The “Law”
The Chilean legal framework for data protection can be found in Article 19, No 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data will be carried out in the manner, and under the conditions, laid down by law. In addition, Chile has a dedicated data protection law, Law No 19.628 on Privacy Protection (the “Law”), which was published in the Official Gazette on 28 August 1999. The current Law is not based on any international instrument on privacy or data protection (such as the OECD Guidelines, Directive 95/46/EC, the EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).
The “New Law”
However, on Friday 13 December 2024, Law No 21.719 on Personal Data Protection (the “New Law”), which reforms and updates Law No 19.628, was published in the Official Gazette. This regulation – inspired by the General Data Protection Regulation of the EU – brings with it important modifications and raises the standards by which the information of clients, data subjects, collaborators and partners is handled and protected by various institutions, databases, data controllers and data processors.
As of the date of publication of the New Law, a 24-month vacatio legis (transition) period began, during which companies and public bodies must adapt their personal data processing to the new regulations before the Personal Data Protection Agency (the “Agency”) begins its functions, which include imposing sanctions for non-compliance. This chapter will carefully review the current regulations applicable in Chile on the protection of personal data, and will highlight the fundamental changes that the new Law No 21.719 will bring about once it comes into force in December 2026.
At present, and in general, the main regulators of data protection are the civil courts under the Law. However, this will change in December 2026 when the Agency created by the New Law becomes functional.
In the meantime, other entities currently have powers in matters of personal data protection, the main ones being the following.
Consumer Rights
Currently, the National Consumer Service (Servicio Nacional del Consumidor, or SERNAC) is the supervisory body for the protection of personal data in the context of consumer relations, until the Agency is established in December 2026.
Although it does not have sanctioning powers, SERNAC can exercise its powers to file individual or class actions before the courts, supervise, inspect, investigate, and issue interpretative circulars that are mandatory for SERNAC officials when applying the regulation and the Law (eg, at the time of audit).
Public Sector
The Council for Transparency (the “Council”) is responsible for ensuring compliance with the Law by the organs of state administration. The Council has issued Recommendations on the Protection of Personal Data by the Organs of State Administration, the Guide on Protection of Personal Data for Public Institutions (2021) and Resolution No 489/2022, which approved the Procedure for Processing Requests for the Exercise of ARCO Rights made before the Council. ARCO rights are those of access, rectification, cancellation or elimination, opposition and blocking of personal data held, in this case, by the Council.
Financial Sector
The Financial Market Commission (Comisión para el Mercado Financiero, or CMF) is the control body in the financial sector and has regulatory and supervisory powers in matters of personal data protection, information security and cybersecurity.
Under Chapters 18-5, on information about debtors from financial institutions, and Chapters 20-6 and following of the Updated Compilation of Standards (Recopilación Actualizada de Normas de Bancos, or RAN) of the CMF on business continuity, information security and outsourcing of services, financial institutions must have an internal policy on security and management of debtor information (Política Interna de Seguridad y Manejo de la Información sobre Deudores, or PISMID), which must follow international principles and best practices on personal data processing.
Law No 21.521, known as the “Fintech Law”, to “[promote] competition and financial inclusion through innovation and technology in the provision of financial services”, mandates the CMF to dictate the cybersecurity and personal data protection standards that financial institutions participating in the future Open Finance System must comply with.
Cybersecurity
In the area of cybersecurity, Chile has the Cybersecurity Framework Law No 21.663, which created the National Cybersecurity Agency; the agency began its functions on 1 January 2025. The Cybersecurity Framework Law applies to two types of entities: providers of essential services (telecommunications, digital services, digital infrastructure, water, health, energy, utilities, etc.) and operators of vital importance (operadores de importancia vital, or OIVs), the latter designated after a special procedure led by the National Cybersecurity Agency at least every three years.
In the context of personal data protection, the Cybersecurity Framework Law establishes the obligation for both essential service providers and OIVs to notify cybersecurity incidents with significant effects to the National Computer Security Incident Response Team (Equipo Nacional de Respuesta a Incidentes de Seguridad Informática, or National CSIRT), including incidents affecting computer systems containing sensitive personal data.
