-
Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).
Personal Data:
In Chile, the protection of personal data is guaranteed by Law No. 19.628 (hereinafter the current “Data Protection Act”) and Article 19 N° 4 of Chile’s Political Constitution, which since 2018 recognizes the right of data protection as a constitutional guarantee. Law No. 19.628 establishes that the collection, registration, organization, structuring, conservation, use, communication by transmission, suppression, destruction, etc., of personal data requires consent or legal authorization. Any operation carried out with personal data, whether automated or not, is considered to be the processing of personal data. The law protects sensitive personal data, except in exceptional cases such as safeguarding the life or health of the person, or when the owner grants consent.
Law No. 21.719: On December 13, 2024, a comprehensive reform to the Data Protection Act was published in the Official Gazette through Law No. 21.719, which will enter fully into force on December 1, 2026. This legal reform will put Chile in a similar scope to the European General Data Protection Regulation (“GDPR”), already adopted by a large number of Latin American countries, and together with the recently published Law No. 21.663 (the Cybersecurity Framework Act) brings Chile closer to the highest standards of compliance in these matters, fostering a culture of protection while allowing national companies to compete on equal terms both in the country and in their internationalization processes.
In particular, this reform:
- (i) Expands the catalog of rights recognized to the holders of personal data;
- (ii) Establishes new sources of lawfulness for processing personal data;
- (iii) Promotes self-regulation of individuals by incorporating figures such as the Data Protection Officer (“DPO”) and the recognition of compliance plans in this area;
- (iv) Expressly defines principles that must inform the activities of collection and processing of personal data by data controllers;
- (v) Specifically regulates international personal data transfers, which through adequacy decisions will facilitate the creation of businesses intensive in cross-border data traffic;
- (vi) Creates a Data Protection Agency, which will be in charge of interpreting the Data Protection Act, issuing instructions and guidelines for its application, supervising its compliance and imposing sanctions for its infringement; and
- (vii) Substantially increases the sanctions for infringing the law, with penalties of up to 20,000 monthly tax units (USD 2,828,797 approx.), without prejudice to the imposition of other sanctions.
The provisions of the new Personal Data Act will apply to all persons processing personal data of third parties, whether natural or legal, public or private, for profit or not-for-profit, regardless of their size or turnover, when such processing is carried out under any of the following circumstances:
- When the controller or processor is established or incorporated in Chile.
- When the processor, regardless of its place of establishment or incorporation, performs personal data processing operations on behalf of a controller established or incorporated in Chile.
- When the controller or processor is not established in Chile, but its personal data processing operations are intended to offer goods or services to data subjects who are in the country, regardless of whether they are required to pay, or to monitor the behavior of data subjects who are in Chile, including their analysis, tracking, profiling or prediction of behavior.
Extraterritoriality: The new Personal Data Act will also apply to processing of personal data carried out by a data controller who, not being established in the Chilean territory, is subject to Chilean legislation due to a contract or international law.
Basis of Lawfulness: The new Personal Data Act provides that the processing of personal data must be founded on a Basis of Lawfulness. Until now, the law contemplated two bases of lawfulness: the consent of the data subject and the law.
The new Personal Data Act shall also recognize as lawful bases:
- Execution or fulfillment of a legal obligation;
- Processing of data relating to economic, financial, banking or commercial obligations;
- Data processing necessary for the conclusion or performance of a contract between the data controller and the data subject, including pre-contractual measures;
- Data processing necessary for the satisfaction of legitimate interests that do not affect the rights and freedoms of the subject; and,
- Data processing necessary for the formulation, exercise or defense of a right before the courts of law or public entities.
Principles:
The new Personal Data Act incorporates 6 new data protection principles, each linked to legal obligations that data controllers must comply with, with consequences for how data must be collected, processed, protected and communicated. This has repercussions on the internal obligations of companies, and also on how they demonstrate their compliance to users and the authorities in order to avoid fines, whether these arise from violations of these principles alleged by data subjects under the procedure established in the Personal Data Act, or from infractions sanctioned by the Data Protection Agency or other regulatory bodies.
The list of principles in the updated Data Protection Act is the following:
- Lawfulness and fairness: personal data may only be processed lawfully and fairly, and it is the responsibility of the data controller to prove lawfulness.
- Purpose: personal data must be collected for specified, explicit and legitimate purposes. Processing must be limited to the fulfillment of these purposes.
- Proportionality: the personal data processed must be strictly limited to that which is necessary, appropriate and relevant in relation to the purposes of the processing.
- Quality: personal data must be accurate, complete, current and relevant in relation to its origin and the purposes of the processing.
- Responsibility: those who process personal data will be legally responsible for compliance with these principles and with the obligations and duties established in the respective law.
- Security: in the processing of personal data, the data controller must guarantee adequate security standards, protecting the data against unauthorized or illicit processing, and against its loss, leakage, accidental damage or destruction. The security measures must be appropriate and in accordance with the processing to be carried out and with the nature of the data.
- Transparency and information: the data controller must provide the data subject with all the information necessary for the exercise of the rights established by law, including the policies and practices regarding the processing of personal data, which must also be permanently accessible and available to any interested party in a precise, clear, unequivocal and free manner.
- Confidentiality: the person responsible for personal data and those who have access to it must keep it secret or confidential. The data controller shall establish appropriate controls and measures to preserve secrecy or confidentiality.
Rights of the personal data holders:
Prior to the amendments included in Law No. 21.719, Law No. 19.628 recognized 4 main rights of data holders: Access, Rectification, Cancellation and Opposition (known as “ARCO” rights). Law No. 21.719 introduces two new additional rights:
- A Right of Portability: the right to obtain a copy of personal data processed by a data controller, under certain circumstances, and to have it transmitted from data controller to data controller; and
- A Right regarding Automated individual decisions, including profiling: the right of the data subject to object and not be subject to decisions based on the automated processing of their personal data, including profiling that produces legal effects on them or significantly affects them.
Transfer of personal data:
A series of very strict obligations are created regarding the way in which data can be transferred to third parties (either to third-party providers or within a holding), requiring the drafting of specific contracts (data processing agreements, or “DPAs”) to avoid possible infringements and to delineate responsibilities in the event of violations.
The Data Protection Act also, for the first time, will regulate cross-border transfers of personal data, which are treated strictly to prevent personal data from being transferred to jurisdictions with lower levels of protection than the country from which it originates. This is of utmost relevance for any business operating with information storage in data centers or public or private cloud services outside Chile, or within Chile with redundancy in services outside the national territory.
Sanctions:
The new Data Protection Act has a comprehensive sanctioning system that specifically describes the infringing acts and classifies them according to their severity:
- Minor infringements include, among others, breaches to the duty of information and transparency; the lack of communication channels and for the exercise of rights; late or incomplete responses to requests from holders; failure to comply with general instructions from the Data Protection Agency.
- Serious infringements include, among others, the processing of data without legal basis, or for purposes other than those informed; the communication or transfer of data for unauthorized purposes; hindering the exercise of subjects’ rights; processing data of minors in violation of the law; violating the security obligations of the law in the processing of data; omitting notifications of breaches of security measures; carrying out international data transfer operations in breach of the law.
- Very serious infringements include, among others, processing personal data fraudulently; knowingly processing sensitive personal data or data of minors in violation of the law; deliberately failing to notify security breaches; failing to carry out a privacy impact assessment; and knowingly carrying out international data transfers in violation of the law.
Type of infringement and fine:
- Minor infringement: Written warning or fine of up to 5,000 UTM (USD 353,550 approx.).
- Serious infringement: Fine of up to 10,000 UTM (USD 707,101 approx.).
- Very serious infringement: Fine of up to 20,000 UTM (USD 1,414,202 approx.).
Recidivism: In case of two or more sanctions in a period of 30 months, the Agency may treble the fine originally imposed. If the controller is a large company (as defined in Law No. 20.416), the penalty for recidivism of serious or very serious infringements will be the higher of the amounts mentioned above or an amount equivalent to 2% (in the case of serious infringements) or 4% (in the case of very serious infringements) of the offending controller’s yearly income from sales, services and other activities of its business within the last calendar year.
Suspension of data processing operations: In addition, in case of recidivism of very serious violations, the Personal Data Agency may order the partial or total suspension of the data processing operations and activities of the offending controller for up to 30 days, unless the rights of the data subjects are affected.
Entry into force: the new Data Protection Act will enter into force on December 1, 2026, a fairly tight deadline to adapt all these processes, mainly for large companies that handle a high volume of personal data, for which the impact on operations will be greater. All the ancillary regulations contemplated in the new Data Protection Act must be issued within 6 months after publication of Law No. 21.719 in the Official Gazette, and the first appointment of the directors of the Board of Directors of the Data Protection Agency and of the president and vice-president of the Board shall be made within 60 days prior to the entry into force of the law. However, the 6th transitory article of the new Data Protection Act establishes a differentiated sanctioning regime for smaller companies (as defined in Law No. 20.416): during a period of 12 months from the entry into force of the Data Protection Act, the Data Protection Agency will only admonish them in writing and indicate the faults to be corrected.
Likewise, there are sectorial regulations that were approved prior to the reform implemented by Law No. 21.719:
Consumer Protection Act.
