Data Law Navigator | Chile
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed 8 October 2018
* Poor data protection regulation. No authority or sanctions to be applied in the event of an infringement. No regulator.
The principal data protection legislation is Law 19.628 on protection of personal data (also known as the Chilean Data Protection Law or “CDPL”).
There are also two other legal provisions:
- The Chilean Constitution, in its article 19 No. 4 and No. 5, which enshrines the right to privacy, as well as the protection of personal data; and
- Law 19.496 (Consumer Protection Law) that establishes the regulation regarding unsolicited commercial marketing communications for consumers.
There is no regulatory authority to oversee compliance with data protection laws by the private sector. Public entities are under the control of The Council for Transparency.
Anticipated changes to law
A new law that will replace the current one and that will raise the protection standards is currently being discussed in Congress.
- A new legal definition: The objective will be to update and expand it, in accordance with international standards.
- The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases.
- Cross-Border Data Transfer: It will be regulated for the first time. According to the current law, there is no statement that controls cross-border data transfers.
- A new set of infringements.
- A complaint procedure: This procedure will consist of three (3) steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.
If applicable: stage of legislative implementation of GDPR
On 6 July 2018, the government submitted several amendments to the bill, modifying certain articles and designating The Council for Transparency as the Data Protection Authority (DPA).
The CDPL applies to all natural persons or legal private entities, or to the respective public body that processes personal data as defined by law.
Territory: The CDPL applies to all data processors with respect to the data collected and processed.
Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.
Registration / Notification
There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.
Main obligations and processing requirements
Data processing: The processing of all data will be carried out:
i) In a manner consistent with the law;
ii) For the purposes permitted by the legal system; and
iii) With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data and information related to the data bank; this obligation does not cease upon completion of their functions or activities in that field.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
i) The law authorises it
ii) The data subject expressly accepts said processing
iii) Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data subject rights
Access to data:
The rights pertaining to all data subjects to demand from the person responsible for any public or private data bank, any information that pertains to them, its source, the purpose for collecting, the legality of the data processing and the name of the individuals or entities to which the data is regularly transmitted.
Correction and deletion
Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.
The right of all data subjects to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired.
Data subjects have the right to request the cancellation of data, if the data storage is not authorised by law or if the authorisation has expired. The data subject is also entitled to exercise this right even if this data has been voluntarily provided or is being used for commercial communications, and he no longer wishes to appear in such records, temporarily or permanently.
The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. Such communications must contain a valid email address to which the recipient may request the suspension of future communications.
The only way to object to the illegal treatment of personal data is through legal proceedings.
Processing by third parties
There is no regulation on the processing of personal data by third parties.
Transfers out of the Country
The law does not establish specific requirements or restrictions on transfers of personal data abroad.
In spite of that, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.
In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:
a) Identification of the requesting party
b) Reason and purpose of the request
c) Type of data transmitted
The law does not restrict transfers of personal data to third countries.
Since there are no data transfer restrictions, companies only use the standard clause established by EU legislation, when Chilean companies have received personal data from Europe.
The transfer of personal data does not require registration/notification or prior approval from the relevant data protection authority or entity (given the fact that this body does not exist).
Data Protection Officer
Does not apply. There is no legal requirement for the implementation of a Data Protection Officer.
It is not necessary to take the appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.
It is not necessary to notify breaches of information to any entity responsible for data protection.
Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.