Chile's new Personal Data Protection Law (Law 21,719) is now in effect, replacing the outdated framework that had governed data protection since 1999. The law establishes a comprehensive regulatory regime aligned with international standards, creates a dedicated enforcement authority — the Personal Data Protection Agency — and introduces obligations that affect virtually every company operating in Chile.
What changed
Law 21,719 overhauls Chile's data protection framework across several dimensions.
Lawful processing bases. The law establishes six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest. Each basis has specific conditions. Consent must be free, specific, informed, and unambiguous. Legitimate interest requires a balancing test between the controller's interest and the data subject's rights.
Data subject rights. The law enshrines a comprehensive set of rights: access, rectification, erasure, objection, portability, and the right to not be subject to solely automated decisions. Controllers must respond to rights requests within 20 business days.
Obligations for controllers and processors. Companies must implement appropriate technical and organizational security measures, maintain records of processing activities, conduct data protection impact assessments for high-risk processing, and appoint a data protection officer where required. Data processing agreements between controllers and processors are mandatory.
Cross-border transfers. Personal data may be transferred to countries or international organizations that provide an adequate level of protection, as determined by the Agency. In the absence of an adequacy determination, transfers require appropriate safeguards such as standard contractual clauses, binding corporate rules, or explicit consent.
Personal Data Protection Agency. The law creates a dedicated, autonomous agency with enforcement powers including the authority to investigate complaints, conduct audits, issue binding instructions, and impose fines. Maximum fines reach 20,000 UTM for the most serious infractions.
Sensitive data. Processing of sensitive data (health, biometric, genetic, ethnic origin, political opinions, religious beliefs, sexual orientation, union membership) requires explicit consent or a specific legal basis. The law imposes heightened protections and restricts automated processing of sensitive data.
What this could mean for your company
If your company collects, stores, uses, or shares personal data — of clients, employees, suppliers, or any natural person — you are a data controller under Law 21,719 and subject to its full set of obligations.
The most immediate operational impacts include:
- Consent management: If you rely on consent as your lawful basis, existing consents may not meet the new standard (free, specific, informed, unambiguous). Blanket consent clauses buried in terms of service are unlikely to be compliant.
- Rights fulfillment: You need a documented process to receive, verify, and respond to data subject rights requests within 20 business days. This requires coordination across legal, IT, and customer service teams.
- Vendor management: If you share personal data with service providers (cloud hosting, payroll processing, marketing platforms, CRM systems), you need data processing agreements that comply with the law's requirements.
- Cross-border transfers: If personal data is transferred outside Chile — including to cloud servers in other jurisdictions — you must verify that the destination provides adequate protection or implement appropriate safeguards.
- Security measures: The law requires technical and organizational measures proportional to the risk. A data breach notification obligation requires reporting to the Agency and affected individuals without undue delay.
What you can do
- Map your data processing activities. Identify what personal data you collect, from whom, for what purpose, on what legal basis, where it is stored, who has access, and whether it is transferred to third parties or abroad. This is the foundation for any compliance program.
- Review and update your privacy notices and consent mechanisms. Ensure they meet the new standard of transparency and specificity. If you process sensitive data, verify that you have explicit consent or a specific legal basis.
- Implement a rights request management process. Establish a clear internal procedure for receiving, tracking, and responding to access, rectification, erasure, portability, and objection requests within the 20-business-day deadline.
- Review vendor contracts. Ensure all service providers processing personal data on your behalf have data processing agreements in place that comply with Law 21,719.
- Assess cross-border data flows. If personal data leaves Chile, verify the legal basis for the transfer and implement appropriate safeguards where needed.
If you need to assess your company's data protection compliance posture or design an implementation roadmap for Law 21,719, schedule a consultation with Cubillos Lama.
This content is for informational purposes only and does not constitute legal advice for any specific case.