Urenda Rencoret Orrego & Dörr

 

What law(s) specifically govern personal data / information?

Law No. 19,628 on the Protection of Private Life ('Current Privacy Law') is the main data protection law in Chile. There are also other laws and regulations that refer to or contain certain data privacy provisions, such as the Labour Code, Law No. 19,496 on Consumers' Rights ('CRL'), Law No. 20,285 on access to public information, etc.

In addition, the Chilean Political Constitution guarantees the respect and protection of the private lives of all people and their families, and the protection of their personal data, setting forth that the processing and protection of said data shall be carried out in the manner established by law.

However, we note that Law No. 21,719 amends the Current Privacy Law as of December 1, 2026, which will be renamed as the Personal Data Protection Law ('New Privacy Law'), mostly aligning Chile’s regulatory framework with the standards set forth in the European Union’s General Data Protection Regulation ('GDPR'). In this regard, together with reinforcing data subjects’ rights, the New Privacy Law creates a Data Protection Agency, establishes specific and higher fines for infringements, institutes a special complaint procedure, regulates cross-border transfer of personal data, etc. As previously mentioned, the New Privacy Law will enter into force on December 1, 2026.

 

What are the key data protection principles in this jurisdiction?

Processing of personal data (i.e. any information regarding individuals, either identified or identifiable) can only be carried out when authorised by law or when the data subject expressly consents thereto in writing. The data subjects must be duly informed with respect to the purpose of the storage of their personal data and the possible communication of the same to the public. The referred to authorisation can be revoked by the data subject, in writing.

The Current Privacy Law sets forth that no consent is required for the processing of personal data, which:

  • comes or is collected from public sources and is of economic, financial, banking or commercial nature;
  • is contained in lists relating to a category or group of persons that only make reference to information such as the belonging of individuals to said group, their profession or activity, educational degrees, addresses or dates of birth; or
  • is required for commercial communications of direct response or direct sale of goods or services.

Also, no authorization is required if private legal entities handle personal data for their exclusive use or the use of their associates and entities to which they are affiliated, provided it is used for statistical or rate-setting purposes only or for any general benefit of those indicated above.

With respect to sensitive data (i.e. personal data referred to individuals' physical or moral characteristics or facts, or circumstances of their private life or intimacy, such as personal habits, race, political views, religious beliefs, physical or mental health and their sexual life), the Current Privacy Law sets forth that it may only be transferred or used if authorization is granted by law or by the data subject, or if such data is necessary for determining or granting health benefits to the data subject.

Main obligations regarding the processing of personal data:

Aside from obtaining the relevant consent when required, the following are the main obligations of the party responsible for a registry or data bank where personal data is processed:

  • Personal data shall be used solely for the purpose for which it was collected, except if it comes or was collected from publicly available sources. The processed data shall be accurate, current and reflect the actual situation of the data subject. The processing of personal data relating to economic, financial, banking or commercial obligations may only be done in connection with commercial risk assessment and the credit granting process. Therefore, this type of data may only be communicated to established businesses, for said purpose. Also, the referred to data may not be requested in connection with recruitment or preschool, school or higher education admission processes, for emergency medical care, or in order to apply to a public office or governmental job.
  • The party responsible for a data bank shall cancel or eliminate personal data when there is no legal basis for the storage of the same, or when the personal data has expired. Likewise, when erroneous, inaccurate, misleading or incomplete, personal data shall be rectified. If the accuracy or validity of personal data cannot be determined, it shall be blocked (if elimination is not required). Said actions shall be taken even in the absence of a request by the data subject. If cancelled or rectified personal data had previously been communicated to a third party, the party responsible for the data bank shall inform the third party of the cancellation or amendment as soon as possible.
  • Those working in the processing of personal data shall keep the confidentiality of the same, provided that the information was collected from non-publicly available sources.
  • The party responsible for a data bank where personal data is stored shall take due care of said data, being liable for any damages.