After an amendment to Chile’s Consumer Protection Act (Law No. 19.496) was passed in 2018, the Consumer Protection Agency (SERNAC) was provided with authority to supervise compliance with the provisions of the Data Protection Act in consumer agreements. After Law No. 21.719 was approved, this authority was restricted but will still allow SERNAC to file class actions resulting from infractions to the Data Protection Act when they appear in a relationship between providers and consumers.
Law No. 21.595 on Economic Crimes.
Law No. 20.393, on criminal liability of legal persons, had its catalog of felonies complemented in 2023 by Law No. 21.595, which systematizes economic crimes. As a result, more than 200 crimes provided for in different laws are now considered “economic crimes”, so that the penalties they entailed under their respective original norms are now aggravated and extended to the legal and natural persons involved in or benefited by them.
Within this catalog, the so-called “computer crimes” (Law No. 21.459) could be of special concern for companies, which are expressly punished by the law both for attacking the integrity of computer systems and for receiving computer data obtained from any of these conducts. For example, Article 6 of this law treats the receipt of computer data as a crime (whoever, knowing its origin or being in no position not to know it, commercializes, transfers or stores, with the same object or another illicit purpose and under any title, computer data coming from illicit access, illicit interception or computer forgery).
Law No. 21.521 that promotes competition and financial inclusion through innovation and technology in the provision of financial services (the Fintech Act).
The Fintech Act is relevant from the perspective of the processing of personal data, for several reasons:
a) Consent: Pursuant to Article 23 of the Fintech Act, consent to make inquiries or initiate payments under the Open Finance System must be given in advance and explicitly, through expeditious and secure electronic or digital means or channels. In addition, consent must be freely given (without coercion), informed (allowing a full understanding of what they are consenting to and the effects thereof, safeguarding the rights of customers and their autonomy), express (under an explicit manifestation of will) and specific as to the type of financial information, the purpose and the maximum period of validity of the authorization.
b) Purpose: One of the principles of Chile’s updated Data Protection Act is the Principle of Purpose, which informs that personal data must be collected for specific, explicit and lawful purposes, and the processing must be limited to them, so that personal data cannot be processed for purposes other than those informed at the time of collection (with certain exceptions).
General Regulation (“NCG”) N° 514, issued by the Financial Market Commission as part of the rules necessary to implement the Open Finance System, expressly details the permitted purposes: exchange, processing, transfer or acquisition, and initiating and making payments. Each of these use cases involves the specific “purpose” referred to in the definition of consent under the Open Financial System.
All of the above will have an effect on how Information Based Service Providers (“IBSPs”) and Payment Initiation Service Providers (“PISPs”) must act, and will be particularly relevant with respect to the portability of customers between different players in the Fintech ecosystem, as well as inquiries and payment orders through the Open Finance System made by IBSPs and PISPs when consent is revoked or has expired.
c) Penalties: Article 19 of the Fintech Act provides that those who have committed very serious and repeated violations, within a period of twenty-four months, of the legal obligations regarding the protection of personal data may not be registered in the Registry of IBSPs or voluntarily participate as IBSPs. Then, Article 20 states that PISPs that have committed very serious and repeated infringements, within a period of twenty-four months, of the legal obligations regarding personal data protection may not participate in the Open Finance System as IBSPs.
Cybersecurity
Law No. 21.663 (Cybersecurity Framework Act).
This law establishes the institutional framework, principles and general regulations that will allow structuring, regulating and coordinating the cybersecurity actions of State agencies and between them and individuals; establishing the minimum requirements for the prevention, containment, resolution and response to cybersecurity incidents; establishing the powers and obligations of State agencies, as well as the duties of the institutions and the control, supervision and liability mechanisms in the event of violations.
The Cybersecurity Framework Act also created:
- The National Cybersecurity Agency (“ANCI”), in charge of establishing standards in cybersecurity prevention and management, overseeing compliance with the law and applicable regulations, requiring access to systems and conducting tests to verify operational continuity plans, summoning partners, directors and/or collaborators of a company to testify, issuing official requests to obligated entities, certifying entities, among others; and
- The National Cybersecurity Incident Response Team (“CSIRT”), in charge of the coordination, protection and security of the networks and systems of the Ministry of National Defense and of the essential services and operators of vital importance to the national defense, in addition to performing such tasks as may be entrusted to it for the purpose of safeguarding national defense and security.
The Cybersecurity Framework Act will be of great importance for companies in the sector, given the classification of financial services, means of payment and information technology services managed by third parties as essential services, which are thus obliged to adopt the cybersecurity measures set forth in this law.
Additionally, the Cybersecurity Framework Act empowers the ANCI to classify as operators of vital importance (“OIVs”) those providers of essential services that meet the following requirements: a) that the provision of such service depends on computer networks and systems; and b) that the affectation, interception, interruption or destruction of its services has a significant impact on security and public order, on the continuous and regular provision of essential services, on the effective fulfillment of the functions of the State or, in general, of the services that it must provide or guarantee.
The ANCI may also qualify as OIVs private institutions that, although not essential service providers, meet the requirements indicated above and whose qualification is indispensable either because they have acquired a critical role in the supply of the population, the distribution of goods or the production of goods that are indispensable or strategic for the country, or because of the entity’s degree of exposure to risks and the probability of cybersecurity incidents, including their severity and the associated social and economic consequences.
Under these terms, the obligated institutions shall adopt permanent measures in order to prevent, report and resolve cybersecurity incidents, which may be of a technological, organizational, physical or informational nature.
Duties: ANCI will set in due time the protocols and standards that it will apply to the obligated entities in terms of prevention and management of cybersecurity risks, as well as the containment and mitigation of the impact that the incidents may have on the operational continuity of the service provided or the confidentiality and integrity of the information or of the networks or computer systems, always considering the application of differentiated measures according to the type of organization and especially bearing in mind the characteristics and possibilities of small and medium-sized companies as defined by Law No. 20.416.
For the issuance of rules referring to standards or procedures in matters of prevention and management of cybersecurity risks, ANCI must submit them to a public consultation procedure and must give reasons for rejecting or modifying the observations received.
Obligations: notwithstanding the foregoing, those agents that are qualified by ANCI as OIVs must comply with the various obligations set forth in the Cybersecurity Framework Act; among them:
- Implement a continuous information security management system in order to determine those risks that may affect the security of networks, computer systems and data, and the operational continuity of the service.
- Maintain a record of the actions carried out that make up the information security management system, in accordance with the regulations to be promulgated for such purposes.
- Prepare and implement operational continuity and cybersecurity plans, which must be certified by Certification Centers authorized by ANCI, and undergo periodic reviews by the regulated entities, at least every two years.
- Continuously carry out review operations, exercises, drills and analysis of networks and computer systems to detect actions or computer programs that compromise cybersecurity, and communicate the information related to such actions or programs to the National CSIRT.
- Adopt in a timely and expeditious manner the necessary measures to reduce the impact and spread of a cybersecurity incident, including restricting the use of or access to computer systems, if necessary.
- Have the certifications through the Certification Centers authorized by ANCI or in accordance with the respective approval rules.
- Inform those potentially affected, to the extent that they can be identified and when so required by the Agency, about the occurrence of incidents or cyber-attacks that could seriously compromise their information or computer networks and systems.
- Have training, formation and continuous education programs for its employees and collaborators, including cyber hygiene campaigns.
- Designate a cybersecurity delegate, who will act as a counterpart of the Agency and will report to the authority or management defined by the company.
Likewise, the subjects bound by the Cybersecurity Framework Act will have the obligation to report cyber-attacks and cybersecurity incidents to the National CSIRT as soon as possible, according to the procedure provided for in the same law.
Failure to comply with the Law may be sanctioned by the respective sectorial authorities and, failing that, by the ANCI, applying fines that distinguish between minor, serious and very serious infractions, which will be analyzed in detail in the respective question of this document.
-
Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?
As mentioned in the previous question, both the Data Protection Agency created by Law No. 21.719 and the National Cybersecurity Agency will have to issue a series of secondary regulations in the coming months and years.
Regarding personal data, the Data Protection Agency must be operational by December 1, 2026, without prejudice that its Board of Directors must be formed at least 60 days before that date.
Additionally, the updated Data Protection Act provides that the new Data Protection Agency must initially issue a series of regulations and instructions on guidelines on international transfers, guidelines on cookies, rules on pre-impact assessments, standard clauses for data transfer agreements and many more.
For its part, the National Cybersecurity Agency has already begun its work of issuing secondary regulations, starting in March of this year with a regulation that contains the necessary steps to report incidents and a guide with the taxonomy of the different types of cybersecurity incidents. In March it also published the procedure for determining which companies will be considered OIVs. It is expected that around September 2025 the Agency will publish its first list of OIVs.
-
Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register / obtain a licence?
When it comes to the data processing activity itself, Chilean data protection and cybersecurity legislation does not require any prior licensing or registration.
-
How do the data protection laws in your jurisdiction define “personal data,” “personal information,” “personally identifiable information” or any equivalent term in such legislation (collectively, “personal data”)? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., “controller”, “processor”, “data subject”, etc.)?
Chile’s Data Protection Act currently in force, Law No. 19.628, contains a series of specific definitions in its Article 2 that will be replaced and, in some cases, repealed by the amendments contained in Law No. 21.719 that has been referenced in prior answers. Some key definitions include:
A) Data storage, the conservation or custody of data in a register or database.
