Doing Business Chile 2026 · Chapter IX

Personal data protection

Chile changed the rules for processing personal data. Law No. 21,719, published on December 13, 2024, substantially reforms the previous regime, brings it closer to the European standard and creates an authority with the power to inspect and fine. It takes effect on December 1, 2026, so a foreign company processing data of people in Chile has a limited window to adapt before the new obligations and fines become enforceable.

Share this reportLinkedInWhatsAppXEmail

REGIME CHANGE

The regime change and why it matters

For twenty-five years, personal data processing in Chile was governed by Law No. 19,628 on the Protection of Private Life, published on August 28, 1999. A regional pioneer, it fell behind the digital economy. It allowed data processing with undemanding consent, provided no specialized supervisory authority and left compliance, in practice, to civil actions by affected parties before the ordinary courts. To a company accustomed to the EU’s General Data Protection Regulation (GDPR), the Chilean regime seemed lax — and that perception is about to end.

Law No. 21,719, which regulates the protection and processing of personal data and creates the Personal Data Protection Agency, substantially amends Law No. 19,628 and brings it close to the GDPR model. It introduces express processing principles, redefines consent, expands data subject rights, imposes documentary obligations on the controller, regulates international data transfers explicitly for the first time and creates an administrative authority with inspection and sanctioning powers. The text sets fines of up to 20,000 monthly tax units for the most serious infringements.

With a vacancy of nearly twenty-four months, Law No. 19,628 in its original wording remains in force until December 1, 2026; from that day the reformed framework applies in full. That gap defines the adaptation timeline for any company with operations or customers in Chile.

For a foreign company, the relevant point is territorial scope. When the controller is not established in Chile, subjection to the Chilean framework must be reviewed case by case under the territorial scenarios provided by the law and the processing’s effective connection with data subjects located in the country. A company headquartered abroad that offers services to people in Chile or monitors their behavior can fall within the law’s scope even without a local office — an extraterritoriality taken from the European model.

OGC view

December 1, 2026 should govern your compliance plan, and it is unwise to wait until that date to start, because the record of processing activities, impact assessments, processor contracts and international transfer mechanisms take months to implement.

CONSTITUTIONAL GUARANTEE

The fundamental right of Article 19 No. 4

Personal data protection is a constitutional guarantee in Chile. Article 19 No. 4 of the Constitution, in the text fixed by Decree 100 of 2005, assures all persons respect and protection of private life and, after the reform introduced by Law No. 21,096, published on June 16, 2018, the protection of their personal data, whose processing is governed by law.

Law No. 21,719 is the legal development of that right. Article 1 of Law No. 19,628, as amended, declares that it regulates the form and conditions of personal data processing in accordance with Article 19 No. 4 of the Constitution. For a company, non-compliance is not just an administrative fine risk, but the impairment of a constitutional guarantee, with the reputational burden and exposure to actions that entails.

OGC view

Treat data protection as compliance with a fundamental right, not a formality. The underlying question is not whether you published a privacy policy, but whether the processing respects the informational self-determination of the people whose data you handle.

CORE CONCEPTS

Scope and core concepts

Law No. 21,719 works on four concepts that define who is accountable and why.

Personal data. Any information linked or referring to an identified or identifiable natural person. The identifiability standard is broad and not limited to a name or tax ID; an online identifier, an IP address or a combination of data that singles out a person can constitute personal data.

Sensitive personal data is a special category with a reinforced regime. It covers data revealing ethnic or racial origin, political, union or trade affiliation, socioeconomic status, ideological or philosophical convictions, religious beliefs, data on health, human biological profile, sex life, sexual orientation and gender identity, as well as biometric data. Its processing is allowed only with the data subject’s express consent or in the enumerated cases the law authorizes, and the burden of proving the lawful basis falls on the controller.

Data controller. The individual or legal entity that decides the purposes and means of the processing, and who answers to the data subject and the Agency. In the typical structure of a foreign company, the parent that defines what data is collected and for what purpose will, as a general rule, be the controller.

The data processor is whoever processes data on the controller’s behalf, under a contract. The cloud infrastructure provider, the mass-mailing platform or the payment processor usually act as processors. The law requires the relationship to be in writing and the processor to apply appropriate technical and organizational measures to ensure a level of security adequate to the risk.

OGC view

Map your data flows and define, contract by contract, who is controller and who is processor. The same vendor can play different roles depending on the purpose, and that classification determines the clauses you need and the allocation of liability.

