Main obligations that come with the new Personal Data Protection Law  

Law No. 21.719 introduces a substantive reform to the Chilean personal data protection regime that will enter into force on December 1st, 2026. 

 
It applies to any natural or legal person that carries out the processing of personal data (of clients, employees, or suppliers), regardless of the sector or size of the organization. The Law reaffirms that personal data belongs to its data subjects, and its processing by third parties (companies, organizations, service providers) is lawful only to the extent that there is a legal basis that justifies it and a specific purpose that defines it. 

Main obligations 

Lawfulness of processing. Any processing activity must be based on a valid legal ground, such as the data subject’s consent, the performance of a contract, compliance with a legal obligation, or the controller’s legitimate interest, among others established by the Law. The controller must identify which ground applies to each processing activity and be able to demonstrate it, complying with the applicable requirements in each case. 

Sensitive personal data. Personal data relating to health, biometric data, ethnic origin, or religious or political affiliation, among others, are subject to a particularly restrictive regime. Consent for their processing must be explicit, and the exceptions allowing processing without consent are exhaustively set out in the Law. 

Duty to inform. Companies must maintain an accessible and up-to-date personal data processing policy, detailing the categories of data processed, the purposes, the legal basis, the recipients to whom the data is disclosed or transferred, the retention periods, and the security measures implemented. 

Contracts with third parties. Where processing is outsourced to a provider (processor), an agreement must be executed expressly regulating the conditions of such processing. The Law formalizes and expands this requirement compared to the previous framework. 

Data Protection Impact Assessment (EIPD, for its initials in Spanish). For processing activities involving large-scale processing or sensitive personal data, the Law establishes the obligation to carry out a prior impact assessment. 

Supervision and sanctions 

The Law creates the Personal Data Protection Agency (APDP, for its initials in Spanish), an autonomous authority with supervisory and enforcement powers. Sanctions range from written warnings to fines of up to 20,000 UTM (approximately CLP 1.4 billion) for very serious infringements. For medium- and large-sized companies that are repeat offenders, fines may reach up to 4% of annual revenue. Sanctions will be recorded in a publicly accessible National Registry. 

Compliance with this regulation entails a process that includes mapping processing activities, reviewing existing contracts, updating policies and documentation, and, in many cases, implementing changes to internal data collection and management procedures. Therefore, it is advisable to begin this process well in advance. 

For questions or further information, please contact our Corporate legal team. 
