Data Protection & Privacy 2025

Last Updated March 11, 2025

Chile

Law and Practice

Authors



Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual property, and government relations and public policy, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. It has expertise in licensing and software development agreements, technological platforms, franchises, data protection and computer crime, as well as the distribution, production and financing of film and television. The firm’s clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the movie industry, as well as in other diverse fields.

The “Law”

The Chilean legal framework for data protection can be found in Article 19, No 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data will be carried out in the manner, and under the conditions, laid down by law. In addition, Chile has a dedicated data protection law, Law No 19.628 on Privacy Protection (the “Law”), which was published in the Official Gazette on 28 August 1999. The current Law is not based on any international instrument on privacy or data protection (such as the OECD Guidelines, Directive 95/46/EC, the EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).

The “New Law”

However, on Friday 13 December 2024, Law No 21.719 on Personal Data Protection (the “New Law”), which reforms and updates Law No 19.628, was published in the Official Gazette. This regulation – inspired by the General Data Protection Regulation of the EU – brings with it important modifications and raises the standards by which the information of clients, data subjects, collaborators and partners is handled and protected by various institutions, databases, data controllers and data processors.

As of the date of publication of the law, a 24-month legal vacancy period began, during which the obligations of companies and public bodies regarding the processing of personal data must be adapted to the new regulations, before the Personal Data Protection Agency (the “Agency”) begins its functions, which include imposing sanctions for non-compliance. This chapter will carefully review the current regulations applicable in Chile on the protection of personal data, and will highlight the fundamental changes that the new Law No 21.719 will bring about once it comes into force in December 2026.

At present, and in general, the main regulators of data protection are the civil courts under the Law. However, this will change in December 2026 when the Agency created by the New Law becomes functional.

In the meantime, other entities currently have powers in matters of personal data protection, the main ones being the following.

Consumer Rights

Currently, the National Consumer Service (Servicio Nacional del Consumidor, or SERNAC) is the supervisory body for the protection of personal data in the context of consumer relations, until the Agency is established in December 2026.

Although it does not have sanctioning powers, SERNAC can exercise its powers to file individual or class actions before the courts, supervise, inspect, investigate, and issue interpretative circulars that are mandatory for SERNAC officials when applying the regulation and the Law (eg, at the time of audit).

Public Sector

The Council for Transparency (the “Council”) is responsible for ensuring compliance with the Law by the organs of state administration. The Council has issued Recommendations on the Protection of Personal Data by the Organs of State Administration, the Guide on Protection of Personal Data for Public Institutions (2021) and Resolution No 489/2022, which approved the Procedure for Processing Requests for the Exercise of ARCO Rights made before the Council. ARCO rights are those of access, rectification, cancellation or elimination, opposition and blocking of personal data held, in this case, by the Council. 

Financial Sector

The Financial Market Commission (Comisión para el Mercado Financiero, or CMF) is the control body in the financial sector and has regulatory and supervisory powers in matters of personal data protection, information security and cybersecurity.

Under Chapters 18-5, on information about debtors from financial institutions, and Chapters 20-6 and following of the Updated Compilation of Standards (Recopilación Actualizada de Normas de Bancos, or RAN) of the CMF on business continuity, information security and outsourcing of services, financial institutions must have an internal policy on security and management of debtor information (Política Interna de Seguridad y Manejo de la Información sobre Deudores, or PISMID), which must follow international principles and best practices on personal data processing.

Law No 21.521, known as the “Fintech Law”, to “[promote] competition and financial inclusion through innovation and technology in the provision of financial services”, mandates the CMF to dictate the cybersecurity and personal data protection standards that financial institutions participating in the future Open Finance System must comply with.

Cybersecurity

In the area of cybersecurity, Chile has the Cybersecurity Framework Law No 21.663, which created the National Cybersecurity Agency that came into force on 1 January 2025. The Cybersecurity Framework Law applies to two types of entities: providers of essential services (telecommunications, digital services, digital infrastructure, water, health, energy, utilities, etc.) and operators of vital importance (operadores de importancia vital, or OIVs), the latter designated after a special procedure led by the National Cybersecurity Agency at least every three years.

