Advanced Search

2012/484/EU: Commission Implementing Decision of 21 August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing


Published: 2012-08-21

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.

23.8.2012   

EN

Official Journal of the European Union

L 227/11


COMMISSION IMPLEMENTING DECISION

of 21 August 2012

pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data

(notified under document C(2012) 5704)

(Text with EEA relevance)

(2012/484/EU)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,

After consulting the European Data Protection Supervisor (2),

Whereas:

(1)

Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.

(2)

The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.

(3)

Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25 thereof.

(4)

Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the European Union’s present international commitments.

(5)

The Political Constitution of the Eastern Republic of Uruguay, passed in 1967, does not expressly recognise the rights to privacy and the protection of personal data. However, the catalogue of fundamental rights is not a closed list since Article 72 of the Constitution provides that the listing of rights, obligations and guarantees made by the Constitution does not exclude others that are inherent to the human personality or that derive from the republican form of government. Article 1 of Act No 18.331 on the Protection of Personal Data and ‘Habeas Data’ Action of 11 August 2008 (Ley No 18.331 de Protección de Datos Personales y Acción de ‘Habeas Data’) expressly sets out that ‘the right to the protection of personal data is inherent to the human being and it is therefore included in Article 72 of the Constitution of the Republic’. Article 332 of the Constitution provides that the application of the provisions of this Constitution that acknowledge individuals’ rights as well as those awarding rights and imposing obligations on public authorities, shall not be impaired by of the lack of specific regulation; rather, it shall be based, through recourse to the underlying principles of similar laws, on the general principles of the law and generally accepted doctrines.

(6)

The legal standards for the protection of personal data in the Eastern Republic of Uruguay are largely based on the standards set out in Directive 95/46/EC and are laid down in Act No 18.331 on the Protection of Personal Data and ‘Habeas Data’ Action (Ley No 18.331 de Protección de Datos Personales y de Acción de ‘Habeas Data’) of 11 August 2008. It covers natural persons and legal persons.

(7)

This Act is further complemented by Decree No 414/009 of 31 August 2009, adopted in order to clarify several aspects of the Act and to lay down the detailed regulation of the organisation, powers and functioning of the data protection supervisory authority; The Preamble of the Decree sets out that it is appropriate to adjust the national legal system on this matter to the most accepted comparable legal regime, essentially that established by European countries through Directive 95/46/EC.

(8)

Data protection provisions are also contained in a number of special acts that create and regulate databases, namely, acts regulating certain public registries (public deeds, industrial property and trade marks, personal acts, real estate, mining or credit reporting). Act No 18.331 applies additionally to these acts in relation to those issues that are not governed by these specific legal instruments, pursuant to Article 332 of the Constitution.

(9)

The legal data protection standards applicable in the Eastern Republic of Uruguay cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exceptions and limitations in order to safeguard important public interests. These legal data protection standards and the exceptions reflect the principles laid down by Directive 95/46/EC.

(10)

The application of the legal data protection standards is guaranteed by administrative and judicial remedies, in particular, by the ‘habeas data’ action, which enables a data subject to take a data controller to court in order to enforce his right of access, rectification and deletion, and by independent supervision carried out by the supervisory authority, the Unit for the Regulation and Control of Personal Data (Unidad Reguladora y de Control de Datos Personales (URCDP)), which is invested with powers of investigation, intervention and sanction in line with Article 28 of Directive 95/46/EC, and which acts completely independently. Moreover, any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.

(11)

Uruguayan data protection authorities have provided explanations and assurances as to how the Uruguayan law is to be interpreted, and have given assurances that the Uruguayan data protection legislation is implemented in accordance with such interpretation. In particular, Uruguayan data protection authorities have explained that, pursuant to Article 332 of the Constitution, Act No 18.331 applies additionally to special acts that create and regulate specific databases in relation to those issues that are not governed by these specific legal instruments. They have also clarified that, regarding the lists referred to in Article 9 C) of Act No 18.331, and which do not require the consent of the data subject for the processing, the Act also applies, namely the principles of proportionality and finality, the rights of data subjects and that they are subject to the supervision by the data protection authority. With regard to the transparency principle, the Uruguayan data protection authorities have informed that the obligation to provide the data subject with the necessary information applies in all cases. Regarding the right of access, the data protection authority has clarified that it is sufficient for a data subject to prove its identity when making a request. The Uruguayan data protection authorities have clarified that the exceptions relating to the principle on international transfers laid down in Article 23(1) of Act No 18.331 cannot be understood as having a broader application than that of Article 26(1) of Directive 95/46/EC.

