-
1. Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The legal framework for data protection can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law. In addition, Chile has a dedicated data protection law, Law No. 19,628 on Privacy Protection, which was published in the Official Gazette on 28 August 1999 (the Law). The current Law is not based on any international instrument on privacy or data protection in force (such as the OECD guidelines, Directive 95/46/EC, EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).
-
2. Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
There is no special data protection authority in Chile; oversight of data protection falls to the general courts, exercising their general powers. A summary procedure is established by law if the person responsible for the personal data registry or bank fails to respond to a request for access, modification, elimination or blocking of personal data within two business days, or refuses a request on grounds other than the security of the nation or the national interest.
-
3. Legal obligations of data protection authority
Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?
Currently, there is no data protection authority in Chile. A bill has been discussed in the Congress that will reform the whole data protection environment in the country and will create the first data protection authority in Chile.
-
4. Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Yes. Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (ranging from 48,741 Chilean peso to 487,410 Chilean peso, or from 487,410 Chilean peso to 2.437 million Chilean peso if the breach comes from financial data). Fines are viewed and determined in a summary procedure.
The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.
-
5. Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Law applies to both private and public sector organisations and agencies. However, regarding public sector organisations, there are some special rules for consent of the subject: personal data about sentences for felonies, administrative sanctions or disciplinary failures and the records of personal data banks in government agencies. In addition, regarding public sector organisations, individuals may only exercise the right of information, not the right to modify information.
-
6. Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
The Data Protection Law does not cover interception of communications or monitoring and surveillance of individuals. Both matters are regulated by:
- Law No. 19,223 (the Computer Crime Law);
- articles 161-A, 369-ter and 411-octies of the Penal Code; and
- articles 222 to 226 of the Criminal Code of Procedure.
The Data Protection Law does cover electronic marketing, in the sense of establishing that no authorisation is required to carry out electronic marketing when the information comes from sources available to the public (registries or collections of personal data, public or private, with unrestricted or unreserved access to the requesters).
-
7. Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
In addition to the laws set forth above, there are numerous other laws that address privacy issues, for example:
- Law No. 20,584, which contains provisions regarding the privacy of medical records along with the same Law No. 19,628, which contains provisions stipulating that a doctor’s prescriptions and laboratory analyses or exams and services related to health are confidential;
- Law No. 19,496, which contains provisions regarding credit information along with the same Law No. 19,628, which contains provisions about personal data related to obligations of an economic, financial, banking or commercial character;
- Law No. 18,290, which contains provisions regarding the privacy of a driver’s information;
- Law No. 19,799 regarding electronic signatures, which contains the right to privacy of the holder of an electronic signature; and
- article 154-bis of the Labour Code, which establishes that the employer shall keep confidential all the information and private data of the worker to which he or she has access on occasion of the employment relationship. In addition, article 5 of the Labour Code establishes that the exercise of powers granted to the employer by law is limited by respect for the constitutional guarantees of the workers, especially when they may affect their privacy, private life or honour.
-
8. PII formats
What forms of PII are covered by the law?
All formats of personal data are covered by the Law, regardless of whether they are in electronic records or manual files.
-
9. Extraterritoriality
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The Law does not contain an explicit provision in this respect; however, taking into account the other provisions of the Law, its reach is limited to data owners and data processors established or operating in the Chilean jurisdiction.
-
10. Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Yes, all processing of PII is covered. ‘Data processing’ is broadly defined in the Law as any operation or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form.
There is no distinction made between those who control or own PII and those who provide PII processing services to owners. The Law only refers to the ‘person responsible for a data registry or a bank’, which means any private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no different duties for owners, controllers or processors. However, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Law.
-
11. Legitimate processing - grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
Yes, the Law provides that any person may process personal data if he or she meets the following requisites:
- the processing of personal data is authorised by one of the three following means:
  - the Law;
  - another legal provision; or
  - the subject of the personal data (the individual to whom the personal data refers) specifically consents thereto;
- the rights granted by the Law to the subjects of the personal data are observed (right to know, right of access, and right to rectify, eliminate and block);
- the purpose of the personal data processing is permitted by the Chilean legal system;
- full exercise of the fundamental rights (rights established in the Political Constitution of Chile) of the subjects of the personal data is respected; and
- the authorisation granted by the subject related to the processing of his or her personal data must comply with the following requirements in order to be valid:
  - it must be definitely stated;
  - the person authorising must be properly informed about the purpose of the storage of his or her personal data and its possible communication to the public;
  - it must be stated in writing; and
  - the personal data must be used only for the purposes for which it has been collected, unless it comes or has been collected from sources available to the public. In any case, the information must be exact, updated and respond truthfully to the real situation of the subject of the data.
