Urenda Rencoret Orrego & Dörr
The following law(s) specifically govern personal data / information:
Law No. 19,628 on the Protection of Private Life (“DPL”) is the main data protection law in Chile. There are also other laws and regulations that refer to or contain certain data privacy provisions, such as the Labour Code, Law No. 19,946 on Consumers’ Rights (“CRL”), Law No. 20,285 on access to public information, etc.
In addition, the Chilean Political Constitution guarantees the respect and protection of private life and honour of all persons and their families, and the protection of their personal data, setting forth that the processing and protection of said data shall be carried out in the manner established by law.
Congress is currently discussing a bill to amend the DPL (the “Bill”) setting higher standards for data protection, including the creation of a Data Protection Agency, the establishment of specific fines for infringements to the DPL and a special complaint procedure, the regulation of cross-border transfer of personal data, etc.
The key data protection principles in this jurisdiction are:
Any person may engage in the processing of personal data provided that it is made in a manner consistent with the DPL, for purposes permitted by law and respecting the rights of the data holders.
Processing of personal data (i.e., data related to any information regarding individuals, either identified or identifiable) can only be carried out when authorized by law or when the data holder expressly consents thereto in writing. The data holder must be duly informed with respect to the purpose of the storage of their personal data and the possible communication of the same to the public. The referred to authorization can be revoked by the data holder, in writing.
The DPL sets forth that no consent is required for the processing of personal data, which:
- comes or is collected from public sources and is of economic, financial, banking or commercial nature;
- is contained in lists relating to a category or group of persons that only make reference to information such as the belonging of individuals to said group, their profession or activity, educational degrees, addresses or dates of birth; or
- is required for commercial communications of direct response or direct sale of goods or services.
Also, no authorization is required if private legal entities handle personal data for their exclusive use or the use of their associates and entities to which they are affiliated, provided it is used for statistical or rate-setting purposes only or for any general benefit of those indicated above.
With respect to sensitive data (i.e., personal data referred to individuals’ physical or moral characteristics or facts, or circumstances of their private life or intimacy, such as personal habits, race, political views, religious beliefs, physical or mental health and their sexual life), the DPL sets forth that it may only be transferred or used if authorization is granted by law or by the data holder, or if such data is necessary for determining or granting health benefits to the data holder.
Main obligations regarding the processing of personal data:
Aside from obtaining the relevant consent when required, the following are the main obligations of the party responsible for a registry or data bank where personal data is processed:
- Personal data shall be used solely for the purpose for which it was collected, except if it comes or was collected from publicly available sources. The processed data shall be accurate, current and reflect the actual situation of the data holder.
- The party responsible for a data bank shall cancel or eliminate personal data when there is no legal basis for the storage of the same, or when the personal data has expired. Likewise, when erroneous, inaccurate, misleading or incomplete, personal data shall be rectified. If the accuracy or validity of personal data cannot be determined, it shall be blocked (if elimination is not required). Said actions shall be taken even in the absence of a request by the data holder. If cancelled or rectified personal data had previously been communicated to a third party, the party responsible for the data bank shall notify the third party of the cancellation or amendment as soon as possible.
- Those working in the processing of personal data shall keep the confidentiality of the same, provided that the information was collected from non-publicly available sources.
- The party responsible for a data bank where personal data is stored shall take due care of said data, being liable for any damages.
The supervisory authority / regulator in charge of data protection is:
Chile does not currently have a Data Protection Agency. However, the Bill seeks to create such a Data Protection Agency.
The Transparency Council, among its other tasks, is in charge of overseeing that public entities comply with the DPL.
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
In general terms, data holders can request the party responsible for the registry or data bank where their personal data is being processed to:
- Provide them with access to information regarding their personal data, including the purpose of the storage and processing, the origin of the data, recipients of the same, etc.
- Rectify the personal data when the same is erroneous, inaccurate, misleading or incomplete.
- Where applicable, cancel, eliminate, or block personal data, mainly when there is no legal basis for the storage of the same, or when the same is not current.
The above rights may not be restricted by an agreement between parties.
Is there a requirement to appoint a data protection officer (or equivalent)?
The Bill considers the appointment of a data protection officer as part of a voluntary prevention program that may be adopted (under certain conditions, said programs may be considered as a factor for reducing liability in the event of an infringement to the DPL).
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No, the DPL does not consider specific circumstances where a special data protection impact assessment is required.
Does this jurisdiction have any specific data breach notification requirements?
The Bill seeks to include the obligation to notify data breaches to the Data Protection Agency to be created, and to data subjects, in certain cases.
The following restrictions apply to the international transfer of personal data / information:
The transfer of personal data to other jurisdictions is not specifically regulated or restricted, so general rules of the DPL apply.
The Bill seeks to regulate this matter, expressly allowing cross-border transfer of personal data in certain cases (e.g., when the recipient is subject to a legal system that provides an adequate level of protection to personal data; when the transfer of data is governed by contractual provisions; when the data holder expressly consents to a specific transfer, etc.).
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, the DPL does not contain provisions establishing an “extra-territorial effect”.
The following rules specifically deal with marketing:
The CRL sets forth that suppliers that direct advertising communications to consumers through post mail, fax, calls or messaging services shall inform consumers of an expeditious opt-out mechanism. If the consumer opts out, further communications are prohibited.
Likewise, advertising communications sent by email shall clearly indicate the subject matter of the message and the identity of the sender, and include a valid email address to which the recipient may send an opt-out request. If the recipient opts out, further emails are prohibited.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes. The CRL provisions mentioned above only apply to business-to-consumer marketing (except if the “consumers” are micro or small businesses, which are also protected by the CRL rules).
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.):
As mentioned above, the CRL sets forth rules with respect to advertising communications sent to consumers through email, calls or messaging services.
What are the consequences of non-compliance with data protection laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.
The DPL sets forth that if the party responsible for a data bank does not duly and timely respond to a request made by a data holder to obtain information regarding their personal data, or to amend, cancel or block said data, or denies such a request based on reasons other than those established by law, then the data holder may file a claim before the relevant ordinary civil court of justice. If the claim is resolved in favor of the data holder, aside from any corrective measures, the court may also impose a fine against the party responsible for the data bank for an amount that ranges between 1 and 50 Monthly Tax Units (approx. US$72 to US$3,584, as of March 2021), depending on the type of breach.
The Bill seeks to materially increase fines, which would range between 1 and 10,000 Monthly Tax Units (approx. US$72 to US$716,748, as of March 2021), depending on the seriousness of the breach.
In addition, under the DPL, the data holder is entitled to pursue pecuniary and moral damages against the party responsible for the data bank that misused their personal data. The indemnification shall be set forth prudentially by the judge based on the circumstances of the case and the seriousness of the events.
Lastly, since the Chilean Political Constitution guarantees the protection of personal data, under certain circumstances a violation of this right may give rise to a constitutional protection action.
Under the CRL, breaches of the marketing provisions mentioned above may be fined with up to 300 Monthly Tax Units (approx. US$21,502, as of March 2021), plus potential corrective measures. In addition, the consumer is entitled to pursue damages against the relevant supplier.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Please see above.
Are there any upcoming data protection developments that a multinational organisation should be aware of?
As mentioned before, the Bill is currently being discussed in Congress. If passed, the Bill would largely align Chilean law on data protection with the EU’s General Data Protection Regulation ((EU) 2016/679). There is no clear date for the approval and enactment of said Bill.