In the context of personal data protection, the Cybersecurity Framework Law establishes the obligation for both essential service providers and OIVs to notify cybersecurity incidents with significant effects to the National Computer Security Incident Response Team (Equipo Nacional de Respuesta a Incidentes de Seguridad Informática, or National CSIRT), including incidents affecting computer systems containing sensitive personal data.

There is currently no privacy regulator or data protection authority in Chile, although there is a legal action (habeas data) that data subjects may exercise in the event of a breach of data. Thus, data protection enforcement is addressed by general courts with general powers. A summary court procedure is established by the Law if the person responsible for the personal data registry or bank fails to respond to a request for access, rectification, suppression or blocking of personal data within two business days, or refuses a request on grounds other than the security of the nation or the national interest.

Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (USD70 to USD700, and USD700 to USD3,490 approximately). Fines are determined in a summary court procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data will be compensated. In those cases, the amount of compensation will be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.

On the other hand, the New Law advances from judicial logic to administrative logic, where the body in charge of overseeing this new regulatory standard will be the Personal Data Protection Agency, an administrative body of a technical nature, with regulatory, interpretive, supervisory and sanctioning powers.

With regard to the sanctioning regime, in the event of non-compliance with the New Law, the Agency may:

  • impose fines of up to 100 monthly tax units (unidad tributaria mensual, or UTM) for minor infringements, up to 5,000 UTM for serious infringements, and up to 10,000 UTM (USD725,000) for very serious infringements;
  • triple fines in cases of recidivism;
  • charge fines of up to 2% or 4% of the annual revenues of large companies in cases of recidivism of serious or very serious infringements (with ceilings of 10,000 and 20,000 UTM – USD725,000 and USD1,450,000, respectively);
  • suspend the processing of data for up to 30 days, as an accessory sanction; and/or
  • register the sanctioned parties and the respective sanctions in the National Register of Sanctions and Enforcement (the records of which will be publicly accessible for five years).

Because a protection system based on judicial logic is currently in force, there is no relevant precedent of administrative sanctioning procedures in this jurisdiction. This will eventually change when the New Law comes into force in December 2026.

The National AI Policy 2024–2031 (the “Policy”), with its respective Action Plan, was officially launched on 2 May 2024. The objective of the Policy is to promote the development and ethical and responsible use of AI in Chile, so that this technology can help to promote the country’s new development and growth model.

The 2021 Policy

Chile published its first National Artificial Intelligence Policy in 2021. Among its objectives were to position Chile at the Latin American level in AI and to place it at the vanguard of global collaboration related to AI. The policy was based on four cross-cutting principles: AI with a focus on people’s well-being, respect for human rights and security; AI for sustainable development; inclusive AI; and globalised AI.

The 2021 Policy had three pillars:

  • Enabling factors, which are the baseline elements that enable the existence and deployment of AI and include talent development, technology infrastructure and data.
  • Development and adoption, which comprises the space where AI is developed and deployed, and includes research, technology transfer, innovation, entrepreneurship, improvement of public services, and technology-based economic development, among others.
  • Governance and ethics, which is the axis composed of various elements addressing the new discussions arising from AI, including, for example, AI in consumer protection, privacy, the intellectual property system and cybersecurity, among others.

The New National AI Policy 2024–2031

During the year 2023, and as a result of the work carried out by the Ministry of Science with various stakeholders through multiple spaces of participation, the need arose to update the third pillar on “governance and ethics”. The update of this pillar was done in collaboration with UNESCO and its readiness assessment methodology (RAM) in the context of its “Recommendations on the Ethics of AI” published in 2021.

Thus, in this version, topics such as training new talent, improving infrastructure, empowering citizens, boosting industry and creating research funds dedicated to AI were included.

