Chile has amended its data privacy law granting significant rights to data subjects, and imposing stricter obligations on data controllers and processors. Published in the Official Gazette (Diario Oficial) on December 13, 2024, Chile’s new Personal Data Protection Law takes effect on December 1, 2026.
Chile’s journey toward robust data protection began with the enactment of the “Protection of Private Life” Law No. 19,628 in 1999, which laid the foundation for personal data protection. Over the years, the legal framework has evolved to address the growing complexities of data privacy.
Key updates to the law include the following:
- Territorial scope. The PDPL extends its territorial scope to include entities located outside of Chile.
- Data subject rights. Data subjects have enhanced rights over their personal data, including access, rectification, deletion, and objection to data processing. The PDPL added the right to data portability, which allows data subjects to request and receive copies of the data about them in structured electronic formats and directly from controller to controller, if feasible.
- Data controllers. Data controllers must comply with newly established minimum security measures, conduct data protection impact assessments in some situations, and appoint a Data Protection Officer. They are also required to provide clear privacy notices and ensure lawful bases for data processing.
- Lawfulness of processing. As the legal bases for the processing of personal data, the PDPL recognizes the performance of an agreement, the legitimate interest of the controller or third party, and the exercise of the processor’s defense before courts or public authorities. These are in addition to the express consent of the data subject and the fulfillment of a legal obligation or authorization. The PDPL removes the processing of personal data obtained from publicly available sources as a legal basis for processing. Data processors must also comply with newly established minimum security measures.
- Regulatory authority. A new Personal Data Protection Agency has been established to oversee compliance and handle complaints.
- Data breach notification. Controllers will be required to notify the Agency of any data breaches that affect data subjects’ rights, and also to notify the subjects in certain cases.
- Responding to data subject requests. Controllers have 30 days to respond to data subjects’ requests, and are permitted a one-time 30-day extension if needed.
- Cross-border data transfers. The Agency will restrict transfers to non-adequate jurisdictions, and will determine which countries are considered to be adequate. The bases for “lawfulness” findings are similar to those established by the General Data Protection Regulation of the European Union: (1) when the transfer is covered by contractual clauses, (2) when the transfer is between companies belonging to the same business group, or (3) when a compliance model in personal data matters is adopted by both parties, among other grounds.
- Sanctions regime. The Chilean law introduces stringent penalties for noncompliant controllers, classified as “minor,” “major,” and “severe.” Controllers may be sanctioned, depending on the severity of the infringement, for as much as $1,440,000 USD. Recurrences carry fines up to three times the amount of the initial infringement, or the Agency may order the suspension of the processing by the controller.
Chile’s new data protection law aims to protect its residents’ personal data and aligns with international standards bringing Chile closer to being recognized as an “adequate” country by the EU under the GDPR, and reflecting a global trend toward stronger data privacy regulations.
