Chile - Data Protection Overview
September 2024
1. Governing Texts
Chile approved its first data privacy regulation in 1999: Law No. 19.628 of August 18, 1999, on the Protection of Private Life (only available in Spanish here) (Law), the first of its kind in Latin America. Nevertheless, the Law quickly became obsolete and was practically unenforced, owing to the absence of a catalog of violations, the lack of an official data protection authority, and low fines, among other flaws.
In 2010, Chile became a member of the Organisation for Economic Co-operation and Development (OECD), committing to adapt its data protection regulations and to regularize cross-border data flows. Accordingly, on March 15, 2017, the Government of Chile (Government) presented Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Data Privacy Authority (only available in Spanish here) (Bill), which amends the Law, is based on the standards of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and creates a data protection agency. Its legislative process has been very slow, with countless amendments (indicaciones); at the time of writing it is in the third legislative stage before the Constitution Commission of the Chamber of Deputies. On July 24, 2024, the discussion of the Bill concluded, and it is expected to be voted on in the Chamber of Deputies and the Senate.
On October 7, 2021, the Government amended the Bill to incorporate the creation of an Agency for the Protection of Personal Data as the data protection authority (Agency), and to clarify the structure of fines. Shortly afterwards, to expedite the legislative procedure, the Government placed 'urgency' on the Bill.
Moreover, in 2018, data protection was incorporated as a fundamental right in the Chilean Constitution (only available in Spanish here).
1.1. Key acts, regulations, directives, bills
The current regulation on data privacy is the Law.
The Law recognizes authorization by law and the data subject's consent as legal bases for data processing. However, regarding consent, the Law provides broad exceptions that allow personal data to be processed without the data subject's consent. The Law also addresses personal and sensitive data, but it does not specifically address biometric, georeferenced, or minors' data.
Data subjects have the rights of access, rectification, cancellation, and objection. Nevertheless, these rights are not commonly exercised by data subjects at present. Despite this, the National Consumer Service (SERNAC) established a 'Do Not Disturb List' in 2010 (only available in Spanish here) to prevent unwanted (spam) promotional communications, which SERNAC enforces.
However, the Law does not include a detailed list of violations, which hinders both compliance and enforcement. The highest fines amount to approximately $3,500 and, in the absence of a data protection authority, claims are filed in court.
Given the absence of a specific authority in this area, there have been other authorities that have claimed jurisdiction in order to regulate data protection, such as SERNAC, the Commission for the Financial Market (CMF), and the Chilean Transparency Council (CPLT).
However, on December 24, 2021, Law No. 21.398 of December 24, 2021, which Establishes Measures to Encourage the Protection of Consumer Rights (only available in Spanish here) (Pro Consumer Law), came into force. The Pro Consumer Law grants SERNAC supervisory powers over personal data processed within a consumer relationship, provided that such powers do not fall within the legal competence of another regulatory entity. Consequently, the powers of the Agency proposed in the Bill are preserved.
Likewise, the Pro Consumer Law allows class actions to protect the collective or diffuse interests of consumers, including claims for compensation for breaches involving their personal data.
Under this new power, SERNAC has issued two interpretative circulars relating to data privacy:
- Consumer protection against the use of artificial intelligence (AI) systems (only available in Spanish here): it sets out a series of rules for providers that use AI systems in their consumer relations, such as the provision of accurate, timely, and transparent information, safeguarding freedom of choice, consumer safety, the prohibition of arbitrary discrimination, and the protection of consumers' personal data; and
- Fairness criteria in adhesion contracts (only available in Spanish here): it states that clauses authorizing providers to collect and process consumers' personal data, which are usually found in privacy policies and terms and conditions, should be examined under consumer protection regulation, specifically the rules on the fairness of contractual provisions.
As previously mentioned, in 2017 the Bill was introduced to National Congress, which aims to modify the Law and create the Agency for the Protection of Personal Data. The relevant aspects of the Bill are:
- Scope: Applies to public and private organizations and regulates personal and sensitive data of identified and identifiable natural persons.