Among the main changes introduced in this version, the following stand out:

  • The replacement of the word “Ethics” in the title with “Regulation and Institutionality”, emphasising the need to establish a regulatory framework that provides certainty and promotes the responsible development of AI, aligned with international standards.
  • In addition, it was complemented by the need for minimum requirements based on criteria of transparency, accountability, and protection of personal data, among others.
  • A new “Title on International Articulation”, to promote and articulate the discussion on AI governance at the Latin American and Caribbean level, ensuring a local technical and regulatory discussion consistent with international regulatory developments.
  • In the “Title on Safe Digital Ecosystem”, the following objectives were added – to study the impact and to carry out measures to prevent and combat misinformation, digital violence and its effects on mental health.
  • In the “Title on Environment and Climate Crisis”, fostering the use of non-conventional renewable energies in AI development was included as an objective.

Action Plan

With regard to the Action Plan of the new national AI policy, which translates the Policy into concrete measures to be implemented until 2031, the following targeted measures stand out:

  • the upskilling and reskilling of workers, with new training courses;
  • connectivity, with the deployment of the Humboldt submarine cable to start operating in 2025, and the feasibility study of a submarine cable to the Antarctic Continent;
  • the National Data Centre Plan to boost the country’s data industry;
  • permitting, to simplify regulatory and monitoring procedures to obtain the necessary permits for the installation of critical infrastructure for the development of AI (eg, data centres);
  • the review and update of the R&D Law to make it suitable for the development and implementation of AI systems;
  • data governance technical roundtables, to propose legal and/or administrative measures that provide a common framework for data governance in the country; and
  • regulatory sandboxes in sectors such as logistics, health, security and fintech.

Consumer Protection

SERNAC issued an interpretive circular on consumer protection against the use of AI systems. This circular includes a series of interpretive rules that aim to establish the meaning and scope of the regulations on the protection of consumer rights, and the protection of personal data that SERNAC is responsible for monitoring, in the face of risks derived from AI systems in the context of a consumer relationship:

  • the delivery of truthful, timely and transparent information;
  • safeguarding of the freedom of choice;
  • consumer safety;
  • prohibition of all arbitrary discrimination; and
  • protection of consumers’ personal data.

Public Sector

In the public sector, the current institutional ecosystem of AI governance is led by the Ministry of Science and the Interministerial Council for Science, Technology, Knowledge and Innovation. In this sense, the different ministries that make up the institutional ecosystem could potentially exercise their regulatory competences in the field of AI.

In this regard, the Ministry of Science and the Digital Government Division of Chile published a circular in mid-December 2023 with “Recommended Guidelines for the Use of AI by State Agencies”, which started to be implemented during 2024. The circular contains recommendations related to human-centred AI guidelines; transparency and explainability; as well as privacy and data use.

National Data Centres Plan 2024–2030

On 5 December 2024, the National Data Centres Plan 2024–2030 (“PDATA”) was officially published by the Ministry of Science of Chile, and this was promoted in the context of the Ministerial Cabinet Pro-Growth and Employment of the Government. The plan aims to promote the growth of the data centre industry; promote a decentralised industry, with low socio-environmental impact, that is supported by renewable energies; and strengthen the country’s research and development capabilities, especially those focused on AI.

For this reason, the plan proposes a series of measures that will be adopted by the country until 2030:

  • A digital tool will be created that will integrate information on energy availability, adequate land use, connectivity and socio-environmental variables to identify strategic areas for the development of data centres.
  • A reference guide will be published, in English and Spanish, detailing the permits and processes required for the construction and operation of data centres in Chile.
  • A guide will be developed with standardised technical criteria for the environmental evaluation of data centre projects in the Environmental Impact Assessment Service (SEIA).
  • The creation of Clean Production Agreements between the state and industry will be promoted to improve efficiency in the use of resources and reduce the environmental impact of data centres.
  • A multi-cloud state model will be promoted that allows the public sector to access and manage cloud services safely and efficiently.
  • A comprehensive public-private approach will be implemented to promote talent development and strengthen technical capabilities in industry and public institutions.
  • The implementation of regional technological campuses specialised in infrastructure for training AI systems, located in regions with high availability of renewable energy, will be promoted.
  • Agreements between the state and international companies will be promoted to guarantee access to AI computing infrastructure for Chilean research and development institutions.
  • A strategic committee will be created for the monitoring and evaluation of the plan, with the participation of local governments, industry, experts and communities.

