Data Protection & Privacy 2026

Last Updated March 10, 2026

Chile

Law and Practice

Authors

Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual property, and government relations and public policy, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. It has expertise in licensing and software development agreements, technological platforms, franchises, data protection and computer crime, as well as the distribution, production and financing of film and television. The firm’s clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the movie industry, as well as other diverse fields.

Overview of Data and Privacy-Related Laws

The Chilean legal framework for data protection is anchored in Article 19, No 4 of the Political Constitution of the Republic of Chile, which guarantees the protection of personal data. This constitutional provision ensures that the processing and protection of personal data must be carried out in the manner and under the conditions established by law. Additionally, Chile has a specific statute, Law No 19.628 on Privacy Protection (the “Law”), published on 28 August 1999. While the current version of the Law was not originally based on international instruments such as the GDPR, a significant reform has recently been enacted.

On 13 December 2024, Law No 21.719 on Personal Data Protection (the “New Law”) was published in the Official Gazette, reforming and updating Law No 19.628. This regulation introduces substantial modifications and raises standards for data controllers and processors, drawing inspiration from the European Union’s General Data Protection Regulation (GDPR). The New Law establishes a 24-month vacancy period, meaning it will enter into full force on 1 December 2026. During this transition, entities must adapt their processing activities before the new Personal Data Protection Agency (the “Agency”) begins its functions and enforcement powers.

Sectoral Instruments and Interactions Across Levels of Law

Currently, the interaction between legal sources relies heavily on general statutes and sectoral oversight, as there is no centralised data protection authority until the Agency is established in 2026. The interplay between these sources operates as follows:

  • Consumer Protection: The National Consumer Service (SERNAC) acts as the supervisory body for data protection within consumer relations. SERNAC exercises powers to file class actions, inspect, and issue interpretative circulars, filling the gap until the Agency becomes operational.
  • Public Sector: The Council for Transparency oversees compliance by state administration bodies. It issues recommendations and manages procedures for access rights (ARCO rights) within the public sector, ensuring co-ordination with the Transparency Law (Law No 20.285).
  • Financial Sector: The Financial Market Commission (CMF) regulates the financial sector, including data protection and cybersecurity. Under the Fintech Law (Law No 21.521), the CMF is mandated to dictate standards for the Open Finance System. Furthermore, the CMF’s Updated Compilation of Standards (RAN) imposes specific obligations on financial institutions regarding data security and outsourcing.

Extraterritorial Reach

Under the New Law (Law No 21.719), the scope of application extends beyond national borders based on specific triggers designed to protect data subjects located in Chile. The law applies to the processing of personal data when the controller or processor is established in the national territory. Furthermore, strictly extraterritorial application is triggered in the following scenarios:

  • when a processor, regardless of their location, performs data processing operations on behalf of a controller established or constituted in Chile;
  • when the controller or processor is not established in Chile, but their processing operations are intended to offer goods or services to data subjects located in Chile, regardless of whether payment is required;
  • when the processing involves monitoring the behaviour of data subjects located in Chile, including analysing, tracking, profiling, or predicting their behaviour; or
  • when a controller not established in Chile is subject to national legislation due to a contract or international law.

Responsible parties not domiciled in Chile who process data of residents must designate an email address or suitable contact method to receive communications from data subjects and the Agency.

Interplay with Non-Personal Data, Cyber, and AI

Cybersecurity and critical infrastructure

Chile recently enacted the Cybersecurity Framework Law No 21.663, which created the National Cybersecurity Agency (ANCI). This law interacts with data protection statutes by mandating the reporting of cybersecurity incidents that may affect personal data. The law establishes the principle of “security and privacy by default and by design”, requiring systems to be designed with data protection in mind.

Specific interplay includes:

  • Incident Reporting: Institutions must report incidents with significant effects to the National CSIRT. If an incident affects systems containing personal data, it is considered to have a “significant effect”.
  • Data Protection in Reporting: Reports of cyber incidents must generally omit personal data to protect privacy, unless essential for management, and IP addresses are explicitly excluded from the definition of personal data for these specific reporting purposes.

Artificial intelligence (AI)

The regulation of AI in Chile is evolving and intersects directly with data privacy rules. The National AI Policy 2024-2031 promotes ethical and responsible AI use.

  • Current Guidance: Guidelines for state agencies recommend that processing personal data for AI training or development must strictly comply with Law No 19.628, ensuring data is used only for authorised purposes. It is advised not to enter sensitive personal data into generative AI tools not contracted by the state.
  • Legislative Proposals: A bill regulating AI systems is under discussion, inspired by the EU AI Act. This bill proposes a risk-based approach and establishes that the new Personal Data Protection Agency will act as the supervisory authority for AI matters, while a Technical Advisory Council and the Ministry of Science will handle regulatory powers.
  • Automated Decisions: The New Law introduces the right for data subjects not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects.