PRINCIPLES

The processing principles

Article 3 of Law No. 19,628, as amended by Law No. 21,719, sets the principles governing all personal data processing. They are not statements of good intent, but enforceable, sanctionable standards of conduct.

Lawfulness and fairness Purpose limitation Lawfulness and fairness require processing data lawfully and Purpose limitation requires collecting data for specific, explicit fairly, with the controller able to prove the basis enabling the and lawful purposes, and limiting processing to those processing. purposes.

Proportionality Accuracy Proportionality restricts it to the data necessary, adequate Accuracy requires data to be exact, complete, current and and relevant to the purpose. relevant.

Accountability Security Accountability makes whoever processes the data legally Security requires guaranteeing adequate standards. responsible for complying with the principles.

Transparency and information Confidentiality Transparency and information require the controller to give Confidentiality imposes secrecy on those who process or the data subject what they need to exercise their rights. access the data.

Law No. 21,719 turns these principles — previously scattered and without ex officio enforcement — into the axis of the model, and hands them to an agency with sanctioning power.

OGC view

Proportionality is the principle that creates most friction with digital businesses, because collecting data just in case is no longer admissible. Review every form and permission in your application and, if a data point is not necessary for the declared purpose, stop asking for it.

D ATA S U B J E C T R I G H T S

Data subject rights

Law No. 21,719 expands and systematizes the rights of the person whose data is processed. The following table summarizes each right and contrasts it, where relevant, with the Law No. 19,628 regime.

Right Content under Law No. 21,719 Status under Law No. 19,628

Access Obtain confirmation of whether their data is processed, access it Recognized more narrowly, focused on and learn its origin, purpose and recipients. knowing what data is stored and to whom it is disclosed

Rectification Demand correction of inaccurate, outdated or incomplete data. Recognized for erroneous, inaccurate or incomplete data.

Erasure Demand deletion when no basis justifies the processing or consent Recognized when storage lacked a legal has been withdrawn. basis.

Objection Object to specific processing, including profiling and direct Not regulated as a standalone, general right. marketing.

Blocking Request temporary suspension of processing operations while a Law No. 19,628 provided for blocking, but rectification, erasure or objection request is resolved. not with the new regime’s systematic scope.

These rights are exercised before the controller, which must respond within the deadlines and in the form the law sets; if it fails to respond or responds insufficiently, the data subject may complain to the Agency. Portability and objection to profiling are new rights, with no equivalent in Law No. 19,628, and especially sensitive for business models dependent on behavioral analytics.

OGC view

You need an internal procedure to handle rights requests before the law takes effect: who receives the request, how the requester’s identity is verified, which systems are consulted and within what deadline the response is given. Objection to direct marketing also forces a review of your campaigns and lists.

OBLIGATIONS

Controller obligations

Law No. 21,719 shifts the weight of compliance onto the controller and makes it demonstrable through the following obligations.

The duty of information requires giving the data subject, at the time of collection, the controller’s identity and contact details, the processing purposes, the categories of data processed, the recipients or categories of recipients, the existence of international transfers and the rights available to them. It is the minimum content of a lawcompliant privacy policy.

The security duty requires the controller and processor to apply appropriate technical and organizational measures to ensure a level of security adequate to the risk. The law also incorporates privacy by design and by default, requiring data protection to be built into product and service design and only the data necessary for each purpose to be processed.

The record of processing activities requires maintaining a documentary inventory of processing operations, which the Agency may request and which is the first evidence of compliance a company must be able to produce.

A data protection impact assessment is required when processing, by its nature, scope, context, technology or purposes, may produce a high risk to data subjects’ rights. The law always requires it, among other cases, for systematic evaluations based on automated processing or decisions with significant legal effects, massive or large-scale processing, and systematic monitoring of publicly accessible areas. When it reveals a high risk the controller cannot mitigate, the Agency must be consulted.

The duty to report security breaches requires notifying the Agency of breaches affecting personal data and, depending on the severity and the type of data compromised, the affected data subject as well. A processor detecting a breach must report it to the controller.

The designation of a data protection officer is a figure the law contemplates to channel compliance and the relationship with the Agency. It is not a universal obligation for every controller, but should be assessed according to the operation and, especially, when the company adopts an infringement prevention model or certifiable compliance program. When designated, they act as a contact point and oversee observance of the framework.