Public Sector

The circular with the “Recommended Guidelines for the Use of AI by State Agencies” states that the processing of personal data, especially of a sensitive nature, when using AI tools should ensure compliance with Law No 19.628 on privacy protection and its amendments (the “New Law”), in particular to ensure that data processed for the development, training or use of AI tools is used exclusively for the purposes authorised by the data subjects or by law.

Likewise, the circular recommends that personal information, especially of a sensitive nature, should not be entered in generative AI tools, when these have not been contracted or developed by or for the state administration. In this regard, special care should also be taken with the confidential information of legal persons to which the administration has access.

Bill Regulating AI Systems

Since May 2024, the draft law filed by the government regulating AI systems has been under discussion in the Chamber of Deputies. The bill is in some respects inspired by the EU AI Act, especially when classifying the risk levels of the uses of AI systems (unacceptable/prohibited risk; high risk; limited risk; no evident risk).

In terms of personal data protection, the bill contemplates the principle of data governance, which would translate into specific obligations for operators of high-risk AI systems (eg, information management systems). In addition, the bill establishes that the Personal Data Protection Agency would be the supervisory authority with oversight and sanctioning powers of the law, while a Technical Advisory Council on AI and the Ministry of Science would concentrate the regulatory powers.

Recent cases in Chile suggest a rise in litigation related to privacy and personal data protection that has reached the public debate, particularly regarding the collection and use of biometric data. The case of Worldcoin, a company that scans people’s irises in exchange for cryptocurrency, exemplifies this trend. SERNAC has taken action against Worldcoin, filing a complaint in court for questionable data collection practices and even requesting the suspension of its operations in Chile. Numerous citizen complaints have also been filed with SERNAC, highlighting growing public concern about how companies handle personal data, especially sensitive biometric data.

In addition to the Worldcoin case, the National Economic Prosecutor’s Office (Fiscalía Nacional Económica, or FNE) has faced opposition from major universities when requesting student contact data for a market study. Universities refused to comply with the FNE’s request, arguing that the data requested, and its purposes, do not comply with the principle of proportionality in the processing of personal data.

These cases, in the context of the publication of the New Law which will come into force in December 2026, highlight a greater sensitivity on the part of the public regarding issues related to personal data protection in Chile.

SERNAC v Worldcoin (ongoing)

  • SERNAC has initiated legal action against Worldcoin, a company that scans people’s irises in exchange for cryptocurrency, for alleged violations of the Consumer Law and the Privacy Law.
  • SERNAC argues that Worldcoin has failed to adequately inform consumers about the purposes for which their biometric data will be used and that the company has not implemented appropriate mechanisms to protect consumer privacy.
  • SERNAC has also expressed concern that Worldcoin has scanned the irises of minors without the consent of their parents or guardians.
  • SERNAC has asked the courts to suspend Worldcoin operations in Chile until it is proven that the company complies with regulations.

Universities v FNE

  • The FNE has faced opposition from three universities (PUC, USACH, and the University of Chile) when requesting student contact information for a market study on higher education.
  • The universities argue that the FNE does not have the authority to request personal data from students (since this requires express legal authorisation according to current Law No 19.628), and that doing so would affect their right to privacy, and that this would violate the principle of proportionality in the processing of personal data.
  • The FNE defends its competence to request the information, arguing that it is necessary for the market study and that Law No 20.945 grants it the power to require information from individuals.