B) Data blocking, the temporary suspension of any operation to process the stored data.
C) Data communication or transmission, making personal data known in any way to persons other than the data subject, whether they are determined or indeterminate.
D) Expired data is that which has become out of date by law, by fulfillment of the condition or the expiry of the period indicated for its validity or, if there is no express rule, by the change of the facts or circumstances that it records.
E) Statistical data is data that, at its origin, or as a consequence of its processing, cannot be associated with an identified or identifiable subject.
F) Personal data or personal information refers to any information concerning identified or identifiable natural persons.
G) Sensitive data, personal data referring to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health and sexual life.
H) Deletion or erasure of data, the destruction of data stored in registers or databases, whatever the procedure used to do so.
I) Publicly accessible sources, the registers or compilations of personal data, public or private, with access not restricted or reserved to the applicants.
J) Modification of data, any change in the content of the data stored in registers or databases.
K) Public bodies, the authorities, State bodies and organizations, described and regulated by the Political Constitution of the Republic, and those included in the second paragraph of Article 1 of Law No. 18.575, Constitutional Organic Law on the General Bases of the State Administration.
L) Data dissociation procedure: any processing of personal data in such a way that the information obtained cannot be associated with a specific or identifiable person.
M) Data register or database: the organized set of personal data, whether automated or not and whatever the form or modality of its creation or organization, which allows the data to be related to each other, as well as to carry out all types of data processing.
N) The person responsible for the register or database is the private individual or legal entity, or the respective public body, who is responsible for decisions related to the processing of personal data.
O) The data subject is the individual to whom the personal data refers.
P) Data processing: any operation or set of operations or technical procedures, automated or not, that enable the collection, storage, recording, organization, processing, selection, extraction, comparison, interconnection, dissociation, communication, assignment, transfer, transmission or deletion of personal data, or their use in any other way.
Law No. 21.719 introduced the following changes regarding definitions, which will come into force on December 1, 2026:
C) Communication of personal data: the disclosure by the data controller, in any form, of personal data to persons other than the data subject, without actually ceding or transferring the data.
F) Personal data: any information linked or referring to an identified or identifiable natural person. Any person whose identity can be determined, directly or indirectly, in particular by means of one or more identifiers, such as name, identity card number, analysis of elements of the physical, physiological, genetic, psychic, economic, cultural or social identity of that person, shall be considered identifiable.
To determine if a person is identifiable, all objective means and factors that could reasonably be used for such identification at the time of processing must be considered.
G) Sensitive personal data: this status will be given to personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, that reveal ethnic or racial origin, political, trade union or professional affiliation, socio-economic status, ideological or philosophical convictions, religious beliefs, data relating to health, the human biological profile, biometric data, and information relating to the sexual life, sexual orientation and gender identity of a natural person.
I) Publicly accessible sources: all those databases or sets of personal data, which can be accessed or consulted lawfully by any person, such as the Official Gazette, the media or public registers provided for by law. The processing of personal data from publicly accessible sources shall be subject to the provisions of this law.
M) Personal database: an organized set of personal data, whatever the purpose, form or modality of its creation, storage, organization and access, which allows the data to be related to each other, as well as to be processed.
N) Data controller or responsible party: any natural or legal person, public or private, who decides on the purposes and means of processing personal data, regardless of whether the data is processed directly by them or through a third party or agent.
Ñ) Data subject or holder: an identified or identifiable natural person to whom the personal data relate.
O) Data processing: any operation or set of operations or technical procedures, automated or not, that enable the collection, processing, storage, communication, transmission or use of personal data or sets of personal data in any way.
Law No. 21.719 also added the following new definitions:
- Anonymization: irreversible procedure by virtue of which personal data cannot be linked or associated with a specific person, nor allow their identification, because the link with the information that links, associates or identifies that person has been destroyed or eliminated. Anonymized data is no longer personal data.
- Pseudonymization: the processing of personal data in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
- Consent: any free, specific, unequivocal and informed expression of will, granted through a declaration or a clear affirmative action, by which the data subject, his or her legal representative or agent, as the case may be, authorizes the processing of personal data concerning him or her.
- Right of access: the right of the data subject to request and obtain from the data controller confirmation as to whether or not their personal data is being processed, to access it where appropriate, and to obtain the information provided for in this law.
- Right of rectification: the right of the data subject to request and obtain from the data controller the modification or completion of their personal data when it is being processed by the data controller and is inaccurate, out of date or incomplete.
- Right to erasure: the right of the data subject to request and obtain from the data controller the erasure or removal of their personal data, in accordance with the grounds provided by law.
- Right to object: the right of the data subject to request and obtain from the data controller that a specific data processing operation not be carried out, in accordance with the grounds provided by law.
- Right to personal data portability: the right of the data subject to request and obtain from the data controller a copy of their personal data in a structured, generic and commonly used electronic format that can be operated by different systems, and to be able to communicate or transfer them to another data controller. The data subject shall have the right to have their personal data transmitted directly from data controller to data controller whenever technically possible.
-
What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a “legal basis” for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.
Law No. 19.628 currently in force does not establish a catalog of principles, but they are inferred from various articles of its text, including the principle of legality (articles 4 and 20); quality (article 9); purpose (article 9); security (article 11); confidentiality (article 7); special protection of sensitive personal data (article 10); and information (articles 4 and 20).
Regarding the bases of lawfulness, Law No. 19.628 only contemplates a legal mandate or consent as bases for processing personal data. Nor does the law currently in force contain a systematic treatment of the principle of transparency.
However, the amendments to the Data Protection Act introduced by Law No. 21.719 formally incorporate six new principles of personal data protection, each one linked to legal obligations that the data controller must comply with, with repercussions on the way in which data should be collected, processed, protected and communicated. The full set of principles recognized in Law No. 21.719 is the following:
- Lawfulness and fairness: personal data may only be processed lawfully and fairly, and it is the responsibility of the data controller to prove lawfulness.
- Purpose: personal data must be collected for specified, explicit and legitimate purposes. Processing must be limited to the fulfillment of these purposes.
- Proportionality: the personal data processed must be strictly limited to that which is necessary, appropriate and relevant in relation to the purposes of the processing.
- Quality: personal data must be accurate, complete, current and relevant in relation to its origin and the purposes of the processing.
- Responsibility: those who process personal data will be legally responsible for compliance with these principles and with the obligations and duties established in the respective law.
- Security: in the processing of personal data, the data controller must guarantee adequate security standards, protecting the data against unauthorized or illicit processing, and against its loss, leakage, accidental damage or destruction. The security measures must be appropriate and in accordance with the processing to be carried out and with the nature of the data.
- Transparency and information: the data controller must provide the data subject with all the information necessary for the exercise of the rights established by law, including the policies and practices regarding the processing of personal data, which must also be permanently accessible and available to any interested party in a precise, clear, unequivocal and free manner.
- Confidentiality: the person responsible for personal data and those who have access to it must keep it secret or confidential. The data controller shall establish appropriate controls and measures to preserve secrecy or confidentiality.
Regarding the legal basis for processing personal data, the reform introduced by Law No. 21.719 includes, in addition to legal mandates and consent, the following:
- Execution or fulfillment of a legal obligation.
- Processing of data relating to economic, financial, banking or commercial obligations.
- Data processing necessary for the conclusion or execution of a contract between the data controller and the data subject, including pre-contractual measures.
- Data processing necessary for the satisfaction of legitimate interests that do not affect the rights and freedoms of the data subject; and,
- Data processing necessary for the formulation, exercise or defense of a right in court or before public bodies.
-
Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
Article 4 of Law No. 19.628 currently in force states that the processing of personal data can only be carried out when authorized by the Data Protection Act or other legal provisions or when the subject expressly consents to it. The data subject who authorizes the processing of their data must be duly informed of the purpose of the storage of their personal data and its possible communication to the public, and this authorization must be in writing, with means equivalent to a written signature, such as in Terms and Conditions, being acceptable. Consent for the processing of personal data can be revoked, although without retroactive effect, which must also be done in writing.
Likewise, authorization is not required for the processing of personal data that comes from or is collected from publicly accessible sources, when it is of an economic, financial, banking or commercial nature, is contained in lists relating to a category of persons that are limited to indicating background information such as the individual’s membership of that group, their profession or activity, their educational qualifications, address or date of birth, or is necessary for direct response marketing communications or the direct marketing or sale of goods or services. Authorization is also unnecessary for the processing of personal data carried out by private legal persons for the exclusive use of themselves, their associates and the entities to which they are affiliated, for statistical, pricing or other purposes of general benefit to them. When the amendments introduced by Law No. 21.719 enter into force, the following rules shall apply:
- Article 12: Consent must be free, informed and specific as to its purpose or purposes. Consent must also be given in advance and unequivocally, by means of a verbal or written statement or expressed via an equivalent electronic medium, or by means of an affirmative act that clearly reflects the will of the subject. The means used to grant or revoke consent must be expeditious, reliable, free of charge and permanently available to the subject. It is presumed that consent to process data has not been freely given when the data controller collects it in the context of the execution of a contract or the provision of a service in which it is not necessary to carry out such collection.
However, the preceding provisions shall not apply where the only consideration required by the person offering goods, services or benefits is consent to process data.
It is the responsibility of the data controller to prove that they had the consent of the data subject and that the data processing was carried out in a lawful, fair and transparent manner.
