Chile - Data Protection Overview
Chile approved its first regulation on data privacy back in 1999, Law No. 19.628 Protection of Private Life 1999 (only available in Spanish here) ('the Law'), which was the first of its kind in Latin America. Nevertheless, after a very short period, the Law became obsolete and has practically no enforcement due to the lack of a catalogue of violations, no official data privacy authority, and low fines, among other flaws.
In 2010, Chile became a member of the Organisation for Economic Co-operation and Development ('OECD'), committing to adapt its data protection regulation and regularise cross-border data flows. In this context, on 15 March 2017, the Government of Chile ('Government') presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Data Privacy Authority (only available in Spanish here) ('the Bill'), which modifies the Law, is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') standards, and creates a data protection agency. Its legislative process has been very slow, with countless indications, and it is still in the first legislative process. On 7 October 2021, the Government amended the Bill, incorporating the creation of an Agency for the Protection of Personal Data as the data protection authority ('the Agency') and making the structure of fines more precise. Shortly after, and in order to expedite the legislative procedure, the Government placed an 'urgency' on the Bill.
Moreover, in 2018, data protection was incorporated as a constitutional guarantee.
1. Governing Texts
The current regulation on data privacy is the Law.
The Law considers the law and the data subject's consent as legal bases for data processing. However, regarding consent, the Law considers broad exceptions which allow personal data to be processed without the data subject's consent.
The Law addresses personal and sensitive data; however, it does not consider biometric, georeferenced, or minors' data.
Data subjects have the right of access, rectification, cancellation, and objection. Nevertheless, these rights are currently not commonly exercised by data subjects, and in general, companies have not implemented processes to comply with them. Despite this, the National Consumer Service ('SERNAC') established a 'Do Not Disturb List' (only available in Spanish here) in 2010 to avoid unwanted (spam) promotional communications, and SERNAC strictly enforces compliance with this.
However, the Law does not include a detailed list of violations, thus hindering compliance and enforcement. The highest fines amount to $3,500 and, in the absence of a data privacy authority, claims are filed in court.
Given the absence of a specific authority in this area, there have been other authorities that have claimed jurisdiction in order to regulate data protection, such as SERNAC, the Commission for the Financial Market ('CMF'), and the Chilean Transparency Council ('CPLT').
However, in August 2021, the National Congress of Chile ('National Congress') dispatched the pro-consumer Bill No. 12.409-03 to Establish Measures to Encourage the Protection of Consumer Rights (only available in Spanish here) ('the Consumer Protection Bill'), which is expected to come into force before the end of 2021. This law grants SERNAC supervisory powers regarding personal data processed within a consumer relationship. These powers are, as mentioned, limited to the extent of a consumer relationship, provided that such faculties do not fall within the legal competence of another regulatory entity. Consequently, the foregoing leaves the powers of the Agency safe, as proposed in the Bill.
Likewise, the Consumer Protection Bill allows class actions to protect the collective or diffuse interest of consumers and request compensation upon breaches in relation to their personal data.
As previously mentioned, in 2017 the Bill, which aims to modify the Law and create a data privacy agency, was introduced to the National Congress. The relevant aspects of the Bill are:
- Scope: Applies to public and private organisations and regulates personal and sensitive data of identified and identifiable natural persons.
- Legal basis: Consent, law, contract, and legitimate interest.
- Consent's characteristics: Express, unequivocal, specific, previously informed, and free.
- Data: Personal, sensitive (biometric, georeferenced, minors' data, health and genetic).
- Authority: Creates the Agency, which will be the data protection authority responsible for claims regarding data processing under the Bill and its decisions can be appealed to a Court of Appeals.
- Fines: Up to $670,000.
- Compliance: The Bill considers compliance programs and the designation of a data protection officer ('DPO') to be mitigating factors in case of infringements.
- Data subject rights (ARCO rights and others): Access, rectification, cancellation, objection, objection to automated decisions, and data portability.
- Controller and processor: The Bill clearly distinguishes between the controller and the processor, and their obligations.
- Controller's obligations: These include proving a legal basis for data processing, implementing adequate technical and organisational information security measures, data breach notifications, confidentiality, and duty of information.
On 15 December 2020, the CPLT published recommendations for data processing performed by the Government (only available in Spanish here). These recommendations are oriented to the regulation contained in the Bill and GDPR principles. They set a demanding standard, and complying with it requires a complex process of revision and adequacy (compliance).
Currently, there is no data protection authority, thus the Bill creates this authority, which will be exercised by the Agency.
