, aimed to the formation of the administrative will in a specific matter with the same juridical and probatory validity as the traditional file of papers.”

[5731] Decree No. 396/003 (September 20, 2003), available at <> (in Spanish).

[5732] Decreto 246/005, August 11, 2005.
[5733] Decree 246/005, August 11, 2005.

[5734] Law 17835, September 29, 2004, available at <> (in Spanish).

[5735] Corte Suprema de Justicia [Supreme Court of Justice], July 22, 2005, “La Justicia Uruguaya,” Case 15157, volume 132, (2005).

[5736] See Carlos E. Delpiazzo, "Automatización de la Actividad Administrativa en el Marco de la Reforma del Estado," 17 Anuario de Derecho Administrativo; also in "El Procedimiento Administrativo Electrónico y el Acto Administrativo Automático," 39 A.A.V.V. – "Recopilación de Conferencias y Exposiciones Realizadas" (UTE, Montevideo, 1999); "Marco Legal de la Automatización de la Actividad Administrativa. El Expediente Electrónico en Uruguay," 699 Informática y Derecho (Mérida, 1998); "Enfoque Jurídico de la Automatización de la Actividad Administrativa," 81 Rev. Informática y Derecho (Buenos Aires, 2002).

[5737] Signed February 21, 1967; ratified by Law No. 13.751.
[5738] Law No. 13751 and Law No. 15.737 (March 8, 1985), available at <> (in Spanish).