- Legal basis: Consent, law, contract, and legitimate interest.
- Consent characteristic: Express, unequivocal, specific, previously informed, and free.
- Data: Personal, sensitive, biometric, georeferenced, minor's data, health and genetic.
- Authority: Creates the Agency, which will be the data protection authority responsible for claims regarding data processing under the Bill and its decisions can be appealed to a Court of Appeals.
- Fines: In accordance with international standards, the Bill increases the applicable fines to up to CLP $1,400,000,000 (approx. $1,507,035), depending on the nature and severity of the violation. In the case of recidivism, the Agency may impose a fine of up to three times the amount allocated to the violation committed. If the violator is an entity other than those defined as small businesses and repeatedly commits a serious or very serious violation, the fine may be up to 2% or 4% of the entity's annual revenue from sales, services, and other activities in the previous calendar year, depending on whether the violation is serious or very serious.
- Compliance: The Bill considers voluntary infringement prevention models as mitigating factors in case of infringements.
- Data subject rights: Access, rectification, suppression, objection, objection to automated decisions, blocking of data, and portability rights.
- Controller and processor: The Bill clearly distinguishes between the controller and the processor, and their obligations.
- Controller's obligations: These include demonstrating a legal basis for data processing, implementing adequate technical and organizational information security measures, notifying data breaches, maintaining confidentiality, and the duty to inform.
1.2. Guidelines
Currently, there is no data protection authority; the Bill creates one, the Agency.
However, as noted above, the Pro Consumer Law grants enforcement powers to SERNAC, which may bring class actions to protect the collective or diffuse interests of consumers and to obtain compensation for consumers whose personal data has been violated.
In addition to the circulars described in the section above on key acts, regulations, directives, and bills, SERNAC has issued notices on the use of cookies and reports on dark patterns, underscoring its intention to protect consumers' personal data.
1.3. Case law
In 2019, relying on consumer law, SERNAC sued the Chilean Mail Service over a security breach at a US vendor that provided PO Box services to the Chilean Mail Service's customers. The compromised data included contact and credit card information.
In 2020, the Chilean Association of Telecommunications claimed before the CPLT that the Subsecretary of Telecommunications (SUBTEL) recurrently requested telecommunications companies to submit their customer databases, including customers' names, phone numbers, addresses, services contracted, and other data.
2. Scope of Application
2.1. Personal scope
The Law applies to public and private organizations and regulates the personal and sensitive data of identified and identifiable natural persons. However, it does not specifically address the processing of biometric, georeferenced, or minors' data, which the Bill does cover.
2.2. Territorial scope
The Law applies within the territory of Chile. The Bill, by contrast, will apply to the processing of personal data carried out under any of the following circumstances:
- when the controller or processor is established or incorporated into the national territory;
- when the processor, regardless of its domicile or incorporation place, carries out the personal data processing operations on behalf of a controller established or incorporated in the national territory; or
- when the controller or processor is not established in the national territory but their personal data processing operations are intended to offer goods or services to data subjects who are in Chile, regardless of whether those data subjects are required to pay, or to monitor the behavior of data subjects who are in the national territory, including the analysis, tracking, profiling, or prediction of their behavior.
The Bill also applies to the processing of personal data carried out by a controller who, not being established on national territory, is subject to national law by virtue of a contract or international law.
2.3. Material scope
Any operation or set of operations or technical procedure, whether automated or not, that makes it possible in any way to collect, process, store, communicate, transmit, or use personal data or sets of personal data.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
Currently, there is no data protection authority. The Bill will create one, the Agency, whose purpose will be to ensure the effective exercise, enforcement, and fulfillment of data subjects' rights.
The Agency will have the power to enforce the law and impose sanctions, such as fines and accessory sanctions (e.g. suspension of data processing).
