Uruguay: Data protection decree approved.
Uruguay: The Decree regulates new personal data protection obligations with important changes, including the obligation of all data controllers and data processors to inform the Uruguayan data protection authority (URCDP) about security breaches related to personal data within a maximum period of 72 hours. Establishing that such report should contain relevant information related to the security incident, including the actual or estimated date of the breach, the nature, the personal data affected and the possible impacts of the breach, and should also notify data subjects when their rights have been significantly affected.
An obligation to assess the effects of any data processing is established where the processing concerns specially protected data, the processing of large volumes of personal data (more than 35,000 persons) and international data transfers to unsuitable countries. The decree obliges private entities that process sensitive data as their main business operations, or that process large volumes of data, and public entities without exception, to appoint a DPO. Entities subject to the obligation must appoint, and notify such appointment of, the DPO to the authority within 90 days of the publication of the Decree.
Link decree: https://www.impo.com.uy/bases/decretos/64-2020