General Principles and Requirements for Processing

The Chilean legal framework regarding personal data is currently undergoing a significant transition following the publication of Law No 21.719 (the “New Law”) on 13 December 2024, which updates Law No 19.628. This regulation introduces a comprehensive catalogue of principles that align Chile with international standards, particularly the GDPR.

Principles of Data Processing

Under Article 3 of the New Law, any processing of personal data must strictly adhere to the following principles:

  • Lawfulness and Loyalty: Data must be processed lawfully and fairly, and the controller must be able to prove the lawfulness of the processing.
  • Purpose: Data must be collected for specific, explicit, and lawful purposes and cannot be processed for different objectives, unless they are compatible with the original purpose or authorised by the data subject.
  • Proportionality: Data processing must be limited to what is necessary, suitable, and relevant for the specific purposes.
  • Quality: Data must be accurate, complete, current, and relevant.
  • Security: The data controller must guarantee adequate security standards to protect data against unauthorised access, loss, leakage, or destruction.
  • Transparency and Information: Controllers must provide clear and accessible information regarding their data processing policies and practices to the data subjects.
  • Confidentiality: Controllers and anyone with access to data must maintain secrecy, a duty that persists even after the relationship with the data subject ends.
  • Accountability: Those processing data are legally responsible for complying with these principles and obligations.

Requirements for Processing (Lawful Bases)

For data processing to be lawful, it must rely on a valid legal basis. While consent is the general rule, it is not the only basis for processing.

  • Consent: It must be free, informed, specific, and unequivocal, given through a clear affirmative action or declaration.
  • Contractual Necessity: Processing is permitted if necessary for the conclusion or execution of a contract between the data subject and the controller.
  • Legal Obligation: Processing is allowed when necessary to comply with a legal obligation.
  • Legitimate Interest: Data may be processed to satisfy the legitimate interests of the controller or a third party, provided this does not override the rights and freedoms of the data subject.

Data Subject’s Rights

The New Law significantly expands the rights of individuals, enhancing their control over their personal information. These rights are personal, non-transferable, and cannot be waived.

  • access – the right to obtain confirmation from the controller about whether their data is being processed and to access specific information about the processing, such as purposes and recipients;
  • rectification – the right to request the modification or completion of data that is inaccurate, outdated, or incomplete;
  • suppression (deletion) – the right to request the elimination of data when, for example, it is no longer necessary for the collected purpose or when consent is revoked;
  • opposition – the right to object to specific processing activities, particularly when based on legitimate interest or for direct marketing purposes;
  • portability – the right to receive a copy of provided personal data in a structured, commonly used, and machine-readable format to transfer it to another controller;
  • blocking – the right to request the temporary suspension of any processing operation on the stored data; and
  • automated decisions – the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect the individual.

Compliance “To-Dos” for Organisations

As the New Law creates a 24-month vacancy period before full enforcement begins in December 2026, organisations must utilise this time to adapt their internal processes. The following steps are essential to ensure compliance and mitigate the risk of severe sanctions:

  • Conduct a Gap Analysis and Data Mapping: It is highly advisable to perform a comprehensive diagnosis to identify the current state of their data processing activities compared to the new regulatory standards. This involves creating a Record of Processing Activities (RAT) to identify the types of data treated (especially sensitive data), the lawful basis for each processing activity, and data flows.
  • Implement an Infringement Prevention Model: It is highly advisable to adopt an Infringement Prevention Model (Compliance Programme) that can then be certified by the Agency, which will reduce the amount of penalties for possible infringements. This model must include the appointment of a data protection officer (DPO) who will act as a point of contact between the authority and the interested parties. The DPO must have sufficient resources and independence to perform their duties effectively.
  • Update Policies and Contracts: Privacy policies must be updated to meet the new transparency requirements, clearly explaining rights and legal bases to data subjects. Furthermore, all contracts with third-party service providers (data processors) must be reviewed and updated to include specific mandatory clauses regarding confidentiality, security, and the prohibition of using data for other purposes.
  • Risk Management and Security Measures: Organisations must implement technical and organisational security measures appropriate to the risk, such as encryption or pseudonymisation. For processing activities that pose a high risk to data subjects’ rights, performing a Data Protection Impact Assessment (DPIA) is mandatory prior to processing.
  • Establish Incident Response Procedures: Procedures must be established to detect, manage, and report security breaches. The New Law imposes a duty to report security breaches to the Data Protection Agency and, in certain cases involving high risk, to the affected data subjects.
  • Manage International Transfers: If the organisation transfers data outside of Chile, it must ensure the destination country offers adequate protection or implement appropriate guarantees, such as standard contractual clauses approved by the Agency. Without these guarantees, international transfers may constitute a serious infringement.