In accordance with international standards, the Bill increases the applicable fines to up to CLP $1,400,000,000 (approx. $1,507,430), depending on the nature and severity of the violation. In the case of recidivism, the Agency may impose a fine of up to three times the amount allocated to the violation committed. If the violator is an entity other than those defined as small businesses and repeatedly commits a serious or very serious violation, the fine may be up to 2% or 4% of the entity's annual revenue from sales, services, and other activities in the previous calendar year, depending on whether the violation is serious or very serious.
Nevertheless, the Pro Consumer Law grants SERNAC supervisory powers over personal data processed within a consumer relationship, as well as the power to pursue compensation for damages suffered by consumers.
3.2. Main powers, duties and responsibilities
As noted above, the Law does not provide for a specific authority to enforce it; data subjects' claims are filed with the courts.
The Bill, however, creates the Agency. All claims must be filed with the Agency, and its decisions can be appealed to a Court of Appeals. The Agency is responsible for ensuring the effective exercise and fulfillment of the rights the Bill recognizes for data subjects.
As for SERNAC, this institution has broad supervisory powers regarding the protection of consumers' personal data, and its enforcement actions are usually highly publicized, which can have a reputational impact. Nonetheless, if the Bill is passed and becomes law, SERNAC's supervisory powers in this area will be revoked (the Agency will assume them), although SERNAC will retain its power to bring class actions under the Consumer Law.
4. Key Definitions
Data controller: Any natural or legal person, public or private, who decides on the purposes and means of personal data processing, regardless of whether the data is processed directly by them or through a third party processor (Article 2(n) of the Law, see also Article 2(n) of the Bill).
Data processor: Any person who processes data on behalf of the data controller (Article 8 of the Law, see also Article 2(x) of the Bill).
Personal data: Any information related to or referring to a natural person, identified or identifiable (Article 2(f) of the Law). The Bill redefines personal data as any information relating to or concerning an identified or identifiable natural person. An identifiable person is any person whose identity can be established, directly or indirectly, in particular by means of one or more identifiers, such as name, identity card number, analysis of elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that person (see also Article 2 (f) of the Bill).
Sensitive data: Personal data referring to physical or moral characteristics of a person or to facts or circumstances concerning his or her private life or intimacy, such as personal habits, racial origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health, and sex life (Article 2(g) of the Law). The Bill redefines sensitive data as personal data referring to physical or moral characteristics of a person or facts or circumstances concerning their private life or intimacy, revealing racial or ethnic origin, political, trade union or guild-union membership, socioeconomic situation, ideological or philosophical convictions, religious beliefs, data concerning health, human biological profile, biometric data, and information concerning the sex life, sexual orientation, and gender identity of a person. The Bill removes personal habits as sensitive data (see also Article 2 of the Bill).
Health data: Health-related data, biological profile, genetic, proteomic, or metabolic data (Article 2 (g) and 16 bis of the Bill).
Biometric data: Those obtained from a specific technical treatment, related to the physical, physiological, or behavioral characteristics of a person that allow or confirm their unique identification, such as fingerprint, iris, hand or facial features, and voice (Article 16 ter of the Bill).
Pseudonymization: The processing of data performed in such a way that the data can no longer be associated with a data subject without using additional information, and such additional information is contained separately and is subject to technical and organizational measures designed to ensure that the personal data cannot be associated with an identified or identifiable natural person (Article 2(l) of the Bill).
Consent: Any free, specific, unequivocal, and informed expression of will, by means of which the data subject, their legal representative, or agent, as appropriate, authorizes the processing of personal data that concerns them (Article 2(p) of the Bill).
Data processing: Any operation or set of operations or technical procedures, whether automated or not, which makes it possible in any way to collect, process, store, communicate, transmit, or use personal data or sets of personal data (Article 2(o) of the Bill).
5. Legal Bases
The Law recognizes the data subject's consent, as well as authorization by law, as legal bases for data processing. However, regarding consent, the Law provides broad exceptions that allow personal data to be processed without the data subject's consent (Article 4 of the Law).