However, as mentioned above, in August 2021, the National Congress dispatched the Consumer Protection Bill, which is expected to come into force before the end of 2021. The Consumer Protection Bill allows the initiation of actions to protect the collective or diffuse interest of consumers and request compensation upon breaches in relation to their personal data.
1.3. Case law
In 2019, SERNAC sued the Chilean Mail Service due to a security breach that affected a US vendor which provided PO BOX services to the Chilean Mail Service's consumers. The affected data was contact and credit card information. It is worth mentioning this lawsuit is mainly based on consumer law. Due to the pandemic, the trial was suspended and should be resumed promptly.
In 2020, the Chilean Mobile Telephony Association ('ATELMO') claimed before the CPLT that the Subsecretary of Telecommunications ('SUBTEL') recurrently requested telecommunications companies to submit their customer databases, including customers' names, phone numbers, addresses, services contracted, and other data.
2. Scope of Application
The Law applies to public and private organisations and regulates personal and sensitive data of identified and identifiable natural persons. However, it does not consider biometric, georeferenced, and minors' data processing, which is included in the Bill.
The Law and the Bill apply to the territory of Chile.
Any operation or set of operations or technical procedure, whether automated or not, that allows, collects, processes, stores, communicates, transmits, or uses in any way personal data or sets of personal data.
3.1. Main regulator for data protection
Currently, there is no data protection authority. The Bill will create this authority, which will be exercised by the Agency, whose purpose will be to ensure the effective exercise, enforcement, and fulfilment of the rights that this new law will provide to the data subjects.
The Agency will fulfil its purpose through, for example, the application of sanctions, such as fines on those who violate the regulations in question, as well as accessory sanctions, that is to say, ordering the data controller to suspend operations and data processing activities for a certain period of time.
These sanctions, specifically the amount of the fines, will be the highest among the current legislation, reaching the equivalent amount of up to 10,000 Monthly Tax Units (approx. $670,000 or €592,080).
Nevertheless, in August 2021, the National Congress dispatched the Consumer Protection Bill which grants SERNAC supervisory powers in case personal data is processed within a consumer relationship. Likewise, the Consumer Protection Bill allows the initiation of actions to protect the collective or diffuse interest of consumers and request compensation upon breaches in relation to their personal data.
3.2. Main powers, duties and responsibilities
As noted above, the Law does not provide any specific authority to enforce the regulations and protect data subjects. Claims are filed with courts.
Nevertheless, the Bill creates the Agency. All claims must be filed with the Agency and its decisions can be appealed to a Court of Appeals.
Regarding SERNAC, this institution has broad auditing powers, and usually the enforcement is highly publicised, which can have a reputational impact.
4. Key Definitions
Data controller: Any natural or legal person, public or private, who decides on the purposes and means of the personal data processing, regardless of whether the data is processed directly by them or through a third party (Article 2(n) of the Law, see also Article 2 of the Bill).
Data subject: Any natural person, identified or identifiable, to whom the personal data concerns or refers (Article 2(ñ) of the Law, see also Article 2 of the Bill).
Personal data: Any information related to or referring to a natural person, identified or identifiable through means that can reasonably be used (Article 2(f) of the Law, see also Article 2 of the Bill).
Sensitive data: Personal data revealing racial or ethnic origin, political, trade union or guild affiliation, personal habits, ideological or philosophical convictions, religious beliefs, data concerning health, human biological profile, biometric data, and information concerning a natural person's sex life, sexual orientation, and gender identity (Article 2(g) of the Law, see also Article 2 of the Bill).
Biometric data: Those obtained from a specific technical treatment, related to the physical, physiological, or behavioural characteristics of a person that allow or confirm their unique identification, such as fingerprint, iris, hand or facial features, and voice (Article 2 of the Bill).
Pseudonymisation: The processing of data performed in such a way that the data can no longer be assigned to a data subject without using additional information, and such additional information is contained separately and is subject to technical and organisational measures designed to ensure that the personal data is not assigned to an identified or identifiable natural person (Article 2 of the Bill).
Consent: Any free, specific, unequivocal, and informed expression of will, by means of which the data subject, their legal representative or agent, as appropriate, authorises the processing of personal data that concerns them (Article 2 of the Bill).
5. Legal Bases
The Law considers the data subject's consent, as well as any requirements under the law, as legal bases for data processing. However, regarding consent, the Law considers broad exceptions, which allow personal data to be processed without the data subject's consent (Article 4 of the Law).
