Data Protection & Privacy

The legal framework for data protection can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law. In addition, Chile has a dedicated data protection law, Law No. 19,628 on Privacy Protection, which was published in the Official Gazette on 28 August 1999 (the Law). The current Law is not based on any international instrument on privacy or data protection in force (such as the OECD guidelines, Directive 95/46/EC, EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).

Back to top

There is no special data protection authority in Chile; data protection overseeing is addressed by general courts with general powers. A summary procedure is established by law if the person responsible for the personal data registry or bank fails to respond to a request for access, modification, elimination or blocking of personal data within two business days, or refuses a request on grounds other than the security of the nation or the national interest.

Back to top

Currently, there is no data protection authority in Chile. A bill has been discussed in the Congress that will reform the whole data protection environment in the country and will create the first data protection authority in Chile.

Back to top

Yes. Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (ranging from 48,741 Chilean peso to 487,410 Chilean peso, or from 487,410 Chilean peso to 2.437 million Chilean peso if the breach comes from financial data). Fines are viewed and determined in a summary procedure.

The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.

Back to top

The Law applies to both private and public sector organisations and agencies. However, regarding public sector organisations, there are some special rules for consent of the subject: personal data about sentences for felonies, administrative sanctions or disciplinary failures and the records of personal data banks in government agencies. In addition, regarding public sector organisations, individuals may only exercise the right of information, not the right to modify information.

Back to top

The Data Protection Law does not cover interception of communications or monitoring and surveillance of individuals. Both matters are regulated by:

• Law No. 19,223 (the Computer Crime Law);
• article 161-A, 369-ter, 411-octies of the Penal Code; and
• articles 222 to 226 of the Criminal Code of Procedure.

The Data Protection Law does cover electronic marketing, in the sense of establishing that no authorisation is required to make electronic marketing when the information comes from sources available to the public (registries or collection of personal data, public or private, with unrestricted or unreserved access to the requesters).

Back to top

In addition to the laws set forth above, there are numerous other laws that address privacy issues, for example:

• Law No. 20,584, which contains provisions regarding the privacy of medical records along with the same Law No. 19,628, which contains provisions stipulating that a doctor’s prescriptions and laboratory analyses or exams and services related to health are confidential;
• Law No. 19,496, which contains provisions regarding credit information along with the same Law No. 19,628, which contains provisions about personal data related to obligations of an economic, financial, banking or commercial character;
• Law No. 18,290, which contains provisions regarding the privacy of a driver’s information;
• Law No. 19,799 regarding electronic signatures, which contains the right to privacy of the holder of an electronic signature; and
• article 154-bis of the Labour Code, which establishes that the employer shall keep confidential all the information and private data of the worker to which he or she has access on occasion of the employment relationship. In addition, article 5 of the Labour Code establishes that the exercise of powers granted to the employer by law is limited by respect for the constitutional guarantees of the workers, especially when they may affect their privacy, private life or honour.

Back to top

All formats of personal data are covered by the Law, regardless of whether they are in electronic records or manual files.

Back to top

The Law does not contain an explicit provision in this respect; however, taking into account the other provisions of the Law, its reach is limited to data owners and data processors established or operating in the Chilean jurisdiction.

Back to top

Yes, all processing of PII is covered. ‘Data processing’ is broadly defined in the Law as any operation or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form.

There is no distinction made between those who control or own PII and those who provide PII processing services to owners. The Law only refers to the ‘person responsible for a data registry or a bank’, which means any private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no different duties for owners, controllers or processors. However, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Law.

