In December 2024, Chile enacted Law 21.719, a sweeping overhaul of the country's personal data protection framework. This landmark legislation replaces the outdated provisions of Law 19.628, which had governed data protection in Chile since 1999. The new law aligns Chile's regulatory landscape with international standards, drawing significant inspiration from the European Union's General Data Protection Regulation (GDPR). For businesses operating in Chile or handling data of Chilean residents, understanding this new law is essential for ensuring compliance and avoiding substantial penalties.
Why Was a New Law Needed?
Chile was among the first Latin American countries to enact data protection legislation when it passed Law 19.628 in 1999. However, the original law had significant shortcomings that became increasingly apparent over the past two decades. It lacked a dedicated supervisory authority for enforcement, imposed no meaningful penalties for violations and failed to address modern data processing practices such as cloud computing, artificial intelligence and cross-border data flows.
The absence of an independent enforcement body meant that individuals had to pursue data protection violations through the courts, a slow and costly process that effectively left most violations unaddressed. Businesses operated with minimal oversight, and Chile's data protection framework was widely regarded as insufficient by international standards. The constitutional reform of 2018, which elevated personal data protection to a fundamental right in Chile's constitution, set the stage for the comprehensive legislative reform that Law 21.719 represents.
Key Provisions of Law 21.719
The new law introduces a comprehensive regulatory framework that addresses the gaps of its predecessor and brings Chile into alignment with global best practices. The following sections outline its most significant provisions.
Enhanced Data Subject Rights
Law 21.719 significantly expands the rights available to data subjects. In addition to the existing rights of access, rectification and deletion, the new law introduces the right to data portability, the right to object to processing and the right not to be subject to automated decision-making. These rights closely mirror those established under the GDPR, providing individuals with meaningful control over their personal information.
Data controllers must respond to data subject requests within defined timelines and provide clear mechanisms for individuals to exercise their rights. Failure to facilitate these rights can result in regulatory action and penalties.
Strengthened Consent Requirements
Consent under Law 21.719 must be freely given, specific, informed and unambiguous. The law requires that consent be obtained through a clear affirmative action and prohibits the use of pre-ticked boxes or implied consent mechanisms. Data controllers must be able to demonstrate that valid consent was obtained and must provide straightforward means for individuals to withdraw their consent at any time.
For the processing of sensitive personal data, including health information, biometric data and political opinions, explicit consent is required unless a specific legal exception applies.
Data Breach Notification
The law establishes mandatory data breach notification requirements for the first time in Chile's data protection history. Data controllers must notify the Agencia de Protección de Datos Personales, without undue delay, of any personal data breach that poses a risk to data subjects. When the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified directly.
Organisations must implement breach detection and response procedures to ensure timely compliance with these requirements.
Data Protection Officer Obligations
Law 21.719 introduces the requirement for certain organisations to appoint a Data Protection Officer (DPO). The DPO is responsible for overseeing the organisation's data protection strategy, monitoring compliance, advising on data protection impact assessments and serving as the primary contact point with the supervisory authority. For detailed guidance on DPO requirements, see our article on DPO obligations in Chile.
The Agencia de Protección de Datos Personales
Perhaps the most significant innovation of Law 21.719 is the creation of the Agencia de Protección de Datos Personales, Chile's first independent data protection authority. This autonomous body is empowered to investigate complaints, conduct audits, issue binding decisions and impose administrative penalties for non-compliance.
The Agencia has the authority to issue interpretive guidance, approve codes of conduct and certify compliance mechanisms. It will also play a central role in international cooperation on data protection matters, facilitating Chile's integration into the global data protection landscape.
Penalties and Enforcement
Law 21.719 introduces a robust penalty framework that represents a dramatic departure from the previous regime. The Agencia can impose fines of up to 10,000 UTM (Unidades Tributarias Mensuales) for serious infractions, which translates to substantial financial exposure for non-compliant organisations. Repeat offences and aggravating circumstances can lead to even higher penalties.
The penalty framework considers factors such as the nature and gravity of the violation, the number of affected data subjects, the degree of cooperation with the supervisory authority and whether the organisation took proactive measures to mitigate harm. Organisations that demonstrate robust compliance programmes and prompt remediation efforts may benefit from reduced penalties.
Transition Timeline
The law provides for a phased implementation period to allow businesses and the government to prepare for full compliance. Key milestones include the establishment of the Agencia and the development of supporting regulations. Organisations should use this transition period strategically to conduct gap assessments, implement necessary changes and train their staff.
Certain provisions of the law take effect at different stages during the transition period. Businesses should work with legal counsel to understand the specific timelines applicable to their operations and prioritise their compliance efforts accordingly.
Implications for Cross-Border Data Transfers
The new law establishes specific rules governing the transfer of personal data outside of Chile, addressing a major gap in the previous framework. Transfers are permitted to countries that provide an adequate level of data protection, as determined by the Agencia, or through approved transfer mechanisms such as standard contractual clauses and binding corporate rules. For a detailed analysis, see our article on cross-border data transfers from Chile.
Practical Steps for Businesses
Preparing for compliance with Law 21.719 requires a systematic approach. The following steps provide a practical roadmap for organisations.
- Conduct a data mapping exercise: Identify all personal data your organisation collects, processes and stores, including where it is held and who has access to it
- Review and update privacy notices: Ensure your privacy policies accurately describe your data processing activities and comply with the enhanced transparency requirements
- Assess your lawful bases: Document the legal basis for each processing activity and implement processes for obtaining and managing consent where applicable
- Implement data subject request procedures: Establish workflows for handling access, rectification, deletion, portability and objection requests within the required timelines
- Develop breach response plans: Create and test incident response procedures to ensure timely detection and notification of data breaches
- Appoint a DPO if required: Determine whether your organisation needs a DPO and either hire one or engage an outsourced DPO service
- Train your workforce: Implement comprehensive data protection awareness training for all employees who handle personal data
- Review cross-border transfers: Assess your international data transfer arrangements and implement appropriate safeguards
Looking Ahead
Law 21.719 marks a transformative moment for data protection in Chile. It positions the country as a regional leader in privacy regulation and signals a clear commitment to protecting the personal data of Chilean citizens. Organisations that invest in compliance now will not only avoid regulatory penalties but also build trust with customers and partners in an increasingly privacy-conscious marketplace.
A structured compliance platform such as the ResGuard Compliance Map can help organisations navigate the complexities of Law 21.719, automate compliance workflows and maintain ongoing oversight of their data protection posture. Proactive preparation is the key to turning regulatory change into a competitive advantage.