Likewise, there are categories of data for which enhanced consent is required, or for which the law allows the processing of personal data (including sensitive data) without the consent of the data subject; we set these out separately below.
The processing of sensitive personal data can only be carried out when the subject to whom this data refers gives their express consent, granted through a written or verbal declaration or by equivalent technological means. However, the processing of sensitive personal data is lawful, without the consent of the data subject, in the following cases:
- When the processing refers to sensitive personal data that the subject has made manifestly public and its processing is related to the purposes for which it was published.
- When the processing is based on a legitimate interest carried out by a legal person under public or private law that is not for profit and the following conditions are met:
  - Its purpose is political, philosophical, religious, cultural, trade union or professional;
  - The processing carried out refers exclusively to its members or affiliates;
  - The purpose of the data processing is to fulfill the specific purposes of the institution;
  - The legal entity provides the necessary guarantees to avoid leaks, theft or unauthorized use or processing of the data; and
  - The personal data is not communicated or transferred to third parties.
  If these conditions are met, the data controller will not require the consent of the data subject to process their data, including sensitive personal data. In case of doubt or administrative or judicial controversy, the data controller must prove the existence of these requirements. Finally, when a member of the legal entity ceases to belong to it, their data must be anonymized or deleted, even though the law has not set a specific period of time for this.
- When processing the personal data of the subject is essential to safeguard the life, health or physical or psychological integrity of the subject or of another person, or when the subject is physically or legally unable to give consent. Once the impediment ceases, the person responsible must inform the subject in detail of the data that was processed and the specific processing operations that were carried out.
- When the processing of the data is necessary for the formulation, exercise or defense of a right before the courts of justice or an administrative body.
- When the processing of data is necessary for the exercise of rights and the fulfillment of obligations of the controller or data subject, in the labor or social security sphere, and is carried out within the framework of the law.
- When the processing of sensitive personal data is expressly authorized or mandated by law.
The exceptions to consent listed in this section are understood to be applicable to the processing of data that is not sensitive in nature.
Other specific rules are defined for certain types of data, including:
- Sensitive personal data relating to health and the human biological profile: its processing may also be carried out when the data subject expressly consents to it, given through a written or verbal statement or by an equivalent technological means, and it may only be processed for the purposes provided for by special laws on health matters; there are, however, exceptional cases where sensitive personal data relating to the data subject’s health and biological profile may be processed without the data subject’s consent. Law No. 21.719 still prohibits the processing and transfer of data relating to the health and biological profile of a data subject and of biological samples associated with an identified or identifiable person, including the storage of biological material, when the data or samples have been collected in the workplace, in education, in sports, in social settings, insurance, security or identification, unless the law expressly authorizes their processing in qualified cases and it refers to any of the cases mentioned in this article.
- Biometric personal data: may only be processed when the subject to whom this data refers gives their express consent, granted through a written or verbal declaration or by an equivalent technological means, and provided that the controller informs the data subject about the biometric system used, the specific purpose for which the data collected by the biometric system will be used, the period during which the biometric data will be used and the way in which the holder can exercise his or her rights. The rule also recognizes exceptions where biometric data may be processed without the holder’s consent.
- Personal data relating to children and adolescents: processing can only be carried out in their best interests and with respect for their progressive autonomy. To process the personal data of children, the consent of their parents or legal guardians or of the person responsible for the personal care of the child is required, unless expressly authorized or mandated by law. The Data Protection Act considers children to be those under fourteen years of age, and adolescents to be those over fourteen and under eighteen years of age.
- Geolocation data: processing of the holder’s personal geolocation data may be carried out under the same sources of lawfulness examined above. For its processing, the data subject must be informed in a clear, sufficient and timely manner of the type of geolocation data that will be processed, the purpose and duration of the processing and whether the data will be communicated or transferred to a third party for the provision of a value-added service.
-
What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children’s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?
See question 6.
-
Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.
While describing the framework of the data protection laws in Chile we have described all derogations, exemptions, exclusions or limitations.
-
Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?
The Data Protection Act currently in force does not mention risk analysis. However, the amendments introduced by Law No. 21.719 that will enter into force in December 2026 provide in Article 15 ter, as a general guideline, the obligation to carry out a prior impact assessment when it is likely that a type of processing, due to its nature, scope, context, technology used or purposes, may produce a high risk to the rights of the data subjects. The same article makes a prior impact assessment mandatory in the following cases:
- Systematic and comprehensive evaluation of personal aspects of data subjects, based on automated processing or decisions, such as profiling, that produce significant legal effects on them.
- Massive or large-scale data processing.
- Processing involving systematic observation or monitoring of a publicly accessible area.
- Processing of sensitive and specially protected data, in the hypotheses of exception of consent.
The Data Protection Agency (created by Law No. 21.719) shall establish and publish an indicative list of the types of processing operations that do or do not require an impact assessment. The Agency will also establish the minimum guidelines for carrying out this assessment, which must consider at least the following criteria: the description of the processing operations, their purpose, the assessment of necessity and proportionality with respect to that purpose, and the assessment of risks and mitigation measures. Controllers may consult the Data Protection Agency in order to obtain recommendations when, by virtue of the result of the assessment, the processing proves to be of high risk.
-
Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children’s data or health data)?
No such specific codes of practice exist so far.
-
Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).
The Personal Data Act currently in force does not describe these processes as necessary. However, according to Article 11 of the Data Protection Act currently in force, the controllers of personal data must take care of the personal data they process with due diligence, being liable for damages.
In the Recommendations for processing activities indicated in Article 11 of the Data Protection Act currently in force, this obligation has been specified in terms of the duty to adopt all security measures (including computer security and cybersecurity), whether organizational, technical or human capital training measures, to safeguard the integrity, confidentiality and availability of the data contained in their records, in order to avoid the alteration, breach, loss, transmission of and unauthorized access to them.
The amendments in Law No. 21.719 do not describe these internal procedures in detail, but they maintain and extend the security obligations, including the duty (punishable by fine) to report security breaches that have affected personal data.
-
Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).
The Data Protection Act currently in force contains a generic provision on the retention of personal data by addressing the Principle of Proportionality in Article 3, stating that personal data may be retained only for the period of time necessary to fulfill the purposes of the processing, after which they must be deleted or anonymized, without prejudice to the exceptions established by law. A longer period of time requires legal authorization or the consent of the holder. Additionally, Article 6 states that personal data must be deleted or cancelled when their storage lacks a legal basis or when they have expired, and that they must be modified when they are erroneous, inaccurate, misleading or incomplete. It also requires the blocking of personal data whose accuracy cannot be established or whose validity is doubtful and for which deletion is not appropriate. The person in charge of the personal data bank shall proceed to the deletion, modification or blocking of the data, if necessary, without the need for a request from the holder.
Finally, with respect to financial and commercial data, the law currently in force provides in Article 18 that in no case may this data, which relates to an identified or identifiable person, be communicated after five years have elapsed since the respective obligation became due.
Notwithstanding the foregoing, there is no clarity as to the retention periods, so it is expected that the new Data Protection Agency will issue guidelines as to the retention time of the data.
However, certain sectorial regulation already applies. For instance, regarding clinical records of patients who have been treated in hospital care centers, the applicable law obliges those institutions to retain this information for 15 years.
Finally, Law No. 21.719 will introduce a new Article 14 quinquies that recognizes the obligation to maintain security measures and to proceed to pseudonymization where necessary to preserve the integrity of the information.
-
Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?
The Data Protection Act currently in force neither created nor recognizes a data protection regulator, notwithstanding the Chilean Consumer Protection Agency’s (SERNAC) authority to supervise compliance with the Data Protection Act within consumer agreements. Once Law No. 21.719 enters into force in December 2026, a new Data Protection Agency shall begin operations, leaving SERNAC basically with the authority to file class actions against providers when, within the framework of a provider-consumer relationship, the provider infringes the Data Protection Act. Some of the new additions to the Data Protection Act approved in Law No. 21.719 shall require coordination with this Agency, such as the rules on how to carry out prior impact assessments or how to report security incidents.
-
Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?
The figure of the compliance officer does not exist in the current Personal Data Act. The amendments introduced by Law No. 21.719 do not mandate an obligation to appoint a compliance officer, but Article 50 recognizes this position and provides a series of requirements for their appointment, as well as their duties and functions; the appointment remains voluntary.
-
Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).
No such requirements exist in the Data Protection Act in force, nor were they recognized in Law No. 21.719.
-
Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).
No such requirement exists in the Data Protection Act in force. However, it is recognized in Law No. 21.719 with respect to the Principle of Transparency and Information (Article 3 letter g)), which states that the data controller must provide the data subject with all the information necessary for the exercise of the rights established by the Data Protection Act, including the policies and practices on the processing of personal data, which must also be permanently accessible and available to any data subject in a precise, clear, unequivocal and free manner. The data controller must adopt the appropriate and timely measures to provide the holder with access to all the information indicated in this law, as well as any other communication related to the processing it carries out.
-
Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?
Article 8 of the Data Protection Act in force addresses this matter in a generic way, following the civil law normative tradition on mandates, stating that in the event that the processing of personal data is carried out by mandate, the general rules shall apply. The mandate must be given in writing, with a specific statement of the conditions for the use of the data. The data processor must respect these stipulations in the performance of his or her duties.
