CRW

Home Wiki

Personal Data Protection Law

View on consumerrights.wiki ↗

Contents6
  1. Summary
  2. Responsibility for companies
  3. Penalties
  4. User's rights over their data
  5. Personal Data Protection Agency
  6. References
📰 This page or section is about an ongoing event.
Check again later for more coverage.

The Personal Data Protection Law, also known as "Ley de Protección de Datos Personales" in Spanish or Law N° 21,719) is a Chilean law created to increase protections for user's data. It is based on the General Data Protection Regulation (GDPR) from the EU. It was approved on August 19th 2024 and will come into force on December 1st, 2026[1].


Summary

The law introduces mofidications to the Law N° 19.628 to cover protections for personal data, responsibilities to the entities who gather and process the data, the rights of the people over their data, and the creation of a dedicated agency to manage, instruct and communicate about all related aspects to these legislations[2][3][4].

Responsibility for companies

Every company or third-party used by a company, whether they are national or international and operate in Chile that collects, process or stores personal data is mandated to comply with designated regulations in order to operate in the country.

First of all, any entity who collects users' data is prohibited to do so if the user hasn't done any explicit consent to allow this. If the user is under 16, companies may only process user's data if the parents or legal representatives have consented to do so.

Secondly, the responsible entities must be transparent, informing with details and transparency about how do they collect and manage users' data. They are prohibited to use the data for purposes that are not mentioned or informed. The entities also must provide an address for being contacted easily.

Adequate security measurements are also mandated and mentioned in the Article 14.5, with requirements that include aspects like data encryption, ability of data restoration in case of losses, and anonymization, this to prevent data breaches, misusage or deletion. The companies are allowed to retain users' data for a certain period of time, but they are mandated to delete or anonymize the data after it is processed.[2]

Penalties

Any company or third party that commits an infraction may be penalized for this. According to the Articles 34 and 35, the penalties for law violations are divided in three categories: Mild, Severe and Very Severe.

  • Mild penalties involve aspects such as lack of transparency on data management, lack of replying, vague replies or replying after the designated period to a user's request, lack of the mandated communications with the Agency or commiting minor violations to people's rights. The fine for commiting a mild penalty is up to 5,000 UTM (approximately 393,300 dollars)
  • Severe penalties involve aspects such as the treatment and processing of personal data without the user's consent, not allowing or difficulting an user to exercize their rights over their data and insufficient security measures to keep the data safe. The fine for commiting a mild penalty is up to 10,000 UTM (approximately 786,600 dollars)
  • Very severe penalties involve aspects such as the fraudulent treatment of personal data, the treatment of the data for malicious purposes, transference of data belonging to children and teenagers, not communicating security vulnerations that may affect data protection and integrity and not complying with the designated security evaluations to protect the data. The fine for commiting a mild penalty is up to 20,000 UTM (approximately 1,573,200 dollars)

The Article 36 states that an entity that has commited repetitive penalties during a period of 30 months may receive a fine with a tripled value.[2][5]

User's rights over their data

The law dictates any piece of personal data belongs exclusively to the user[5]. Any individual has the intransferible and indispensable rights of access, rectification, supression, opposition, portability and block their personal data unless another law does not allow it. If the data owner passes away, their heirs may perform the rights of the law. However, heirs may not perform these rights if the owner has forbidden this or any law prevents it.[2]

Opposition: The individual has the right to oppose to in the following cases:

  • When the treatment objective is the legitimate fulfillment of interests of the company.
  • If the data gathered is used for publicitary and profiling purposes.
  • If the data has been gathered from public databases and there's no legal fundament for its usage.

The right cannot be performed if the data is used for statistic, historic, scientific purposes or any public function or activity.

Block: The individual has the right to temporarily prevent companies to process their data when a supression, opposition or rectification request is done. This right does not affect the storage of data by the responsible company

Portability: The individual has the right to request responsible companies about the data they gather and process, if it belongs to consented and automated processed data.

Personal Data Protection Agency

The law dictates the creation of the Personal Data Protection Agency (Agencia de Protección de Datos Personales) 6 months before the law enforcement. This is a national entity related with the Chilean government that is dedicated to instruct and supervise if entities managing the data are complying with the Chilean legislations and regulations. It also is dedicated to solve users' reports about companies not complying or committing infractions.[4][2][5]

National Penalties and Compliance Registry

The National Penalties and Compliance Registry (Registro Nacional de Sanciones y Cumplimiento) is a digital registry managed by the Personal Data Protection Agency of public and free access that publishes registrations of companies and entities that have been penalized for not complying with the national data protection normatives and regulations. Any registry is accesible up to five years since its publishing date.[2]

References

  1. "Se aprueba Ley de Protección de Datos Personales: Revisa de qué se trata" [Personal Data Protection Law is approved: Check what it is about]. Gob.cl. Chilean Government. 27 Aug 2024. Retrieved 12 Apr 2026.{{cite web}}: CS1 maint: url-status (link)
  2. 2.0 2.1 2.2 2.3 2.4 2.5 "Ley 21719" [Law 21719]. Biblioteca del Congreso Nacional de Chile. 13 Dec 2024. Retrieved 12 Apr 2026.{{cite web}}: CS1 maint: url-status (link)
  3. Parada Barriga, Francisco Javier (Dec 2024). "Ley 21.719: Chile se pone serio con la protección de tus datos personales" [Law 21,719: Chile gets serious with the protection of your personal data]. Universidad de Concepción. Retrieved 12 Apr 2026.{{cite web}}: CS1 maint: url-status (link)
  4. 4.0 4.1 Carey, Guillermo; Mercado, José Ignacio; García, Gabriela (13 Dec 2024). "PUBLICAN LA LEY N° 21.719 QUE MODIFICA LA LEY N° 19.628 SOBRE PROTECCIÓN DE LA VIDA PRIVADA EN EL DIARIO OFICIAL" [PUBLISHED IN OFFICIAL DIARY THE LAW N° 21,719 THAT MODIFIES THE LAW N° 19,628 ABOUT PRIVATE LIFE PROTECTION]. Carey. Retrieved 12 Apr 2026.{{cite web}}: CS1 maint: url-status (link)
  5. 5.0 5.1 5.2 Paiva, Alexis (7 Apr 2026). "Ley de Protección de Datos Personales: qué cambios implementará y cómo pueden adaptarse las empresas" [Personal Data Protection Law: what changes is going to implement and how companies can adapt]. La Tercera. Retrieved 10 Apr 2026.{{cite web}}: CS1 maint: url-status (link)
Filed under