Based on Law No 21.719 (the “New Law”), which modifies Law No 19.628, the Chilean legal framework establishes a reinforced protection regime for specific categories of data. These rules impose stricter obligations on data controllers compared to the processing of standard personal data.

Sensitive Data

The New Law defines sensitive data as information referring to the physical or moral characteristics of individuals, or facts regarding their private life or intimacy. This includes data revealing ethnic or racial origin, political affiliation, union membership, socioeconomic situation, ideological or philosophical convictions, religious beliefs, health, biological profiles, biometrics, and information regarding sexual life, orientation, or gender identity.

General rule for processing

The processing of sensitive data is generally prohibited unless the data subject provides their express consent. This consent must be given through a written declaration, verbally, or via an equivalent technological medium.

Exceptions to consent

The legislation provides specific legal bases where sensitive data may be processed without consent, provided it is done lawfully:

  • Publicly Available Data: Sensitive data may be processed without consent when the data subject has made the data manifestly public, and the processing aligns with the purpose of that publication.
  • Non-Profit Associations: Foundations, NGOs, or associations with political, philosophical, religious, or trade union aims may process data of their members. This is permissible provided the processing relates solely to their members, guarantees are in place to prevent leaks, and the data is not transferred to third parties.
  • Vital Interests: Sensitive data may be processed without consent when necessary to safeguard the life or physical/psychic integrity of the holder or another person, particularly if the data subject is physically or legally unable to consent.
  • Legal Defence: Sensitive data may be processed without consent when necessary for the formulation, exercise, or defence of a right before courts or administrative bodies.

Health, Biological, and Biometric Data

The regulation creates a sub-category for health and biological data (such as genetic or metabolic profiles), which generally follows the rules for sensitive data but includes specific sanitary exceptions. These may be processed without consent for reasons of public health interest (such as sanitary alerts), medical diagnosis, provision of healthcare services, or scientific research, provided the data is anonymised prior to any publication of results.

Regarding biometric data (fingerprints, iris scans, voice, facial features), the controller must comply with heightened transparency duties. Before processing, the controller is obliged to inform the data subject about the specific identification system used, the precise purpose, the duration of the use, and the method for exercising data subject rights.

Data Relating to Minors (Children and Adolescents)

The New Law introduces a regime based on the principle of the best interest of the child and progressive autonomy. It distinguishes between “children” (under 14 years old) and “adolescents” (14 to under 18 years old).

  • Children (Under 14): Processing requires the express consent of their parents, legal representatives, or those holding personal care. There is no scenario where a child under 14 can validly consent on their own.
  • Adolescents (14 to 17): Generally, adolescents may provide consent for the processing of their data autonomously. However, if the data is classified as sensitive, adolescents under the age of 16 still require the consent of their parents or legal guardians.

Educational establishments and other entities processing data of minors have a specific statutory obligation to ensure the lawful use and protection of this information.

Anonymisation of Patient Data for Research and Development

Under the Chilean legal framework, particularly following the enactment of Law No 21.719 (the “New Law”) which updates Law No 19.628, the processing of health data is subject to a reinforced protection regime. However, specific provisions allow for the use and anonymisation of such data for scientific and product development purposes under strict conditions.

Exceptions for Scientific Research and Product Development

While the general rule for processing sensitive data (such as health data) is the requirement of express consent from the data subject, the legislation introduces specific exceptions relevant to life sciences companies:

  • Public Interest and Human Health Benefit: Processing health and biological profile data without consent is permitted when used for historical, statistical, or scientific purposes. This specifically includes studies or investigations that serve the public interest or benefit human health, as well as the development of medical products or inputs that could not be developed otherwise.
  • Legitimate Interest in Research: The law establishes a presumption of legitimate interest for processing performed exclusively for historical, statistical, or scientific purposes, provided they serve the public interest.
  • Requirement to Anonymise for Publication: While the processing for the research itself may involve personal data under strict security measures, the New Law mandates that any publication or diffusion of the results and analyses obtained from such studies must be preceded by the anonymisation of the data.

Mandatory Data Protection Impact Assessments (DPIAs)

Life sciences companies will likely be required to conduct a DPIA prior to commencing processing. The New Law mandates this assessment when processing is likely to result in a high risk to data subjects’ rights, explicitly listing the processing of sensitive data (health data) as a trigger for this obligation.

The intersection of artificial intelligence (AI) and data privacy in Chile is currently governed by the recently enacted Law No 21.719 (the “New Law”), which updates Law No 19.628, and a series of sectoral guidelines. While a specific bill regulating AI systems is under discussion in Congress, the New Law establishes the binding framework for processing personal data within AI models.

General Requirements and Specific Guidance

The use of personal data in AI systems must adhere to the general principles of the New Law, such as purpose limitation, proportionality, and security. There are specific requirements regarding automated decision-making and profiling, which are now formally regulated.

