Introduction
Chile’s Law No. 21.719, widely referred to as the Chilean Personal Data Protection Law, represents a comprehensive reform of the country’s data protection laws and marks a decisive shift toward modern data protection frameworks. The law regulates the processing of personal data carried out by public and private bodies, whether by automated processing or non-automated data processing systems, and applies to all natural or legal persons that handle personal data within Chile. Its primary objective is to strengthen personal data protection as a fundamental right, ensuring respect for private life, dignity, and informational self-determination of data subjects. Chile’s Law No. 21.719 aligns with international privacy standards such as the GDPR and the LGPD.
The law establishes a robust personal data protection framework that brings Chile closer to international standards, particularly those reflected in the General Data Protection Regulation. By introducing clear general data protection principles, enforceable data subject rights, and structured compliance obligations, Law No. 21.719 enhances legal certainty for organizations while increasing accountability in personal data processing activities. These general data protection principles underpin the law’s compliance and rights framework, shaping how organizations must approach data processing and protection. It also aligns with other legal instruments, including the cybersecurity framework law, reinforcing a coordinated approach to data security and risk management.
A defining feature of the new law is its broad scope of application. It applies to all public and private bodies, regardless of size or sector, as long as they engage in the processing of personal data in Chile or target individuals located in the country. This includes first-party data management activities, cross-border data transfers, and processing activities carried out by data controllers and data processors acting on their behalf. Both natural persons and legal persons are subject to the law when processing data outside purely personal or domestic contexts.
Finally, Law No. 21.719 introduces new rights and compliance mechanisms designed to empower data subjects and modernize data governance. Concepts such as data portability, enhanced consent requirements, and stronger oversight by a national data protection authority significantly raise the bar for data privacy and data security. For businesses, understanding how the law establishes obligations and allocates responsibilities is essential to avoiding non-compliance and mitigating legal, operational, and reputational risk. The law was approved on August 26, 2024, and will become fully effective on December 1, 2026.
Key Concepts
At the core of Law No. 21.719 is the recognition of personal data protection as a fundamental right. Personal data is defined as any information relating to an identified or identifiable natural person, whether directly or indirectly identifiable through identifiers linked to physical or moral characteristics, economic situation, cultural identity, or aspects of private life. The law governs all forms of processing personal data, including collection, storage, use, disclosure, and deletion, regardless of whether such processing is automated or manual.
The law distinguishes between ordinary personal data and sensitive personal data. Sensitive data includes information that, if misused, could pose a reasonable risk to the rights and freedoms of data subjects. This category explicitly covers health data, biometric data, children’s data, and information related to racial or ethnic origin, political opinions, religious beliefs, or sexual life. Processing sensitive data is subject to stricter conditions, higher security measures, and enhanced accountability, especially where a breach involves sensitive data. The data subject’s consent must be informed, explicit, and obtained in advance, and it serves as the lawful basis for processing sensitive data and children’s data.
Law No. 21.719 clearly defines the roles of data controllers and data processors. A data controller is a natural or legal person, or a public or private entity, that decides the purposes and methods for processing personal data. A data processor processes personal data on behalf of the controller, under documented instructions. Both roles carry direct legal obligations, including the duty to adopt technical and organizational measures, ensure data security, and document processing activities. All data processing activities must have a valid legal basis, including consent, contractual necessity, legal obligation, or legitimate interests.
Institutionally, the law establishes the Personal Data Protection Agency as the national data protection authority. This independent data protection authority is responsible for supervising compliance, issuing guidelines, administering sanctions, and acting as the central point for international judicial cooperation in data protection matters. Its creation represents a significant institutional shift, providing Chile with a dedicated national data protection authority comparable to those in other jurisdictions with advanced data protection regimes.
International data transfers are another critical concept. Cross-border data transfers are permitted only where appropriate safeguards are in place, such as adequacy decisions, binding corporate rules, certification mechanisms, or contractual clauses. Certification mechanisms serve as a recognized tool for demonstrating compliance and facilitating lawful cross-border data transfers. These mechanisms ensure that such data continues to benefit from a level of protection consistent with Chilean data protection principles, even when processed abroad.
Data Subject Rights
Law No. 21.719 significantly expands and clarifies data subject rights, placing individuals at the center of the personal data protection system. Data subjects have the right to access their personal data, obtain information about processing activities, and understand the purposes, legal basis, and recipients of such processing. They also have the right to request rectification of inaccurate or outdated data and deletion where processing is no longer lawful or necessary.
