The enactment of Law 21.719 has introduced the formal requirement for certain organisations in Chile to appoint a Data Protection Officer (DPO). This represents a significant shift in the Chilean data protection landscape, which previously had no such obligation. Drawing on models established by the GDPR and other international frameworks, the DPO role under Chilean law is designed to ensure that organisations maintain ongoing compliance with data protection requirements and have a designated point of contact for both the supervisory authority and data subjects. This guide explains when a DPO is required, what qualifications are needed and what responsibilities the role entails.
When Is a DPO Required?
Law 21.719 establishes specific criteria that determine when an organisation must appoint a DPO. The requirement applies to the following categories of data controllers and processors:
- Public bodies and authorities: All government agencies and public sector entities that process personal data are required to designate a DPO, reflecting the significant volumes and sensitivity of data processed in the public sector
- Large-scale processing: Organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale must appoint a DPO. This includes companies engaged in behavioural tracking, profiling, location monitoring and similar activities
- Sensitive data processors: Organisations that process special categories of personal data on a large scale, including health data, biometric data, genetic data, political opinions, religious beliefs and data concerning criminal convictions, must have a DPO in place
Even where appointment is not strictly mandatory, the Agencia de Protección de Datos Personales encourages all organisations to consider designating a DPO voluntarily. Having a dedicated data protection professional demonstrates a commitment to compliance and can be a mitigating factor in the event of regulatory proceedings.
DPO Qualifications and Expertise
The law requires that the DPO possess professional qualifications and expert knowledge of data protection law and practice. While it does not prescribe specific certifications or academic degrees, the DPO must have sufficient expertise to fulfil the responsibilities of the role effectively. Key areas of competence include:
- Legal knowledge: A thorough understanding of Chilean data protection law, including Law 21.719, as well as familiarity with international frameworks such as the GDPR where relevant to the organisation's operations
- Technical understanding: Sufficient knowledge of data processing operations, information security practices and the technical measures used to protect personal data
- Regulatory experience: Practical experience in dealing with supervisory authorities, managing compliance programmes and conducting data protection impact assessments
- Communication skills: The ability to advise senior management, train staff and communicate with data subjects and the Agencia on data protection matters
The level of expertise required should be proportionate to the complexity and volume of the organisation's data processing activities. Organisations handling particularly sensitive or large-scale processing will need a DPO with correspondingly deeper expertise.
Independence and Position Within the Organisation
A fundamental principle of the DPO role under Law 21.719 is independence. The DPO must be able to perform their duties without receiving instructions regarding the exercise of their tasks. This means that the organisation must not penalise or dismiss the DPO for performing their functions, and the DPO must not hold a position that creates a conflict of interest with their data protection responsibilities.
The DPO should report directly to the highest level of management within the organisation. This ensures that data protection considerations are integrated into strategic decision-making and that the DPO has the authority and visibility needed to be effective. The DPO must also be provided with adequate resources, including access to personal data processing operations, sufficient time to fulfil their duties and ongoing professional development opportunities.
Core Responsibilities of the DPO
The DPO's responsibilities under Law 21.719 encompass a broad range of advisory, monitoring and liaison functions. The following are the principal duties that the DPO must perform.
Monitoring Compliance
The DPO is responsible for monitoring the organisation's compliance with Law 21.719 and any related regulations or internal policies. This includes conducting regular audits, reviewing data processing activities, verifying that data protection impact assessments are carried out where required and identifying areas of non-compliance that need to be addressed.
A structured compliance platform like the ResGuard Data Protection Manager can significantly enhance the DPO's ability to monitor compliance across the organisation by centralising records, automating assessments and providing real-time visibility into the compliance posture.
Advising on Data Protection Impact Assessments
When the organisation plans to undertake data processing activities that are likely to result in a high risk to the rights and freedoms of individuals, a data protection impact assessment (DPIA) must be conducted. The DPO plays a central advisory role in this process, providing guidance on whether a DPIA is required, the methodology to be used and the measures needed to mitigate identified risks.
The DPO does not conduct the DPIA themselves but advises the data controller throughout the process and reviews the assessment to ensure it is thorough and compliant.
Cooperating with the Agencia de Protección de Datos Personales
The DPO serves as the primary contact point between the organisation and the Agencia. This includes responding to inquiries from the supervisory authority, facilitating inspections and audits, submitting notifications as required by law and consulting with the Agencia on data protection matters.
Maintaining a constructive and transparent relationship with the Agencia is essential. The DPO should proactively engage with the supervisory authority and stay informed about regulatory guidance, enforcement priorities and best practices.
Training and Awareness
The DPO is responsible for ensuring that staff members who handle personal data understand their data protection obligations. This involves developing and delivering training programmes, creating internal guidance documents and fostering a culture of data protection awareness throughout the organisation. Effective awareness training is a cornerstone of any compliance programme.
Handling Data Subject Requests
While the organisation as a whole is responsible for responding to data subject requests, the DPO typically oversees the process to ensure that requests are handled correctly and within the required timelines. The DPO may also serve as a point of contact for data subjects who have questions or concerns about how their personal data is processed.
Outsourced vs. In-House DPO
Law 21.719 permits organisations to appoint either an internal employee or an external service provider as their DPO. Each approach has distinct advantages.
An in-house DPO has the advantage of being embedded within the organisation, with direct access to systems, processes and personnel. However, this requires finding or developing an employee with the necessary expertise, which can be challenging and costly.
An outsourced DPO brings specialised expertise, independence and experience gained from working across multiple organisations and industries. This option is particularly attractive for small and medium-sized enterprises that may not have the resources to employ a full-time DPO. Outsourced DPO services can also provide supplementary DPO support to organisations that have an in-house DPO but require additional capacity or expertise.
Reporting to the Agencia
The DPO must ensure that the organisation's DPO contact details are communicated to the Agencia de Protección de Datos Personales. This enables the supervisory authority to contact the DPO directly when necessary. The DPO's contact information should also be made available to data subjects, typically through the organisation's privacy notice.
In the event of a data breach, the DPO plays a key role in coordinating the notification process, ensuring that the Agencia and affected individuals are informed within the required timelines.
Practical Steps for Appointing a DPO
Organisations subject to the DPO requirement should follow these practical steps to ensure a smooth appointment process:
- Assess whether a DPO is required: Review your data processing activities against the criteria established by Law 21.719 to determine whether appointment is mandatory
- Define the role: Develop a clear job description or service specification that outlines the DPO's responsibilities, reporting lines and resource requirements
- Select the right candidate: Choose a DPO with the appropriate qualifications, expertise and independence to fulfil the role effectively
- Ensure independence: Verify that the DPO role does not create conflicts of interest and that the DPO has direct access to senior management
- Provide resources: Allocate sufficient budget, time and tools, including a compliance management platform, to support the DPO's work
- Notify the Agencia: Register the DPO's contact details with the Agencia de Protección de Datos Personales as required
- Integrate into governance: Embed the DPO role into the organisation's governance framework, ensuring regular reporting to the board or senior leadership
Conclusion
The introduction of DPO obligations under Law 21.719 reflects Chile's commitment to building a robust data protection framework. Whether appointed in-house or outsourced, the DPO plays a vital role in ensuring compliance, protecting data subjects and managing the organisation's relationship with the Agencia. Organisations should act promptly to assess their obligations, appoint a qualified DPO and provide the support needed for effective data protection governance. For a complete overview of Chile's new data protection law, see our guide to Law 21.719.