There is currently no privacy regulator or data protection authority in Chile, although there is a legal action (habeas data) that data subjects may exercise in the event of a breach of data. Thus, data protection enforcement is addressed by general courts with general powers. A summary court procedure is established by the Law if the person responsible for the personal data registry or bank fails to respond to a request for access, rectification, suppression or blocking of personal data within two business days, or refuses a request on grounds other than the security of the nation or the national interest.
Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (USD70 to USD700, and USD700 to USD3,490 approximately). Fines are determined in a summary court procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data will be compensated. In those cases, the amount of compensation will be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.
On the other hand, the New Law advances from judicial logic to administrative logic, where the body in charge of overseeing this new regulatory standard will be the Personal Data Protection Agency, an administrative body of a technical nature, with regulatory, interpretive, supervisory and sanctioning powers.
With regard to the sanctioning regime, in the event of non-compliance with the New Law, the Agency may:
Because a protection system based on judicial logic is currently in force, there is no precedent of a relevant administrative sanctioning procedure in this jurisdiction. This will change when the New Law comes into force in December 2026.
The National AI Policy 2024–2031 (the “Policy”), with its respective Action Plan, was officially launched on 2 May 2024. The objective of the Policy is to promote the development and ethical and responsible use of AI in Chile, so that this technology can help to promote the country’s new development and growth model.
The 2021 Policy
Chile published its first National Artificial Intelligence Policy in 2021. Among its objectives were to position Chile at the Latin American level in AI and to insert the country into the vanguard of global collaboration related to AI. The policy was based on four cross-cutting principles: AI with a focus on people’s well-being, respect for human rights and security; AI for sustainable development; inclusive AI; and globalised AI.
The 2021 Policy had three pillars:
The New National AI Policy 2024–2031
During the year 2023, and as a result of the work carried out by the Ministry of Science with various stakeholders through multiple spaces of participation, the need arose to update the third pillar on “governance and ethics”. The update of this pillar was done in collaboration with UNESCO and its readiness assessment methodology (RAM) in the context of its “Recommendations on the Ethics of AI” published in 2021.
Thus, in this version, topics such as training new talent, improving infrastructure, empowering citizens, boosting industry and creating research funds dedicated to AI were included.
Among the main changes introduced in this version, the following stand out:
Action Plan
With regard to the Action Plan of the new national AI policy, which translates the Policy into concrete measures to be implemented until 2031, the following targeted measures stand out:
Consumer Protection
SERNAC issued an interpretive circular on consumer protection against the use of AI systems. This circular includes a series of interpretive rules that aim to establish the meaning and scope of the regulations on the protection of consumer rights, and the protection of personal data that SERNAC is responsible for monitoring, in the face of risks derived from AI systems in the context of a consumer relationship:
Public Sector
In the public sector, the current institutional ecosystem of AI governance is led by the Ministry of Science and the Interministerial Council for Science, Technology, Knowledge and Innovation. In this sense, the different ministries that make up the institutional ecosystem could potentially exercise their regulatory competences in the field of AI.
In this regard, the Ministry of Science and the Digital Government Division of Chile published a circular in mid-December 2023 with “Recommended Guidelines for the Use of AI by State Agencies”, which started to be implemented during 2024. The circular contains recommendations related to human-centred AI guidelines; transparency and explainability; as well as privacy and data use.
National Data Centres Plan 2024–2030
On 5 December 2024, the National Data Centres Plan 2024–2030 (“PDATA”) was officially published by the Ministry of Science of Chile, and this was promoted in the context of the Ministerial Cabinet Pro-Growth and Employment of the Government. The plan aims to promote the growth of the data centre industry; promote a decentralised industry, with low socio-environmental impact, that is supported by renewable energies; and strengthen the country’s research and development capabilities, especially those focused on AI.
For this reason, the plan proposes a series of measures that will be adopted by the country until 2030:
Public Sector
The circular with the “Recommended Guidelines for the Use of AI by State Agencies” states that the processing of personal data, especially of a sensitive nature, when using AI tools should ensure compliance with Law No 19.628 on privacy protection and its amendments (the “New Law”), in particular to ensure that data processed for the development, training or use of AI tools is used exclusively for the purposes authorised by the data subjects or by law.
