Law Name

Protección de Datos Personales y Acción de “Habeas Data”, Ley N. 18.331 (2008)

Link to the Law


Data Transfer

Data cannot be transferred from database to database without the consent of the data subject. The agency responsible should notify the data subject of any amendments or changes that were made to the data transferred. Data can only be transferred to international organisms or countries that have a proportionate level of adequate protection that are in accordance with the standards of the “Derecho Internacional o Regional”. Transfers will be complied with for judicial cooperation, medical data transfers, bank transfers and data relative to crime.

Data Sharing

Data that is collected should be true, adequate and not excessive in relation to the reason in which it was obtained. Data must be collected through appropriate means and by gaining consent. Data should be updated and actualized if need be. Data should be eliminated once it is no longer necessary for the purpose it was collected. The exception with elimination of data comes with historical value, use for statistics and scientific purposes, in these cases the data should be conserved. Consent isn’t necessary when data is coming from public databases; data is used for the state and legal purposes or for contractual or scientific reasons. Sensitive data can only be used and processed if it was expressly consented to. Public or private sanitation establishments can collect and process personal data relative to physical and mental health that they have treated while respecting the principles of professional privacy.

Data Retention

The data subject has the right to access their data and should receive the data requested within 5 days of being requested. The information should be presented in a clear manner with explanations. The data subject has the right to rectify, actualize, include or suppress information if there is an error, or exclude false information. The data subject has the right to bring habeas data into effect. This allows the data subject the right to enact a judicial action to access their data and the purpose for collection and if there is an error or falsity then it should be amended.


The agency responsible should adopt measures that are necessary to guarantee the security and confidentiality of the personal data. To secure data it should be ensured that alteration, loss, or non-authorized access to data is avoided and that risks to security whether technical or human error are limited and avoided. The agency responsible for the database is responsible for any violations of the law. The agency responsible should correct and amend any errors in information that are presented by the data subject.


The regulatory body is the “Agencia para el Desarollo del Gobierno de Gestión Electrónica y la Sociedad de la Información y del Conocimiento” (AGESIC). A counsel directs it with three members. The law indicates who these three members are and for how long they can serve. The organism in control should take the necessary actions to comply with the objects and dispositions stated in the law. They dictate the norms and regulations, solicit information amongst other responsibilities.

Breach Notification

The organism of control can implement sanctions to the agency responsible for a database or people who are in charge of processing data in case of infringements.

Health Privacy Law


Ley 9202 del 12.1.34, Ley Orgánica

The law outlines public health norms that must be followed along with regulations that medical professionals must follow

Electronic Health Records Law

In 2018, the Law 19670 established that any public and private organization that uses sensible personal information must appoint a “Data Delegate”, that is, an individual who is responsible for protecting personal information. There is no reference to EHR