La nueva Ley de Privacidad de Datos de Chile: Una guía de cumplimiento para la legislación aprobada 21.719

The Chilean government approved and passed Law No. 21.719, its long-anticipated personal data protection law (PDPL), aligning the country more closely with international privacy standards such as the General Data Protection Regulation in Europe (GDPR), el General Data Protection Law in Brazil (LGPD), and other Latin American countries. The challenge now is not just understanding what’s required, but operationalizing compliance at scale to meet these new standards.

BigID is uniquely positioned to help organizations meet these obligations with a privacy-by-design platform built for automation, actionability, and scale. Here’s what you need to know about Chile’s Personal Data Protection Law (PDPL) and how BigID empowers compliance.

What is Chile’s Personal Data Protection Law (PDPL)?

On August 26, 2024, the Chilean government approved the reformed Chilean legislation, which was then published on December 13, 2024, and will go into full effect on December 1, 2026. The purpose of this new proposed law is to address enforcement gaps, which were originally based on Spain’s data protection framework. The “Protection of Private Life” Law No.19628 was established in 1999, which created the foundation for personal data protection, but over time, the legal framework needed to be evolved to address the broader scope of data protection and privacy.

The law introduces a new compliance mandate, with specific obligations around data subject rights, risk assessments, data governance, accountability, and stricter obligations on data controllers and processors. The law also calls to establish Chile’s first national data protection authority, the Personal Data Protection Agency. The new regulator will monitor compliance and apply fines and sanctions for data breaches and non-compliance.

Updated Requirements of Chile’s Data Privacy Law

Ámbito territorial

Chile’s PDPL extends its territorial scope like other regional regulations and the GDPR; the PDPL has extraterritorial reach and applies to individuals and organizations—both public and private—when personal data is processed under the following conditions:

• When a data controller or processor operates from within Chile.
• When a processor or third party, regardless of where they are located or incorporated, handles personal data on behalf of a controller based in Chile.
• When the controller or processor is located outside of Chile, but their data processing activities target individuals in Chile—either by offering goods or services (whether paid or free) or by monitoring individuals’ behavior, including tracking, profiling, or behavioral analysis.

Responsibilities of Data Controllers

Similar to the GDPR, the law establishes new data protection principles that organizations must consistently follow when processing personal data. These principles, along with defined responsibilities, shape the obligations of data controllers and align with modern data protection frameworks. These principles consist of lawfulness & fairness, purpose limitation, proportionality, quality, accountability, security, transparency, and confidentiality.

Processing of Personal & Sensitive Data

Under Chile’s new Personal Data Protection Law (PDPL), sensitive personal data can only be processed with the individual’s express consent—whether written, verbal, or via equivalent technological means—unless specific exceptions apply. These include cases where the data was made public by the individual for a specific purpose, or when processing is based on legitimate interests that meet certain legal conditions, particularly by non-profit entities. Additionally, the law allows processing of personal data without consent when necessary to fulfill legal obligations, perform contractual duties (such as employment contracts), support legal claims, or pursue legitimate interests like fraud prevention or network and information security, as long as such interests do not override the individual’s fundamental rights.

New Data Subject Rights (“Derechos ARCOP”)

The existing law had already granted Chilean citizens enhanced rights over their personal data, including the derecho de acceso, rectification, and supresión. After the reform, Chilean citizens were granted additional rights over their personal data, such as the right to data portability, the right to object to a certain processing, and the right to object to automated decision-making, AI, and/or profiling.

Additionally, as it relates to responding to data subject requests, organizations have 30 days to respond to data subjects’ requests, and are allowed a one-time 30-day extension.

Evaluaciones de riesgos de privacidad

Similar to the GDPR, the law mandates that controllers must carry out a data protection impact assessment (DPIA) specifically when processing data is “likely to result in a high risk to the rights of data subjects” and requires controllers to demonstrate that personal data is handled appropriately. A DPIA is highly recommended in these instances:

• When the data processing involves a systematic and thorough assessment of individuals’ personal characteristics through automated methods, such as profiling.
• High-volume or extensive data processing
• Processing that includes continuous observation or surveillance of a publicly accessible area
• Processing of sensitive or legally protected personal data

The law requires data controllers to detail the processing activities and their purposes, assess the necessity and proportionality of the processing in relation to those purposes, evaluate potential risks, and outline the mitigation measures implemented.

Transferencias transfronterizas de datos

Similar to GDPR and other regional frameworks, transferencias transfronterizas de datos are permitted based on specific mechanisms: (i) adequacy decisions; (ii) contractual clauses, binding corporate rules, or other legal instruments between the sender and recipient; or (iii) recognized compliance models, or certifications with appropriate safeguards. Additionally, a published list of countries considered “adequate” under the law, and also publish model contractual clauses and other approved transfer mechanisms.

