CMS Expert Guide: Data Law Navigator

Chile’s current data protection regime is governed by Law No. 19.628 on the Protection of Private Life, which remains in force and fully applicable until November 30, 2026.

However, on December 13, 2024, Chile enacted Law No. 21.719 on the Protection of Personal Data, a comprehensive reform that modernizes the legal framework, brings it closer to international standards (such as the GDPR) and establishes a dedicated Data Protection Authority. This new law will enter into force on December 1, 2026.

Other legal provisions that regulate some aspects of personal data processing include:

• The Chilean Constitution, in its article 19 No. 4 and No. 5, which enshrine the right to privacy, as well as the protection of personal data, and also;
• Law 19.496 (Consumer Protection Law) that establishes the regulation regarding unsolicited commercial marketing communications for consumers.

The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012, 22/2017 and 77/2024) ("the PDPL").

On 1 March 2023, the National Assembly of Montenegro adopted a new Personal Data Protection Act (“New PDPA”), which entered into force on 1 July 2023 and replaced the previous PDPL. The New PDPA is broadly aligned with the General Data Protection Regulation (GDPR) of the European Union, introducing stricter requirements for data controllers and processors, including enhanced data subject rights, new data breach notification obligations, and higher penalties for non-compliance.) 1  

As of now, Montenegro’s Personal Data Protection Law (PDPL), originally adopted in 2008 (Official Gazette Nos. 79/08, 70/09, 44/12, 22/17), is still in force, with only one minor amendment introduced in August 2024 (Official Gazette No. 77/2024).

The Agencia de Protección de Datos Personales (APDP) will act as the supervisory authority in Chile, with regulatory, investigative and sanctioning powers.

While the APDP has been created by Law No. 21.719, it is not yet operational. Until its formal implementation, Chile remains without a functioning authority in charge of overseeing data protection compliance.

Agency for Personal Data Protection and Free Access to Information (“the Agency”):

• http://www.azlp.me/en/home

Under the New PDPA, the Agency has gained administrative enforcement powers. It can now impose administrative fines for breaches of the New PDPA without recourse to criminal or offence proceedings.) 2

The reform is no longer pending: Law No. 21.719 has been enacted. Its main features include:

• A modernized legal definition of personal data and sensitive data, aligned with international standards;
• Expanded lawful bases for processing: consent, legal obligations, contract performance, vital interests, public interest, and legitimate interest;
• Establishment of the APDP as a fully empowered supervisory authority;
• Regulation of international data transfers based on adequacy decisions, safeguards (standard clauses, binding corporate rules), or informed consent;
• A structured catalogue of infringements with fines of up to 20,000 UTM, or 2% to 4% of annual revenue for large enterprises in case of repeated violations;
• Introduction of a formal complaint mechanism before the APDP, with judicial review before the Court of Appeals.

Changes of the PDPL are anticipated soon, first drafts of the law are already being negotiated.

The new law entered into force on 1 July 2023, as noted above, and no further major legislative changes in personal data protection are currently expected before 2026.) 

Sanctions in Chile are now administrative rather than solely judicial. The new framework distinguishes between minor, serious and very serious infringements, with fines of up to 5,000, 10,000 and 20,000 UTM, respectively.

In addition, for large enterprises, repeated infringements may give rise to fines of up to 2% or 4% of annual revenues, whichever amount is greater. This marks an important difference with the former regime, where only civil courts could impose sanctions through civil court proceedings.

Controllers and processors must keep a register of processing activities, detailing the categories of data, purposes, lawful basis, transfers, and security measures. Controllers must also document the lawful basis relied upon for each processing activity.

Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).

Under the New PDPA, registration or notification requirements have largely been replaced with an accountability-based approach, whereby data controllers must be able to demonstrate compliance with all principles of data processing. However, the obligation to appoint a data protection officer remains if the controller employs more than ten people, or if the data processing activities pose heightened risks to data subjects.

Data processing: 

According to the New CDLP the processing of all data shall be carried out:

• In a manner consistent with the law;
• For the purposes permitted by the legal system; and
• With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 12 of the law establishes that the processing of personal data is permitted only when subject expressly consents or authorises it.

The consent of the data subject must be freely given, informed, and specific as to its purpose or purposes. Consent must also be given in advance and unequivocally, by means of a verbal, written or equivalent electronic statement, or by an affirmative act that clearly indicates the data subject's will.