In terms of guidance, distinct bodies have issued soft law instruments:

  • Public Sector: The Ministry of Science and the Digital Government Division issued a Circular Letter with “Recommended Guidelines for the Use of AI by State Agencies”. It explicitly advises against entering sensitive personal data into generative AI tools unless they have been contracted or developed specifically for the agency with appropriate safeguards.
  • Consumer Protection: The National Consumer Service (SERNAC) issued an interpretative circular regarding AI in consumer relations. It establishes that companies must ensure transparency, avoid arbitrary discrimination, and strictly protect consumers' personal data when deploying AI systems.

Rules Governing Automated Decision-Making

The New Law introduces a specific regime for automated decision-making (ADM), granting data subjects significant control over how AI affects them.

Right to opposition and explanation

Data subjects have the right not to be subject to decisions based solely on the automated processing of their personal data, including profiling, if those decisions produce legal effects or significantly affect them.

Exceptions and safeguards

ADM is permissible only under three specific circumstances:

  • it is necessary for the conclusion or execution of a contract;
  • it is authorised by law (with specific safeguards); or
  • the data subject has granted their express consent.

Even when these exceptions apply, the controller must implement suitable measures to safeguard the data subject's rights. These include the right to obtain human intervention, to express their point of view, to receive an explanation of the decision, and to challenge it.

Risk-Based Regime and High-Risk Categories

The Chilean framework is increasingly shifting towards a risk-based approach, both under the data protection regime and the proposed AI legislation.

Mandatory Impact Assessments for AI

Under the New Law, the regime is risk-based. Controllers must conduct a Data Protection Impact Assessment (DPIA) prior to processing if the activity is likely to result in a high risk to the rights of data subjects. The law explicitly categorises the following AI-related activities as mandatory cases for a DPIA:

  • systematic and exhaustive evaluation of personal aspects based on automated processing, including profiling, that produces legal or significant effects; and
  • massive data processing or processing on a large scale.

Proposed AI regulation

A bill regulating AI systems, currently before the Senate, proposes a risk classification system inspired by the EU AI Act. It categorises AI systems into unacceptable (prohibited) risk, high risk, limited risk, and no evident risk.

Impact on Transparency, Governance and Oversight

  • Transparency and Information: The New Law mandates a duty of active transparency. Controllers engaging in ADM or profiling must provide the data subject with “significant information” about the logic applied, as well as the significance and the envisaged consequences of such processing for the individual.
  • Data Governance: The pending AI bill proposes establishing a principle of data governance, translating into specific obligations for operators of high-risk AI systems regarding information management. Furthermore, the public sector guidelines emphasise interoperability and preventing the misuse of data in generative AI tools not under direct state control.
  • Human Oversight: The requirement for “human intervention” is a statutory right under the New Law for any ADM process.

Requirements Applicable in Case of a Data Breach

Under the new regulatory landscape established by the New Law, the management of security incidents has shifted from a reactive, unregulated approach to a proactive, mandatory reporting regime.

The duty to report to the Agency

The New Law introduces a statutory obligation for data controllers to report security breaches to the Agency. This duty arises when a breach of security measures results in the destruction, leakage, loss, or accidental or unlawful alteration of personal data, or unauthorised access to such data.

  • Trigger: The obligation applies specifically when the breach poses a reasonable risk to the rights and freedoms of the data subjects.
  • Timing: The report must be made through the most expeditious means possible and without undue delay.
  • Content: The notification must describe the nature of the breach, the effects, the approximate number of affected data subjects, and the remedial measures taken.

The duty to notify data subjects

In addition to notifying the regulator, the controller must communicate the breach directly to the affected individuals in specific high-risk scenarios. This notification is mandatory when the breach involves:

  • sensitive personal data (such as health or biometric data);
  • data relating to minors (children and adolescents); or
  • data regarding economic, financial, banking, or commercial obligations.

This communication must use clear and simple language, detailing the specific data affected, the potential consequences, and the safeguard measures adopted. If individual notification is not feasible, the controller must publish a notice in mass media with national reach.

Necessary Action Items for Organisations

  • Detection and Internal Recording: The organisation must immediately log the incident. The New Law requires the maintenance of a register of breaches, documenting the nature of the event, its effects, and the categories of data affected. This internal record is essential for demonstrating compliance to the Agency during future audits.
  • Mitigation and Containment: Controllers must deploy immediate technical and organisational measures to reduce the impact of the breach. For entities classified as Operators of vital importance under the Cybersecurity Framework Law, specific regulations mandate actions such as restricting access to compromised systems, isolating affected networks, and changing administrative passwords within three hours of detection.
  • Risk Assessment: The Data Protection Officer (DPO) or the security team must evaluate whether the breach poses a “reasonable risk” to the rights and freedoms of individuals to determine if notification to the Agency is required.
  • Management of Data Processors: If the breach originated from a third-party service provider (data processor), the provider has a statutory obligation to report the incident to the controller. Organisations must ensure their contracts explicitly mandate this reporting to allow the controller to meet its own regulatory deadlines.