In turn, the New Privacy Law expressly establishes the following guiding principles:

  • Principle of Legality and Loyalty. Personal data may only be processed lawfully and fairly. The data controller (defined in the New Privacy Law as any individual or entity who decides on the purposes and the means for the processing of personal data, regardless of whether the data is processed directly by them or through an agent or data processor) must be able to prove the lawfulness of the processing of personal data it carries out.
  • Principle of Finality. Personal data must be collected for specific, explicit, and lawful purposes. The processing of personal data must be limited to the fulfillment of these purposes.
  • Principle of Proportionality. The personal data processed must be strictly limited to the data that is necessary, adequate, and relevant in relation to the purposes of the processing.
  • Principle of Quality. Personal data must be accurate, complete, current and relevant to their provenance and the purposes of the processing.
  • Principle of Responsibility. Those who process personal data shall be legally responsible for compliance with the principles, obligations and duties pursuant to the New Privacy Law.
  • Principle of Security. In the processing of personal data, the data controller must ensure adequate security standards, protecting it against unauthorised or unlawful processing, and against its loss, leakage, accidental damage or destruction. The security measures must be appropriate and proportionate to the processing to be carried out and the nature of the data.
  • Principle of Transparency and Information. The data controller must provide the data subject with all the information necessary for the exercise of the rights established in the New Privacy Law. The data controller must adopt appropriate and timely measures to provide the data subject with access to all the information mentioned in the New Privacy Law, as well as any other communication related to the processing it carries out.
  • Principle of Confidentiality. The data controller and those who have access to personal data shall maintain secrecy or confidentiality of such data. The data controller shall establish adequate controls and measures to preserve secrecy or confidentiality. This duty subsists even after the relationship with the data subject has ended.

The New Privacy Law broadens the lawful bases for the processing of personal data but includes higher standards in general for the obligations set forth in the Current Privacy Law, and contemplates additional ones, such as:

  • The data controller shall maintain a privacy policy and other relevant information permanently available to the public.
  • The data controller shall report to the Data Protection Agency and data subjects certain breaches of security measures in connection with personal data.
  • The data controller shall apply appropriate technical and organisational measures in the processing of personal data. These measures must be integrated into the design of systems (data protection by design) and ensure that, by default, only necessary and specific data is processed (data protection by default).
  • In certain circumstances, the data controller shall carry out a personal data protection impact assessment prior to the processing.

 

What is the supervisory authority / regulator in charge of data protection?

Currently, Chile does not have a Data Protection Agency. However, the Transparency Council, among its other tasks, is in charge of overseeing that public entities comply with the Current Privacy Law. Also, the National Consumers Agency has certain supervisory powers regarding personal data of consumers processed within a consumer relationship.

The New Privacy Law establishes a Data Protection Agency, responsible for ensuring the effective protection of the rights guaranteeing individuals’ private life and personal data, in accordance with the provisions of the New Privacy Law, and for enforcing its provisions.

 

Is there a requirement to register with a supervisory authority / regulator?

The Current Privacy Law does not establish this requirement.

The New Privacy Law sets forth that, in the case of legal entities not established in Chile, the data controller must provide to the Data Protection Agency an email address or an equivalent valid and operational electronic means of communication of an individual or legal person capable of acting on its behalf. This is for the purpose of allowing data subjects to exercise their rights and communicate with the data controller, and so that valid administrative communications and notifications required by law can be made. The data controller must keep this information updated.

 

Is there a requirement to notify the supervisory authority / regulator?

The Current Privacy Law does not stipulate this obligation.

The New Privacy Law establishes that the data controller must notify the Data Protection Agency, by the most expeditious means possible and without undue delay, of certain breaches of security measures in connection with personal data. In addition, when a data controller rejects a data subject’s request for the temporary restriction of processing in connection with a request for rectification, erasure or objection, it shall inform the Data Protection Agency of its decision electronically.

 

Is it possible to register with / notify the supervisory authority / regulator online?

This is not applicable under the Current Privacy Law.