Article 3 of the law establishes the principles on which the entity responsible for processing personal data must act. The principles are:

Article 3(a): Principles of lawfulness and fairness. Personal data may only be processed in a lawful and fair manner.

Article 3(b): Principle of purpose. Personal data must be collected for specific, explicit and lawful purposes. The processing of personal data must be limited to the fulfilment of these purposes.

Article 3(c): Principle of proportionality. The personal data processed must be strictly limited to what is necessary, appropriate and relevant in relation to the purposes of the processing.

Article 3(d): Principle of quality. Personal data must be accurate, complete, up-to-date and relevant in relation to its source and the purposes for which it is processed.

Article 3(e): Principle of responsibility. Those who process personal data shall be legally responsible for complying with the principles contained in this article and with the obligations and duties under the law.

Article 3(f): Principle of security. When processing personal data, the controller must ensure adequate security standards, protecting it against unauthorized or unlawful processing, and against loss, leakage, accidental damage or destruction. Security measures must be appropriate and proportionate with the processing to be carried out and the nature of the data.

Article 3(g): Principle of transparency and information. The controller must provide the data subject with all the information necessary for the exercise of the rights established by this law, including policies and practices regarding the processing of personal data, which must also be permanently accessible and available to any interested party in a precise, clear, unambiguous and free manner.

Article 3(h): Principle of confidentiality. The controller of personal data and those who have access to it must maintain secrecy or confidentiality regarding such data. The controller shall establish appropriate controls and measures to preserve secrecy or confidentiality. This obligation shall remain in force even after the relationship with the data subject has ended.

Sensitive data: Article 16 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

• The data subject expressly consents to said processing;
• Without consent when:
  • the processing refers to sensitive personal data that the subject has made manifestly public and its processing is related to the purposes for which it was published;
  • the processing is based on a legitimate interest pursued by a legal entity governed by public or private law that does not pursue profit-making purposes and certain conditions are met;
  • the processing of the data subject's personal data is essential to safeguard the life, health or physical or mental integrity of the data subject or another person;
  • the data processing is necessary for the establishment, exercise, or defence of legal claims before courts of law or administrative entities;
  • data processing is necessary for the exercise of rights and the fulfilment of obligations of the data controller or data subject, in the field of employment or social security, and is carried out within the framework of the law; and
  • the processing of sensitive personal data is expressly authorized or mandated by law.

• Information requirement;
• Consent requirements, unless processing is required by the law;
• Notification requirement.

Under the New PDPA, data controllers and processors must also implement data protection by design and by default, conduct data protection impact assessments for high-risk processing, and maintain detailed records of processing activities.

Law No. 21.719 establishes a comprehensive set of rights for data subjects, which are personal, non-transferable, non-waivable, and may not be contractually limited. These rights may also be exercised by the data subject's legal representative or, in the event of death, by their heirs (subject to certain restrictions). The rights include:

Right of Access:

Data subjects have the right to know whether their personal data is being processed, access it, and receive information about its origin, purposes, recipients, retention period, and, in the case of automated decisions, the logic involved and potential effects.

Right to Rectification:

This right allows individuals to request the correction, update, or completion of their personal data when it is inaccurate, outdated, or incomplete. The data controller must suspend processing until the data is rectified.

Right to Erasure (“Right to be Forgotten”):

Individuals can request the deletion of their data when it is no longer necessary, consent has been withdrawn, data has been unlawfully processed, or deletion is required by law or judicial decision, subject to certain legal exceptions.

Right to Object:

Data subjects may object to the processing of their data on compelling personal grounds or when it is used for direct marketing purposes, unless the controller can demonstrate overriding legitimate reasons for the processing.

Right Not to Be Subject to Automated Decisions:

This right ensures individuals are not subject to decisions based solely on automated processing (including profiling) that produce legal effects or significantly affect them, except in certain lawful circumstances with appropriate safeguards.

Right to Data Portability:

Subjects can request a copy of their data in a structured, commonly used, and machine-readable format and transfer it to another controller, provided the processing is based on consent and conducted through automated means.

Right to Restriction of Processing (Blocking):

Data subjects may request the restriction of processing (i.e., blocking) in specific situations, such as when data accuracy is contested, the processing is unlawful but erasure is not desired, or the data is no longer needed but required for legal claims.