Mass Data Privacy Litigation

The breach of the duty to report or the failure to implement adequate security measures can trigger significant civil liability. The New Law expressly establishes that the controller must indemnify both patrimonial and non-patrimonial (moral) damages caused to data subjects.

  • Class Actions: While individual lawsuits are possible, the most significant risk lies in collective redress mechanisms. SERNAC or consumer associations can file class actions (demandas colectivas) representing the collective interest of consumers affected by a mass data breach.
  • Compensation: The law allows for the indemnification of damages once the administrative sanction is final.

Please note that privacy litigation is dealt with in greater detail in 2. Privacy Litigation.

At present, and in general, the main regulators of data protection are the civil courts under the Law. However, this will change in 2026 when the Personal Data Protection Agency created by the New Law begins operating.

Other entities currently also hold powers in matters of personal data protection; the main ones are the following.

Consumer Rights

Currently, the National Consumer Service (SERNAC) is the supervisory body for the protection of personal data in the context of consumer relations, until the Personal Data Protection Agency is established in 2026.

Although it does not have sanctioning powers, SERNAC can exercise its powers to file individual or class actions before the courts, supervise, inspect, investigate, and issue interpretative circulars that are mandatory for SERNAC officials when applying the regulation and the Law (eg, at the time of audit).

Public Sector

The Council for Transparency is responsible for ensuring compliance with the Law by the organs of state administration. The Council has issued the Recommendations on Protection of Personal Data by the Organs of the State Administration and the Guide on Protection of Personal Data for Public Institutions (2021).

Financial Sector

The Financial Market Commission (CMF) is the control body in the financial sector and has regulatory and supervisory powers in matters of personal data protection, information security and cybersecurity.

Under Chapter 18-5, on information about debtors from financial institutions, and Chapters 20-6 and following of the Updated Compilation of Standards (RAN) of the CMF on business continuity, information security and outsourcing of services, financial institutions must have an internal policy on security and management of debtor information (PISMID), which must follow international principles and best practices on personal data processing.

Law No 21.521, known as the “Fintech Law”, to “[promote] competition and financial inclusion through innovation and technology in the provision of financial services”, mandates the CMF to dictate the cybersecurity and personal data protection standards that financial institutions participating in the future Open Finance System must comply with.

Cybersecurity

In the area of cybersecurity, Chile has the Cybersecurity Framework Law No 21.663, which created the National Cybersecurity Agency. In terms of personal data protection, the Cybersecurity Framework Law considers the obligation of essential service providers and operators of vital importance to report cybersecurity incidents with significant effects to the National CSIRT, including incidents affecting computer systems containing sensitive personal data.

There is currently no privacy regulator or data protection authority in Chile. Data protection enforcement is addressed by general courts with general powers. A summary court procedure is established by the Law if the person responsible for the personal data registry or bank fails to respond to a request for access, rectification, suppression or blocking of personal data within two business days or refuses a request on grounds other than the security of the nation or the national interest.

On the other hand, the New Law moves from a judicial framework to an administrative one, where the body in charge of overseeing this new regulatory standard will be the Personal Data Protection Agency, an administrative body of a technical nature, with regulatory, interpretive, supervisory and sanctioning powers.

With regard to penalties, in the event of non-compliance with the Law, the Agency may:

  • issue warnings or impose fines of up to 5,000 UTM for minor infringements; up to 10,000 UTM for serious infringements; and up to 20,000 UTM (or up to approximately USD1.5 million) for very serious infringements;
  • triple the fines in the event of repeat offences;
  • in the case of large companies, the fine may reach the higher of the tripled fine and 2% or 4% of annual income, for repeat serious or very serious offences respectively;
  • suspend data processing for up to 30 days as an additional penalty in the case of fines imposed for repeated very serious infringements within 24 months; or
  • administer the National Registry of Penalties and Compliance (whose entries will be publicly accessible for five years), which will record the persons responsible for the penalties and the respective penalties.

Over the past 24 months, Chile has witnessed a discernible rise in litigation related to privacy and personal data protection, driven largely by public debate surrounding the collection and use of biometric data. The high-profile case of WorldCoin, an entity scanning individuals' irises in exchange for cryptocurrency, exemplifies this trend and has triggered actions from both private citizens and public bodies. Additionally, there is a growing tension between distinct public interests, as seen in disputes where data privacy principles, such as proportionality, are invoked to oppose information requests from other state authorities like the National Economic Prosecutor’s Office (FNE).

