
As globalisation and digital transformation continue to reshape business operations, the ability to transfer personal data across borders has become essential. Chile, with its open economy and extensive international trade relationships, is a significant participant in global data flows. The enactment of Law 21.719 has introduced comprehensive rules governing the transfer of personal data outside of Chile, replacing the minimal requirements that existed under the previous framework. Understanding these new requirements is critical for any organisation that sends or receives personal data involving Chilean residents.

The Previous Framework Under Law 19.628

Under Chile's original data protection law, Law 19.628, cross-border data transfers were subject to very limited regulation. The law did not establish specific conditions or safeguards for international transfers, nor did it require authorisation from a supervisory authority. In practice, personal data could be transferred abroad with few restrictions, leaving Chilean residents with minimal protection when their data was processed in foreign jurisdictions.

This permissive approach was increasingly out of step with international standards, particularly as major trading partners such as the European Union implemented strict transfer mechanisms under the GDPR. The lack of robust transfer rules also hindered Chile's ability to obtain an adequacy decision from the European Commission, limiting opportunities for streamlined data flows with EU member states.

New Transfer Rules Under Law 21.719

Law 21.719 introduces a structured framework for international data transfers that closely follows the model established by the GDPR. Under the new regime, personal data may only be transferred outside of Chile when one of several permitted conditions is met. These conditions are designed to ensure that the personal data of Chilean residents continues to receive adequate protection regardless of where it is processed.

Adequacy Decisions

The Agencia de Protección de Datos Personales is empowered to issue adequacy decisions recognising that a foreign country, territory or international organisation provides a level of data protection that is essentially equivalent to that guaranteed under Chilean law. When an adequacy decision is in place, personal data may be transferred to the recognised jurisdiction without the need for additional safeguards.

The assessment considers factors such as the rule of law, the existence and functioning of an independent supervisory authority, the international commitments of the destination country and the effective enforcement of data subject rights. This mechanism is directly analogous to the adequacy decisions issued by the European Commission under the GDPR.

Standard Contractual Clauses

In the absence of an adequacy decision, organisations may rely on standard contractual clauses (SCCs) approved by the Agencia. These are pre-approved contract templates that impose binding data protection obligations on both the data exporter in Chile and the data importer abroad. SCCs must address key requirements including purpose limitation, data security measures, data subject rights, sub-processing restrictions and mechanisms for enforcement.

Organisations should carefully implement SCCs as part of their data processing agreements and conduct transfer impact assessments to verify that the legal framework of the destination country does not undermine the protections provided by the clauses.

Binding Corporate Rules

Multinational organisations may develop binding corporate rules (BCRs) to govern intra-group transfers of personal data. BCRs are internal policies that establish uniform data protection standards across all entities within a corporate group, regardless of their geographic location. To be valid under Law 21.719, BCRs must be approved by the Agencia and must demonstrate that all group entities are bound by enforceable data protection obligations.

While BCRs require a significant initial investment in terms of development and approval, they provide a flexible and scalable solution for multinational organisations that routinely transfer large volumes of personal data between affiliates.

Additional Transfer Mechanisms

The law also recognises several additional bases for international transfers, including:

  • Explicit consent: The data subject has given explicit and informed consent to the specific transfer after being advised of the potential risks
  • Contractual necessity: The transfer is necessary for the performance or conclusion of a contract between the data subject and the controller
  • Legal claims: The transfer is necessary for the establishment, exercise or defence of legal claims
  • Public interest: The transfer is necessary for important reasons of public interest recognised by law
  • Vital interests: The transfer is necessary to protect the vital interests of the data subject or another person

APEC Cross-Border Privacy Rules

Chile is a member of the Asia-Pacific Economic Cooperation (APEC) and participates in the APEC Cross-Border Privacy Rules (CBPR) system. The CBPR provides a framework for facilitating privacy-respecting data flows among participating APEC economies by establishing a set of baseline privacy principles that certified organisations must meet.

Under Law 21.719, APEC CBPR certification may serve as a recognised transfer mechanism, complementing the adequacy, SCC and BCR frameworks. This is particularly relevant for Chilean companies that engage in trade with Asia-Pacific partners, as CBPR certification can streamline compliance across multiple jurisdictions simultaneously.

Key Differences from GDPR Transfer Mechanisms

While Chile's new transfer framework is heavily inspired by the GDPR, several important differences exist that organisations should be aware of:

  • Supervisory authority: The Agencia de Protección de Datos Personales, rather than European Data Protection Authorities, is the competent authority for approving transfer mechanisms and issuing adequacy decisions
  • APEC integration: Chile's participation in the APEC CBPR system provides an additional transfer mechanism that is not available under the GDPR framework
  • Transition period: The full implementation of transfer requirements will occur in stages, giving organisations time to adapt their practices before enforcement begins
  • Regional context: Chile's adequacy assessments will consider the data protection landscape of Latin American and Asia-Pacific trading partners, which may differ from the EU's assessment priorities

Practical Guidance for Businesses

Organisations that transfer personal data out of Chile should take the following steps to ensure compliance with the new transfer rules:

  1. Map your data flows: Identify all transfers of personal data outside of Chile, including the destination countries, the categories of data transferred and the purposes of each transfer
  2. Assess transfer mechanisms: For each transfer, determine which mechanism is available and appropriate, whether it be an adequacy decision, SCCs, BCRs, consent or another recognised basis
  3. Implement appropriate safeguards: Draft and execute the required contractual arrangements and conduct transfer impact assessments where necessary
  4. Monitor regulatory developments: Stay informed about adequacy decisions issued by the Agencia and any updates to approved SCCs or guidance on BCR applications
  5. Update privacy notices: Ensure that your privacy policies inform data subjects about international transfers, the destination countries and the safeguards in place
  6. Document your compliance: Maintain records of all transfer mechanisms, assessments and decisions to demonstrate compliance in the event of a regulatory inquiry

A comprehensive compliance platform like the ResGuard Compliance Map can help organisations track their international data transfers, manage contractual safeguards and maintain the documentation required for regulatory compliance.

Conclusion

Chile's new cross-border data transfer rules represent a significant modernisation of the country's data protection framework. By establishing clear conditions and safeguards for international transfers, Law 21.719 protects the rights of Chilean data subjects while supporting the legitimate needs of businesses to operate globally. Organisations should act now to map their data flows, implement appropriate transfer mechanisms and prepare for the full enforcement of these requirements. For a broader understanding of Chile's new data protection law, see our comprehensive guide to Law 21.719.
