(5)
The Political Constitution of the Eastern Republic of Uruguay, passed in 1967, does not expressly recognise the rights to privacy and the protection of personal data. However, the catalogue of fundamental rights is not a closed list since Article 72 of the Constitution provides that the listing of rights, obligations and guarantees made by the Constitution does not exclude others that are inherent to the human personality or that derive from the republican form of government. Article 1 of Act No 18.331 on the Protection of Personal Data and ‘Habeas Data’ Action of 11 August 2008 (Ley No 18.331 de Protección de Datos Personales y Acción de ‘Habeas Data’) expressly sets out that ‘the right to the protection of personal data is inherent to the human being and it is therefore included in Article 72 of the Constitution of the Republic’. Article 332 of the Constitution provides that the application of the provisions of this Constitution that acknowledge individuals’ rights as well as those awarding rights and imposing obligations on public authorities, shall not be impaired by of the lack of specific regulation; rather, it shall be based, through recourse to the underlying principles of similar laws, on the general principles of the law and generally accepted doctrines.
(11)
Uruguayan data protection authorities have provided explanations and assurances as to how the Uruguayan law is to be interpreted, and have given assurances that the Uruguayan data protection legislation is implemented in accordance with such interpretation. In particular, Uruguayan data protection authorities have explained that, pursuant to Article 332 of the Constitution, Act No 18.331 applies additionally to special acts that create and regulate specific databases in relation to those issues that are not governed by these specific legal instruments. They have also clarified that, regarding the lists referred to in Article 9 C) of Act No 18.331, and which do not require the consent of the data subject for the processing, the Act also applies, namely the principles of proportionality and finality, the rights of data subjects and that they are subject to the supervision by the data protection authority. With regard to the transparency principle, the Uruguayan data protection authorities have informed that the obligation to provide the data subject with the necessary information applies in all cases. Regarding the right of access, the data protection authority has clarified that it is sufficient for a data subject to prove its identity when making a request. The Uruguayan data protection authorities have clarified that the exceptions relating to the principle on international transfers laid down in Article 23(1) of Act No 18.331 cannot be understood as having a broader application than that of Article 26(1) of Directive 95/46/EC.
(13)
The Eastern Republic of Uruguay is also party to the American Convention of Human Rights (‘Pact of San José de Costa Rica) of 22 November 1969, and in force since 18 July 1978 (3). Article 11 of this Convention lays down the right to privacy and Article 30 sets out that restrictions that, pursuant to this Convention, may be placed on the enjoyment or exercise of the rights or freedoms recognised by the Convention may not be applied except in accordance with laws enacted for reasons of general interest and in accordance with the purpose for which such restrictions have been established (Article 30). Moreover the Eastern Republic of Uruguay has accepted the jurisdiction of the Inter-American Court of Human Rights. Furthermore at the 1118th meeting of the Ministers’ Deputies of the Council of Europe held on 6 July 2011, the Deputies invited the Eastern Republic of Uruguay to accede the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and to its Additional Protocol (ETS No 118), after a favourable opinion of the relevant Consultative Committee (4).