Likewise, the circular recommends that personal information, especially of a sensitive nature, should not be entered in generative AI tools, when these have not been contracted or developed by or for the state administration. In this regard, special care should also be taken with the confidential information of legal persons to which the administration has access.
Bill Regulating AI Systems
Since May 2024, the draft law filed by the government regulating AI systems has been under discussion in the Chamber of Deputies. The bill is in some respects inspired by the EU AI Act, especially when classifying the risk levels of the uses of AI systems (unacceptable/prohibited risk; high risk; limited risk; no evident risk).
In terms of personal data protection, the bill contemplates the principle of data governance, which would translate into specific obligations for operators of high-risk AI systems (eg, information management systems). In addition, the bill establishes that the Personal Data Protection Agency would be the supervisory authority with oversight and sanctioning powers of the law, while a Technical Advisory Council on AI and the Ministry of Science would concentrate the regulatory powers.
Recent cases in Chile suggest a rise in litigation related to privacy and personal data protection that has reached the public debate, particularly regarding the collection and use of biometric data. The case of Worldcoin, a company that scans people’s irises in exchange for cryptocurrency, exemplifies this trend. SERNAC has taken action against Worldcoin, filing a complaint in court for questionable data collection practices and even requesting the suspension of its operations in Chile. Numerous citizen complaints have also been filed with SERNAC, highlighting growing public concern about how companies handle personal data, especially sensitive biometric data.
In addition to the Worldcoin case, the National Economic Prosecutor’s Office (Fiscalía Nacional Económica, or FNE) has faced opposition from major universities when requesting student contact data for a market study. Universities refused to comply with the FNE’s request, arguing that the data requested, and its purposes, do not comply with the principle of proportionality in the processing of personal data.
These cases, in the context of the publication of the New Law which will come into force in December 2026, highlight a greater sensitivity on the part of the public regarding issues related to personal data protection in Chile.
SERNAC v WorldCoin (ongoing)
Universities v FNE
Sánchez v WorldCoin
Lagos v WorldCoin
SERNAC could bring collective actions on behalf of the collective or diffuse interests of consumers before the courts. The most recent and publicly relevant case has been the infringement complaint before the courts against WorldCoin, explained in the previous section (see 2.2 Recent Case Law).
The Law in Force
Purpose: Law No 19.628 on the protection of privacy in Chile aims to protect the privacy of individuals and prevent the misuse of their personal data.
Scope: The law applies to all processing of personal data carried out in the country. This includes public and private bodies that store personal data in registers or data banks.
Rights of data subjects:
The New Law
The purpose of the New Law will be to regulate the form and conditions under which the processing and protection of the personal data of natural persons is carried out. It applies to any processing of personal data carried out by a natural or legal person, including public bodies.
This does not apply:
With regard to the territorial scope of application, it applies:
In addition to the rights to which data subjects are entitled and which they may exercise vis-à-vis data controllers, the following have been added:
Currently, in Chile, the Law distinguishes between personal data and sensitive personal data. According to the Law, “sensitive data” means personal data that refer to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health conditions, and their sex life. Sensitive data may not be processed unless authorised by the data subject, or unless it is necessary for the determination or provision of health benefits, or authorised by law.
On the other hand, there is no definition of financial data in the law in force, although there are some rules in this respect. If financial data can be considered as personal data, no authorisation is required if the data originates, or is collected, from publicly accessible sources. Financial data may not be processed in the following cases:
However, the New Law that will come into force in December 2026 brings with it more specific applicable rules for certain categories of personal data, including sensitive personal data, such as biometric data, health data and human biological profile data, as well as special rules for the personal data of children and adolescents, historical or statistical data, and location data.
The Law in Force
As there is currently no specialised data protection supervisory authority, the obligations under the current law have little or no oversight. SERNAC has now taken action against WorldCoin, but at the national level this is practically an anecdotal case. See 2. Privacy Litigation.
Among the obligations for data controllers, the following stand out: to adopt security measures; to respond to requests from data subjects; and to use personal data only for the purposes for which it was collected. However, there are no specific rules that regulate in detail the duties and obligations of data controllers, except at the sectoral level depending on the instructions or powers of the supervisory authorities, for example, in banking and finance or in the public sector.