Data subjects have the right to:

• be informed in connection with the data processing
• access data relating to them;
• request that the data be corrected, modified, updated or deleted; 
• request a stay and suspension of processing; 
• have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data. 

The New PDPA introduces the right to data portability, aligning Montenegro’s legislation more closely with the GDPR. Data subjects are now entitled to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit those data to another controller if technically feasible.

Under Law No. 21.719, personal data may be processed by a third party acting as a data processor (“encargado del tratamiento”) on behalf of a data controller (“responsable del tratamiento”), provided that such processing is carried out under the controller’s instructions and responsibility. The relationship must be governed by a written agreement that clearly defines the scope, purpose, and duration of the processing, as well as the obligations of the processor to ensure data security, confidentiality, and compliance with the law. The processor must not use the data for its own purposes and must return or delete the data once the processing is complete or upon the controller’s request. Subprocessing is only allowed with prior written authorization.

According to the PDPL, a third party i.e. user of personal data, is any natural or legal person, state body, state administration body, local self-government body or local administration and other entities exercising public authority, which has the right to process personal data, and it is not a person whose personal data is processed, the original data controller of a data filing system, the processor of personal data or a person employed by the controller of the data filling system or the processor of personal data. A data controller is obliged to inform a person if his/her data will be processed by the third party.

Under the New PDPA, the concept of “third party” remains similar. Data controllers must ensure that any third-party processor provides sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the law and ensures the protection of data subject rights.

Article 27 of the law establishes that, provided the requirements authorizing data processing are met, international data transfer operations are lawful in any of the following cases:

• When the transfer is made to a person, entity, or public or private organization subject to the legal system of a country that provides adequate levels of personal data protection, as determined by the APDP;
• When the transfer of data is covered by contractual clauses, binding corporate rules, or other legal instruments signed between the controller making the transfer and the controller or third-party agent receiving it, and these establish adequate safeguards; and
• When the controller making the transfer and the controller or third-party agent receiving it adopt a compliance model or certification mechanism and these establish adequate protection.

In the absence of an adequacy decision or appropriate safeguards, a specific and non-routine transfer may be made if one of the following conditions is met:

• The data subject has given express and informed consent;
• The transfer relates to specific banking, financial, or stock market operations governed by applicable sectoral laws;
• The transfer is necessary to comply with obligations arising from international treaties or agreements ratified by the Chilean State.
• The transfer is required under cooperation, information exchange, or supervision agreements signed by public bodies to carry out their functions;
• The transfer is expressly authorized by law for a specific purpose;
• The transfer is necessary for purposes of international judicial cooperation;
• The transfer is required for the conclusion or performance of a contract with the data subject; or
• The transfer is necessary for urgent medical or health-related measures, such as disease prevention or treatment, or the management of health services.

The APDP may also authorize specific transfers when sufficient guarantees are demonstrated, and it may issue recommendations, suspend transfers, or impose measures to safeguard the rights of data subjects.

The Agency's approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.

Under the New PDPA, cross-border transfers to countries that do not ensure an adequate level of protection may also be carried out if appropriate safeguards are in place, including standard contractual clauses or binding corporate rules approved by the Agency. The Agency generally follows the adequacy framework outlined in the EU GDPR.

Not mandatory. Article 49 of the CDPL establishes that data controllers may voluntarily adopt an infringement prevention model (modelo de prevención de infracciones) consisting of a compliance program. This program must include, among other elements, the designation of a Personal Data Protection Officer (PDPO), who will be responsible for overseeing the controller’s compliance with data protection obligations.

The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.

The New PDPA clarifies that a Data Protection Officer (DPO) must be appointed by all public authorities, as well as private entities whose core activities require regular and systematic monitoring of data subjects on a large scale or involve large-scale processing of special categories of data.

Under article 14 quinquies, data controllers must implement appropriate technical and organizational measures to comply with the security principle. These measures must ensure the confidentiality, integrity, availability and resilience of the data processing systems and services. They should be proportionate to the nature and volume of data processed and must prevent unauthorized access, alteration, destruction, loss, or unlawful processing.

Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.

The New PDPA introduces additional requirements regarding encryption, pseudonymisation, and regular testing of security measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.

