CHILE: New Data Law Harmonizes with International Standards

The enactment of Law No. 21.719 in November 2024, marked a landmark moment in Chile’s legislative history regarding the protection of personal data. This law not only establishes a robust regulatory framework for the processing of personal data but also introduces the creation of a specialized body: the Personal Data Protection Agency. This regulation seeks to align the jurisdiction with international standards, such as the European Union’s General Data Protection Regulation (GDPR), and addresses both technical aspects and fundamental rights related to the handling of personal information.

The Personal Data Protection Agency is established as the authority responsible for the following:

• Ensuring compliance with the law;
• Overseeing proper data handling;
• Imposing sanctions; and
• Promoting privacy

This body has broad powers to issue technical guidelines, respond to inquiries, and supervise organizations that process personal data. It also manages the National Register of Sanctions, which records infringements committed by data controllers, providing a public tool to enhance transparency and accountability.

A key element of the framework established by Law No. 21.719 is the responsibility scheme it imposes on data controllers. They are required to ensure the lawfulness, security, and transparency of personal data processing. Major violations that can lead to sanctions include processing data without consent, failing to implement adequate security measures, failing to report a notifiable data breach, and failing to respect data subjects’ rights.

The sanctions outlined in the law are severe and proportional to the seriousness of the offenses. They include financial penalties that may reach a significant percentage of the infringing organization’s annual revenue, temporary suspension of data processing activities, and registration of violations in the National Register of Sanctions.

In extreme cases, civil and criminal liability may also apply.

Adapting to this new regulation presents significant challenges for companies. They must carry out deep internal adjustments to comply with the law’s guiding principles, such as lawfulness, purpose limitation, and proportionality. Organizations must also invest in advanced technologies to ensure data security, implement systems that enable efficient responses to data subject requests, and train employees in the proper handling of personal information.

A crucial aspect of compliance is the appointment of a data protection officer (DPO). This professional will act as a liaison between the organization, data subjects, and the Agency, ensuring compliance and managing privacy-related incidents. In smaller companies, this role may be assumed by management, provided the independence of the function is preserved.

The effective implementation of Law No. 21.719 also requires ongoing risk assessment and the development of proactive measures to mitigate potential vulnerabilities.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. Law & Practice updates are published without comment from INTA except where it has taken an official position.

© 2025 International Trademark Association