The New Law
From December 2026 when Law No 21.719 comes into force, data controllers will have the following obligations:
A data controller who is not domiciled in Chile, and who processes the data of persons residing in Chile, must keep an email address or other suitable means of contact updated and operational in order to receive communications from the data subjects and the Agency.
In addition, the following duties applicable to both data controllers and data processors are regulated (with some exceptions):
In the event of data processing through a data processor, the considerations contained in Article 15 bis of the New Law must be complied with and addressed. Thus, such processing must be governed by the contract entered into between the data controller and the data processor and must contain the special elements set out in that provision.
Furthermore, where it is likely that a type of processing, by its nature, scope, context, technology used or purposes, is likely to put the rights of data subjects at high risk, the controller must, prior to starting processing operations, carry out a personal data protection impact assessment.
Finally, unlike the GDPR, the Chilean regulation will provide for a voluntary infraction prevention model, consisting of a compliance programme that will have to be certified by the Agency. Certification of this model will help to reduce the amount of the fine in case of infraction, as it is contemplated as a mitigating circumstance of liability.
As for the appointment of the data protection officer (DPO), while the GDPR makes this appointment mandatory based on the type of entity and the processing activities, the Chilean regulation links it to the voluntary adoption of a prevention model. In other words, in Chile, the appointment of a DPO is only mandatory if a prevention model is voluntarily adopted.
For more details on the control authorities currently in force regarding personal data protection in Chile, see 1.2 Regulators.
On the other hand, the Personal Data Protection Agency, created by Law No 21.719, which will come into operation in December 2026, will be an autonomous, technical and decentralised entity that will have the objective of protecting the personal data of people in Chile.
Powers of the Personal Data Protection Agency
Under both the current law and the New Law that will come into force in December 2026, if cookies collect personal data, they can be considered as data processing, so companies that place cookies will require the consent of the data subject (with some exceptions, or using other bases of lawfulness of data processing) and must comply with the general rules for the processing of personal data. See 3. Data Regulation on IoT Providers, Data Holders and Data Processing Services.
Law No 19.496 on the Protection of Consumer Rights contains a provision regarding marketing through email. Every promotional or advertising communication sent by email must indicate its subject, the identification of the sender, and a valid email address to which the recipient can address a request for the suspension of the advertising communications, which must cease from then on.
Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services must indicate an expedited way the addressees may request the suspension of the communications.
Regarding data privacy, this practice requires consent from the data subject, unless the data comes from sources available to the public.
The Political Constitution of the Republic of Chile guarantees the respect and protection of the privacy and honour of a person and their family at a constitutional level. Such constitutional protection extends to workers. The same protection is guaranteed in Article 5 of the Chilean Labour Code.
According to the Labour Department of Chile, employers may regulate the conditions, frequency and timeliness of use of the company’s emails, but may not, under any circumstances, have access to the private email correspondence sent and received by employees. This would violate the fundamental rights granted by the Political Constitution of the Republic of Chile.
If there is a breach of a worker’s privacy, and that worker is part of a union, the union may apply some pressure on the employer to fulfil the law.
All means to control workers – including cybersecurity tools – must comply with respect for the fundamental rights granted by the Political Constitution of the Republic of Chile, the right to privacy, a private life and the honour of workers. Therefore, control mechanisms are only allowed if they fulfil the following requirements:
There is no discovery system in Chile.
As a general rule, in asset transactions, the personal data protection regulations of the current law must be complied with, and eventually, from December 2026, the regulations of the New Law.
However, for now, Chilean financial institutions must also comply with certain regulations for processing personal data during asset transactions and within the Open Finance System (Sistema de Finanzas Abiertas, or SFA), issued by the CMF.
For example, banks must require the presentation of the taxpayer identification number (RUT) or the national identity card for various financial operations such as loans, purchase of securities, opening of accounts, etc. This information is considered personal data. Likewise, banks must record the RUT or identity card number in the customer information or in the transaction document.
On the other hand, the SFA (which will gradually come into operation by 2027) will require that clients’ personal data only be transferred or transmitted to third parties in accordance with the applicable legal bases, and in compliance with Law No 19.628 on the protection of personal data and its updates.