OGC view

The record of processing activities is the document to start with, because it forces you to map what data you process, for what purpose, on what lawful basis and with what recipients. With that map, the privacy policy, impact assessments and processor contracts are drafted far more easily.

TRANSFERS

Processors and international transfers

The relationship between the controller and its vendors processing data on its behalf must be set out in a processing agreement. The law requires the processor to process data only per the controller’s instructions, apply appropriate security measures, keep confidentiality and report any breaches it detects. When it subcontracts, the sub-processing chain is subject to the same requirements and liability is not diluted merely by subcontracting.

International data transfer receives, for the first time, express regulation. The general rule is that it is admissible when the destination country has an adequate level of protection, understood as a legal system with standards similar to Chilean law. When it lacks an adequate level, the transfer proceeds if the controller adopts safeguards justifying it, such as contractual clauses, binding corporate rules or other legal instruments. The Agency may issue recommendations, adopt precautionary measures and, in qualified cases, temporarily suspend the sending of data abroad.

On December 19, 2025, Exempt Resolution 202503748 of the Ministry of Economy was published, approving standard contractual clauses for international transfers, reducing the burden of negotiating instrument by instrument and giving predictability to companies moving data between Chile and other jurisdictions.

OGC view

For a foreign company, international transfer is usually the critical point, because its normal operation involves sending data of people in Chile to servers outside the country. Check where your data goes and under what safeguard; if the destination lacks an adequate level, standard contractual clauses are the most direct route, and don’t assume you’re covered just because your vendor is a well-known global company.

THE AGENCY

The Personal Data Protection Agency

Law No. 21,719 creates the Personal Data Protection Agency as an autonomous public-law corporation, technical in nature, decentralized, with its own legal personality and assets. It is the missing piece in the Law No. 19,628 regime and the one that fundamentally changes the incentive to comply.

The Agency oversees compliance with the law’s principles, rights and obligations, resolves data subjects’ complaints against controllers, investigates and determines infringements, imposes sanctions and adopts preventive or corrective measures. It also has powers over international transfers, where it can suspend data transmissions, and issues instructions and criteria clarifying how the law should be applied.

Institutional preparation is already under way. Decree 12, published on June 17, 2025, created a ministerial advisory commission for implementing Law No. 21,719.

OGC view

There is now an authority that can inspect ex officio, demand documentation and fine. Being able to show it your record of processing activities, your impact assessments and your processor contracts is what separates a prepared company from an exposed one.

FINES

The fines regime

Law No. 21,719 establishes a tiered sanctions regime based on the severity of the infringement, with the fine caps per category summarized in the following table.

Up to 5,000 Up to 10,000 Up to 20,000 monthly tax monthly tax monthly tax units units units maximum fine maximum fine maximum fine

The data subject retains, in parallel to the administrative route, their civil action for damages caused by the unlawful processing, liability that may fall on the controller or the processor depending on their involvement in the infringement.

OGC view

The cap in monthly tax units adjusts over time, so it’s worth calculating in current currency. But what should weigh most in an investment decision is the recidivism-aggravated rule, because it exposes companies that don’t qualify as smaller businesses to a percentage of annual business revenue.

P R E PA R AT I O N P L A N

Effective-date timeline and preparation plan

From December 1, 2026, the new framework’s obligations and the Agency’s sanctioning powers are enforceable. A reasonable plan chains together, in order, the record of activities, the lawful basis of each processing operation, the privacy policy, processing agreements, enabling international transfers, high-risk impact assessments, the rights-request procedure and the breach-response protocol, and the eventual designation of a delegate.

OGC view

A full adaptation program at a mid-sized company with digital operations takes several months. And data protection is not something you close out and file away — it is an ongoing function that changes with every new product, vendor or purpose, and that the Agency will keep refining through its instructions. Starting with margin, and sustaining it over time, is what separates arriving prepared from arriving exposed. Will your company be ready when Law No. 21,719 takes effect SCHEDULE A MEETING on December 1, 2026?

Free download

Download the full report

Get the full 175-page PDF, in Spanish or English, with the comparison tables and the detail of every chapter.

This content is for informational purposes only and does not constitute legal advice. Before making investment decisions, we recommend obtaining advice on your specific situation.

Want to bring this to your specific case?

Talk to a Cubillos Lama partner about how the Chilean legal framework applies to your operation.

Response within 24 business hours.