On 14 November, and after many years of negotiations, Chile adopted a new Data Protection Act (la Ley que regula la protección y el tratamiento de los datos personales y crea la Agencia de protección de datos personales). This new Data Protection Act (DPA) aims to provide Chile with an updated regulatory framework for the protection of personal data, by replacing the law that had been in force since 1999. The DPA is also expected to align with international privacy and data protection standards, such as the General Data Protection Regulation in Europe (GDPR), the General Data Protection Law in Brazil (LGPD), or the Personal Data Protection Law in Argentina (LPDP).
What’s New?
The new Chilean DPA introduces a new set of definitions, principles and requirements that can be summarized as follows:
1) The DPA clarifies the roles of companies that carry out and take part in the processing of personal data. The concepts of “controller” (Responsable de datos) and “processor” (Tercero mandatario o Encargado) are clearly defined to allocate responsibility and allow individuals to exercise their privacy and data protection rights in an efficient manner.
2) The territorial scope of applicability of the DPA is expanded. Unlike the previous law of 1999, the DPA will also apply to non-Chilean based companies that offer goods or services to individuals located in Chile. Foreign companies that monitor the behavior of individuals in Chile will also have to comply with the requirements of the DPA (this includes the analysis, tracking, profiling, and behavioral prediction of individuals). Finally, companies that act as the processor (Tercero mandatario o Encargado) of a Chilean controller will also have to comply with DPA-related requirements, regardless of where they are based.
3) Similarly to the GDPR, the DPA introduces new data protection principles that must always be complied with by companies processing personal data. These include the lawfulness and fairness principles (Principios de licitud y lealtad), the purpose limitation principle (Principio de finalidad), the proportionality principle (Principio de proporcionalidad), the quality principle (Principio de calidad), the accountability principle (Principio de responsabilidad), the security principle (Principio de seguridad), the transparency and information principle (Principio de transparencia e información), and the confidentiality principle (Principio de confidencialidad).
4) The DPA reinforces the rights of individuals whose personal data is being processed (Titulares de datos), which were already provided for in the law of 1999 (incl. the rights of access, modification, and restriction to processing). The new law also offers new rights to individuals, such as the right to object to a certain processing, the right to data portability, and the right to object to automated decision-making.
5) The DPA clarifies how consent of individuals can be used as a legal basis to process personal data. However, the DPA now also allows companies to process personal data to comply with a legal obligation, to perform a contract with an individual (such as an employment contract), for the establishment, exercise, or defence of legal claims in court or administrative proceedings, and for the purposes of the legitimate interests pursued by the controller, provided such interests do not outweigh the fundamental rights of individuals. Such interests include, by way of example, the prevention of fraud or the protection of network and information security systems.
6) The DPA imposes new obligations on controllers. By way of example, controllers must provide and keep permanently available to the public (e.g., on their website) privacy policies that describe the personal data processing activities that they carry out (incl. information on the categories of data subjects and the types of personal data processed, details on the purposes for processing, the legal bases relied upon to process personal data, the recipients of personal data, etc.). Controllers are also required to observe the principle of data protection by design and by default before processing personal data, to implement appropriate security measures, to perform data protection impact assessments for activities that are likely to result in a high risk to the rights and freedoms of individuals (Evaluación de impacto en protección de datos personales), and to report personal data breaches to the Chilean data protection regulator (and in some cases, to affected individuals).
7) The DPA establishes a new Chilean data protection regulator (Autoridad de control en materia de protección de datos personales o Agencia). This is one of the most important developments of the Chilean privacy and data protection framework, which up until now did not have an independent authority overseeing data protection law requirements. This new regulator will monitor and enforce the application of the DPA and is also expected to issue guidance to help companies navigate the new DPA requirements. The regulator will have the power to sanction companies that fail to comply with the DPA, depending on the seriousness of a violation (minor, serious, or very serious). The Chilean regulator can impose fines of up to $1,450,000 or 4% of a company’s total worldwide annual turnover.
8) The DPA introduces new rules on the transfer of personal data outside of Chile. Similarly to data transfer restrictions in other jurisdictions, the DPA now allows for cross-border data transfers a) to recipients located in foreign countries considered as “adequate” by the Chilean data protection regulator; b) on the basis of model contractual clauses that can be pre-approved by the data protection regulator; and c) on the basis of a certification mechanism that establishes adequate transfer guarantees.
What’s Next?
The DPA is expected to become fully applicable in 2026. The DPA can be of relevance to any company that conducts business in Chile or exchanges personal data with Chilean companies. Companies with business activities impacting Chile are advised to assess to what extent the DPA may apply to their activities. Moreover, the DPA’s data transfer restrictions may impact businesses abroad (e.g., in the U.S. or the EU) that are on the receiving end of personal data that is transferred from Chile. Such non-Chilean based companies may be asked to agree to contractual obligations and implement measures that aim to ensure the same level of protection as under Chilean data protection law.