This norm is substantially developed by Law No. 21.719, which deepens the relationship between controller and data processor, as provided in Article 15 bis, regarding data processing through a third-party mandatary or processor:
- The data controller may process data directly or through a third-party agent or processor. In the latter case, the third party agent or processor carries out the processing of personal data in accordance with the order and instructions given by the data controller, and is prohibited from processing them for a purpose other than that agreed with the data controller, as well as from transferring or delivering them in cases where the data controller has not expressly and specifically authorized it in order to fulfill the purpose of the order.
- If the third party agent or data processor processes the data for a purpose other than that agreed upon, or transfers or delivers them without having been authorized in the preceding terms, he/she shall be considered the data controller for all legal purposes, and shall be personally liable for the infringements incurred and jointly and severally with the data controller for the damages caused, without prejudice to the contractual liabilities that may correspond to him/her with respect to the principal or data controller.
- The processing of data through a third-party agent or data processor shall be governed by the contract entered into between the data controller and the data processor, in accordance with the legislation in force. The contract must establish the purpose of the assignment, the duration of the assignment, the purpose of the processing, the type of personal data processed, the categories of data subjects to whom the data pertain, and the rights and obligations of the parties.
- The processor may not delegate part or all of the assignment, except with the specific written authorization of the data controller. The processor who delegates part or all of the assignment to another processor shall remain jointly and severally liable for the assignment and may not exempt himself from liability on the grounds that he has delegated the processing. The Data Protection Agency shall make model contracts available to the public on its website.
- The third-party agent or processor must comply with the provisions of articles 14 bis and 14 quinquies (i.e. duty of secrecy or confidentiality and duty to adopt security measures). The differentiation of compliance standards established in the first paragraph of article 14 septies (which refers to this differentiation) will also be applicable to the third-party agent or person in charge. In the event of a breach of security measures, the third party or agent must report this fact to the person in charge.
- Upon completion of the provision of the processing service by the third-party agent or processor, the data in its possession must be deleted or returned to the data controller, as the case may be.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?
The Data Protection Act currently in force contains a generic reference to these restrictions, mainly from the perspective of the holder’s right of opposition, recognized in Article 3, which states that in any collection of personal data carried out through surveys, market research or public opinion polls or other similar instruments, without prejudice to the other rights and obligations regulated by said law, individuals must be informed of the mandatory or optional nature of the responses and the purpose for which the information is being requested. The communication of the results must omit any information that may allow the identification of the persons consulted. It also states that the subject may object to the use of his personal data for advertising, market research or opinion polls. Likewise, in the case of commercial information, Article 9 of the Act prohibits making any kind of commercial risk predictions or evaluations that are not based solely on objective information relating to the defaults or protests of the natural or legal persons being reported on. Infringement of this prohibition will oblige the person responsible for the database to eliminate such information immediately and will give rise to the corresponding compensation for damages.
However, Law No. 21.719 establishes clearer and more profound rules on these matters: Article 8 bis, regarding automated individual decisions, including profiling, states that the data subject has the right to oppose and not be subject to decisions based on the automated processing of his personal data, including profiling, that produce legal effects on him or significantly affect him. However, this right shall not apply: (a) when the decision is necessary for the conclusion or performance of a contract between the holder and the data controller; (b) when there is prior and express consent of the subject in the manner prescribed in Article 12 of the Act (which provides the general rule regarding consent); (c) when so provided by law, to the extent that the law provides for safeguards to the rights and freedoms of the subject. In all cases of decisions based on the automated processing of personal data, including those indicated in letters (a), (b) and (c) above, the data controller must adopt the necessary measures to ensure the rights and freedoms of the data subject, his right to information and transparency, the right to obtain an explanation, to human intervention, to express his point of view and to request a review of the decision.
Neither the Data Protection Act currently in force nor the amendments introduced by Law No. 21.719 address the issue of cookies, although it is expected that the Data Protection Agency will issue guidelines on this matter when it begins operating.
-
Please describe any restrictions on targeted advertising and/or behavioral advertising. How are these terms or any similar terms defined?
These terms are not defined in the Data Protection Act or in the provisions of Law No. 21.719, but the applicable rules would be those detailed in the previous answer.
-
Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term “sale” or such related terms defined?
No specific regulation addresses the sale of personal databases, notwithstanding the data subject’s rights regarding his personal information, including the right to object. Regulation that may apply includes treating this act of processing carried out in a fraudulent manner as a serious infringement of the Data Protection Act once the amendments by Law No. 21.719 enter into force (Article 34 letter a)), and also Article 6 of the Computer Crimes Act (Law No. 21.459), which typifies as a felony the fraudulent receipt of databases (whoever, knowing its origin or being unable not to know it, commercializes, transfers or stores with the same object or other illicit purpose, in any way, computer data originating from the conducts described in Articles 2, 3 and 5 of Law No. 21.459, shall suffer the penalty assigned to the respective crimes, reduced by one degree).
-
Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?
These are not defined in the Data Protection Act. However, on February 13, 2025, Exempt Resolution No. 286 was published by the Undersecretary of Telecommunications, establishing very strict conditions for this type of activity: solicited commercial calls must come from numbers that use the 600 prefix, while unsolicited commercial calls must come from numbers that use the 809 prefix.
Companies have until August 2025 to implement the corresponding numbering. After that date, it will be forbidden to make such communications using any numbering other than the ones defined.
Likewise, Article 28, letter b of the Consumer Protection Act (Law No. 19.496) states that any promotional or advertising communication sent by electronic mail must indicate the subject or matter on which it deals, the identity of the sender and contain a valid address to which the recipient may request the suspension of the mailings, which shall thereafter be prohibited. Suppliers who send promotional or advertising communications to consumers by mail, fax, phone calls or telephone messaging services, must indicate an expeditious way in which the recipients may request the suspension of the same. Once this is requested, sending new communications shall be prohibited.
-
Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?
As mentioned above, the Data Protection Act currently in force does not address biometric data, although it should be considered to fall within the definition of sensitive data. The amendments introduced by Law No. 21.719 expressly include biometric data as sensitive data, and its special framework is set out in Article 16 ter: biometric personal data is that obtained from specific technical processing relating to the physical, physiological or behavioral characteristics of a person that allow or confirm their unique identification, such as fingerprints, irises, hand or facial features and voice. Such data may only be processed when the provisions of the first paragraph of Article 16 are complied with (obtaining express consent) and provided that the data controller gives the data subject the following specific information: the identification of the biometric system used, the specific purpose for which the data collected by the biometric system will be used, the period during which the biometric data will be used, and the way in which the data subject can exercise his or her rights. Biometric personal data may be processed without consent only in the cases indicated in the second paragraph of Article 16 bis (see answer 5 above regarding consent for sensitive data).
-
Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (“AI”).
Chile does not currently have any data protection laws in force addressing AI, although there is a Bill currently being discussed in Congress on this subject, which may be approved this year.
-
Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)
The Data Protection Act currently in force does not recognize obligations or restrictions in this matter, notwithstanding the fact that it has been understood that international data transfers constitute data processing which therefore must follow the general rules of the Act.
However, Law No. 21.719 regulates it exhaustively in Articles 27, 28 and 29. The rules are the following:
- Article 27 provides the general rule of authorization: provided that the requirements that, in accordance with the law, authorize the processing of data are met, international data transfer operations are lawful in any of the following cases:
- When the transfer is made to a public or private person, entity or organization, subject to the legal system of a country that provides adequate levels of personal data protection, in accordance with the provisions of Article 28.
- When the data transfer is protected by contractual clauses, binding corporate rules, or other legal instruments signed between the controller carrying out the transfer and the processor or third-party agent receiving it, and adequate guarantees are established in them, in accordance with the provisions of Article 28.
- When the data controller carrying out the transfer and the data processor or third-party agent receiving the transfer adopt a compliance model or certification mechanism and adequate safeguards are established in accordance with Article 28.
In the absence of a decision on adequacy or adequate safeguards, a specific and non-routine transfer may be carried out if any of the following conditions are met:
- When there is express consent from the data subject to carry out a specific and determined international data transfer.
- When it refers to specific bank, financial or stock market transfers that are carried out in accordance with the laws that regulate these transfers.
- When data must be transferred to comply with obligations acquired in international treaties or agreements that have been ratified by the Chilean State and are in force.
- When the transfer is necessary for the application of cooperation, information exchange or supervision agreements that have been signed by public bodies for the fulfillment of their functions and in the exercise of their competencies.
- When the transfer of data by a natural or legal person, public or private, has been expressly authorized by law and for a specific purpose.
- When the transfer is made for the purpose of providing or requesting international judicial collaboration.
- When the transfer is necessary for the conclusion or execution of a contract between the subject and the controller, or for the execution of pre-contractual measures adopted at the request of the subject.
- When it is necessary to adopt urgent measures in medical or health matters, for the prevention or diagnosis of diseases, for medical treatments or for the management of health services.
- Article 28 provides rules for determining which countries are adequate and additional rules regarding international data transfers: it is understood that the legal system of a country has adequate levels of data protection when it complies with standards similar to or higher than those established in the Data Protection Act. The Data Protection Agency shall make a reasoned determination as to which countries have adequate levels of data protection, considering at least the following:
- The establishment of principles governing the processing of personal data.