The following legal bases correspond to those established by the Bill:
5.1. Consent
The Bill states that consent must be free, informed, and specific as to its purpose or purposes, and must also be expressed unequivocally, by means of a verbal or written statement, or expressed through equivalent electronic means, or by an affirmative act that clearly shows the will of the data subject.
Additionally, when consent is given by a representative of the data subject, the representative must be expressly authorized to do so.
5.2. Contract with the data subject
Not applicable at present. However, it is included as a legal basis in the Bill.
Data processing is lawful without the data subject's consent when such processing is necessary for the execution of a contract between the data subject and controller, or for the execution of pre-contractual measures taken at the request of the data subject.
5.3. Legal obligations
Data processing is lawful without the data subject's consent when such processing is necessary for the execution or fulfillment of a legal obligation, or where it is required by law.
5.4. Interests of the data subject
Not applicable.
5.5. Public interest
Not applicable.
5.6. Legitimate interests of the data controller
Not applicable at present. However, it is included as a legal basis in the Bill.
Data processing is lawful without the data subject's consent when such processing is necessary for the satisfaction of legitimate interests of the controller or a third party, provided that such processing does not affect the rights and freedoms of the data subject. In any case, data subjects may always demand to be informed about the processing that affects them, as well as the legitimate interest on which basis the processing is being conducted.
5.7. Legal bases in other instances
Currently, there are legal bases that allow personal data processing in certain circumstances, for example:
- medical records (see Law No 20.584 Which Regulates the Rights and Duties that People have in relation to Actions related to their Health Care (only available in Spanish here));
- personal data relating to economic, financial, banking, or commercial obligations (Article 17 of the Law);
- personal data collected from publicly accessible sources (Article 4 of the Law); the Bill removes this standalone legal basis and provides that the processing of such data is subject to the purposes for which the data is in the publicly accessible source; and
- Law No 21.236 Which Regulates Financial Portability (only available in Spanish here).
6. Principles
The principles of the Bill are:
- lawfulness and fairness;
- purpose of the data processing;
- proportionality and minimization;
- quality;
- accountability;
- security;
- transparency; and
- confidentiality.
See also Article 3 of the Bill.
7. Controller and Processor Obligations
The Law addresses this only briefly and sets out a handful of obligations for anyone who processes personal data, namely:
- the obligation to maintain secrecy about personal data that comes from, or has been collected from, sources not accessible to the public;
- personal data may be used only for the purposes for which it was collected, unless it comes from, or has been collected from, sources accessible to the public; and
- the data controller must store personal data with due diligence and is liable for any damages caused.
Notwithstanding the above, the Bill establishes that the data controller has the following obligations:
- to inform and make available to data subjects the background information that proves the lawfulness of the data processing and to promptly deliver such information when requested;
- to ensure that personal data is collected from lawful sources for specific and explicit purposes and that its processing is limited to the fulfillment of these purposes;
- to communicate or transfer accurate, complete, and current information;
- to suppress or anonymize data subjects' personal data when it was obtained for the execution of pre-contractual measures; and
- to comply with other duties, principles, and obligations governing the processing of personal data provided in the Bill.
The data controller who is not domiciled in Chile and who processes data of persons residing in the national territory, must indicate and keep updated and operative, an e-mail address or other suitable means of contact to receive communications from the data subjects and the Agency.
7.1. Data processing notification
It is lawful to process personal data with the data subject's consent (Article 12 of the Bill). Consent must be expressed unequivocally, by means of a verbal or written declaration, through an equivalent electronic means, or by an affirmative act that clearly shows the will of the data subject.
Where consent is given by a representative or agent of the data subject, that person must be expressly authorized to do so. The data subject may, at any time and without giving any reason, revoke the consent given, using means similar or equivalent to those used to obtain it. Withdrawal of consent has no retroactive effect.
The means used to grant or revoke consent must be rapid, reliable, free of charge, and permanently available to the data subject.