Back to top

Yes, the Law provides that any person may process personal data if he or she meets the following requisites:

• the processing of personal data is authorised by one of the three following means:
• the Law;
• another legal provision; or
• the subject of the personal data (the individual to whom the personal data refers) specifically consents thereto;
• the rights granted by the Law to the subjects of the personal data are observed (right to know, right of access, and right to rectify, eliminate and block);
• the purpose of the personal data processing is permitted by the Chilean legal system;
• full exercise of the fundamental rights (rights established in the Political Constitution of Chile) of the subjects of the personal data is respected; and
• the authorisation granted by the subject related to the processing of his or her personal data must comply with the following requirements in order to be valid:
• it must be definitely stated;
• the person authorising must be properly informed about the purpose of the storage of his or her personal data and its possible communication to the public;
• it must be stated in writing; and
• the personal data must be used only for the purposes for which it has been collected, unless it comes or has been collected from sources available to the public. In any case, the information must be exact, updated and respond truthfully to the real situation of the subject of the data.

Back to top

Yes. The Law imposes more stringent rules with regard to sensitive data, which is defined as that which refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health and sex life.

The sensitive data may not be subject to processing, unless the law so authorises, there is consent from the subject or it is necessary data for the determination or granting of health benefits for the subjects.

The Law also contains special provisions that apply to PII included in an individual’s economic, financial, banking or commercial information and its communication.

Conditions of physical or mental health are considered sensitive data. The sensitive data may not be subject to processing, unless it is necessary for the determination or granting of health benefits. Thus, health data may be processed for the determination or granting of health benefits, in case the healthcare provider does not gain the authorisation of the individual.

Doctors’ prescriptions and laboratory analyses or exams and services related to health are confidential. Such content can only be revealed or copied with the express consent of the patient, granted in writing.

The aforementioned does not prevent pharmacies from publishing, for statistical purposes, the sales of pharmaceutical products of any nature, including the name and amount thereof. In no case shall the information provided by the pharmacies state the name of the patients who present the prescriptions, the name of the medical doctors that issued them or data that serves to identify them.

Finally, financial data may not be processed in the following cases:

• after five years since the respective obligation was enforceable;
• in the case of debts incurred during a period of unemployment;
• in the case of data relating to obligations that have been paid or extinguished by other legal means; and
• in the case of debts of electricity, water, telephone, gas and highways.

Back to top

No, the Law does not require owners of PII to notify individuals whose data they hold. The Law requires authorisation, not notice. The authorisation must be definitely stated, stated in writing and informed about the purpose of the storage of his or her personal data and communication to the public.

Back to top

Despite the fact that notice is not required, as mentioned, authorisation is required. Such authorisation is not required when:

• the personal data is processed by public organisations regarding matters within their respective legal authority and subject to the rules set out in the Law;
• the personal data is originated or is collected from sources available to the public when such data is:
• of an economic, financial, banking or commercial nature;
• contained in listings relating to a class of persons and is limited to indicating information such as the fact of belonging to such a group, the person’s profession or business activity, educational degrees and address or date of birth; or
• necessary for direct response commercial communications or direct sale of goods and services; or
• the personal data is processed by private legal entities for their exclusive use, or the exclusive use of their associates and entities that are affiliated with them, for statistical or rate-setting purposes or other purposes of general benefit to such private legal entities.

Back to top

Yes, at two levels. First, at the moment of gathering the data because the general rule is that authorisation is required; and second, after the data is gathered, individuals have the right of information, the right of modification and right of cancellation, among others.

In addition, individuals are entitled to demand information about data concerning themselves, its origin and addressee, the purpose of the storage and the identification of the persons or agencies to whom his or her data is regularly transmitted.

If the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the individual shall have the right to have it amended.

Back to top

Yes. The Law requires that the information must be exact, updated and respond truthfully to the real situation of the subject of the data. The Law also establishes that personal data shall be blocked if its accuracy cannot be established or its validity is doubtful and its cancellation is not appropriate.

Back to top

Yes, the Law does restrict the length of time PII may be held. Personal data must be eliminated or cancelled when there are no legal grounds for its storage or when the data has expired. So, if the data has expired, it must be eliminated.

In addition, personal data related to obligations of an economic, financial, banking or commercial nature, and relating to an identified or identifiable individual, may not be communicated five years after the respective obligation began.

As regards government agencies that process personal data about sentences for felonies, administrative infractions or disciplinary failures, they may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served.