Breach & Incident Notification

The Chilean regulation requires data controllers to notify the Personal Data Protection Agency (PDPA) by the fastest means possible and without undue delay of any incident that may result in the accidental or unlawful destruction, breach, loss, or alteration of personal data—or unauthorized access or disclosure—when there is a reasonable risk to the rights and freedoms of the affected individuals.

While the law does not specify an exact timeframe for notification, further guidance is expected from the PDPA. Controllers must also document these incidents with details on the nature of the breach, actual or potential impact, types of data, number of individuals affected, and the steps taken in response and to prevent recurrence. If the incident involves sensitive data, children’s data, financial, banking, or commercial records, the controller must notify data subjects in clear, accessible language. When direct notification is not feasible, a public notice must be issued through at least one major national media outlet.

Cumplimiento y multas

Creation of the Enforcement Agency

The Personal Data Protection Agency (PDPA) is a newly established governmental agency that will ensure organizations adequately protect Chilean citizens’ data and enforce compliance with the law.

The role of the PDPA also requires the agency to certify, register, and supervise organizations’ methods of prevention and compliance programs. Additionally, the agency must manage the National Registry of Sanctions and Compliance. This registry records all organizations sanctioned for violations and specifies the degree for up to 5 years.

Fines & Penalties

The Chilean law imposes strict penalties on noncompliant data controllers, categorized as minor, major, or severe violations. Depending on the seriousness of the offense, fines can reach up to USD 1,440,000. Repeat violations may result in penalties up to three times the original amount, and the agency may also suspend the controller’s data processing activities.

The BigID Approach to Chile’s PDPL Compliance

Chile’s new law signals a broader shift in LATAM toward rigorous data protection requirements and enforcement. Compliance with Chile’s data privacy law isn’t just about checking boxes—it’s about building a privacy program that scales with complexity. BigID is the only platform built to support a full data privacy lifecycle: from discovery to policy enforcement, from manual tasks to automated action.

BigID’s AI-Automated & Identity-Aware Data Privacy Management for Risk & Compliance provides the visibility, control, and automation needed to comply confidently with the PDPL. With BigID, organizations can:

• Identificar todos los datos: Automatically discover and classify data, AI assets, and models to build an inventory, map data flows, and gain visibility on all personal and sensitive information by person, sensitivity, type, context, & content that is subject to PDPL requirements.
• Aplicar políticas: Remediate policy-based risk with controls and workflows to take action on PDPL requirements to automate data lifecycle management across collection, retencióny supresión.
• Monitorear las transferencias transfronterizas de datos: Crear políticas y asignar residencia a fuentes de datos y datos de personas para hacer cumplir los requisitos de residencia de datos y monitorear y alertar sobre las transferencias de datos.
• Evaluar el riesgo: Automate data protection impact assessment (DPIA), data inventory reports, and remediation workflows to identify and reduce risks to maintain compliance.
• Evaluate Third-Party Risk: Automate third-party assessments to evaluate the security posture of third-party vendors, reduce third-party risk, and verify that all vendors adhere to security and data protection standards.
• Minimizar datos: Aplique prácticas de minimización de datos identificando, categorizando y eliminando datos personales innecesarios o excesivos para gestionar eficientemente el ciclo de vida de los datos.
• Automatizar la gestión de derechos de datos: Automatically manage data subject rights requests, preferences, and consent, including opting out of data selling, targeted advertising, and user profiling.
• Implantar controles de protección de datos: Automatizar los controles de protección de datos para hacer cumplir el acceso a los datos and other security measures crucial to safeguarding data and complying with the PDPL.

To learn how BigID can help you operationalize privacy and protection in line with Chile’s law, request a demo today!

Autor

Verrion Wright

Estrategia y desarrollo de contenidos

Verrion Wright es un ambicioso experto en marketing con más de 20 años de experiencia en marketing de productos, desarrollo de contenidos y estrategia digital. Centrado en la información basada en datos y el marketing integrado, ha ocupado puestos de responsabilidad en diversos sectores, como los servicios informáticos, la privacidad de datos, el marketing y la publicidad (planificación de medios). En BigID, Verrion es el Director de Estrategia y Desarrollo de Contenidos, que ayuda a elevar el contenido a través de todos los pilares, regiones y compradores, creando consistentemente contenido convincente a través de varios medios - incluyendo vídeo, artículos, listas de control, libros blancos y guías.