On January 14th,  Bill No.18.060-07 was introduced in the Senate, a legislative proposal aimed at adjusting Law No. 21.719 (the “Law”), which regulates the protection and processing of personal data and creates the Personal Data Protection Agency (APDP, for its initials in Spanish). The proposal seeks to balance the protection of data subjects with the free flow of information, and to improve the applicability and implementation of the Law, which enters into force on December 1st of this year. 

Main amendments: 

1. Extraterritoriality rules: 
   The provision establishing broad extraterritorial application of the Law is eliminated, as it created scenarios that were difficult to anticipate and could generate internal inconsistencies, in addition to imposing burdens on foreign companies without a real supervisory capacity. 

2. Definition of sensitive personal data: The amendment narrows the definition by excluding categories such as “physical or moral characteristics or circumstances of private life or intimacy,” “socioeconomic situation,” and “political and professional association” (replacing the latter with “political opinions” and “trade union membership”). 

3. Regulation of publicly accessible sources: The definition of publicly accessible sources is expanded to expressly include both public and private databases, while clarifying that access must be lawful and not subject to legal restrictions. 

4. Regulation of erasure, objection, and blocking rights: The regulation of erasure and objection rights is reorganized for greater clarity and coherence. The right to object to automated personal assessments is reinstated. In addition, Article 8 ter —which established blocking as an independent right— is eliminated, returning blocking to its original function as an accessory procedural measure within a claim procedure. 

5. Obligation for foreign data controllers: The requirement to appoint a representative domiciled in Chile is removed, limiting the obligation to maintaining an operational contact mechanism for data subjects and for the Personal Data Protection Agency (APDP, for its initials in Spanish).  

6. International data transfers: A special enabling ground is introduced to authorize data transfers between companies belonging to the same corporate group, if standards policies for processing and governance are applied.  

7. Adjustments to the sanctions regime: The maximum ranges of fines for minor, serious, and very serious infringements are significantly reduced: 

• Minor infringements: Reduced from a maximum of 5,000 UTM to a range of 1 to 100 UTM. 

•  Serious infringements: Reduced from up to 10,000 UTM to a range of 101 to 1,000 UTM. 

• Very serious infringements: Reduced from up to 20,000 UTM to a range of 1,001 to 5,000 UTM. 

The amendment also adjusts the rules on recidivism, limiting fine increases and narrowing the application of percentage-based criteria tied to annual income.  

8. Compliance programs and infringement prevention models: 

A specific chapter on prevention models and compliance programs is reinstated, recognizing their value as a regulatory incentive and as an internal management tool for controllers and processors.