
Chile - Data Protection Overview

October 2023

1. Governing Texts

Chile approved its first data privacy regulation in 1999, Law No. 19.628 of August 18, 1999, on the Protection of Private Life (only available in Spanish here) ('the Law'), which was the first of its kind in Latin America. Nevertheless, within a short period the Law became obsolete, and it has practically not been enforced, owing to the lack of a catalogue of violations, the absence of an official data privacy authority, and low fines, among other flaws.

In 2010, Chile became a member of the Organisation for Economic Co-operation and Development ('OECD'), committing to adapt its data protection regulations and to regularize cross-border data flows. To that end, on March 15, 2017, the Government of Chile ('Government') presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Data Privacy Authority (only available in Spanish here) ('the Bill'), which amends the Law, is modelled on the standards of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and creates a data protection agency. Its legislative process has been very slow, with countless amendments; at the time of writing it is in its second legislative stage before the Constitution Commission of the Chamber of Deputies. On October 7, 2021, the Government amended the Bill to incorporate the creation of an Agency for the Protection of Personal Data as the data protection authority ('the Agency') and to clarify certain aspects of the structure of fines. Shortly afterwards, to expedite the legislative procedure, the Government placed 'urgency' on the Bill.

Moreover, in 2018, data protection was incorporated as a fundamental right in the Chilean Constitution (only available in Spanish here).

1.1. Key acts, regulations, directives, bills

The current regulation on data privacy is the Law.

The Law recognizes two legal bases for data processing: authorization by law and the data subject's consent. However, regarding consent, the Law contains broad exceptions that allow personal data to be processed without the data subject's consent. The Law also addresses personal and sensitive data, but it does not specifically address biometric, georeferenced, or minors' data.

Data subjects have the rights of access, rectification, cancellation, and objection. Nevertheless, these rights are currently not commonly exercised by data subjects. Separately, the National Consumer Service ('SERNAC') established in 2010 a 'Do Not Disturb List' (only available in Spanish here) to prevent unwanted (spam) promotional communications, which SERNAC enforces.

However, the Law does not include a detailed list of violations, which hinders compliance and enforcement. The highest fines amount to $3,500 and, in the absence of a data privacy authority, claims are filed in court.

Given the absence of a specific authority in this area, other authorities have claimed jurisdiction to regulate data protection, such as SERNAC, the Commission for the Financial Market ('CMF'), and the Chilean Transparency Council ('CPLT').

On December 24, 2021, Law No. 21.398 of December 24, 2021, which Establishes Measures to Encourage the Protection of Consumer Rights (only available in Spanish here) ('Pro Consumer Law'), came into force. The Pro Consumer Law grants SERNAC supervisory powers over personal data processed within a consumer relationship, provided that such powers do not fall within the legal competence of another regulatory entity. Consequently, the powers of the Agency proposed in the Bill are preserved.

Likewise, the Pro Consumer Law allows class actions to protect consumers' collective or diffuse interests, including claims for compensation for breaches involving their personal data.

Under this new power, SERNAC has issued two interpretative circulars related to data privacy:

  • Consumer protection against the use of artificial intelligence ('AI') systems (only available in Spanish here): it sets out a series of rules for providers that use AI systems in their consumer relations, such as the provision of accurate, timely, and transparent information, safeguarding freedom of choice, consumer safety, the prohibition of arbitrary discrimination, and the protection of consumers' personal data; and
  • Fairness criteria in adhesion contracts (only available in Spanish here): it states that clauses authorizing providers to collect and process consumers' personal data, which are usually found in privacy policies and terms and conditions, should be examined under consumer protection regulation, specifically with regard to the fairness of contractual provisions.

As previously mentioned, in 2017 the Bill was introduced to the National Congress; it aims to amend the Law and create a data privacy agency. The relevant aspects of the Bill are:

  • Scope: Applies to public and private organizations and regulates personal and sensitive data of identified and identifiable natural persons.
  • Legal basis: Consent, law, contract, and legitimate interest.
  • Consent characteristic: Express, unequivocal, specific, previously informed, and free.
  • Data: Personal, sensitive, biometric, georeferenced, minors', health, and genetic data.
  • Authority: Creates the Agency, which will be the data protection authority responsible for claims regarding data processing under the Bill and its decisions can be appealed to a Court of Appeals.
  • Fines: Following international standards, depending on the nature and seriousness of the infraction, the Bill raises the applicable fines to $375,000 or, in the case of companies, a fine of up to the equivalent of 4% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of $750,000 (in the case of recidivism, the fine may be multiplied by three).
  • Compliance: The Bill considers infringement prevention models as mitigating factors in case of infringements.
  • Data subject rights: Access, rectification, cancellation, objection, objection to automated decisions, and portability rights.
  • Controller and processor: The Bill clearly distinguishes between the controller and the processor, and their obligations.
  • Controller's obligations: These include demonstrating a legal basis for data processing, implementing adequate technical and organizational information security measures, data breach notification, confidentiality, and the duty of information.

1.2. Guidelines

Currently, there is no data protection authority; the Bill creates one, the Agency.

However, as noted above, the Pro Consumer Law granted enforcement powers to SERNAC, which may bring class actions to protect consumers' collective or diffuse interests and to obtain compensation for consumers whose personal data rights have been violated.

In addition to the circulars detailed in the section above on key acts, regulations, directives, and bills, SERNAC has issued notices regarding the use of cookies and reports on dark patterns, emphasizing its intention to protect consumers' personal data.

1.3. Case law

In 2019, based on consumer law, SERNAC sued the Chilean Mail Service over a security breach at a US vendor that provided PO box services to the Chilean Mail Service's customers. The affected data included contact and credit card information.

In 2020, the Chilean Association of Telecommunications complained before the CPLT that the Subsecretary of Telecommunications ('SUBTEL') repeatedly requested telecommunications companies to submit their customer databases, including customers' names, phone numbers, addresses, services contracted, and other data.

2. Scope of Application

2.1. Personal scope

The Law applies to public and private organizations and regulates the personal and sensitive data of identified and identifiable natural persons. However, it does not specifically address the processing of biometric, georeferenced, or minors' data, which the Bill does.

2.2. Territorial scope

The Law applies within the territory of Chile. The Bill, by contrast, will apply to the processing of personal data carried out under any of the following circumstances:

  • when the controller or processor is established or incorporated in the national territory;
  • when the processor, regardless of its domicile or place of incorporation, carries out the personal data processing operations on behalf of a controller established or incorporated in the national territory; or
  • when the controller or processor is not established in the national territory but its personal data processing operations are intended to offer goods or services to data subjects who are in Chile, regardless of whether payment is required, or to monitor the behavior of data subjects who are in the national territory, including the analysis, tracking, profiling, or prediction of their behavior.

The Bill also applies to the processing of personal data carried out by a controller who, not being established on national territory, is subject to national law by virtue of a contract or international law.

2.3. Material scope

Any operation or set of operations or technical procedure, whether automated or not, that allows the collection, processing, storage, communication, transmission, or any other use of personal data or sets of personal data.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Currently, there is no data protection authority. The Bill will create one, the Agency, whose purpose will be to ensure the effective exercise, enforcement, and fulfillment of data subjects' rights.

Under the Bill, the Agency will have the power to enforce the law and apply sanctions, such as fines and accessory sanctions (e.g. suspension of data processing).

Following international standards, and depending on the nature and seriousness of the infraction, the Bill raises the applicable fines to $375,000 or, in the case of companies, a fine of up to the equivalent of 4% of the annual income from sales, services, and other activities of the business in the last calendar year, with a maximum of $750,000 (in the case of recidivism, the fine may be tripled).

Nevertheless, the Pro Consumer Law granted SERNAC supervisory powers over personal data processed within a consumer relationship, as well as the power to pursue compensation for damages suffered by consumers.

3.2. Main powers, duties and responsibilities

As noted above, the Law does not establish a specific authority to enforce its provisions; data subjects' claims are filed with the courts.

Nevertheless, the Bill creates the Agency. All claims must be filed with the Agency, and its decisions can be appealed to a Court of Appeals.

As for SERNAC, this institution has broad supervisory powers regarding the protection of consumers' personal data, and its enforcement actions are usually highly publicized, which can have a reputational impact. Nonetheless, if the Bill is passed and becomes law, the supervisory powers of SERNAC will be revoked (the Agency will hold those powers), although SERNAC will retain its power to bring class actions under consumer law.

4. Key Definitions

Data controller: Any natural or legal person, public or private, who decides on the purposes and means of personal data processing, regardless of whether the data is processed directly by them or through a third party (Article 2(n) of the Law, see also Article 2 of the Bill).

Data processor: Any person who processes data on behalf of the data controller (Article 2 of the Bill).

Personal data: Any information related to or referring to a natural person, identified or identifiable through means that can reasonably be used (Article 2(f) of the Law, see also Article 2 of the Bill).

Sensitive data: Personal data revealing racial or ethnic origin, political, trade union or guild affiliation, personal habits, ideological or philosophical convictions, religious beliefs, data concerning health, human biological profile, biometric data, and information concerning a natural person's sex life, sexual orientation, and gender identity (Article 2(g) of the Law, see also Article 2 of the Bill).

Health data: Health-related data, biological profile, genetic, proteomic, or metabolic data (Article 2 of the Bill).

Biometric data: Data obtained through specific technical processing, relating to the physical, physiological, or behavioral characteristics of a person, that allows or confirms their unique identification, such as fingerprints, iris, hand or facial features, and voice (Article 2 of the Bill).

Pseudonymization: The processing of data in such a way that the data can no longer be attributed to a data subject without the use of additional information, where such additional information is kept separately and is subject to technical and organizational measures designed to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 2 of the Bill).
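The definition above hinges on one design decision: the "additional information" that re-links a token to a person must be held apart from the pseudonymized data set and protected. The following is an added illustration written for this overview, not code from the Bill, the Agency, or any Chilean regulator; the records, field names, and key-handling functions are constructed assumptions. It shows keyed pseudonyms (HMAC-SHA256) where the key is that separately kept additional information, contrasted with an unkeyed hash that a dictionary attack reverses without any secret at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (invented for this example, not real data).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ana Perez", "email": "ana@example.cl", "purchase": "shoes"},
    {"id": 2, "name": "Luis Soto", "email": "luis@example.cl", "purchase": "hat"},
    {"id": 3, "name": "Ana Perez", "email": "ana@example.cl", "purchase": "bag"},
]
# Fields treated as direct identifiers (an assumption for the example).
IDENTIFIERS = ("name", "email")


def new_pseudonym_key() -> bytes:
    """The secret that maps identifiers to pseudonyms. This is the 'additional
    information' of the definition: store it in a separate system with its own
    access controls, never alongside the pseudonymized data set."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token. Equal inputs give equal tokens under the
    same key, so records about one person remain linkable for analysis."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of the record with identifier fields replaced by tokens;
    non-identifying fields are left as they are."""
    out = dict(record)
    for field in IDENTIFIERS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def pseudonymize_all(records, key: bytes):
    return [pseudonymize(r, key) for r in records]


def reidentify(token: str, candidates, key: bytes):
    """Re-identification is only possible for whoever holds the key: recompute
    the token for each candidate identifier and compare in constant time.
    Returns None when no candidate matches (or when the wrong key is used)."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, key), token):
            return candidate
    return None


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 without a secret, shown for contrast only."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(token: str, candidates):
    """With no key involved, anyone can recover a low-entropy identifier such
    as an e-mail address by hashing a list of plausible values. Such data is
    still personal data, because it can be attributed without any 'additional
    information' that is kept separately."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymize_all(SAMPLE_RECORDS, key):
        print(row)
```

Two properties are worth checking in practice: records 1 and 3 carry the same token (linkability is preserved), and a party without the key cannot turn the token back into the e-mail address even with a good candidate list, whereas the unkeyed hash falls to the same list immediately.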

Consent: Any free, specific, unequivocal, and informed expression of will, by means of which the data subject, their legal representative or agent, as appropriate, authorises the processing of personal data that concerns them (Article 2 of the Bill).

5. Legal Bases

The Law recognizes as legal bases for data processing the data subject's consent and authorization by law. However, regarding consent, the Law contains broad exceptions that allow personal data to be processed without the data subject's consent (Article 4 of the Law).

The following legal bases correspond to those established by the Bill:

5.1. Consent

The Bill states that consent must be free, informed, and specific as to its purpose or purposes, and must also be expressed unequivocally, by means of a verbal or written statement, or expressed through equivalent electronic means, or by an affirmative act that clearly shows the will of the data subject.

Additionally, when consent is given by a representative of the data subject, the representative must be expressly authorized to do so.

5.2. Contract with the data subject

Not applicable at present. However, it is included as a legal basis in the Bill.

Under the Bill, data processing is lawful without the data subject's consent when such processing is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the request of the data subject.

5.3. Legal obligations

Processing authorized by law is already a legal basis under the Law. Under the Bill, data processing is likewise lawful without the data subject's consent when such processing is necessary for the performance or fulfillment of a legal obligation, or where it is required by law.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable at present. However, it is included as a legal basis in the Bill.

Under the Bill, data processing is lawful without the data subject's consent when such processing is necessary to satisfy the legitimate interests of the controller or a third party, provided that such processing does not affect the rights and freedoms of the data subject. In any case, data subjects may always demand to be informed about the processing that affects them, as well as the legitimate interest on which the processing is based.

5.7. Legal bases in other instances

Currently, other laws provide legal bases that allow personal data processing in certain circumstances, for example:

  • medical records (see Law No. 20.584, Which Regulates the Rights and Duties that People have in relation to Actions related to their Health Care (only available in Spanish here));
  • personal data relating to economic, financial, banking, or commercial obligations (Article 17 of the Law);
  • personal data collected from publicly accessible sources (Article 4 of the Law), although the Bill provides that the processing of such data will be limited to the purposes for which the data is held in the publicly accessible source; and
  • Law No. 21.236, Which Regulates Financial Portability (only available in Spanish here).

6. Principles

The principles of the Bill are:

  • lawfulness;
  • purpose of the data processing;
  • proportionality and minimization;
  • quality;
  • accountability;
  • security;
  • transparency; and
  • confidentiality.

7. Controller and Processor Obligations

The Law addresses this only briefly and sets out a few obligations for anyone who processes personal data, namely:

  • the obligation to maintain secrecy about personal data when it comes from or has been collected from sources not accessible to the public;
  • personal data may be used only for the purposes for which it was collected, unless it comes from or has been collected from sources accessible to the public; and
  • the data controller must store personal data with due diligence and is liable for any damage caused.

Notwithstanding the above, the Bill establishes that the data controller has the following obligations:

  • to inform data subjects of, and make available to them, the information demonstrating the lawfulness of the data processing, and to deliver such information promptly when requested;
  • to ensure that personal data is collected from lawful sources for specific and explicit purposes, and that its processing is limited to the fulfillment of these purposes;
  • to communicate or transfer accurate, complete, and current information;
  • to cancel or anonymize data subjects' personal data when it was obtained for the execution of pre-contractual measures; and
  • to comply with other principles and obligations governing the processing of personal data provided in the Bill.

A data controller who is not domiciled in Chile and who processes the data of persons residing in the national territory must indicate, and keep updated and operational, an e-mail address or other suitable means of contact for receiving communications from data subjects and the Agency.

7.1. Data processing notification

Under the Bill, it is lawful to process personal data where the data subject has given consent (Article 12 of the Bill). Consent must be expressed unequivocally, by means of a verbal or written declaration, through an equivalent electronic means, or by an affirmative act that clearly shows the will of the data subject.

7.2. Data transfers

Under the Law, personal data may be transferred with the data subject's consent and for the fulfillment of the purposes of the data processing.

The Bill provides that international data transfers are permitted when the recipient is subject to a legal system that provides an adequate level of protection of personal data. Where the destination country does not provide an adequate level of protection, the guarantees justifying the transfer must be reported. Instruments, mechanisms, and clauses that contain principles, rights, and guarantees similar to or greater than those offered by the Bill, and in particular that grant data subjects enforceable rights and effective legal remedies, are considered adequate guarantees. The Agency may set conditions that must be verified before the transfer and may approve model clauses containing such guarantees, which will be made available to data controllers.

7.3. Data processing records

Under the Bill, data processors must keep records of the rights exercised by data subjects.

7.4. Data protection impact assessment

Although the Law imposes a security obligation, it does not explicitly provide for a Data Protection Impact Assessment ('DPIA').

Nevertheless, the Bill requires a DPIA whenever a type of processing, by its nature, scope, context, technology used, or purposes, is likely to result in a high risk to the rights of data subjects.

Since the Bill requires the data controller to adopt technical and organizational measures both before and during the data processing, a DPIA must be performed before the processing in question begins.

7.5. Data protection officer appointment

DPOs are not regulated under the Law; they are introduced by the Bill through its infringement prevention model provisions. The DPO must be appointed by the organization's highest governing body, usually the board of directors, and must act autonomously in privacy matters.

The DPO must meet requirements of suitability, capability, and specific knowledge for the exercise of their functions. The DPO may perform other duties, provided they are compatible and do not create a conflict of interest.

7.6. Data breach notification

The Law does not establish an obligation to give notice of a data breach. Nevertheless, in 2018 the CMF imposed on banks and financial institutions the obligation to notify data breaches to the CMF within 30 minutes of becoming aware of the breach. The same obligation applies to insurance and reinsurance companies. In practice, a window that short can only be met if the decision of who notifies, through which channel, and with what minimum information has been settled in the incident response plan before an incident occurs.

Under the Bill, the data controller and processor must notify the Agency, by the most expeditious means possible and without undue delay, of any breach of the security measures.

If the breach concerns sensitive data, minors' data, or financial data, the affected data subjects must also be notified.

7.7. Data retention

Based on the proportionality principle, data must be kept only for the time needed to fulfil the purposes of the data processing, unless the law provides a different period.

7.8. Children's data

The Law does not regulate the processing of minors' data.

Under the Bill, children are those under 14 years of age and adolescents those aged 14 to under 18. Adolescents may validly give consent in their own personal capacity, except for the sensitive data of adolescents under 16 years of age, which may only be processed with the consent of a parent or legal guardian, unless expressly authorized or mandated by law.

Children's data must be processed in accordance with their best interests and progressive autonomy.

7.9. Special categories of personal data

The Bill introduces the following special categories of personal data:

  • biometric data;
  • georeferenced data;
  • health-related data; and
  • biological data: data related to the genetic, proteomic, or metabolic profile.

7.10. Controller and processor contracts

The Bill provides that, where a processor processes data on behalf of a controller, the processing is governed by a contract between the controller and the processor, in accordance with the legislation in force. The contract must set out the object of the engagement, its duration, the purpose of the processing, the type of personal data processed, the categories of data subjects to whom the data relates, and the rights and obligations of the parties.

The data processor may not delegate all or part of the processing except with the specific written authorization of the controller. Moreover, a data processor who delegates all or part of the processing to another processor remains jointly and severally liable for the processing and is not exempted from liability on the grounds of having delegated it.

8. Data Subject Rights

Under the Law, data subjects have the rights of access, rectification, cancellation, and objection. As previously noted, these rights are currently not commonly exercised by data subjects, and in general companies have not implemented processes to comply with them. Separately, SERNAC established in 2010 the Do Not Disturb List to prevent unwanted (spam) promotional communications, and it strictly enforces compliance.

The Bill retains those rights, defines them, creates new ones (detailed below), and adds an administrative claims procedure so that data subjects can exercise them effectively.

8.1. Right to be informed

The right to be informed is not considered per se as a data subject right in the Bill, but only as a requirement for consent as a basis to adequately process personal data.

8.2. Right to access

This is defined as the right to request and obtain from the controller confirmation as to whether the data subject's personal data is being processed, to access such data where appropriate, and to obtain the information provided for in the Bill, such as:

  • the processed data and its origin;
  • the purpose or purposes of the processing;
  • the categories, classes, or types of recipients, or the identity of each recipient, if so requested by the data subject, to whom the data have been communicated or transferred or is intended to be transferred;
  • the period during which the data will be processed; and
  • the legitimate interests of the data controller, when the processing has a different basis other than the consent of the data subject.

This right includes the right to access meaningful information about the logic applied in the case of automated individual decisions made by the controller, including profiling.

8.3. Right to rectification

This is defined as the right to request and obtain from the controller the modification or completion of personal data that is being processed and is inaccurate, outdated, or incomplete.

8.4. Right to erasure

This is defined as the right to request and obtain from the controller the deletion or removal of personal data, under the conditions provided by law, in particular when:

  • the data is not necessary in relation to the purposes of the processing for which it was collected;
  • the data subject has revoked their consent and the processing has no other legal basis;
  • the data has been illegally obtained or processed by the controller;
  • the data is outdated;
  • the data must be deleted in order to comply with a court judgment or a legal obligation; and
  • the data subject has exercised their right to object and there is no other legal basis for the data processing.

8.5. Right to object/opt-out

This is defined as the right to request and obtain from the controller that a specific and determined processing of the data subject's data not be carried out, in the following cases:

  • if the processing affects the data subject's fundamental rights and freedoms;
  • if the processing is conducted exclusively for the purpose of marketing or direct marketing of goods, products, or services; or
  • if the processing concerns data obtained from a publicly accessible source and there is no other legal basis for the processing.

8.6. Right to data portability

This is defined as the right to request and obtain from the controller a copy of their personal data in a structured, generic, and common electronic format, which allows it to be operated by different systems, and to communicate or transfer it to another controller.

8.7. Right not to be subject to automated decision-making

This is defined as the right to object to decisions concerning the data subject that the controller makes based solely on automated processing of the data subject's personal data, including profiling. If exercised, the controller must take all necessary measures to safeguard the rights of the data subject, in particular the right to obtain human intervention by the controller, to express their point of view, and to request a review of the decision.

8.8. Other rights

Not applicable.

9. Penalties

The Law does not include a detailed list of violations, which hinders compliance and enforcement. The highest fines amount to $3,500 and, in the absence of a data privacy authority, claims are filed in court.

Following international standards, and depending on the nature and seriousness of the infraction, the Bill raises the applicable fines to $375,000 or, in the case of companies, a fine of up to the equivalent of 4% of the annual income from sales, services, and other activities of the business in the last calendar year, with a maximum of $750,000 (in the case of recidivism, the fine may be tripled).

Moreover, the Bill provides as a sanction the suspension of data processing for 30 days, which may be extended for a further period of the same length.

9.1. Enforcement decisions

Not applicable.