The General Standard issued by the CMF that regulates the SFA establishes that information service providers (instituciones proveedoras de información, or IPIs) and account providers (instituciones proveedoras de cuentas, or IPCs) must obtain the express consent of the data subject to share financial information with information-based service providers (instituciones proveedoras de servicios basados en información, or PSBIs) and payment initiation service providers (proveedores de servicio de iniciación de pagos, or PSIPs). Also, consent must be specific, informed and unequivocal, detailing the information to be shared, the institution that will receive it, the validity period and the purpose.
PSBIs and PSIPs cannot request additional consent for the same exchange of information, nor discourage or hinder the consent process. In addition, both PSBIs/PSIPs and IPIs/IPCs must record and store consent for a minimum period of five years.
In terms of information security and cybersecurity, on the other hand, financial institutions must implement information security and cybersecurity measures to protect customers’ personal data. These include, for example:
Finally, other rules are applicable, for example, to the outsourcing of services applicable to both traditional financial institutions and institutions providing fintech services (including, for example, alternative asset transaction mechanisms), in which it is necessary to adopt risk management and operational safeguard measures that include verifying that the jurisdiction in which the data is processed has high levels of protection of personal data. See also 5.3 Data Localisation Requirements.
At present, the Law does not contain a specific provision in respect of international data transfers. However, the transfer of personal data outside the jurisdiction may be deemed as a use of data, for which authorisation and other requirements established by the Law would therefore be required.
However, the New Law has a chapter dedicated to the international transfer of personal data, contemplating a wide catalogue of cases in which data may lawfully flow across borders. See 5.5 Recent Developments.
No government notifications or approvals are required to transfer data internationally.
For its part, according to the New Law, it is not necessary to request authorisation from the Personal Data Protection Agency to carry out an international transfer of data, except when some of the specific requirements under which it is legal to carry out this type of activity have not been met.
Currently, the Law does not establish data localisation requirements, nor does the New Law provide for such limitations.
However, under Chapter 20-7 of the Updated Compilation of Standards (“RAN”) on the outsourcing of services by financial institutions (especially banks), the data, technological platforms and applications to be used in the outsourcing of services must be located at specific processing sites and, in the case of processing abroad, in a defined and known jurisdiction. In addition to the jurisdiction, the city where the data centres operate must also be identified.
For the purpose of contracting any type of service through the modality called cloud computing, the board of directors of a financial institution must pronounce annually about the risk tolerance that the financial institution is willing to assume in this type of outsourcing. This pronouncement must consider an analysis of the data to be stored or processed under this modality and its location.
Without prejudice to the due fulfilment of the different requirements contained in Chapter 20-7, financial institutions may outsource their non-critical services to the public or private cloud. If the financial institution evaluates the contracting of a cloud service for an activity considered strategic or critical, this may also be carried out in public or private cloud mode. However, in these cases, the financial institution must carry out an enhanced due diligence of the provider and the service.
There are no blocking statutes in Chile.
The New Law, which will come into force in December 2026, regulates international transfers of personal data in a specific manner, unlike the current Law in force. Thus, international data transfers will be legal in the following cases:
In the absence of an adequacy decision or adequate guarantees, a specific, non-recurring transfer may be made in the following cases:
The Personal Data Protection Agency will be responsible for determining which countries have adequate levels of data protection. A country’s legal system will be deemed to have adequate levels of data protection when it meets standards similar to or higher than those of Chile, taking into account at least whether the country has established principles governing the processing of personal data; the existence of regulations that recognise and guarantee the rights of data subjects and the existence of a supervisory authority; the imposition of information and security obligations; and the establishment of an infringement and liability regime.
The Agency may approve model clauses and other legal instruments only if they contain adequate guarantees for the cross-border flow of data, and will not require any other additional guarantee or authorisation.
When the transfer is made between companies or entities belonging to the same business group, related companies or companies subject to the same controller under the terms provided in the Securities Market Law, provided that all of them operate under the same standards and policies regarding the processing of personal data, the transfers may be covered by binding corporate rules previously approved by the Agency.
In exceptional cases, the Agency may authorise, by means of a resolution, the international transfer of data for a particular case, provided that the transmitter and the recipient of the data provide the appropriate guarantees.