Claimant Types and Causes of Action

Claimants generally fall into two categories: individual data subjects exercising constitutional protection actions or habeas data remedies, and public bodies acting within their competencies.

  • Individual Claimants: Individuals typically file protection actions (recursos de protección) alleging the violation of their constitutional right to privacy (Article 19 No 4 of the Constitution). Recent causes of action focus on the lack of informed consent for biometric scanning and the difficulty in exercising the right to suppression (deletion) of data.
  • Institutional Claimants: The National Consumer Service (SERNAC) has taken a proactive role, filing complaints against companies for questionable data collection practices and insufficient information provided to consumers. Public universities, for their part, have resisted data transfer requests from the FNE, arguing that such transfers violate the principle of proportionality.

SERNAC v WorldCoin

  • The National Consumer Service (SERNAC) has initiated legal action against WorldCoin, a company that scans people's irises in exchange for cryptocurrency, for alleged violations of the Consumer Law and the Privacy Law.
  • SERNAC argues that WorldCoin has failed to adequately inform consumers about the purposes for which their biometric data will be used and that the company has not implemented appropriate mechanisms to protect consumer privacy.
  • SERNAC has also expressed concern that WorldCoin has scanned the irises of minors without the consent of their parents or guardians.
  • SERNAC has asked the courts to suspend WorldCoin operations in Chile until it is proven that the company complies with regulations.

Universities v FNE

  • The National Economic Prosecutor’s Office (FNE) has faced opposition from three universities (PUC, USACH, and University of Chile) when requesting student contact information for a market study on higher education.
  • The universities argue that the FNE lacks the authority to request students' personal data (since, under the current Law No 19.628, this requires express legal authorisation), that doing so would affect the students' right to privacy, and that it would violate the principle of proportionality in the processing of personal data.
  • The FNE defends its competence to request the information, arguing that it is necessary for the market study and that Law No 20.945 grants it the power to require information from individuals.

Sánchez v WorldCoin

  • In this case, the Court of Appeals of Valparaíso rejected the protection action filed by a man against WorldCoin. The ruling was confirmed by the Supreme Court in December 2024.
  • The Court held that the plaintiff had consented to the scanning of his iris in exchange for cryptocurrency and that concerns about data storage on the blockchain should be resolved through the specific procedures established in Law No 19.628 (eg, the right to suppression of personal data).

The National Consumer Service (SERNAC) may also bring collective actions before the courts on behalf of the collective or diffuse interest of consumers.

General Legal Framework for Non-Personal Data

Unlike the European Union, Chile does not currently have a single, comprehensive piece of legislation equivalent to the EU Data Act that governs cross-sector access and sharing of non-personal data. There is no unified statutory regime dedicated solely to industrial data, non-personal IoT data, or the commercial exchange of data between private entities.

Instead, the regulation of non-personal data is fragmented across various sectoral laws and technical standards, focusing primarily on cybersecurity, public sector interoperability, and financial stability.

Public Sector Data Management and Interoperability

While a unified law is absent, there is significant legislative and regulatory activity regarding data governance within the state, which directly impacts private sector providers.

The National Public Sector Data Management System

Discussions are currently underway regarding a legislative proposal establishing the National Public Sector Data Management System. This initiative seeks to create a robust governance framework for data held by the state.

  • Secondary Regulations: The implementation of such a system implies the enactment of numerous secondary regulations to define technical standards.
  • Impact on Private Providers: This framework will significantly impact private entities providing services to the state, particularly regarding interoperability. Private vendors interacting with public bodies will be required to align their technical standards with government protocols to ensure seamless data exchange and security.

Digital Transformation Law

This move towards a data-driven state is supported by Law No 21.180 on the Digital Transformation of the state. This law mandates that administrative procedures be expressed through electronic media.

  • Interoperability: Public bodies must achieve a high degree of interoperability to avoid duplicating information requests to citizens.
  • Technical Standards: Decree No 7/2023 establishes technical standards for information security and cybersecurity, requiring public bodies to implement processes that safeguard confidentiality, integrity, and availability of information (both personal and non-personal) on their electronic platforms. There are other regulations establishing rules for interoperability, authentication, etc.

Cybersecurity and Critical Infrastructure

The protection of non-personal data is addressed through the lens of cybersecurity and critical infrastructure protection.

Cybersecurity Framework Law (Law No 21.663)

This law, which entered into force in 2024, applies to both public and private entities providing “essential services” (eg, energy, telecommunications, finance, digital infrastructure).

  • Scope: The law protects the resilience of networks and computer systems. It mandates the reporting of incidents that could have "significant effects" on the continuity of essential services, regardless of whether personal data is compromised.
  • Regulated Actors: The National Cybersecurity Agency (ANCI) regulates “Operators of Vital Importance” (OIV). These operators must implement security management systems to protect their information assets and ensure business continuity.
  • Cloud and Digital Infrastructure: The ANCI has identified critical digital functions, including data hosting, cloud administration (IaaS, PaaS, SaaS), and data processing services, as falling within the scope of the law due to their importance for national digital infrastructure.

