(5)
The Political Constitution of the Eastern Republic of Uruguay, passed in 1967, does not expressly recognise the rights to privacy and the protection of personal data. However, the catalogue of fundamental rights is not a closed list since Article 72 of the Constitution provides that the listing of rights, obligations and guarantees made by the Constitution does not exclude others that are inherent to the human personality or that derive from the republican form of government. Article 1 of Act No 18.331 on the Protection of Personal Data and ‘Habeas Data’ Action of 11 August 2008 (Ley No 18.331 de Protección de Datos Personales y Acción de ‘Habeas Data’) expressly sets out that ‘the right to the protection of personal data is inherent to the human being and it is therefore included in Article 72 of the Constitution of the Republic’. Article 332 of the Constitution provides that the application of the provisions of this Constitution that acknowledge individuals’ rights as well as those awarding rights and imposing obligations on public authorities, shall not be impaired by of the lack of specific regulation; rather, it shall be based, through recourse to the underlying principles of similar laws, on the general principles of the law and generally accepted doctrines.
(6)
The legal standards for the protection of personal data in the Eastern Republic of Uruguay are largely based on the standards set out in Directive 95/46/EC and are laid down in Act No 18.331 on the Protection of Personal Data and ‘Habeas Data’ Action (Ley No 18.331 de Protección de Datos Personales y de Acción de ‘Habeas Data’) of 11 August 2008. It covers natural persons and legal persons.
(10)
The application of the legal data protection standards is guaranteed by administrative and judicial remedies, in particular, by the ‘habeas data’ action, which enables a data subject to take a data controller to court in order to enforce his right of access, rectification and deletion, and by independent supervision carried out by the supervisory authority, the Unit for the Regulation and Control of Personal Data (Unidad Reguladora y de Control de Datos Personales (URCDP)), which is invested with powers of investigation, intervention and sanction in line with Article 28 of Directive 95/46/EC, and which acts completely independently. Moreover, any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.