Sánchez v Worldcoin

  • In this case, the Court of Appeals of Valparaíso rejected the protection action filed by an individual against Worldcoin. The ruling was confirmed by the Supreme Court in December 2024.
  • The court argued that the plaintiff consented to the scanning of his iris in exchange for cryptocurrency and that concerns about data storage on the blockchain should be resolved through the specific procedures established in Law No 19.628 (eg, the right to the suppression of personal data).

Lagos v Worldcoin

  • The Supreme Court upheld the protection appeal filed on behalf of a minor against Worldcoin in January 2025.
  • The court argued that the company had not obtained the informed consent of the minor to scan their iris and that the deletion of their data from the database needed to be demonstrated more rigorously.
  • The court also highlighted the reinforced protection that must be given to the personal data of minors.

SERNAC could bring collective actions on behalf of the collective or diffuse interests of consumers before the courts. The most recent and publicly relevant case has been the infringement complaint before the courts against Worldcoin, explained in the previous section (see 2.2 Recent Case Law).

The Law in Force

Purpose: Law No 19.628 on the protection of privacy in Chile aims to protect the privacy of individuals and prevent the misuse of their personal data.

Scope: The law applies to all processing of personal data carried out in the country. This includes public and private bodies that store personal data in registers or data banks.

Rights of data subjects:

  • to access their personal data;
  • to rectify their personal data;
  • to cancel their personal data; and
  • to express their opposition to the processing of their personal data.

The New Law

The purpose of the New Law will be to regulate the form and conditions under which the processing and protection of the personal data of natural persons is carried out. It applies to any processing of personal data carried out by a natural or legal person, including public bodies.

The New Law does not apply:

  • to the processing of data carried out in the exercise of freedom to express an opinion and to inform, regulated by the laws referred to in Article 19, No 12 of the Political Constitution of the Republic of Chile; or
  • to the processing of data carried out by natural persons in relation to their personal activities.

With regard to the territorial scope of application, it applies:

  • to a data controller or data processor established or incorporated in national territory;
  • to a data processor who processes personal data on behalf of a data controller established or incorporated in the national territory;
  • to a data controller or data processor not established or incorporated in national territory, but whose personal data processing operations are intended to offer goods or services to data subjects who are in Chile, or to monitor their behaviour, including analysis, tracking, profiling or prediction of their behaviour; or
  • to a data controller who, not being established in national territory, is subject to national legislation as a result of a contract or international law.

In addition to the rights to which data subjects are entitled and which they may exercise vis-à-vis data controllers, the following have been added:

  • the right not to be subject to automated individual decisions (Article 8 bis);
  • the right to block (Article 8 ter); and
  • the right to data portability (Article 9).

Currently, in Chile, the Law distinguishes between personal data and sensitive personal data. According to the Law, “sensitive data” means personal data that refer to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, political ideologies and opinions, religious beliefs or convictions, physical or mental health conditions, and their sex life. Sensitive data may not be processed unless authorised by the data subject, or unless it is necessary for the determination or provision of health benefits, or authorised by law.

On the other hand, there is no definition of financial data in the law in force, although there are some rules in this respect. If financial data can be considered as personal data, no authorisation is required if the data originates, or is collected, from publicly accessible sources. Financial data may not be processed in the following cases:

  • five years or more after the respective obligation became due;
  • in the case of debts incurred during a period of unemployment;
  • in the case of data relating to obligations that have been paid or extinguished by other legal means; and
  • in the case of debts relating to electricity, water, telephone, gas and roads.

However, the New Law that will come into force in December 2026 brings with it more specific applicable rules for certain categories of personal data, including sensitive personal data, such as biometric data, health data and human biological profile data, as well as special rules for the personal data of children and adolescents, historical or statistical data, and location data.

The Law in Force

As there is currently no specialised data protection supervisory authority, the obligations under the current law have little or no oversight. SERNAC has now taken action against Worldcoin, but at the national level this is practically an anecdotal case. See 2. Privacy Litigation.