-
12. Legitimate processing - types of PII
Does the law impose more stringent rules for specific types of PII?
Yes. The Law imposes more stringent rules with regard to sensitive data, which is defined as that which refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health and sex life.
The sensitive data may not be subject to processing, unless the law so authorises, there is consent from the subject or it is necessary data for the determination or granting of health benefits for the subjects.
The Law also contains special provisions that apply to PII included in an individual’s economic, financial, banking or commercial information and its communication.
Conditions of physical or mental health are considered sensitive data. The sensitive data may not be subject to processing, unless it is necessary for the determination or granting of health benefits. Thus, health data may be processed for the determination or granting of health benefits, in case the healthcare provider does not gain the authorisation of the individual.
Doctors’ prescriptions and laboratory analyses or exams and services related to health are confidential. Such content can only be revealed or copied with the express consent of the patient, granted in writing.
The aforementioned does not prevent pharmacies from publishing, for statistical purposes, the sales of pharmaceutical products of any nature, including the name and amount thereof. In no case shall the information provided by the pharmacies state the name of the patients who present the prescriptions, the name of the medical doctors that issued them or data that serves to identify them.
Finally, financial data may not be processed in the following cases:
- after five years since the respective obligation was enforceable;
- in the case of debts incurred during a period of unemployment;
- in the case of data relating to obligations that have been paid or extinguished by other legal means; and
- in the case of debts of electricity, water, telephone, gas and highways.
-
13. Notification
Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
No, the Law does not require owners of PII to notify individuals whose data they hold. The Law requires authorisation, not notice. The authorisation must be definitely stated and given in writing, and the individual must be informed about the purpose of the storage of his or her personal data and its possible communication to the public.
-
14. Exemption from notification
When is notice not required?
Despite the fact that notice is not required, as mentioned, authorisation is required. Such authorisation is not required when:
- the personal data is processed by public organisations regarding matters within their respective legal authority and subject to the rules set out in the Law;
- the personal data is originated or is collected from sources available to the public when such data is:
  - of an economic, financial, banking or commercial nature;
  - contained in listings relating to a class of persons and is limited to indicating information such as the fact of belonging to such a group, the person’s profession or business activity, educational degrees and address or date of birth; or
  - necessary for direct response commercial communications or direct sale of goods and services; or
- the personal data is processed by private legal entities for their exclusive use, or the exclusive use of their associates and entities that are affiliated with them, for statistical or rate-setting purposes or other purposes of general benefit to such private legal entities.
-
15. Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
Yes, at two levels. First, at the moment of gathering the data because the general rule is that authorisation is required; and second, after the data is gathered, individuals have the right of information, the right of modification and right of cancellation, among others.
In addition, individuals are entitled to demand information about data concerning themselves, its origin and addressee, the purpose of the storage and the identification of the persons or agencies to whom his or her data is regularly transmitted.
If the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the individual shall have the right to have it amended.
-
16. Data accuracy
Does the law impose standards in relation to the quality, currency and accuracy of PII?
Yes. The Law requires that the information must be exact, updated and respond truthfully to the real situation of the subject of the data. The Law also establishes that personal data shall be blocked if its accuracy cannot be established or its validity is doubtful and its cancellation is not appropriate.
-
17. Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
Yes, the Law does restrict the length of time PII may be held. Personal data must be eliminated or cancelled when there are no legal grounds for its storage or when the data has expired. So, if the data has expired, it must be eliminated.
In addition, personal data related to obligations of an economic, financial, banking or commercial nature, and relating to an identified or identifiable individual, may not be communicated five years after the respective obligation began.
As regards government agencies that process personal data about sentences for felonies, administrative infractions or disciplinary failures, they may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served.
-
18. Finality principle
Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?
Yes. As previously stated, the Law expressly foresees that personal data must be used only for the purposes for which it has been collected, and those purposes must be permitted by the Chilean legal system. In any case, the information must be exact, updated and respond truthfully to the real situation of the subject of the data.
-
19. Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
The limit of the finality principle is given by the purposes permitted by the Chilean legal system and according to the Law’s provisions. Purposes beyond the scope of the Law or the Chilean legal system are not allowed.