Under Article 14 sexies of the CDPL, data controllers must report personal data breaches to the ADPD without undue delay when there is a reasonable risk to the rights and freedoms of data subjects. If the breach involves sensitive data, information about children under 14, or data related to financial or commercial obligations, controllers must also notify the affected data subjects in clear language. These obligations are without prejudice to any additional notification duties under other laws.

A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.

Under the New PDPA, data controllers are required to notify the Agency of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such risk is high, the affected data subjects must also be informed without undue delay.

Direct marketing is governed by Law No. 19.496 on Consumer Protection, which establishes that unsolicited commercial communications sent via email must clearly identify their commercial purpose and include a valid email address to allow recipients to opt out of future communications. Once the recipient requests to opt out, any further unsolicited emails are prohibited by law. The law is applicable to communications sent to individuals for consumer purposes.

Prior information consent of a data subject (a natural person) is required.

The New PDPA provides clearer provisions regarding direct marketing and unsolicited communications, requiring explicit and verifiable consent for electronic marketing messages.

The New CDPL does not directly regulate the use of cookies or similar technologies. However, their use may still be subject to general data protection principles, such as transparency, purpose limitation and consent, particularly when cookies process personal data.

Not regulated. General personal data protection rules apply.

Low

Moderate

• https://www.bcn.cl/leychile/navegar?idNorma=1209272 (New Chilean Data Protection Law)
• https://www.bcn.cl/leychile/navegar?idNorma=61438%C2%A0 (National Consumer Law)
• https://www.bcn.cl/leychile/navegar?idNorma=242302%20 (Chilean Constitution)

No official code of conduct has been published yet but regulatory guidelines may be issued by the Data Protection Agency in the future.

• http://www.azlp.me/en/home 

The Cybersecurity Framework Law No. 21.663, published in April 2024, establishes a comprehensive legal and institutional framework for cybersecurity architecture. The law creates the National Cybersecurity Agency (Agencia Nacional de Ciberseguridad, ANCI), a new public authority tasked with overseeing the implementation of cybersecurity policies, issuing technical standards, coordinating incident responses and imposing sanctions.

The law aligns with international standards and applies to both public and private entities managing Critical Information Infrastructure (CII) or essential services, based on their risk exposure and strategic relevance.

In addition to Law No. 21.663, several other laws govern aspects of cybersecurity and information protection in Chile:

• Law No. 20.285 (2008) - Law on Access to Public Information
• Law No. 17.336 (2004) - Intellectual Property Law
• Law No. 19.927 (2004) - Law amending criminal codes regarding child pornography
• Law No. 19.880 (2003) - Administrative Procedure Law for acts of State administration
• Law No. 19.799 (2002) - Law on Electronic Documents, Electronic Signatures, and Certification Services
• Law No. 20.478 (2010) - Law on Recovery and Continuity in Critical and Emergency Conditions of Public Telecommunications
• Law No. 21.459 (2022) - Cybercrime Law, which modernizes the criminal legal framework for addressing digital crimes, including unauthorized access, system interference and data breaches

Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 113/2024 ("the Law").

The new Law on Information Security of Montenegro (came into force in December 2024) establishes measures and rules for the protection of information systems and networks from cyber threats. It applies to state authorities, ministries, other administrative bodies, local self-government units, legal entities exercising public authority, companies, other legal entities, and individuals who access or handle data and use or manage network and information systems. The law covers both public and private sectors, with specific obligations for entities designated as "key" and "important" subjects, particularly those providing services essential for the life, health, and security of citizens and the functioning of the state.

The full implementation of Cybersecurity Framework Law No. 21.663 depends on future regulations to be issued by the ANCI. These will cover technical standards, risk management protocols, and classification criteria for Critical Information Infrastructure (CII). Meanwhile, Decree No. 295 (2025) has already established binding rules on cybersecurity incident reporting, applicable to both public and private entities.

N/A

The law applies to public and private entities operating CII or essential services. Applicability is based on risk and strategic relevance, not sector.

The Law applies to all entities that use or manage network and information systems, including state bodies, local government, public authorities, and private sector entities that handle data or provide services of public interest. The Law sets out obligations for these entities to implement information security measures to ensure the confidentiality, integrity, and availability of data.