Among the obligations for data controllers, the following stand out: to adopt security measures; to respond to requests from data subjects; and to use personal data only for the purposes for which it was collected. However, there are no specific rules that regulate in detail the duties and obligations of data controllers, except at the sectoral level depending on the instructions or powers of the supervisory authorities, for example, in banking and finance or in the public sector.

The New Law

From December 2026 when Law No 21.719 comes into force, data controllers will have the following obligations:

  • to inform and make available to the data subject the background information that proves the lawfulness of the data processing it carries out;
  • to ensure that personal data is collected from lawfully accessible sources for specific, explicit and lawful purposes, and that the processing is limited to the fulfilment of these purposes;
  • to communicate or transfer, in accordance with the provisions of the law, accurate, complete and current information;
  • to suppress or anonymise the personal data of the holder when this was obtained for the execution of pre-contractual measures; and
  • to comply with the other duties, principles and obligations of the law.

A data controller who is not domiciled in Chile, and who processes the data of persons residing in Chile, must keep an email address or other suitable means of contact updated and operational in order to receive communications from the data subjects and the Agency.

In addition, the following duties applicable to both data controllers and data processors are regulated (with some exceptions):

  • the duty of secrecy or confidentiality;
  • the duty of information and transparency;
  • the duty of protection by design and by default;
  • the duty to adopt security measures; and
  • the duty to report breaches of security measures.

In the event of data processing through a data processor, the considerations contained in Article 15 bis of the New Law must be complied with and addressed. Thus, such processing must be governed by the contract entered into between the data controller and the data processor and must contain the special elements set out in that provision.

Furthermore, where a type of processing, by its nature, scope, context, technology used or purposes, is likely to put the rights of data subjects at high risk, the controller must, prior to starting processing operations, carry out a personal data protection impact assessment.

Finally, unlike the GDPR, the Chilean regulation will provide for a voluntary infraction prevention model, consisting of a compliance programme that will have to be certified by the Agency. The certification of this model will help to reduce the amount of the fine in case of infraction, as it was contemplated as an attenuating circumstance of liability.

As for the appointment of the data processing officer (DPO), while the GDPR establishes a mandatory nature for this appointment, based on the type of entity and the processing activities, the Chilean regulation links it to the voluntary adoption of a prevention model. In other words, in Chile, the appointment of a DPO is only mandatory if a prevention model is voluntarily adopted.

For more details on the control authorities currently in force regarding personal data protection in Chile, see 1.2 Regulators.

On the other hand, the Personal Data Protection Agency, created by Law No 21.719, which will come into operation in December 2026, will be an autonomous, technical and decentralised entity that will have the objective of protecting the personal data of people in Chile.

Powers of the Personal Data Protection Agency

  • Regulation: It will issue instructions and general rules to regulate the processing of personal data, ensuring compliance with the law.
  • Supervision: It will supervise entities to ensure they comply with the law and its regulations in the processing of data. To do so, it may require those who process personal data to provide any document, book or record and other information that is necessary for the fulfilment of its supervisory function.
  • Sanctioning: It may sanction those who violate the law or its regulations. For more information, see 1.3 Enforcement Proceedings and Fines.
  • Conflict resolution: It will address requests and claims from data subjects against those who violate the law.
  • Education: It will promote citizen awareness on the protection of personal data.
  • Consulting: It will provide technical assistance to other state agencies in the implementation of data protection policies.
  • Co-operation: It will collaborate with national and international entities in data protection.
  • Certification: It will certify infringement prevention models and compliance programmes regarding personal data.

Under both the current law and the New Law that will come into force in December 2026, if cookies collect personal data, they can be considered as data processing, so companies that place cookies will require the consent of the data subject (with some exceptions, or using other bases of lawfulness of data processing) and must comply with the general rules for the processing of personal data. See 3. Data Regulation on IoT Providers, Data Holders and Data Processing Services.