There is one exception to the aforesaid principle, and it comes when the data has been collected from sources available to the public.
-
20. Security obligations
What security obligations are imposed on PII owners and service providers that process PII on their behalf?
The Law does not impose any type of security measures that data owners and entities must take in relation to PII. Instead, it mentions that the person responsible for the registries or bases where personal data is stored after its collection shall take care of them with due diligence, assuming responsibility for damages. However, there are specific rules regarding banks and data of their clients and their wire transfers, in which encryption is mandatory.
-
21. Notification of data breach
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
No. The Law does not impose any obligations to notify the regulator or individuals of security breaches, because currently in Chile there is no data regulator.
-
22. Data protection officer
Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?
No. There is no data protection officer in Chile.
-
23. Record keeping
Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?
No, owners or processors of PII are not required to maintain any internal records or establish internal processes or documentation.
However, regarding personal data processing by government agencies, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by such agencies.
-
24. New processing regulations
Are there any obligations in relation to new processing operations?
No, currently there are no obligations in relation to new processing operations.
-
25. Registration
Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?
No. There are no registration requirements for data-processing activities in Chile. However, as previously mentioned, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by government agencies.
-
26. Formalities
What are the formalities for registration?
As previously stated, there is no registration process for private entities. However, regarding personal data processing by government agencies, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by such agencies. In this case, there is no fee payable.
-
27. Penalties
What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?
There is no registration process for private entities in Chile.
-
28. Refusal of registration
On what grounds may the supervisory authority refuse to allow an entry on the register?
There is no registration process for private entities in Chile.
-
29. Public access
Is the register publicly available? How can it be accessed?
Regarding personal data processing by government agencies, this record shall be public. The Law does not contemplate how it can be accessed as a public record.
-
30. Effect of registration
Does an entry on the register have any specific legal effect?
No. The Law does not establish any specific legal effect for entry on the register maintained by the Service of Civil Registration and Identification for personal data banks managed by government agencies.
-
31. Other transparency duties
Are there any other public transparency duties?
No, currently the Law does not contemplate any public transparency duty.
-
32. Transfer of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
At present, the Law does not contain a specific provision in this respect. However, considering that transfer of data is deemed data processing according to the Law, it follows that it will require the authorisation of the individual, unless one of the exceptions contemplated by the Law and mentioned in question 14 applies.
-
33. Restrictions on disclosure
Describe any specific restrictions on the disclosure of PII to other recipients.
There are no restrictions on the disclosure of PII to other recipients other than that the individual has given authorisation (if not subject to the aforementioned exceptions), that the rights of the individual are safeguarded and that the transmission is related to the tasks and purposes of the participating agencies.
-
34. Cross-border transfer
Is the transfer of PII outside the jurisdiction restricted?
The Law does not contain a specific provision in this respect. However, the transfer of PII outside the jurisdiction is considered as a use of data and will require authorisation.
-
35. Notification of cross-border transfer
Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?
The Law does not contain a specific provision in this respect.
-
36. Further transfer
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
The Law does not contain a specific provision in this respect. However, any use of the data will require authorisation, if it is not subject to the exceptions mentioned above.
-
37. Access
Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.
Yes. According to the Law, the individual has the right to demand information about data about him or herself, its origin and addressee, the purpose of the storage and the identification of the persons or agencies to whom his or her data is regularly transmitted. Notwithstanding the aforesaid, no information may be requested when it prevents or hinders proper compliance with the supervisory functions of the government agency requested or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.
To exercise the right to access, the data subject must address a request to the person responsible for the data registry or bank, claiming his or her right to access his or her data. This right to access may refer to:
- the origins of the data (how this data was collected);
- the addressee of the data;
- the purpose of the storage of the data; and
- the identification of the persons or agencies to whom his or her data is regularly transmitted.
The information of personal data shall be absolutely free of charge. This right to access cannot be limited by means of any act or agreement, with the exception of the previous paragraph (government agency, the security of the nation or national interest). If the person responsible for the personal data registry or bank fails to respond to a request within two business days, or refuses a request on grounds other than the security of the nation or the national interest, the subject of the personal data shall have the right to attend before the civil court with jurisdiction over the domicile of the party responsible for the data registry or bank requesting protection to his or her right of access.
-
38. Other rights
Do individuals have other substantive rights?