National Cybersecurity Agency (ANCI)

• Ministry responsible for information society and e-government: Oversees state administration cybersecurity and acts as the national contact point.
• CIRT for State Administration: Handles incident response for state bodies.
• Cybersecurity Agency: Responsible for cybersecurity of all other key and important entities, conducts professional oversight, and enforces compliance.
• Council for Information Security: Advisory body for monitoring and improving information security.

Obligations for agencies subject to the law:

• Implementation of technical and organizational measures. Obligated organizations must implement a cybersecurity management system that includes: i) Information security policies; ii) Periodic risk assessments; iii) Technical and operational controls; iv) Vulnerability management; and v) Digital supply chain protection.
• Incident reporting: One of the core obligations is the mandatory reporting of cybersecurity incidents to the National CSIRT.
• Continuity and recovery plans: Entities must have documented and updated plans in place to: i) Ensure operational continuity in the event of disruptive events; ii) Restore services in a secure and orderly manner; and iii) Assess damage and prevent the incident from recurring.
• Audits and monitoring: Entities will be subject to periodic technical audits.
• Training and awareness: All organizations must regularly train their staff in cybersecurity, best practices, incident management and the safe use of information systems.

• Implementation of Security Measures: All entities must implement measures to ensure confidentiality, integrity, and availability of data, including physical, technical, and organizational safeguards.
• Risk Management: Key and important entities must conduct risk analyses, adopt incident response rules, business continuity plans, supply chain security policies, and apply cryptographic protection where necessary.
• Certification: Key entities must obtain and maintain certification under the Montenegrin standard for information security management (MEST ISO/IEC 27001) and undergo periodic compliance checks.
• Designation of Responsible Person: All entities must appoint a person responsible for monitoring the implementation of information security measures.
• Incident Reporting: Entities must assess the impact of cyber threats and incidents. If an incident could significantly affect service continuity, it must be reported to the Cybersecurity Agency (or CIRT for state bodies) within 24 hours. Ongoing and final reports are also required.
• Data Protection: Personal data must be processed in accordance with data protection laws.

The law provides a graduated penalty system for non-compliance, with fines of up to 40,000 UTM depending on the severity of the infringement (minor, serious, or very serious). Enforcement will be led by the ANCI, including its power to supervise, classify and sanction entities subject to the law.

Chile has a national Computer Security Incident Response Team (CSIRT), officially known as: CSIRT of the Government of Chile (CSIRT Nacional)

As of April 2024, the National CSIRT operates under the newly created National Cybersecurity Agency, established by Law No. 21.663.

It serves public institutions and plays a coordinating role for national and international cybersecurity incidents.

Its core functions include:

• Monitoring cyber threats nationwide.
• Coordinating responses to incidents affecting public services and critical infrastructure.
• Collaborating with sector-specific CSIRTs (defense, finance, energy, etc.).
• Issuing alerts, vulnerability reports, and technical guidelines.
• Sharing threat intelligence with international networks.

Montenegro has a national CERT/CSIRT structure composed of the CIRT for state administration (handling incidents for government bodies) and the Cybersecurity Agency (handling incidents for all other key and important entities). These bodies are mandated by law to coordinate incident response, ensure compliance, and represent Montenegro in international cybersecurity matters, ensuring a unified and effective national response to cyber threats and incidents.

The National CSIRT forms part of a centralized structure, coordinated by the ANCI, responsible for incident response, oversight, and strategic coordination across sectors.

• Incident Classification: Incidents are classified as low, medium, or high impact, with escalating reporting and response requirements.
• Sectors Covered: The Law defines key and important entities across sectors such as energy, transport, banking, health, water, digital infrastructure, public administration, and more.
• Crisis Management: In case of a major cyber crisis, the Ministry, with the Agency, can propose that the government declare a cyber crisis, triggering coordinated national response measures.

No.

• Awareness and Training: The Agency is tasked with organizing training for employees, raising public awareness, and collaborating with domestic and international partners.
• Sectoral and Central Registers: The Law mandates the creation of sectoral and consolidated registers of key and important entities, with strict confidentiality requirements.

New Cybercrime Law Status: 

• https://www.bcn.cl/leychile/navegar?idNorma=1202434
• https://www.csirt.gob.cl/
• https://www.bcn.cl/leychile/navegar?idNorma=1211466

• http://www.cirt.me/en/library/strategije?alphabet=lat