- The existence of rules that recognize and guarantee the rights of data subjects and the existence of a public jurisdictional or administrative authority of control or guardianship.
- The imposition of information and security obligations on data controllers and third-party processors.
- The determination of responsibilities in case of infringements.
Appropriate safeguards shall be considered to be those instruments, mechanisms and clauses that contain similar or greater principles, rights and guarantees than those offered by the Data Protection Act, and in particular, that grant enforceable rights and effective legal actions to the data subjects. The Data Protection Agency may approve model clauses and other legal instruments only if they contain such safeguards for the cross-border flow of data, which shall be made available to data controllers. The model clauses and other legal instruments that establish adequate guarantees approved by the Data Protection Agency shall not require any other additional guarantee or authorization.
The Agency shall make available to interested parties on its website a list of suitable countries and model contractual clauses and other legal instruments for the international transfer of data.
When the transfer is made between companies or entities belonging to the same business group, related companies or companies subject to the same controller under the terms provided in the Chilean Securities Act, provided that all of them operate under the same standards and policies regarding the processing of personal data, the transfers may be covered by binding corporate rules previously approved by the Data Protection Agency. The data controller carrying out the data transfer shall assume responsibility for any breach of the binding corporate standards and policies incurred by any of the members of the corporate group. The data controller may only be exonerated from this responsibility when it can be proven that the breach was not attributable to the member of the corresponding corporate group.
When none of the circumstances indicated in Article 27 are verified, the Data Protection Agency may authorize, by means of a reasoned decision, the international transfer of data for a particular case, provided that the transmitter and the recipient of the data provide adequate guarantees in relation to the protection of the rights of the persons who are these data subjects and the security of the information transferred, in accordance with the Data Protection Act.
It shall be incumbent upon the data controller who carried out the international data transfer to prove to the Data Protection Agency that it was carried out in accordance with the rules established in this law.
- Finally, Article 29 confers on the Data Protection Agency the function of supervising international data transfers, with authority to issue recommendations, adopt conservatory measures and, in qualified cases, temporarily suspend data transfers.
-
What personal data security obligations are imposed by the data protection laws in your jurisdiction?
Under Article 11 of the Data Protection Act currently in force, data controllers must take due care of the personal data they process and are liable for any damages. In the Recommendations issued regarding Article 11, this obligation has been specified as the duty to adopt all security measures (including IT security and cybersecurity), whether organizational, technical or in terms of training of human capital, to safeguard the integrity, confidentiality and availability of the data contained in their records, with the aim of preventing their alteration, breach, loss, transmission and unauthorized access.
The amendments introduced by Law No. 21.719 include more specific regulations on the subject, such as:
- The duty of information and transparency, provided in Article 14 ter, which states that the data controller must provide and keep permanently available to the public, on its website or any other equivalent means of information, at least certain information, including the policy and security measures adopted to protect the personal databases it administers.
- The duty to adopt security measures, provided in Article 14 quinquies, which states that the data controller must adopt the necessary measures to safeguard compliance with the security principle established in the Act, considering the current state of the art and the costs of implementation, together with the nature, scope, context and purposes of the processing, as well as the likelihood of risks and the severity of their effects in relation to the type of data processed. The measures applied by the data controller must ensure the confidentiality, integrity, availability and resilience of the data processing systems. They must also prevent alteration, destruction, loss, or unauthorized access or processing.
In consideration of the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, among others:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.
In the event of a security incident, and in the event of legal or administrative dispute, it shall be incumbent upon the controller to prove the existence and functioning of the security measures adopted on the basis of the levels of risk and the available technology.
- The duty to report breaches of security measures, provided in Article 14 sexies, which states that the data controller shall report to the Data Protection Agency, by the most expeditious means possible and without undue delay, any breaches of security measures that result in the accidental or unlawful destruction, breach, loss or alteration of the personal data it processes or unauthorized communication of or access to such data, where there is a reasonable risk to the rights and freedoms of the data subjects. The data controller must record these communications, describing the nature of the violations suffered, their effects, the categories of data and the approximate number of data subjects affected, and the measures adopted to manage them and prevent future incidents. When these breaches refer to sensitive personal data, data relating to children under the age of fourteen or data relating to economic, financial, banking or commercial obligations, the controller must also make this communication to the data subjects, through their representatives, when appropriate. This communication must be made in clear and simple language, specifying the data affected, the possible consequences of the security breaches and the solution or safeguard measures adopted. The notification must be made to each affected subject and if this is not possible, it will be done by disseminating or publishing a notice in a mass social communication medium with national reach. The information duties indicated in this article do not preclude other information duties established by other laws.
- Rules on data processing through third-party agents or processors, provided in Article 15 bis, which states that the third-party agent or processor must comply with the provisions of Articles 14 bis and 14 quinquies. The differentiation of compliance standards established in the first paragraph of Article 14 septies shall also be applicable to the third-party agent or processor. In the case of a breach of security measures, the third party or processor must report this fact to the controller.
- Sanctions for infringement. As provided in Article 34 ter, the following are considered serious infringements:
- Violating or infringing the security obligations in the processing of personal data established in Article 14 quinquies.
- Omitting communications or records in cases of violation of the security measures established in Article 14 quinquies.
- Adopting insufficient or unsuitable quality and security measures for the processing of personal data for historical, statistical or scientific purposes and for studies or research that serve purposes of public interest.
Likewise, there are cybersecurity reporting duties in the Cybersecurity Framework Act in force since 2024, which shall be analyzed in the respective section of this document.
-
Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Neither the Data Protection Act currently in force, nor the provisions of Law No. 21.719 contain definitions of security incidents, without prejudice to what will be analyzed in the respective section on Cybersecurity.
-
Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.
The Data Protection Act currently in force recognizes four main rights of data subjects: Access, Rectification, Cancellation and Opposition (known as the “ARCO” rights).
When the amendments introduced by Law No. 21.719 enter into force, two new additional rights shall be recognized:
- A Right of Portability: the right to obtain a copy of personal data processed by a data controller, under certain circumstances, and to have it transmitted from data controller to data controller; and
- A Right regarding Automated individual decisions, including profiling: the right of the data subject to object and not be subject to decisions based on the automated processing of their personal data, including profiling that produces legal effects on them or significantly affects them.
-
Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?
Yes. The Personal Data Protection Act currently in force establishes a judicial procedure to enforce the protection of data subjects’ rights, called “Habeas Data”. However, this procedure has hardly been used in practice, due to the complexity of triggering the defense mechanism, with affected data subjects choosing instead to bring a constitutional action (“Recurso de Protección”).
On the other hand, the amendments in Law No. 21.719 include both administrative procedures to claim the violation of rights before the Data Protection Agency and the possibility of pursuing damages in a subsequent judicial procedure.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?
Yes, both the Data Protection Act currently in force and the amended version approved in Law No. 21.719 recognize the right to pursue damages for infractions by those responsible. Although they do not expressly refer to non-material injury to feelings, emotional distress or similar, their provisions do not preclude suing for relief of all damages, which must be alleged in the respective judicial proceedings; in fact, Article 47 of the new Act states as a general rule that data controllers must indemnify all patrimonial and extra-patrimonial damage caused to the data subject.
-
How are data protection laws in your jurisdiction typically enforced?
As mentioned above, the enforcement of the Data Protection Act in force is contained in a rather cumbersome judicial process that has practically not been used. In recent years, there has been an increase in the use of constitutional actions, especially after Chile’s Constitution was amended in 2018 to recognize the right of data protection as a constitutional guarantee. Although these constitutional actions are faster to prevent the continuation of an infringement, they do not give grounds to pursue damages.
Also, as mentioned above, the amendments introduced by Law No. 21.719 to the Data Protection Act incorporate a prompt administrative procedure (the Agency is obliged to rule within six months) and the possibility of obtaining damages in a subsequent judicial process once the decision is issued by the Data Protection Agency, which shall begin operations in December 2026.
-
What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?
The Data Protection Act currently in force does not establish a range of sanctions. The amendments in Law No. 21.719 do create a range of sanctions, as provided in Article 35: the penalties for infringements incurred by data controllers shall be as follows:
- Minor infringements shall be sanctioned with a written warning or a fine of up to 5,000 monthly tax units [1].
- Serious infringements shall be sanctioned with a fine of up to 10,000 monthly tax units.
- Very serious infringements will be sanctioned with a fine of up to 20,000 monthly tax units.
In each case, the Data Protection Agency shall indicate the measures intended to correct the causes that gave rise to the sanction, which shall be adopted within a term not exceeding sixty days; otherwise a surcharge of 50% shall be imposed on the original fine, without prejudice to the provisions of Article 49 (which regulates infraction prevention models).
Recidivism: in case of two or more sanctions within a period of 30 months, the Data Protection Agency may treble the fine originally imposed. If the controller is a large company (as defined in Law No. 20.416), the penalty for recidivism in serious or very serious infringements will be the higher of the amounts mentioned above or an amount equivalent to 2% (for serious infringements) or 4% (for very serious infringements) of the offender’s annual income from sales, services and other activities of its business in the last calendar year.
As for mitigating and aggravating circumstances of liability, Article 36 states that the following shall be considered mitigating circumstances:
- The unilateral remedial actions taken by the controller and the remedial agreements reached with the affected data subjects.