Yes. In addition to the right to information or access, the Law also provides individuals the following rights:
- right of modification: if the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the subject shall have the right to have it amended;
- right of blocking: to request the blocking of personal data when the individual has voluntarily provided his or her personal data or it is used for commercial communications and the subject does not want to continue to appear in the respective registry, either definitively or temporarily;
- right of cancellation or elimination: notwithstanding legal exceptions, the subject may also demand that data be eliminated if its storage lacks legal grounds or if it has expired, when the subject has voluntarily provided his or her personal data, it is used for commercial communications or he or she does not want it to continue appearing in the respective registry, either definitively or temporarily;
- right to free copy: the information, modification or elimination of personal data shall be absolutely free of charge, and a copy of the pertinent part of the registry that has been changed shall also be provided at the subject’s request. If new modifications or eliminations of data are made, the subject may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time he or she made use of this right; and
- right of opposition: the subject may oppose the use of his or her personal data for purposes of advertising, market research or opinion polls.
-
39. Compensation
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Yes. As mentioned in question 4, the Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated, notwithstanding its proceeding to eliminate, modify or block the data as required by the subject or, if applicable, as ordered by the court.
According to Chilean legislation, actual damage is required in order to be entitled to monetary damages or compensation.
-
40. Enforcement
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
Yes, these rights are exercisable through the judicial system through a summary procedure established by law, if the person responsible for the personal data registry or data bank fails to respond within two business days to a request of access, modification, elimination or blocking of personal data, or refuses a request on grounds other than the security of the nation or the national interest.
-
41. Further exemptions and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
Yes. No modification, cancellation or blocking of personal data may be requested when it prevents or hinders proper compliance with the supervisory functions of the government agency to which the request is made or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.
In addition, the Law provides that the modification, cancellation or blocking of personal data stored by legal mandate may not be requested, except for cases contemplated in the respective law.
-
42. Judicial review
Can PII owners appeal against orders of the supervisory authority to the courts?
Yes. A final judgment issued by the general courts of Chile regarding the procedure briefly described in question 37 may be appealed to the respective court of appeals.
-
43. Internet use
Describe any rules on the use of ‘cookies’ or equivalent technology.
The Law does not contain a specific provision in this respect. However, the use of ‘cookies’ is deemed data processing according to the Law and hence will require the authorisation of the individual, unless one of the exceptions contemplated by the Law and mentioned in question 14 applies.
-
44. Electronic communications marketing
Describe any rules on marketing by email, fax or telephone.
As previously stated, the Law covers electronic marketing in the sense of establishing that no authorisation is required for electronic marketing when the information comes from sources available to the public.
In addition, Law No. 19,496 on the Protection of Consumer Rights contains a provision regarding marketing by email (also known as ‘spam’). In that case, every promotional or advertising communication sent by email must indicate the subject of what it is, the identification of the sender and a valid email address to which the recipient can request the suspension of the advertising communication, which will remain banned from then on. Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way that the addressees may request the suspension thereof.
-
45. Cloud services
Describe any rules or regulator guidance on the use of cloud computing services.
There are no rules or regulatory guidance regarding the use of cloud computing services. Currently, the Law does not contain a specific provision regarding cloud providers; however, the activity of cloud providers may be considered as data processing. Data processing is defined as any operation or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form.
For data processing, it is necessary to comply with the provisions contained in the Law, especially those regarding the authorisation or consent of the individual, the finality principle (personal data must be used only for the purposes for which they have been collected, and those purposes should be permitted by the Chilean legal system) and informing about the potential public communication of the data.
A failure to comply with those provisions (eg, absence of consent of the individual) represents a serious risk and is subject to a fine of between approximately US$75 and US$760, as well as the high risk of litigation (fines are viewed and determined in a summary procedure). In addition, the Law establishes a general rule under which both non-monetary and monetary damages that result from improper processing of personal data shall be compensated.
-
Updates and trends
Key developments of the past year
46 Are there any emerging trends or hot topics in international data protection in your jurisdiction?
Since June 2018, data protection has been enshrined in our Constitution as a fundamental right that must be respected and protected (article 19 No. 4). The Constitution adds: ‘The processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law.’
There is also a Bill that seeks to amend the current legislation on personal data, updating it and adapting it to the OECD standard and EU Directive 95/46/EC. The Bill is in its first constitutional stage in the Congress.

Magliona provides legal services of excellence both to local and multinational companies. We specialise in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual and industrial property and management of government relations and public policies, including, among others, corporate structuring, due diligence planning, mergers and acquisitions, financial assistance, syndicated loans, liability restructuring and leasing.