Law No 19.496 on the Protection of Consumer Rights contains a provision regarding marketing through email. Every promotional or advertising communication sent by email must indicate its subject, the identification of the sender, and a valid email address to which the recipient can address their request for the suspension of the advertising communication, which will remain banned from then on.

Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services must indicate an expedited way the addressees may request the suspension of the communications.

Regarding data privacy, this practice requires consent from the data subject, unless the data comes from sources available to the public.

The Political Constitution of the Republic of Chile guarantees the respect and protection of the privacy and honour of a person and their family at a constitutional level. Such constitutional protection extends to workers. The same protection is guaranteed in Article 5 of the Chilean Labour Code.

According to the Labour Department of Chile, employers may regulate the conditions, frequency and timeliness of use of the company’s emails, but may not, under any circumstances, have access to the private email correspondence sent and received by employees. This would violate the fundamental rights granted by the Political Constitution of the Republic of Chile.

If there is a breach of a worker’s privacy, and that worker is part of a union, the union may apply some pressure on the employer to comply with the law.

All means to control workers – including cybersecurity tools – must comply with respect for the fundamental rights granted by the Political Constitution of the Republic of Chile, the right to privacy, a private life and the honour of workers. Therefore, control mechanisms are only allowed if they fulfil the following requirements:

  • they must necessarily be incorporated in the normative text that the law establishes for that purpose, that is, the company’s internal regulations on hygiene and safety, issued in conformity with the law;
  • they may only be carried out by suitable means consistent with the nature of the employment relationship;
  • the application of control mechanisms must be general, and the impersonality of the measure must be guaranteed (ie, it must not be discriminatory); and
  • the dignity of the worker must be respected.

There is no discovery system in Chile.

As a general rule, in asset transactions, the personal data protection regulations of the current law must be complied with, and eventually, from December 2026, the regulations of the New Law.

However, for now, Chilean financial institutions must also comply with certain regulations for processing personal data during asset transactions and within the Open Finance System (Sistema de Finanzas Abiertas, or SFA), issued by the CMF.

For example, banks must require the presentation of the taxpayer identification number (RUT) or the national identity card for various financial operations such as loans, purchase of securities, opening of accounts, etc. This information is considered personal data. Likewise, banks must record the RUT or identity card number in the customer information or in the transaction document.

On the other hand, the SFA (which will gradually come into operation by 2027) will require that clients’ personal data only be transferred or transmitted to third parties in accordance with the applicable legal bases, and in compliance with Law No 19.628 on the protection of personal data and its updates.

The General Standard issued by the CMF that regulates the SFA establishes that information service providers (instituciones proveedoras de información, or IPIs) and account providers (instituciones proveedoras de cuentas, or IPCs) must obtain the express consent of the data subject to share financial information with information-based service providers (instituciones proveedoras de servicios basados en información, or PSBIs) and payment initiation service providers (proveedores de servicio de iniciación de pagos, or PSIPs). Also, consent must be specific, informed and unequivocal, detailing the information to be shared, the institution that will receive it, the validity period and the purpose.

PSBIs and PSIPs cannot request additional consent for the same exchange of information, nor discourage or hinder the consent process. In addition, both PSBIs/PSIPs and IPIs/IPCs must record and store consent for a minimum period of five years.

As regards information security and cybersecurity, financial institutions must implement measures to protect customers’ personal data. These include, for example:

  • policies and procedures to manage information security and cybersecurity risks;
  • access controls to protect restricted areas and user privileges;
  • tools to control, record and monitor user activities;
  • mechanisms to control access to electronic channels to mitigate the risk of impersonation;
  • encryption techniques to protect the confidentiality and integrity of information;
  • regular data quality tests; and
  • policies and procedures for business continuity.