- The collaboration provided by the infringer in the administrative investigation carried out by the Data Protection Agency.
- The absence of previous sanctions against the data controller.
- Self-reporting to the Data Protection Agency. Together with the self-denunciation, the infringer shall communicate the measures adopted for the cessation of the facts that originated the infringement or the mitigation measures implemented, as appropriate.
- Having diligently fulfilled its duties of management and supervision for the protection of the personal data subject to processing, which shall be verified by the certificate issued in accordance with the provisions of Article 51 (certification of the infraction prevention model).
The following shall be considered aggravating circumstances:
- Recidivism exists when the controller has been sanctioned on two or more occasions, in the last thirty months, for infringement of the Data Protection Act. The resolutions that apply the respective sanctions must be final or enforceable.
- The continuous nature of the infraction.
- Having jeopardized the security of the rights and freedoms of the subjects in relation to their personal data.
Footnote(s):
[1] UTM means “Unidad Tributaria Mensual”. It is an official indicator managed by the tax authority and updated monthly according to inflation. Currently, 1 UTM corresponds to approximately USD 70.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
The Data Protection Act currently in force does not contemplate calculation rules or elements for calculating penalties. The amendments introduced by Law No. 21.719 establish the following parameters:
- Article 37 regulates how the amount of the fines is determined, stating that the Data Protection Agency shall for this purpose apply the following criteria:
- The severity of the conduct.
- Whether the conduct was carried out with lack of diligence or care in those cases in which these elements are not considered in the configuration of the infraction.
- The damage caused as a result of the infringement, especially the number of data subjects affected.
- The economic benefit obtained as a result of the infringement, if any.
- Whether the processing carried out includes sensitive personal data or personal data of children and adolescents.
- The economic capacity of the offender.
- The sanctions previously applied by the Data Protection Agency in the same circumstances.
- The mitigating and aggravating circumstances.
In the event that a conduct gives rise to two or more infringements, or when one infringement is a means to commit another, a single fine shall be imposed, always considering the sanction of the most serious infringement. In the event of two or more infringing conducts, independent of each other, the penalties corresponding to each of them shall be accumulated.
When for the same facts and legal grounds, the offender could be sanctioned according to the Data Protection Act and another or other laws, of the possible sanctions, the most serious shall be imposed.
- Article 38 regulates accessory penalties: In the event that fines are imposed for repeated very serious infringements, within a period of twenty-four months, the Data Protection Agency may order the suspension of the data processing operations and activities carried out by the data controller, for a period of up to thirty days. This suspension shall not affect the storage of data by the data controller. The suspension ordered by the Data Protection Agency as an accessory sanction may be partial or total, and may not be ordered when it affects the rights of the data subjects. During this period, the data controller must adopt the necessary measures in order to adapt its operations and activities to the requirements set forth in the resolution that ordered the suspension.
If the controller does not comply with the provisions of the temporary suspension resolution, this measure may be extended indefinitely, for successive periods of a maximum of thirty days, until the controller complies with the order. When the suspension affects an entity subject to supervision by a public supervisory body, the Data Protection Agency shall previously bring the background information to the attention of the corresponding regulatory authority, in order to protect the rights of the users of such entity.
- Article 39 regulates the National Registry of Sanctions and Compliance, administered by the Data Protection Agency. The Registry shall be public and its access shall be free of charge. It shall be consulted and kept in electronic form. It shall include the data controllers who have been sanctioned for infringing the rights and obligations established in the Act. It shall be distinguished according to the severity of the infringement. In addition, the conduct infringed, the mitigating and aggravating circumstances and the sanction imposed shall be recorded. Also recorded are the persons responsible for adopting certified models for the prevention of infractions, in force. The annotations in the register will be of public access for a period of five years, as of the date on which they are made.
- Article 40 provides the statute of limitations: Actions to prosecute liability for the infringements provided for in the Act shall be subject to the statute of limitations within four years, counted from the occurrence of the event that originated the infringement. In the case of continuous infringements, the statute of limitations of the referred actions shall be counted from the day on which the infringement ceased. The statute of limitations shall be interrupted with the notification of the initiation of the corresponding administrative procedure. Penalties imposed for an infringement of the Act shall be subject to the statute of limitations within a period of three years, counted from the date on which the resolution imposing the sanction becomes enforceable.
-
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes, in both the Data Protection Act currently in force and the version approved through Law No. 21.719.
In the case of the Act in force, Article 16 letter f) and following provides that the claim shall clearly state the infraction committed and the facts that constitute it, and shall be accompanied by evidence proving them, if applicable. The claim is notified to the data controller, which must then file its defense within five working days and attach the evidence proving the facts on which it is based. If that evidence is not available, the controller shall state this circumstance and the court shall set a hearing on the fifth working day in order to receive the evidence offered but not attached. The final judgment shall be rendered within three days after the expiration of the prior stage, whether or not the pleadings have been filed. If the court ordered an evidentiary hearing, this term shall run after the expiration of the term set for it.
Under the new rules approved by Law No. 21.719, the judicial procedure is regulated in Article 43, and operates as follows: the interested natural or juridical persons who consider that an administrative act that paralyzes the procedure, or a final or terminating resolution emanating from the Data Protection Agency, is illegal, may file a claim of illegality before the Court of Appeals of Santiago or that of the place where the claimant is domiciled, at the choice of the latter. The claim must be filed within fifteen working days following the notification of the challenged resolution.
-
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
As pointed out previously, the new Data Protection Act provides a standard similar to that of the GDPR, so once the new rules contained in Law No. 21.719 enter into force on December 1, 2026, they will trigger a series of interventions by the new Data Protection Agency, such as issuing secondary regulation: guidelines on international data transfers, cookies and prior impact assessments, model contractual clauses for data transfers, and many more.
-
Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.
Yes, under the Cybersecurity Framework Act (Law No. 21.663), those companies or government agencies that provide Essential Services [2] and are categorized as Operators of Vital Importance (“OIVs”) must implement the measures provided in Article 8 of this law:
- Implement a continuous information security management system in order to determine those risks that may affect the security of the networks, computer systems and data, and the operational continuity of the service. This system shall make it possible to assess both the probability and the potential impact of a cybersecurity incident.
- Maintain a record of the actions carried out that make up the information security management system, in accordance with the provisions of the regulation.
- Prepare and implement operational continuity and cybersecurity plans, which shall be certified in accordance with Article 28 of the law [3], and shall be subject to periodic reviews by the regulated entities, at least every two years. However, the National Cybersecurity Agency may instruct one or more OIVs, with good grounds and for serious supervening reasons, to certify their operational continuity or cybersecurity plans within a shorter term than that indicated above; the Agency may only exercise this power with respect to each OIV provided that the certification is valid for at least one year.
- Continuously carry out review operations, exercises, drills and analysis of networks and computer systems to detect actions or computer programs that compromise cybersecurity, and communicate the information relating to such actions or programs to the National Cybersecurity Incident Response Team (“CSIRT”), in the manner determined by regulation.
- Adopt in a timely and expeditious manner the necessary measures to reduce the impact and spread of a cybersecurity incident, including the restriction of use or access to computer systems, if necessary.
- Hold the certifications referred to in Article 28 of the law (see footnote 3 in this answer).
- Inform those potentially affected, to the extent that they can be identified and when so required by the National Cybersecurity Agency, about the occurrence of incidents or cyber-attacks that could seriously compromise their information or computer networks and systems, especially when they involve personal data and there is no other legal provision requiring their notification; or when it is necessary to prevent the occurrence of new incidents or to manage one that has already occurred.
- Maintain training, education and continuing education programs for its employees and collaborators, including cyber hygiene campaigns.
- Designate a cybersecurity delegate, who will act as the counterpart of the National Cybersecurity Agency and will report to the head of the relevant State Administration body or service, or to the directors, managers, administrators or chief executives, as defined by the private institution.
All public and private institutions indicated in Article 4° shall have the obligation to report to the National CSIRT cyber-attacks and cybersecurity incidents that may have significant effects in the terms of Article 27, as soon as possible and according to the following scheme:
- a) Within a maximum of three hours from the time they become aware of the cyberattack or cybersecurity incident that may have significant effects, an early warning of the occurrence of the event shall be sent.
- b) Within seventy-two hours at the latest, an update of the information referred to in letter a), including an initial assessment of the incident, its severity and impact, as well as indicators of compromise, if available. However, where the affected institution is an OIV and the provision of its essential services is affected by the incident, the update shall be provided to the National CSIRT within twenty-four hours of becoming aware of the incident.
- c) Within a maximum of fifteen calendar days from the sending of the early warning referred to in letter a), a final report containing at least the following elements:
  - A detailed description of the incident, including its severity and impact.
  - The type of threat or root cause that is likely to have caused the incident.
  - The mitigation measures implemented and in progress.
  - If applicable, the cross-border impact of the incident.
- d) If the incident is still ongoing after submission of the report referred to in letter c), that report shall be replaced by a status report at that time, and the final report shall be submitted within fifteen calendar days after the incident has been handled.
Notwithstanding the above, both the National CSIRT and the competent sectoral authority may request relevant updates on the situation.
OIVs shall also inform the National CSIRT of their action plan as soon as it has been adopted. The deadline for the adoption of an action plan shall in no case be longer than seven calendar days from the date of knowledge of the occurrence of the incident.