Although certain implementing regulations remain pending, this is expected to be the case under the New Privacy Law.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

In general terms, the Current Privacy Law establishes that data subjects can request the party responsible for the registry or data bank where their personal data is being processed to:

  • Provide them with access to information regarding their personal data, including the purpose of the storage and processing, the origin of the data, recipients of the same, etc.
  • Rectify the personal data when the same is erroneous, inaccurate, misleading or incomplete.
  • Where applicable, cancel, eliminate, or block personal data, mainly when there is no legal basis for the storage of the same, or when the same is not current.

The above rights may not be restricted by an agreement between parties.

The New Privacy Law recognises the following rights in general:

  • Access. Data subjects have the right to request and obtain from the data controller confirmation as to whether their personal data is being processed by the data controller, and if so, to access such data and other information set forth in the law. The data controller is obliged to provide information and give access to the data except when a law expressly provides otherwise.
  • Rectification. Data subjects have the right to request and obtain from the data controller, the rectification of their personal data that is being processed by the data controller, when they are inaccurate, outdated or incomplete.
  • Erasure. Data subjects have the right to request and obtain from the data controller, the deletion of their personal data in certain cases set forth in the New Privacy Law.
  • Objection. Data subjects have the right to request and obtain from the data controller that a specific data processing operation of their personal data not be carried out, in the cases provided for under the New Privacy Law.
  • Restriction. Data subjects have the right to request the temporary restriction of any processing operation of their personal data when making a request for rectification, erasure or opposition, until such request is resolved.
  • Portability. Data subjects have the right to request and receive a copy of their personal data provided to the data controller, in a commonly used, generic and structured electronic format that can be operated by different systems, and to communicate or transfer such data to other data controllers, when the processing is carried out in an automated manner, and is based on the data subject’s consent.

Data controllers must implement mechanisms and technological tools that allow data subjects to exercise their rights in an expeditious, agile and effective manner. The means provided by data controllers must be simple in their operation.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

The Current Privacy Law does not provide for or regulate the role of a data protection officer.

The New Privacy Law establishes the appointment of a data protection officer as part of a voluntary prevention program that may be adopted (under certain conditions, said programs may be considered as a factor for reducing liability in the event of an infringement of the New Privacy Law).

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

The Current Privacy Law does not consider specific circumstances where a special data protection impact assessment is required.

The New Privacy Law establishes the obligation of data controllers to carry out a privacy impact assessment before processing personal data, when it is likely that the type of processing, due to its nature, scope, context, technology used or purposes, may produce a high risk to the rights of data subjects. Such assessment is always required in certain cases set forth in the New Privacy Law (e.g. cases of massive or large-scale data processing, or processing involving systematic observation or monitoring of a publicly accessible area).

 

Under the Current Privacy Law, there is no requirement to notify data breaches.

The New Privacy Law provides that the data controller must report to the Data Protection Agency, by the most expeditious means possible and without undue delay, breaches of security measures that result in the accidental or unlawful destruction, leakage, loss or alteration of the personal data it processes, or the unauthorised disclosure of or access to such data, where there is a reasonable risk to the rights and freedoms of the data subjects.

The data controller must record these communications, describing the nature of the breaches suffered, their effects, the categories of data and the approximate number of data subjects affected, and the measures taken to manage them and prevent future incidents.

In case such breaches concern sensitive personal data, data relating to children under fourteen years of age or data relating to economic, financial, banking or commercial obligations, the data controller must also notify the data subjects.

 

What restrictions apply to the international transfer of personal data / information?

The transfer of personal data to other jurisdictions is not specifically regulated or restricted in the Current Privacy Law, so general rules apply.

The New Privacy Law regulates this matter, expressly allowing cross-border transfer of personal data in the following cases:

  • When the recipient is subject to a legal system that provides adequate level of protection to personal data, in accordance with the provisions of the New Privacy Law.
  • When the transfer of data is governed by contractual provisions, binding corporate rules or other legal instruments, including adequate safeguards in accordance with the provisions of the New Privacy Law.
  • When the transferor and the transferee adopt a compliance model or certification mechanism, including adequate safeguards in accordance with the provisions of the New Privacy Law.