The following legal bases correspond to those established by the Bill. Note that whether a data subject has given their consent or the data controller has authorised the processing of data without such consent, the latter will always prove the processing to be lawful.
This is the main legal basis in order to perform data processing. The Bill states that consent must be free, informed, and specific as to its purpose or purposes, and must also be expressed unequivocally, by means of a verbal or written statement, or expressed through equivalent electronic means, or by an affirmative act that clearly shows the will of the data subject.
Additionally, when consent is given by a representative of the data subject, the latter must be expressly authorised to do so.
Not applicable at present. However, it is included as a legal basis in the Bill.
Data processing is lawful without the data subject's consent when such processing is necessary for the execution of a contract between data subject and controller, or for the execution of pre-contractual measures taken at the request of the data subject.
Data processing is lawful without the data subject's consent when such processing is necessary for the execution or fulfilment of a legal obligation, or where it is required by law.
Not applicable at present. However, it is included as a legal basis in the Bill.
Not applicable at present. However, it is included as a legal basis in the Bill.
Not applicable at present. However, it is included as a legal basis in the Bill.
Data processing is lawful without the data subject's consent when such processing is necessary for the satisfaction of legitimate interests of the controller or a third party, provided that such processing does not affect the rights and freedoms of the data subject. In any case, data subjects may always demand to be informed about the processing that affects them, as well as the legitimate interest on which basis the processing is being carried out.
Currently, there are legal bases that allow personal data processing in certain circumstances, for example:
- medical records (see Law No 20.584 Which Regulates the Rights and Duties that People have in relation to Actions related to their Health Care (only available in Spanish here));
- personal data relating to economic, financial, banking, or commercial obligations (Article 17 of the Law);
- personal data collected from publicly accessible sources (Article 4 of the Law); and
- Law No 21.236 Which Regulates Financial Portability (only available in Spanish here).
The principles of the Bill are:
- purpose of the data processing;
- proportionality and minimisation;
- transparency; and
7. Controller and Processor Obligations
The Law refers to this briefly and only sets out certain obligations to anyone who processes personal data, namely:
- obligation of maintaining secrecy about personal data, when it comes from or has been collected from sources not accessible to the public;
- personal data should be used only for the purposes for which it was collected unless it comes from or has been collected from sources accessible to the public; or
- the data controller must store personal data with due diligence, being responsible for the damages caused.
Notwithstanding the above, the Bill establishes that the data controller has the following obligations:
- to inform and make available to data subjects the background information that proves the lawfulness of the data processing carried out, and to promptly deliver such information when requested;
- to ensure that personal data is collected from lawful sources for specific and explicit purposes, and that its processing is limited to the fulfilment of these purposes;
- to communicate or transfer accurate, complete, and current information;
- to cancel or anonymise data subjects' personal data when it was obtained for the execution of pre-contractual measures; and
- to comply with other principles and obligations governing the processing of personal data provided in the Bill.
It is lawful to process personal data provided the data subject gives their consent (Article 12 of the Bill). In this respect, consent must be expressed unequivocally, by means of a verbal or written declaration, or expressed through an equivalent electronic means, or by an affirmative notice that clearly states the will of the data subject.
Personal data may be transferred with the data subject's consent and for the fulfilment of the data processing purposes.
The Bill states that international data transfers are allowed when the organisation is subject to an order that provides adequate levels of protection of personal data.
Data processors must keep records of the rights exercised by the data subjects.
Even though the Law states the security obligation, it does not consider a Data Protection Impact Assessment ('DPIA').
Nevertheless, the Bill introduces these concepts with regard to security measures. In that sense, the data controller must adopt the necessary measures to ensure compliance with the principle of security, considering the current state of the art and the costs of implementation, nature, scope, context, and purposes of the data processing, risks, and severity of its effects.
Moreover, the data controller must adopt the technical and organisational measures both prior to and during the data processing. Therefore, DPIAs must be performed before beginning any given data processing.
DPOs are not regulated under the Law; however, they are introduced by the Bill. The DPO must be appointed by the highest authority of the institution, usually a board of directors, and must have autonomy regarding the privacy matters conducted.
The DPO must meet the requirements of suitability, ability, and specific knowledge for the exercise of their functions. The DPO may perform other duties, if they are compatible and do not constitute a conflict of interest.
The Law does not establish the obligation to give notice of a data breach. Nevertheless, in 2018 the CMF regulated the obligation for banks and financial institutions to notify the CMF of data breaches that they have suffered, and this notice must be given within 30 minutes of the acknowledgement of the data breach. The same obligation applies to insurance and reinsurance companies.