Consent to the processing of data is presumed not to have been freely given if the data controller collects the data in the context of the performance of a contract or the provision of a service where such collection is not necessary.
The onus is on the data controller to prove that it has the data subject's consent and that the data processing has been carried out in a lawful, fair, and transparent manner.
7.2. Data transfers
Personal data may be transferred with the data subject's consent and for the fulfillment of the data processing purposes.
The Bill states that international data transfers are allowed when the recipient is subject to a legal order that provides adequate levels of protection of personal data. The Agency will decide, by reasoned decision, which countries provide an adequate level of data protection, considering at least the following elements:
- the establishment of principles governing the processing of personal data;
- the existence of rules recognising and guaranteeing the rights of data subjects and the existence of a public judicial or administrative authority for control or supervision;
- the imposition of information and security obligations on controllers, third-party processors, and appointed third parties; and
- the determination of liabilities in the event of breaches.
See Article 28 of the Bill.
7.3. Data processing records
Data processors must keep records of the rights exercised by the data subjects.
7.4. Data protection impact assessment
Although the Law imposes a security obligation, it does not explicitly provide for a Data Protection Impact Assessment (DPIA).
Nevertheless, the Bill requires carrying out a DPIA whenever a type of processing, by its nature, scope, context, technology used, or purposes, is likely to result in a high risk to the rights of data subjects.
Moreover, the data controller must adopt the technical and organizational measures both prior to and during the data processing. Therefore, DPIAs must be performed before beginning any given data processing.
A DPIA is required, in particular, in the following cases:
- a systematic and comprehensive evaluation of personal aspects of data subjects based on automated processing or decisions, such as profiling, that has significant legal effects on them;
- mass or large-scale processing of data;
- processing involving the systematic observation or monitoring of a publicly accessible area; or
- processing of sensitive and specially protected data in cases where consent is not required.
7.5. Data protection officer appointment
DPOs are not regulated under the Law; the Bill introduces them through the provisions on the infringement prevention model, which consists of compliance programs. The Bill sets out the minimum requirements for an infringement prevention model and regulates its certification process and registration in a National Register of Sanctions and Compliance, to be administered by the Agency. Appointing a Data Protection Officer will be mandatory for any organization that decides to adopt an infringement prevention model. The DPO must be appointed by the organization's highest authority, usually the board of directors, and must have autonomy in the privacy matters they handle.
The DPO must meet the requirements of suitability, ability, and specific knowledge for the exercise of their functions. The DPO must maintain strict secrecy or confidentiality of the personal data known to him in the exercise of his position. The DPO may perform other duties, if they are compatible, and do not constitute a conflict of interest.
The DPO may perform the following duties:
- To inform and advise the data controller, third party data processors or agents, and the data controller's employees, regarding the legal and regulatory provisions relating to the right to the protection of personal data and the regulation of their processing.
- Promote and participate in the policy established by the data controller regarding the protection and processing of personal data.
- Supervise, within the scope of their competence, compliance with the law and with the policy issued by the data controller.
- Ensure the ongoing training of persons involved in data processing operations.
- Assist the members of the organization in identifying the risks associated with the processing activity and the measures to be adopted to safeguard the rights of the holders of personal data.
- Develop an annual work plan and report on its results.
- Respond to queries and requests from data subjects.
- Cooperate with and act as a contact point for the Agency.
7.6. Data breach notification
The Law does not establish an obligation to notify data breaches. Nevertheless, in 2018 the CMF introduced an obligation for banks and financial institutions to notify data breaches to the CMF within 30 minutes of becoming aware of the breach. The same obligation applies to insurance and reinsurance companies.
Regarding the Bill, the data controller and processor must notify the Agency by the most expeditious means possible and without undue delay of any violations of the security measures resulting in the accidental or unlawful destruction, leakage, loss, or alteration of the personal data processed or to the unauthorized communication or access to such data, where there is a reasonable risk to the rights and freedoms of data subjects.