(12)

This Decision takes into account these explanations and assurances and it is based upon them.

(13)

The Eastern Republic of Uruguay is also party to the American Convention of Human Rights (‘Pact of San José de Costa Rica) of 22 November 1969, and in force since 18 July 1978 (3). Article 11 of this Convention lays down the right to privacy and Article 30 sets out that restrictions that, pursuant to this Convention, may be placed on the enjoyment or exercise of the rights or freedoms recognised by the Convention may not be applied except in accordance with laws enacted for reasons of general interest and in accordance with the purpose for which such restrictions have been established (Article 30). Moreover the Eastern Republic of Uruguay has accepted the jurisdiction of the Inter-American Court of Human Rights. Furthermore at the 1118th meeting of the Ministers’ Deputies of the Council of Europe held on 6 July 2011, the Deputies invited the Eastern Republic of Uruguay to accede the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and to its Additional Protocol (ETS No 118), after a favourable opinion of the relevant Consultative Committee (4).

(14)

The Eastern Republic of Uruguay should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.

(15)

This Decision should concern the adequacy of protection provided in the Eastern Republic of Uruguay with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC. It should not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.

(16)

In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.

(17)

The Commission should monitor the functioning of the Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC. Such monitoring should cover, inter alia, the Eastern Republic of Uruguay’s regime applicable to transfers in the framework of international treaties.

(18)

The Working Party on the protection of individuals with regard to the processing of personal data established under Article 29 of Directive 95/46/EC has delivered a favourable opinion on the level of adequacy as regards protection of personal data which has been taken into account in the preparation of this Decision (5).

(19)

The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,

HAS ADOPTED THIS DECISION:

Article 1

1.   For the purposes of Article 25(2) of Directive 95/46/EC, the Eastern Republic of Uruguay is considered as ensuring an adequate level of protection for personal data transferred from the European Union.

2.   The competent supervisory authority of the Eastern Republic of Uruguay for the application of the legal data protection standards in the Eastern Republic of Uruguay is set out in the Annex to this Decision.

Article 2

1.   Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in the Eastern Republic of Uruguay in order to protect individuals with regard to the processing of their personal data in the following cases:

(a)

where a competent Uruguayan authority has determined that the recipient is in breach of the applicable standards of protection; or

(b)

where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Uruguayan authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in the Eastern Republic of Uruguay with notice and an opportunity to respond.

2.   The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.

Article 3

1.   Member States shall inform the Commission without delay when measures are adopted on the basis of Article 2.

2.   The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in the Eastern Republic of Uruguay fails to secure such compliance.

3.   Where the information collected under Article 2 and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in the Eastern Republic of Uruguay is not effectively fulfilling its role, the Commission shall inform the competent Uruguayan authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.

Article 4

The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in the Eastern Republic of Uruguay is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way.

Article 5

Member States shall take all the measures necessary to comply with the Decision within three months of the date of its notification.

Article 6

This Decision is addressed to the Member States.

Done at Brussels, 21 August 2012.

For the Commission

Viviane REDING

Vice-President


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  Letter of 31 August 2011.

(3)  Organisation of American States; OAS, Treaty Series, No 36, 1144 UNTS 123. http://www.oas.org/juridico/english/treaties/b-32.html

(4)  Council of Europe: https://wcd.coe.int/wcd/ViewDoc.jsp?Ref=CM/Del/Dec(2011)1118/10.3&Language=lanEnglish&Ver=original&Site=CM&BackColorInternet=DBDCF2&BackColorIntranet=FDC864&BackColorLogged=FDC864

(5)  Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay. Available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf


ANNEX

Competent supervisory authority referred to in Article 1(2) of this Decision:

Unidad Reguladora y de Control de Datos Personales (URCDP)

Andes 1365, Piso 8

Tel. + 598 2901 2929 Int. 1352

11.100 Montevideo

URUGUAY

Contact e-mail: http://www.datospersonales.gub.uy/sitio/contactenos.aspx

Online complaints: http://www.datospersonales.gub.uy/sitio/denuncia.aspx

Website: http://www.datospersonales.gub.uy/sitio/index.aspx