Back to top

Yes. As previously stated, the Law expressly foresees that personal data must be used only for the purposes for which it has been collected, and those purposes must be permitted by the Chilean legal system. In any case, the information must be exact, updated and respond truthfully to the real situation of the subject of the data.

Back to top

The limit of the finality principle is given by the purposes permitted by the Chilean legal system and according to the Law’s provisions. Purposes beyond the scope of the Law or the Chilean legal system are not allowed.

There is one exception to the aforesaid principle, and it comes when the data has been collected from sources available to the public.

Back to top

The Law does not impose any type of security measures that data owners and entities must take in relation to PII. Instead, it mentions that the person responsible for the registries or bases where personal data is stored after its collection shall take care of them with due diligence, assuming responsibility for damages. However, there are specific rules regarding banks and data of their clients and their wire transfers, in which encryption is mandatory.

Back to top

No. The Law does not impose any obligations to notify the regulator or individuals of security breaches, because currently in Chile there is no data regulator.

Back to top

No. There is no data protection officer in Chile.

Back to top

No, owners or processors of PII are not required to maintain any internal records or establish internal processes or documentation.

However, regarding personal data processing by government agencies, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by such agencies.

Back to top

No, currently there are no obligations in relation to new processing operations.

Back to top

No. There are no registration requirements for data-processing activities in Chile. However, as previously mentioned, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by government agencies.

Back to top

As previously stated, there is no registration process for private entities. However, regarding personal data processing by government agencies, the Service of Civil Registration and Identification shall keep a record of personal data banks managed by such agencies. In this case, there is no fee payable.

Back to top

There is no registration process for private entities in Chile.

Back to top

There is no registration process for private entities in Chile.

Back to top

Regarding personal data processing by government agencies, this record shall be public. The Law does not contemplate how it can be accessed as a public record.

Back to top

No. The Law does not establish any specific legal effect for entry on the register maintained by the Service of Civil Registration and Identification for personal data banks managed by government agencies.

Back to top

No, currently the Law does not contemplate any public transparency duty.

Back to top

At present, the Law does not contain a specific provision in this respect. However, considering that transfer of data is deemed as data processing according to the Law, it follows that it will require authorisation of the individual, unless there are exceptions contemplated by the Law and the authorisation is not subject to the exceptions mentioned in question 14.

Back to top

There are no further restrictions on the disclosure of PII to other recipients other than the authorisation of the individual (if not subject to the exceptions aforementioned), the rights of the individual are safeguarded and the transmission is related to the tasks and purposes of the participating agencies.

Back to top

The Law does not contain a specific provision in this respect. However, the transfer of PII outside the jurisdiction is considered as a use of data and will require authorisation.

Back to top

The Law does not contain a specific provision in this respect.

Back to top

The Law does not contain a specific provision in this respect. However, any use of the data will require authorisation, if it is not subject to the exceptions mentioned above.

Back to top

Yes. According to the Law, the individual has the right to demand information about data about him or herself, its origin and addressee, the purpose of the storage and the identification of the persons or agencies to whom his or her data is regularly transmitted. Notwithstanding the aforesaid, no information may be requested when it prevents or hinders proper compliance with the supervisory functions of the government agency requested or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.

To exercise the right to access, the data subject must address to the person responsible for the data registry or bank claiming his or her right to access his or her data. This right to access may refer to:

• the origins of the data (how this data was collected);
• the addressee of the data;
• the purpose of the storage of the data; and
• the identification of the persons or agencies to whom his or her data is regularly transmitted.

The information of personal data shall be absolutely free of charge. This right to access cannot be limited by means of any act or agreement, with the exception of the previous paragraph (government agency, the security of the nation or national interest). If the person responsible for the personal data registry or bank fails to respond to a request within two business days, or refuses a request on grounds other than the security of the nation or the national interest, the subject of the personal data shall have the right to attend before the civil court with jurisdiction over the domicile of the party responsible for the data registry or bank requesting protection to his or her right of access.