The data controller must record such communications, describing the nature of the breaches suffered, their effects, the categories of data and the approximate number of data subjects affected, and the measures taken to manage and prevent future incidents.
If the breach concerns sensitive data, minors' data, or financial data, data subjects must also be notified.
The notification must be made in clear and simple language and must identify the data concerned, the possible consequences of the security breach, and the remedial or protective measures taken. It must be delivered to each affected data subject or, if this is not possible, published as a notice in a mass media outlet with national reach.
7.7. Data retention
Under the proportionality principle, data may be kept only for the time needed to fulfill the purposes of the processing, unless the law or the data subject's consent provides for a different period. Upon expiry of that period, the data must be deleted or anonymized.
7.8. Children's data
The Law does not regulate the processing of minors' data.
Nevertheless, regarding the Bill, children are under 14 years old, and adolescents are over 14 years old and under 18 years old. Adolescents may provide their consent validly in their own personal capacity, except for sensitive data of adolescents under 16 years of age, which can only be processed with the consent of the parents or legal guardian, unless expressly authorized or mandated by law.
Children's data processing must be performed accordingly with their best interests and progressive autonomy.
7.9. Special categories of personal data
The Bill introduces the following special categories of personal data:
- biometric data;
- georeferenced data;
- health-related data; and
- biological data: data related to the genetic, proteomic, or metabolic profile.
7.10. Controller and processor contracts
The Bill states that in these circumstances, data processing will be governed by a contract executed between the controller and processor, in accordance with the legislation in force. The contract must set forth the object of the engagement, its duration, the purpose of the processing, the type of personal data processed, the categories of data subjects to whom the data relates, and the rights and obligations of the parties.
The data processor may not delegate part or all the processing, except with the specific written authorization of the controller. Moreover, any data processor who delegates part or all of the processing to another data processor must remain jointly and severally liable for the processing and will not be exempted from liability on the grounds that they have delegated such processing.
8. Data Subject Rights
Under the Law, data subjects have the right of access, rectification, cancellation, and objection. As previously noted, currently these rights are not commonly exercised by data subjects, and in general, companies have not implemented the process to comply with these rights. Despite this, SERNAC established in 2010, the Do Not Disturb List to avoid unwanted (spam) promotional communications, and they strictly enforce compliance.
Nevertheless, the Bill includes said rights, defines them, creates new ones (detailed below), and adds an administrative procedure for claims, so that the data subjects can exercise them correctly.
These rights are personal, non-transferable, and inalienable and may not be limited by any law or convention. In the event of the death of the data subject, the rights recognized by the law may be exercised by his or her heirs. The heirs may not have access to the data of the deceased, nor may they request its rectification or suppression, if the deceased has expressly forbidden it or if it's established by law.
8.1. Right to be informed
The right to be informed is not considered per se as a data subject right in the Bill, but only as a requirement for consent as a basis to adequately process personal data.
8.2. Right to access
This is defined as the right to request and obtain from the controller, confirmation as to whether a data subject's personal data is being processed, to access such data where appropriate, and to information provided for in the Bill, such as:
- the processed data and its origin;
- the purpose or purposes of the processing;
- the categories, classes, or types of recipients, or the identity of each recipient, if so requested by the data subject, to whom the data have been communicated or transferred or is intended to be transferred;
- the period during which the data will be processed; and
- the legitimate interests of the data controller, when the processing has a different basis other than the consent of the data subject.
This right includes the right to access meaningful information about the logic applied in the case of automated individual decisions made by the controller, including profiling.
8.3. Right to rectification
This is defined as the right to request and obtain from the controller, the modification or completion of personal data when it is being processed and is inaccurate, outdated, or incomplete. The rectified data must be communicated to the persons, entities, or organizations to which the data controller has communicated or transferred the said data, except in cases where such communication is impossible or requires a disproportionate effort. Once the rectification has been carried out, the uncorrected data may not be processed again.