In the case of State agencies, in order to comply with this reporting duty, the heads of service shall require their information technology service providers to share information on vulnerabilities and incidents that may affect the computer networks and systems of State agencies, provided that the purpose is to prevent, detect or respond to incidents, to recover from them or reduce their impact, or to strengthen the level of cybersecurity, and provided that the potentially sensitive nature of the information shared is respected. To this end, service contracts may not contain any clause that restricts or hinders in any way the communication of threat information by the service provider, as long as this does not compromise security and data protection, including confidentiality and the protection of intellectual property.
The National Cybersecurity Agency shall issue such instructions as may be necessary for the proper submission and receipt of these reports. Where there is an obligation to notify more than one authority, the National Cybersecurity Agency, through its National CSIRT, together with the other sectoral authorities involved, as the case may be, shall endeavor to make available to the obligated parties a single-window system that allows simultaneous notification.
A regulation issued by the Ministry in charge of public security shall regulate the content of the various types of reports detailed above.
Footnote(s):
2 Essential Services are those provided by state administration agencies and the National Electricity Coordinator; those provided under a public service concession; and those provided by private institutions that carry out the following activities: electricity generation, transmission, or distribution; fuel transportation, storage, or distribution; drinking water supply or sanitation; telecommunications; digital infrastructure; digital services and information technology services managed by third parties; land, air, rail, or sea transportation, as well as the operation of their respective infrastructure; banking, financial services, and payment methods; administration of social security benefits; postal and courier services; institutional healthcare provision by entities such as hospitals, clinics, medical offices, and medical centers; and the production and/or research of pharmaceutical products.
3 Article 28 states that OIVs must obtain the cybersecurity certifications established by the Cybersecurity Framework Act and those determined by the National Cybersecurity Agency through regulations. For these purposes, only organizations that are part of the registry of authorized certification entities managed by the National Cybersecurity Agency will be authorized to issue valid certifications required by the law. To be included in this registry, it will be sufficient to prove compliance with the requirements established by the regulations, and to remain included, it is necessary to comply with the aforementioned requirements. The National Cybersecurity Agency may approve international or foreign technical certifications on cybersecurity through a reasoned resolution of its Director.
-
Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.
There are no special requirements for supply chain management, although all the provisions of the Cybersecurity Framework Act apply to such providers, as they are considered Essential Services.
-
Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?
There are no information sharing obligations on the part of companies, but they must comply with the requirements established in Article 27 of the Act (described above) regarding cybersecurity incidents.
-
Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?
Yes, for those entities that provide Essential Services and for OIVs.
-
Are there specific cybersecurity laws / regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.
The Cybersecurity Framework Act was enacted to unify the criteria regarding cybersecurity in Chile. Notwithstanding the above, there is still a large amount of secondary legislation issued prior to its entry into force in the health, financial and governmental sectors that will have to be progressively harmonized. For instance, for regulated financial entities such as banks, specific information security and cybersecurity obligations are contained in Chapter 20-10 of the Updated Compiled Norms (“RAN”) issued by the Financial Market Commission.
-
What impact do international cybersecurity standards have on local laws and regulations?
Although neither the law nor the authorities impose the adoption of international standards, it is very common for the industry to operate under ISO 27701, for example, or its Chilean adaptation, NCH ISO 27701. Additionally, Article 28 of the Cybersecurity Framework Act indicates that the National Cybersecurity Agency (ANCI) may approve international or foreign technical certifications on cybersecurity through a reasoned resolution by its Director.
-
Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?
Please refer to Answer 31.
-
How are cybersecurity laws in your jurisdiction typically enforced?
The National Cybersecurity Agency (ANCI), created by the Cybersecurity Framework Act, is a governing body responsible for regulating, supervising, and sanctioning public and private institutions that provide essential services, with the goal of strengthening the country’s cybersecurity. The ANCI also advises the President of the Republic on cybersecurity, coordinates responses to cyber incidents, and establishes security standards.
-
What powers of oversight / inspection / audit do regulators have in your jurisdiction under cybersecurity laws?
Key functions and powers of the ANCI:
- Advice: Advises the President on the National Cybersecurity Policy and other related matters.
- Regulation and Oversight: Regulates and supervises institutions that provide essential services and operators of vital importance (OIV).
- Coordination: Coordinates and supervises the National CSIRT and sectoral CSIRTs.
- Standard-Setting: Issues mandatory cybersecurity protocols, standards, and instructions.
- Administration: Manages the State Secure Connectivity Network (RCSE).
- Training and Dissemination: Designs and implements cybersecurity training and dissemination plans.
- Prevention and Response: Manages risks and incidents, including the authority to intervene in serious situations that compromise networks and infrastructure.
- Oversight and Sanctions: Oversees and sanctions institutions that fail to comply with cybersecurity standards.
-
What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?
The Cybersecurity Framework Act defines the structure and the range of sanctions:
Article 37 of the Act regulates the sectoral authority’s powers, stating that it shall be competent to supervise, investigate and sanction infringements, as well as to execute sanctions, as established in the cybersecurity regulations it has issued and whose effects are at least equivalent to those of the regulations issued by the National Cybersecurity Agency, as provided in Article 26 of the Act. For this purpose, the sanctions and sanctioning procedures shall be those that correspond to the sectoral authority in accordance with its own regulations. Apart from such cases, it shall be the National Cybersecurity Agency’s responsibility to supervise, investigate and sanction infringements of the Act, as well as to execute the sanctions, without prejudice to the power of State Administration agencies to inform the competent agency of infringements of the regulation of which they become aware.
Article 38 classifies the infractions to the obligations of the Cybersecurity Framework Act as minor, serious and very serious infringements:
- Minor infractions:
  - Delivering after the deadline the information required when it is not necessary for the management of a cybersecurity incident.
  - Failure to comply with the general or specific instructions issued by the Agency in cases that are not sanctioned as a serious or very serious infraction.
  - Any infringement of the obligations established by the Act which does not have a special sanction.
- Serious infractions:
  - Failure to have implemented the protocols and standards established by the Agency to prevent, report and resolve cybersecurity incidents.
  - Failure to implement the particular cybersecurity standards.
  - Delivering after the deadline the information required when it is necessary for the management of a cybersecurity incident.
  - Providing the Agency with manifestly false or erroneous information.
  - Failure to comply with the reporting obligation established in Article 9.
  - Unjustifiably refusing to comply with an instruction of the Agency or deliberately hindering the exercise of the Agency’s attributions during the management of a cybersecurity incident, provided that the attribution does not have a special sanction.
  - Recidivism in the same minor infraction within a year.
- Very serious infractions:
  - Providing the Agency with manifestly false or erroneous information, when such information is necessary for the management of a cybersecurity incident.
  - Failure to comply with the general or specific instructions given by the Agency during the management of an incident of significant impact.
  - Failure to provide the information required when it is necessary for the management of an incident of significant impact.
  - Recidivism in a serious infraction within one year.
Article 40 details the applicable penalties, which are basically fines paid to the State, based on the following scale:
- Minor infractions shall be sanctioned with a fine of up to 5,000 monthly tax units (USD 353,550 approx.), or up to 10,000 monthly tax units (USD 707,101 approx.) in the case of an OIV.
- Serious infractions shall be sanctioned with a fine of up to 10,000 monthly tax units (USD 707,101 approx.), or up to 20,000 monthly tax units (USD 1,414,202 approx.) in the case of an OIV.
- Very serious infractions shall be sanctioned with a fine of up to 20,000 monthly tax units (USD 1,414,202 approx.), or up to 40,000 monthly tax units (USD 2,828,797 approx.) in the case of an OIV.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
To determine the fine, consideration shall be given to the degree to which the offender adopted the necessary measures to safeguard the information security of its operations, the probability of occurrence of the incident, the degree of exposure of the offender to the risks, the seriousness of the effects of the attacks including their social or economic repercussions, the repetition of the infringement within a period of three years from the time the incident occurred, and the size and economic capacity of the offender.
When for the same facts and legal grounds the offender could be sanctioned under the Cybersecurity Framework Act and under one or more other laws, of the possible sanctions, the most serious one shall be imposed. However, in no case may two or more administrative sanctions be applied to the offender for the same facts and legal grounds.
The offenses provided for in the Cybersecurity Framework Act shall be subject to the statute of limitations three years after they have been committed, which period shall be interrupted with the notification of the filing of charges for the facts constituting them.
-
Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.
Yes, the National Cybersecurity Agency’s decisions may be subject to appeal. Article 46 regulates the judicial claim procedure: the persons who consider that an administrative act that paralyzes the procedure, or a final or terminating resolution issued by the National Cybersecurity Agency, is illegal and causes them harm, may file a claim of illegality before the Court of Appeals of Santiago or the Court of the place where the claimant is domiciled, at the choice of the latter. The claim must be filed within fifteen working days following the notification of the challenged resolution.
-
Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?
As with personal data, the Cybersecurity Framework Act has only recently entered into force, and the National Cybersecurity Agency is expected to act promptly by drafting secondary regulations. For example, in March of this year it published a regulation containing the necessary steps to report incidents and a guide with the taxonomy of the different types of cybersecurity incidents. In the same month it also published the procedure for determining which companies may be considered OIVs. It is expected that around September 2025 the National Cybersecurity Agency will publish its first list of OIVs.
Chile: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Chile.