Regarding the Bill, the data controller and processor must notify the Agency by the most expeditious means possible and without undue delay of any violations of the security measures.
If the breach concerns sensitive data, minors' data, or financial data, data subjects must also be notified.
Based on the proportionality principle, data must be kept for the time needed to fulfil the purposes of the data processing unless the law provides a different deadline.
The Law does not regulate the processing of minors' data.
Nevertheless, under the Bill, children are considered to be under 14 years old, and adolescents are over 14 years old and under 18 years old. Adolescents may provide their consent validly in their own personal capacity, except for sensitive data of adolescents under 16 years of age, which can only be processed with the consent of the parents or legal guardian, unless expressly authorised or mandated by law.
Children's data processing must be performed in accordance with their best interests and progressive autonomy.
The Bill introduces the following special categories of personal data:
- biometric data;
- georeferenced data;
- health-related data; and
- biological data: data related to the genetic, proteomic, or metabolic profile.
The Bill states that in these circumstances, data processing will be governed by a contract executed between the controller and processor, in accordance with the legislation in force. The contract must set forth the object of the engagement, its duration, the purpose of the processing, the type of personal data processed, the categories of data subjects to whom the data relates, and the rights and obligations of the parties.
The data processor may not delegate part or all of the processing, except with the specific written authorisation of the controller. Moreover, any data processor who delegates part or all of the processing to another data processor must remain jointly and severally liable for the processing and will not be exempted from liability on the grounds that they have delegated such processing.
8. Data Subject Rights
Under the Law, data subjects have the right of access, rectification, cancellation, and objection. As previously noted, these rights are currently not commonly exercised by data subjects, and in general, companies have not implemented processes to comply with them. Despite this, SERNAC established the Do Not Disturb List in 2010 to avoid unwanted (spam) promotional communications, and it strictly enforces compliance.
Nevertheless, the Bill includes said rights, defines them, creates new ones (detailed below), and adds an administrative procedure for claims, so that the data subjects can exercise them correctly.
The right to be informed is not considered per se as a data subject right in the Bill, but only as a requirement for the consent as a basis to adequately process personal data.
This is defined as the right to request and obtain from the controller, confirmation as to whether a data subject's personal data is being processed, to access such data where appropriate, and to information provided for in the Bill, such as:
- the processed data and its origin;
- the purpose or purposes of the processing;
- the categories, classes, or types of recipients, or the identity of each recipient, if so requested by the data subject, to whom the data have been communicated or transferred or is intended to be transferred;
- the period during which the data will be processed; and
- the legitimate interests of the data controller, when the processing has a different basis other than the consent of the data subject.
This is defined as the right to request and obtain from the controller, the modification or completion of personal data, when it is being processed, and is inaccurate, outdated, or incomplete.
This is defined as the right to request and obtain from the controller, the deletion or removal of personal data, according to the conditions provided by law, especially when:
- the data is not necessary in relation to the purposes of the processing for which it was collected;
- the data subject has revoked their consent and the processing has no other legal basis;
- the data has been illegally obtained or processed by the controller;
- the data is outdated;
- the data must be deleted in order to comply with a court judgment or a legal obligation; and
- the data subject has exercised their right to object and there is no other legal basis for the data processing.
This is defined as the right to request and obtain from the controller, that a specific and determined processing of data is not carried out, in the following cases:
- if the processing affects any fundamental rights and freedoms;
- if the processing is carried out exclusively for the purpose of marketing or direct marketing of goods, products, or services; and
- if the processing is carried out with respect to data obtained from a publicly accessible source and there is no other legal basis for the processing.
This is defined as the right to request and obtain from the controller a copy of their personal data in a structured, generic, and common electronic format, which allows it to be operated by different systems, and to communicate or transfer it to another controller.
This is defined as the right to object to decisions concerning the data subject made by the controller based solely on the fact that they are made through automated processing of the data subject's personal data, including profiling. If exercised, the controller must take all necessary measures to ensure the rights of the data subject, in particular the right to obtain human intervention by the controller, to express their point of view, and to request a review of the decision.
The Law does not include a detailed list of violations, thus hindering compliance and enforcement. The highest fines amount to $3,500 and, in the absence of a data privacy authority, claims are filed in court.
Fines established by the Bill may amount to up to $750,000. Also, in case of recidivism, the Agency may apply a fine of up to three times the amount assigned to the infraction committed.
Moreover, the Bill states as a sanction the suspension of the data processing for 30 days, which may be extended for the same period.