Finally, other rules apply, for example, to the outsourcing of services by both traditional financial institutions and institutions providing fintech services (including, for example, alternative asset transaction mechanisms). Under these rules, it is necessary to adopt risk management and operational safeguard measures that include verifying that the jurisdiction in which the data is processed has high levels of protection of personal data. See also 5.3 Data Localisation Requirements.

At present, the Law does not contain a specific provision in respect of international data transfers. However, the transfer of personal data outside the jurisdiction may be deemed as a use of data, for which authorisation and other requirements established by the Law would therefore be required.

However, the New Law has a chapter dedicated to the international transfer of personal data, contemplating a wide catalogue of cases that would allow data transfers to be implemented dynamically. See 5.5 Recent Developments.

No government notifications or approvals are required to transfer data internationally.

Under the New Law, it is not necessary to request authorisation from the Personal Data Protection Agency to carry out an international transfer of data, except when some of the specific requirements under which it is legal to carry out this type of activity have not been met.

Currently, the Law does not establish data localisation requirements, nor does the New Law provide for such limitations.

However, under Chapter 20-7 of the Updated Compilation of Standards (“RAN”) on the outsourcing of services by financial institutions (especially banks), the data, technological platforms, and applications to be used in the outsourcing of services must be located at specific processing sites, and in the case of processing abroad, in a defined and known jurisdiction. In addition to jurisdiction, the city where the data centres operate is also required.

For the purpose of contracting any type of service through the modality called cloud computing, the board of directors of a financial institution must pronounce annually about the risk tolerance that the financial institution is willing to assume in this type of outsourcing. This pronouncement must consider an analysis of the data to be stored or processed under this modality and its location.

Without prejudice to the due fulfilment of the different requirements contained in Chapter 20-7, financial institutions may outsource their non-critical services to the public or private cloud. If the financial institution evaluates the contracting of a cloud service for an activity considered strategic or critical, this may also be carried out in public or private cloud mode. However, in these cases, the financial institution must carry out an enhanced due diligence of the provider and the service.

There are no blocking statutes in Chile.

The New Law, which will come into force in December 2026, regulates international transfers of personal data in a specific manner, unlike the current Law in force. Thus, international data transfers will be legal in the following cases:

  • when the recipient of the data is in a country with adequate levels of data protection;
  • when the transfer is covered by contractual clauses or other legal instruments; and
  • when the data controller and the recipient adopt a compliance model or certification mechanism.

In the absence of an adequacy decision or adequate guarantees, a specific and unusual transfer may be made in the following cases:

  • with the express consent of the data subject;
  • for bank, financial or stock market transfers;
  • to comply with international obligations;
  • for international judicial co-operation;
  • for the conclusion or execution of a contract; and
  • for urgent measures in medical or health matters.

The Personal Data Protection Agency will be responsible for determining which countries have adequate levels of data protection. A country’s legal system will be deemed to have adequate levels of data protection when it meets standards similar to or higher than those of Chile, taking into account at least whether the country has established principles governing the processing of personal data; the existence of regulations that recognise and guarantee the rights of data subjects and the existence of a supervisory authority; the imposition of information and security obligations; and the establishment of an infringement and liability regime.

The Agency may approve model clauses and other legal instruments only if they contain adequate guarantees for the cross-border flow of data, and will not require any other additional guarantee or authorisation.

When the transfer is made between companies or entities belonging to the same business group, related companies or companies subject to the same controller under the terms provided in the Securities Market Law, provided that all of them operate under the same standards and policies regarding the processing of personal data, the transfers may be covered by binding corporate rules previously approved by the Agency.

In exceptional cases, the Agency may authorise, by means of a resolution, the international transfer of data for a particular case, provided that the transmitter and the recipient of the data provide the appropriate guarantees.

Magliona Abogados

Santiago de Chile
Avda Andrés Bello 2687
Piso 24, Las Condes
Santiago de Chile
Santiago
Chile

+56 2 3210 0030

+56 2 377 9451

contacto@magliona.cl www.magliona.cl