Back to top

Yes. In addition to the right to information or access, the Law also provides individuals the following rights:

• right of modification: if the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the subject shall have the right to have it amended;
• right of blocking: to request the blocking of personal data when the individual has voluntarily provided his or her personal data or it is used for commercial communications and the subject does not want to continue to appear in the respective registry, either definitively or temporarily;
• right of cancellation or elimination: notwithstanding legal exceptions, the subject may also demand that data be eliminated if its storage lacks legal grounds or if it has expired, when the subject has voluntarily provided his or her personal data, it is used for commercial communications or he or she does not want it to continue appearing in the respective registry, either definitively or temporarily;
• right to free copy: the information, modification or elimination of personal data shall be absolutely free of charge, and a copy of the pertinent part of the registry that has been changed shall also be provided at the subject’s request. If new modifications or eliminations of data are made, the subject may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time he or she made use of this right; and
• right of opposition: the subject may oppose the use of his or her personal data for purposes of advertising, market research or opinion polls.

Back to top

Yes. As mentioned in question 4, the Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated, notwithstanding its proceeding to eliminate, modify or block the data as required by the subject or, if applicable, as ordered by the court.

According to Chilean legislation, actual damage is required in order to be entitled to monetary damages or compensation.

Back to top

Yes, these rights are exercisable through the judicial system through a summary procedure established by law, if the person responsible for the personal data registry or data bank fails to respond within two business days to a request of access, modification, elimination or blocking of personal data, or refuses a request on grounds other than the security of the nation or the national interest.

Back to top

Yes. No modification, cancellation or blocking of personal data may be requested when it prevents or hinders proper compliance with the supervisory functions of the government agency to which the request is made or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.

In addition, the Law provides that the modification, cancellation or blocking of personal data stored by legal mandate may not be requested, except for cases contemplated in the respective law.

Back to top

Yes. A final judgment issued by the general courts of Chile regarding the procedure briefly described in question 37 may be appealed to the respective court of appeals.

Back to top

The Law does not contain a specific provision in this respect. However, ‘cookies’ are deemed as data processing according to the Law, hence will require the authorisation of the individual, unless there are exceptions contemplated by the Law, if not subject to the exceptions mentioned in question 14.

Back to top

As previously stated, the Law covers electronic marketing in the sense of establishing that no authorisation is required for electronic marketing when the information comes from sources available to the public.

In addition, Law No. 19,496 on the Protection of Consumer Rights contains a provision regarding marketing by email (also known as ‘spam’). In that case, every promotional or advertising communication sent by email must indicate the subject of what it is, the identification of the sender and a valid email address to which the recipient can request the suspension of the advertising communication, which will remain banned from then on. Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way that the addressees may request the suspension thereof.

Back to top

There are no rules or regulatory guidance regarding the use of cloud computing services. Currently, the Law does not contain a specific provision regarding cloud providers; however, the activity of cloud providers may be considered as data processing. Data processing is defined as any operation or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form.

For data processing, it is necessary to comply with the provisions contained in the Law, especially those regarding the authorisation or consent of the individual, the finality principle (personal data must be used only for the purposes for which they have been collected, and those purposes should be permitted by the Chilean legal system) and informing about the potential public communication of the data.

A failure to comply with those provisions (eg, absence of consent of the individual) represents a serious risk and is given a fine of between approximately US$75 to US$760, as well as the high risk of litigation (fines are viewed and determined in a summary procedure). In addition, the Law establishes a general rule under which both non-monetary and monetary damages that result from improper processing of personal data shall be compensated

Back to top

Key developments of the past year

46 Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Since June 2018, data protection has been enshrined in our Constitution as a fundamental right that must be respected and protected (article 19 No. 4). The Constitution adds: ‘The processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law.’

There is also a Bill that seeks to amend the current legislation on personal data, updating it and adapting it with OECD standard and EU Directive 95/46/EC. The Bill is in first constitutional stage in the Congress.

Back to top