South America Based Organisation


Data Protection in South America Part 1:

Data Protection in the International Market

South America contains many emerging economies, and the MERCOSUR trading bloc incorporates many of these into a single economic powerhouse. With the increase in trade comes an increase in personal data, especially from overseas customers. It is very important for organisations in South America to comply with the data protection laws in the countries where these people are from; otherwise they could not only face massive fines but may also find themselves unable to do business with these countries.

In terms of requirements and restrictions, Europe’s General Data Protection Regulation (GDPR) is one of the strictest. The key points of the GDPR that will affect organisations based in South America are:

  • Organisations based outside the EU will need to designate a representative within an EU country. 
  • Transfer of data to countries outside the EU is prohibited unless certain conditions are met.
  • People have the right to know and access the data you hold on them.
  • People have the right to have their data updated, deleted and moved.
  • Organisations must take appropriate technical and organisational measures to protect the data that they hold.
  • Any suppliers that a company uses that have access to personal data must be governed by legally binding agreements on how they should process and protect that data.

Other countries South American organisations should be aware of are the United States and China, both of which are in the process of updating their data protection laws. China’s new data protection laws are likely to align with its previously published standards on data protection, the Personal Information Security Standard (PISS), which closely mirrors the restrictions and requirements within GDPR. American data protection law changes are being driven at the state level, with the state of California enacting the strictest regulations.

South American organisations will also need to consider their own countries' laws. For example, Brazilian organisations must comply with the Brazilian Data Protection Law (LGPD), which includes restrictions on the use of sensitive personal data. Uruguay-based organisations, by contrast, will need to comply with the Data Protection Act, Law No. 18.331, which requires organisations to register any databases that hold personal information with the Unidad Reguladora y de Control de Datos Personales.

To be continued in Part 2.