In addition to traditional rights, the law introduces enhanced rights aligned with the General Data Protection Regulation. This includes the right to data portability, which enables data subjects to obtain their personal data in a structured, widely used format and transfer it to another data controller. The law also recognizes the right to object to the processing of their data under certain circumstances, as well as the right to block (suspend) processing when specific conditions set out in the law are met.
A notable innovation is the explicit right to object to automated processing, including profiling, where such processing produces legal effects or significantly affects the data subject. This provision reflects growing concerns around algorithmic decision-making and reinforces the need for transparency and human oversight in data processing systems.
To exercise their data subject rights, individuals may submit a request directly to the data controller. Controllers must respond within a legally defined and reasonable timeframe, providing clear and accessible information. Failure to respond adequately or within the prescribed period may constitute non-compliance and expose the organization to enforcement action by the data protection authority.

International Data Transfers
Under the Chilean Data Protection Law, international data transfers are subject to strict requirements to ensure that personal data remains protected when it leaves Chilean territory. Data controllers may transfer personal data abroad only if they can guarantee that the destination country offers an adequate level of data protection, as determined by the data protection agency. Where such adequacy is not recognized, transfers are permitted if appropriate safeguards are in place, such as binding corporate rules, contractual clauses, or other legal instruments that ensure the continued protection of personal data.
Before initiating any international data transfers, organizations must assess the legal framework of the recipient country and implement safeguards that align with Chilean data protection laws. The law also requires data controllers to notify the Chilean Data Protection Agency about the transfer, providing details such as the categories of personal data involved, the purposes of the transfer, and the countries to which the data will be sent. This process ensures transparency and enables the data protection agency to monitor and, if necessary, intervene in cross-border data flows.
By adhering to these requirements and utilizing recognized legal instruments, businesses can facilitate international data transfers while maintaining compliance with the Chilean data protection law and upholding the rights of data subjects.
Cybersecurity Framework
Law No. 21.719 integrates personal data protection with Chile’s broader cybersecurity framework law, creating a unified approach to data security and risk management. The law establishes obligations aimed at preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. These obligations apply to both data controllers and data processors, regardless of sector or organizational size.
Organizations must implement appropriate technical and organizational measures tailored to the nature of the data processing, the volume of data, and the level of risk involved. These include the legal obligation to adopt security measures such as encryption, access controls, pseudonymization, secure authentication mechanisms, and continuous monitoring of data processing systems. The emphasis is on proportionality: security measures must be adequate to the specific risks posed by the processing in question.
A key requirement under the law is the obligation to conduct periodic risk assessments. These assessments must identify vulnerabilities, evaluate potential impacts on affected data subjects, and inform the adoption of additional security measures where necessary. For high-risk processing activities, data controllers are required to perform a data protection impact assessment (DPIA), which systematically analyzes the risks to the rights of data subjects and the strategies adopted to mitigate them.
Oversight of the cybersecurity framework is shared with the National Cybersecurity Agency, which coordinates with the personal data protection agency to ensure consistency between data protection laws and national cybersecurity policies. This institutional coordination reinforces Chile’s commitment to data security as a matter of national and economic resilience, particularly for organizations providing essential services.
Data Breaches and Incidents
Law No. 21.719 establishes a clear and structured regime for managing data breaches and security incidents. A data breach is broadly defined to include any incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data. When a breach occurs, organizations must assess whether it poses a reasonable risk to the rights and freedoms of data subjects.
If the breach meets the notification threshold, that is, when there is a reasonable risk to the rights and freedoms of data subjects, the data controller must notify the Personal Data Protection Agency, the national data protection authority, without undue delay. The notification must include details about the nature of the incident, the categories of data affected, the number of impacted individuals, and the security measures adopted or proposed to mitigate harm. Transparency and timeliness are central to the law’s incident response framework.
Where a breach involves sensitive personal data or otherwise poses a high risk, organizations are also required to notify affected data subjects directly. This communication must be clear, accessible, and informative, enabling individuals to take appropriate steps to protect themselves; where the breach involves children’s data, the stricter requirements for handling such data apply and notification must be especially clear and prompt. Failure to notify may constitute a serious infringement under the law.
To ensure preparedness, organizations must maintain an incident response plan as part of their overall compliance model. This includes internal reporting procedures, coordination with data processors, documentation of incidents, and post-incident reviews. Data protection impact assessments play a crucial role in anticipating and reducing the likelihood and impact of future data breaches.
Essential Services and Compliance
The law applies equally to organizations that provide essential services, such as telecommunications, financial services, healthcare, and digital platforms. Given the volume and sensitivity of personal data they handle, these organizations are subject to heightened expectations regarding data governance, security measures, and accountability. Compliance is not optional and extends across all processing activities involving personal data.