In the absence of an adequacy decision or adequate safeguards, a specific and occasional transfer may be made in certain cases set forth in the New Privacy Law (e.g. when the data subject expressly consents to a specific international transfer; when it refers to specific bank, financial or stock exchange transfers that are made in accordance with the laws that regulate these transfers; when the transfer of data has been expressly authorised by law and for a specific purpose; when the transfer is necessary for entering into or performing a contract between the data subject and the data controller, or for the execution of pre-contractual measures at the request of the data subject).

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Current Privacy Law does not contain provisions establishing an 'extra-territorial effect'.

The New Privacy Law applies to the processing of personal data carried out under any of the following circumstances:

  • When the data controller or its agent or processor are established or incorporated in Chile.
  • When the agent or processor, regardless of where it is established or incorporated, processes personal data on behalf of a data controller established or incorporated in Chile.
  • When the data controller or the agent or processor are not established in Chile but their data processing operations are aimed at offering goods or services to data subjects located in Chile, even when there is no payment by the data subjects, or at monitoring the behaviour of data subjects located in Chile, including the analysis, tracking, profiling, or prediction of such behaviour.
  • When the data controller, although not established in Chile, is subject to Chilean laws by virtue of a contract or international law.

The New Privacy Law sets forth that the data controller that is not domiciled in Chile, who processes data of individuals residing in Chile, shall indicate and maintain an up-to-date and functional email address or other appropriate contact channel for the receipt of communications from data subjects and the Data Protection Agency.

 

What rules specifically deal with marketing?

The CRL sets forth that suppliers directing advertising communications to consumers through post mail, fax, calls or messaging services shall provide an expeditious opt-out mechanism. If the consumer opts out, further communications are prohibited.

Likewise, advertising communications sent by email shall clearly state the subject of the message and the identity of the sender, and include a valid email address to which the recipient may send an opt-out request. If the recipient opts out, further emails are prohibited.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes. The CRL provisions mentioned above only apply to business-to-consumer marketing (except if the 'consumers' are micro or small businesses, which are also protected by the CRL rules).

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

As mentioned above, the CRL sets forth rules with respect to advertising communications sent to consumers through email, calls or messaging services.

 

What rules specifically deal with cookies?

The Current Privacy Law, the CRL and the New Privacy Law do not specifically regulate the use of cookies.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The Current Privacy Law sets forth that if the party responsible for a data bank does not duly and timely respond to a request made by data subjects to obtain information regarding their personal data, or to amend, cancel or block said data, or denies such a request based on reasons other than those established by law, then the data subject may file a claim before the relevant ordinary civil court of justice. If the claim is resolved in favour of the data subject, aside from any corrective measures, the court may also impose a fine against the party responsible for the data bank for an amount that ranges between 1 and 50 Monthly Tax Units (approx. USD$71 to USD$3,537, as of August 2025), depending on the type of breach.

In addition, under the Current Privacy Law, data subjects are entitled to pursue pecuniary and moral damages against the party responsible for the data bank that misused their personal data. The indemnification shall be set prudentially by the judge based on the circumstances of the case and the seriousness of the events.

The New Privacy Law materially increases fines, which will range between 1 and 20,000 Monthly Tax Units (approx. USD$71 to USD$1,414,920, as of August 2025), depending on the seriousness of the breach.

In turn, since the Chilean Political Constitution guarantees the protection of personal data, under certain circumstances an infringement of this right may give rise to a constitutional protection action.

Under the CRL, breaches of the marketing provisions mentioned above may be fined with up to 300 Monthly Tax Units (approx. USD$21,223, as of August 2025), plus potential corrective measures. In addition, the consumer is entitled to pursue damages against the relevant supplier.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Please see above.

 

What upcoming data protection developments should multinational organisations be aware of?

As previously mentioned, the New Privacy Law will enter into force on December 1, 2026, mostly aligning Chile’s regulatory framework with the standards set forth in the GDPR.

 

Need more information?
Contact a member firm:
Andrea Harlen
Urenda Rencoret Orrego & Dörr
Chile


Nicholas Mocarquer
Urenda Rencoret Orrego & Dörr
Chile


Juan Pablo Morales
Urenda Rencoret Orrego & Dörr
Chile