Protection and processing of personal data and the creation of the Personal Data Protection Agency  

Today, December 13th, 2024, Law No. 21.719 was published, regulating the protection of personal data and establishing the Personal Data Protection Agency. After a long legislative process that began in 2017, this law modernizes the existing framework and raises current standards.

Some of the most relevant aspects include:

  • Creation of a new institution for personal data protection, through the establishment of the Personal Data Protection Agency. Its primary objective is to oversee compliance with the new regulations and impose sanctions when necessary.

  • Expanded scope of application for personal data regulations. Compliance is now required not only for data controllers established within Chile but also for those outside the country who process data on behalf of a Chile-based controller or whose processing activities target individuals located in Chile by offering them goods or services.

  • New legal bases for processing personal data, in addition to consent. The law allows data processing without the data subject’s consent in specific cases, such as when:
     
    – Processing relates to obligations of an economic, financial, banking, or commercial nature. 
    – Processing is required to fulfill a legal obligation or execute a contract, or is mandated by law. 
    – Processing is necessary to satisfy the legitimate interests of the controller or a third party. 
    – Processing is required for the formulation, exercise, or defense of a right before courts or public authorities.
     

For sensitive data, the general rule is that processing requires the data subject’s consent, with limited legal exceptions applicable to very specific cases as defined by the law.

  • Expanded catalog of data subjects’ rights, including rights of access, rectification, deletion, objection, portability, and blocking. The law establishes procedures and mechanisms for data subjects to exercise these rights against those handling their personal data.
     
  • Obligations for data controllers. For example, data controllers must inform data subjects and provide them with evidence of the legality of the data processing. The law outlines an extensive minimum content requirement for information that must be provided to data subjects. Data used in any operation must be strictly necessary, appropriate, and relevant to the purposes for which it is being processed.
     
  • Specific framework for international data transfers, defining the conditions under which such transfers are permitted. The law includes a closed list of cases where data can be transferred from Chile and specifies which countries are considered adequate recipients of such data. Additionally, the Agency is empowered to oversee international data transfer operations, issue recommendations, adopt protective measures, and, in exceptional cases, temporarily suspend data transfers.

  • Catalog of offenses and penalties: Offenses are categorized as minor, serious, and very serious, with fines of up to 5,000 UTM, 10,000 UTM, and 20,000 UTM, respectively. Mitigating factors (e.g., collaboration or self-reporting) and aggravating factors (e.g., recidivism or continuous violations) are considered when determining penalties. In cases of recidivism (two or more sanctions within 30 months), the Agency may triple the fine or suspend the data processing activities of the infringing party for up to 30 days, unless this affects the rights of the data subjects. The Agency will also mandate corrective actions, and failure to comply may result in a 50% fine increase.

  • Preventive measures for data controllers: Both public and private entities must take actions to prevent violations. The law introduces a voluntary Compliance Program that can be certified by the Agency. This program includes the appointment of a Data Protection Officer (DPO), who will act as the primary contact with the Agency. The DPO must be designated by the highest administrative authority and have the autonomy to advise the data controller, processors, and employees on compliance with data protection regulations.

The law will take effect on the first day of the 24th month following its publication in the Official Gazette, meaning December 2026. However, the regulations referred to in the law must be issued within six months of its publication in the Official Gazette. 