Law No. 21.719 introduces a structured compliance model based on accountability. Data controllers must be able to demonstrate compliance with data protection principles, including lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. Documentation of processing activities, internal policies, and training programs is a key element of this model.
Organizations are encouraged, and in some cases required, to appoint a data protection officer. The data protection officer acts as an internal advisor on personal data protection law, monitors compliance, and serves as a contact point with the data protection authority. This role is particularly relevant for organizations engaged in large-scale processing or processing sensitive data.
The national data protection authority is responsible for supervising compliance, conducting investigations, and imposing sanctions. Periodic audits, whether internal or external, are an essential tool for identifying gaps and preventing non-compliance. Sanctions may include fines, corrective measures, and, in severe cases, restrictions on data processing activities.

Data Privacy and Security
Law No. 21.719 establishes a comprehensive framework for data privacy and data security that requires organizations to integrate privacy considerations into their operational and technological decisions. Data protection by design and by default is implicit in the requirement to adopt technical and organizational measures from the earliest stages of processing activities.
Obtaining a valid data subject’s consent is a central pillar of lawful processing. Consent must be informed, specific, and freely given, particularly when processing sensitive data or children’s data. Organizations must be able to demonstrate that consent was obtained and must provide mechanisms for withdrawal without detriment to the data subject.
The law also emphasizes data governance as an ongoing organizational responsibility. This includes defining roles and responsibilities, maintaining accurate records, managing international data transfers, and ensuring appropriate safeguards for cross-border data transfers. Certification mechanisms and recognized standards may be used to demonstrate compliance and strengthen trust.
Regular periodic risk assessments, combined with continuous improvement of security measures, are essential to maintaining compliance over time. Data security is not a one-time exercise but a dynamic process that must adapt to evolving threats, technological changes, and regulatory expectations.
Non-Compliance
Non-compliance with the Chilean Data Protection Law carries significant consequences for organizations engaged in data processing activities. The law establishes a tiered system of administrative fines, with penalties escalating based on the severity of the infraction. Minor violations can result in fines of up to 5,000 national tax units, while serious and very serious breaches may lead to fines of up to 10,000 or 20,000 national tax units, respectively. These penalties are designed to incentivize robust data protection practices and deter negligent or willful disregard for the law.
Beyond financial penalties, the data protection agency has the authority to impose corrective measures, such as requiring organizations to implement specific security measures, suspend certain data processing activities, or even revoke authorization to process personal data in extreme cases. The agency may also mandate independent audits to verify compliance and ensure that any deficiencies are promptly addressed.
Given the potential for substantial fines and operational disruption, it is essential for businesses to prioritize compliance with the Chilean data protection law, regularly review their data processing activities, and adopt proactive security measures to mitigate the risk of non-compliance.
Enforcement Agency
The Chilean Data Protection Agency (Agencia de Protección de Datos de Chile) serves as the primary enforcement body for the Chilean Data Protection Law. This independent authority is empowered to oversee compliance, investigate complaints, and enforce the law through a range of regulatory actions. The agency can conduct audits, request information from data controllers, perform on-site inspections, and seize relevant documents or equipment as part of its investigative powers.
In addition to enforcement, the data protection agency plays a crucial role in supporting organizations by issuing guidance, clarifying legal requirements, and promoting best practices in data protection. The agency is also tasked with raising public awareness about data protection rights and responsibilities, helping both businesses and individuals understand the implications of the Chilean data protection law.
To ensure effective oversight, the agency collaborates with other regulatory bodies within Chile and participates in international cooperation efforts, particularly in matters involving cross-border data transfers and global data protection standards. This comprehensive approach ensures that the data protection agency remains a central pillar in the ongoing development and enforcement of data protection in Chile.
Conclusion
Chile’s Law No. 21.719 represents a major milestone in the evolution of personal data protection in Chile. By establishing a modern, rights-based framework aligned with international data protection standards, the law strengthens trust in data-driven activities and reinforces the protection of private life in an increasingly digital economy.
For businesses, the law establishes clear obligations around personal data processing, data security, and accountability. New concepts such as data portability, enhanced data subject rights, and structured breach notification requirements require organizations to reassess existing practices and invest in robust compliance models.
Enforcement by the national data protection authority underscores the seriousness of the new regime. Organizations that fail to comply may face significant penalties, operational disruption, and reputational harm. Conversely, proactive compliance can support better data governance, stronger customer trust, and long-term operational resilience.
Understanding Law No. 21.719 and its practical implications is therefore essential for any organization that handles personal data in Chile. By adopting appropriate technical and organizational measures, aligning processing activities with data protection principles, and embedding data privacy into corporate culture, businesses can navigate the new law effectively and responsibly.