8.4. Right to erasure
This is defined as the right to request and obtain from the controller the deletion or removal of personal data, according to the conditions provided by law, especially when:
- the data is not necessary in relation to the purposes of the processing for which it was collected;
- the data subject has revoked their consent and the processing has no other legal basis;
- the data has been illegally obtained or processed by the controller;
- the data is outdated;
- the data must be deleted in order to comply with a court judgment or a legal obligation; and
- the data subject has exercised their right to object and there is no other legal basis for the data processing.
8.5. Right to object/opt-out
This is defined as the right to request and obtain from the controller that specific and determined processing of data is not carried out, in the following cases:
- if the processing affects any fundamental rights and freedoms;
- if the processing is conducted exclusively for the purpose of marketing or direct marketing of goods, products, or services; and
- if the processing is carried out with respect to data obtained from a publicly accessible source and there is no other legal basis for the processing.
Deletion does not apply where the data processing is necessary:
- to exercise the right to freedom of opinion and freedom to provide information;
- to comply with a legal obligation or the performance of a contract entered into between the data subject and the data controller;
- for the performance of a public function or for the exercise of an activity in the public interest;
- for reasons of public interest in public health, in accordance with the conditions and guarantees set out in the law;
- for processing for historical, statistical, or scientific purposes, and for studies or research in the public interest; and
- for the formulation, exercise, or defense of administrative or judicial claims.
Objection to the processing of data shall not be admissible where the processing is carried out for the purposes of scientific or historical research or statistical purposes, provided that such processing is necessary for the performance of a public task or for the exercise of an activity carried out in the public interest.
8.6. Right to data portability
This is defined as the right to request and obtain from the controller a copy of their personal data in a structured, generic, and common electronic format, which allows it to be operated by different systems, and to communicate or transfer it to another controller.
The data subject may exercise this right in the following circumstances:
- the processing is carried out by automated means; and
- the processing is based on the data subject’s consent.
The data controller should provide the quickest, least onerous, and unimpeded means for the exercise of this right.
The data controller must also communicate to the data subject in a clear and precise manner the measures necessary to obtain his personal data and specify the technical characteristics for carrying out these operations.
The data subject must have the right to have his personal data transmitted directly from controller to controller where technically feasible.
However, the exercise of the right of portability does not entail the deletion of the data from the transferring controller, unless the data subject so requests.
8.7. Right not to be subject to automated decision-making
This is defined as the right to object to decisions concerning the data subject that the controller makes based solely on automated processing of the data subject's personal data, including profiling. If exercised, the controller must take all necessary measures to ensure the rights of the data subject, in particular the right to obtain human intervention by the controller, to express their point of view, and to request a review of the decision.
This right will not be applicable in the following cases:
- where the decision is necessary for the conclusion or performance of a contract between the data subject and the data controller;
- where the data subject has given prior express consent in the manner prescribed by law; or
- when provided for by law, to the extent that the law provides for the use of safeguards to the rights and freedoms of the data subject.
8.8. Other rights
Right to block data processing: The data subject has the right to request the temporary suspension of any processing operation of his or her personal data when making a request for rectification, erasure, or objection.
9. Penalties
The Law does not include a detailed list of violations, thus hindering compliance and enforcement. The highest fines amount to $3,500, and in the absence of a data privacy authority, claims are filed in court.
In accordance with international standards, the Bill increases the applicable fines to up to CLP $1,400,000,000 (approx. $1,507,117), depending on the nature and severity of the violation. In the case of recidivism, the Agency may impose a fine of up to three times the amount allocated to the violation committed. If the violator is an entity other than those defined as small businesses and it repeatedly commits a serious or very serious violation, the fine may be up to an amount equal to 2% or 4% of the annual revenue from sales and services and other activities of the entity in the previous calendar year, depending on whether the violation is serious or very serious.
Moreover, the Bill states as a sanction the suspension of the data processing for 30 days, which may be extended for the same period.
9.1. Enforcement decisions
Not applicable.