(7)
This Act is further complemented by Decree No 414/009 of 31 August 2009, adopted in order to clarify several aspects of the Act and to lay down the detailed regulation of the organisation, powers and functioning of the data protection supervisory authority; The Preamble of the Decree sets out that it is appropriate to adjust the national legal system on this matter to the most accepted comparable legal regime, essentially that established by European countries through Directive 95/46/EC.
(10)
The application of the legal data protection standards is guaranteed by administrative and judicial remedies, in particular, by the ‘habeas data’ action, which enables a data subject to take a data controller to court in order to enforce his right of access, rectification and deletion, and by independent supervision carried out by the supervisory authority, the Unit for the Regulation and Control of Personal Data (Unidad Reguladora y de Control de Datos Personales (URCDP)), which is invested with powers of investigation, intervention and sanction in line with Article 28 of Directive 95/46/EC, and which acts completely independently. Moreover, any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.
(11)
Uruguayan data protection authorities have provided explanations and assurances as to how the Uruguayan law is to be interpreted, and have given assurances that the Uruguayan data protection legislation is implemented in accordance with such interpretation. In particular, Uruguayan data protection authorities have explained that, pursuant to Article 332 of the Constitution, Act No 18.331 applies additionally to special acts that create and regulate specific databases in relation to those issues that are not governed by these specific legal instruments. They have also clarified that, regarding the lists referred to in Article 9 C) of Act No 18.331, and which do not require the consent of the data subject for the processing, the Act also applies, namely the principles of proportionality and finality, the rights of data subjects and that they are subject to the supervision by the data protection authority. With regard to the transparency principle, the Uruguayan data protection authorities have informed that the obligation to provide the data subject with the necessary information applies in all cases. Regarding the right of access, the data protection authority has clarified that it is sufficient for a data subject to prove its identity when making a request. The Uruguayan data protection authorities have clarified that the exceptions relating to the principle on international transfers laid down in Article 23(1) of Act No 18.331 cannot be understood as having a broader application than that of Article 26(1) of Directive 95/46/EC.
2. The competent supervisory authority of the Eastern Republic of Uruguay for the application of the legal data protection standards in the Eastern Republic of Uruguay is set out in the Annex to this Decision.
(a)
where a competent Uruguayan authority has determined that the recipient is in breach of the applicable standards of protection; or
(b)
where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Uruguayan authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in the Eastern Republic of Uruguay with notice and an opportunity to respond.
2. The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.
3. Where the information collected under Article 2 and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in the Eastern Republic of Uruguay is not effectively fulfilling its role, the Commission shall inform the competent Uruguayan authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
For the Commission
Viviane REDING
Vice-President
(1) OJ L 281, 23.11.1995, p. 31.
(2) Letter of 31 August 2011.
(3) Organisation of American States; OAS, Treaty Series, No 36, 1144 UNTS 123. http://www.oas.org/juridico/english/treaties/b-32.html
(4) Council of Europe: https://wcd.coe.int/wcd/ViewDoc.jsp?Ref=CM/Del/Dec(2011)1118/10.3&Language=lanEnglish&Ver=original&Site=CM&BackColorInternet=DBDCF2&BackColorIntranet=FDC864&BackColorLogged=FDC864
(5) Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay. Available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf
ANNEX
Competent supervisory authority referred to in Article 1(2) of this Decision:
Unidad Reguladora y de Control de Datos Personales (URCDP)
Andes 1365, Piso 8
Tel. + 598 2901 2929 Int. 1352
11.100 Montevideo