Sectoral Guidance: Financial Services and Cloud Computing

Financial Market Commission (CMF) Rules

The CMF issues binding instructions, such as Chapter 20-7 of the Updated Compilation of Standards (RAN) and General Norms.

  • Cloud Outsourcing: Financial entities outsourcing data processing to cloud providers must ensure the provider maintains adequate security mechanisms (physical and logical) to isolate the entity's infrastructure from other clients.
  • Data Integrity and Availability: The regulations require measures to prevent information leaks or events affecting the availability, confidentiality, and integrity of the entity's data.
  • Encryption: Entities must use encryption techniques for data stored in the cloud, appropriate to the nature and sensitivity of the information.

National Data Centres Plan

To foster the non-personal data economy, the Ministry of Science launched the National Data Centres Plan 2024-2030. This policy aims to promote the growth of the local data centre industry, strengthen connectivity (eg, Humboldt submarine cable), and simplify the permitting process for digital infrastructure projects, thereby facilitating the processing capabilities required for AI and cloud computing.

Legal Basis and Lawfulness of Processing

The interaction between data regulation frameworks and privacy rules in Chile is fundamentally governed by the principle of lawfulness established in the new Personal Data Protection Law (Law No 21.719). Under this regime, the processing of personal data is only legitimate when founded on a specific legal basis, such as the consent of the data subject, the execution of a contract, compliance with a legal obligation, or the satisfaction of legitimate interests. The Cybersecurity Framework Law (Law No 21.663) explicitly states that any data processing carried out for cybersecurity purposes must strictly comply with Law No 19.628 (and its successor, Law No 21.719), particularly regarding the principle of purpose limitation.

Confidentiality of Personal Data

Confidentiality is a transversal obligation across Chilean digital regulations. The Personal Data Protection Law imposes a duty of secrecy and confidentiality on data controllers and processors, a duty that persists even after the relationship with the data subject has ended. In the public sector, officials dealing with sensitive data or infraction records are subject to strict secrecy obligations, where violations are considered grave breaches of administrative probity. Similarly, the Fintech Law (Law No 21.521) mandates that financial information service providers must maintain confidentiality and implement security measures to prevent unauthorised access or disclosure.

Intellectual Property and Non-Personal Data

Regarding non-personal data and intellectual property (IP), the regulatory framework seeks to balance transparency with the protection of proprietary assets. The Cybersecurity Framework Law obliges service providers to share information on vulnerabilities and incidents to prevent cyber threats; however, contracts regarding these services cannot restrict this communication unless it compromises IP protection. Furthermore, legislation on open finance and algorithmic transparency protects the “business secrets” and proprietary logic of algorithms while requiring sufficient information to be provided to the data subject regarding the consequences of automated decisions.

Interoperability and Data Sharing Conditions

Obligations regarding data sharing and interoperability are particularly strong in the public sector and the fintech ecosystem. The State Digital Transformation Law (Law No 21.180) and the new Data Protection Law require state bodies to achieve high levels of interoperability so that citizens are not asked for the same information more than once. For private entities, specifically within the Open Finance System, participants must implement Application Programming Interfaces (APIs) that ensure secure and standardised data exchange. These exchanges require the express, informed and specific consent of the client, which can be revoked at any time.

Competent Authorities

The enforcement landscape in Chile is transitioning towards a model with specialised technical authorities. The Personal Data Protection Agency, created by Law No 21.719, is the independent corporation responsible for supervising compliance, interpreting regulations, and sanctioning infringements regarding personal data.

In parallel, the National Cybersecurity Agency (ANCI) enforces the Cybersecurity Framework Law, supervising essential service providers and critical infrastructure. For the financial sector, the Financial Market Commission (CMF) retains jurisdiction over fintechs and banks, enforcing operational resilience and data protection standards specific to that industry.

Role of the Digital Government Secretariat

Regarding the public sector, the Digital Government Secretariat, which operates under the Ministry of Finance, plays a pivotal role. This entity serves as the intersectoral co-ordinator for the strategic use of digital technologies and data within the State Administration. It is empowered to issue circulars, technical guidelines, and directives to support public bodies in implementing data protection and information security standards.

Under both the current Law and the New Law that will come into force in December 2026, cookies that collect personal data constitute data processing. Companies that place such cookies must therefore obtain the consent of the data subject (subject to certain exceptions, or rely on another basis of lawfulness) and comply with the general rules for the processing of personal data.

Law No 19.496 on the Protection of Consumer Rights contains a provision on marketing through email. Every promotional or advertising communication sent by email must indicate its subject, the identity of the sender and a valid email address to which the recipient can send a request to stop receiving advertising communications, after which such communications are prohibited.

Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services must indicate an expedited way the addressees may request the suspension of the communications.

From a data privacy perspective, the use of personal data for direct marketing requires the consent of the data subject, unless the data comes from sources available to the public.

The Political Constitution of the Republic of Chile guarantees the respect and protection of the privacy and honour of a person and their family at a constitutional level. Such constitutional protection extends to workers. The same protection is guaranteed in Article 5 of the Chilean Labour Code.

According to the Labour Department of Chile, employers may regulate the conditions, frequency and timing of the use of company email, but may not, under any circumstances, access private email correspondence sent and received by employees, as this would violate the fundamental rights guaranteed by the Political Constitution of the Republic of Chile.

If a worker's privacy is breached and the worker belongs to a union, the union may take action to press the employer to comply with the Law.

All means to control workers – including cybersecurity tools – must comply with respect for the fundamental rights granted by the Political Constitution of the Republic of Chile, the right to privacy, a private life and the honour of workers. Therefore, control mechanisms are only allowed if they fulfil the following requirements:

  • They must be incorporated in the instrument that the law establishes for this purpose, namely the company's Internal Regulations of Order, Hygiene and Safety, issued in conformity with the law.
  • They may only be carried out by suitable means consistent with the nature of the employment relationship.
  • The application of control mechanisms must be general, and the impersonality of the measure must be guaranteed (ie, it must not be discriminatory).
  • The dignity of the worker must be respected.

Competition Law Considerations

The National Economic Prosecutor’s Office (FNE) reviews concentrations where data accumulation may affect competition. The combination of information assets, such as consumer databases and preferences, can create barriers to entry that weaken competition. Furthermore, the FNE evaluates whether a merger might degrade non-price variables, such as the terms of use or privacy policies applicable to users.

Asset Deals and Transfer of Databases

In asset deals, the transfer of a customer database from the seller to the buyer is legally classified as a "cession" (assignment) of data.

Requirements for Cession

Under the current regime, the general rule is that personal data may only be processed (which includes transferring it) when the law authorises it or the data subject consents. The New Law expands the bases for lawfulness: a transfer may also be justified if it is necessary for the execution of a contract between the data subject and the controller, or for the satisfaction of legitimate interests, provided these do not override the rights of the data subject.

Once an asset deal is closed, the status of the parties regarding the data changes.

New Controller Status

Upon the perfection of a data cession, the New Law establishes that the assignee (buyer) acquires the status of “data controller” for all legal effects. The assignor (seller) retains responsibility for any processing they continue to perform. If a cession occurs without necessary consent, it may be deemed void, obliging the buyer to delete the data.

At present, the Law contains no specific provision on international data transfers. However, the transfer of personal data outside the jurisdiction may be deemed a use of data, which would therefore require authorisation and compliance with the other requirements established by the Law.

However, the New Law has a chapter dedicated to the international transfer of personal data, contemplating a wide catalogue of cases that would allow data transfers to be carried out under a dynamic framework. See 5.5 Recent Developments.

No government notifications or approvals are required to transfer data internationally.

Under the New Law, it is likewise unnecessary to request authorisation from the Personal Data Protection Agency to carry out an international data transfer, except where none of the specific conditions under which such a transfer is lawful has been met.

Currently, the Law does not establish data localisation requirements, nor does the New Law provide for such limitations.

However, under Chapter 20-7 of the Updated Compilation of Standards (RAN) on the outsourcing of services by financial institutions (especially banks), the data, technological platforms, and applications to be used in the outsourcing of services must be located at specific processing sites, and in the case of processing abroad, in a defined and known jurisdiction. In addition to jurisdiction, the city where the data centres operate is also required to be known.

For the purpose of contracting any type of service through the modality called cloud computing, the board of directors of a financial institution must annually determine the level of risk tolerance that the financial institution is willing to assume in this type of outsourcing. This pronouncement must consider an analysis of the data to be stored or processed under this modality and its location.

Without prejudice to the due fulfilment of the different requirements contained in Chapter 20-7, financial institutions may outsource their non-critical services to the public or private cloud. If the financial institution evaluates the contracting of a cloud service for an activity considered strategic or critical, this may also be carried out in public or private cloud mode. However, in these cases, the financial institution must carry out enhanced due diligence of the provider and the service.

There are no blocking statutes in Chile.

The New Law, which will come into force in December 2026, regulates international transfers of personal data in a specific manner, unlike the Law currently in force. Thus, international data transfers will be lawful in the following cases:

  • When the recipient of the data is in a country with adequate levels of data protection.
  • When the transfer is covered by contractual clauses or other legal instruments.
  • When the data controller and the recipient adopt a compliance model or certification mechanism.

In the absence of an adequacy decision or adequate guarantees, a specific and non-recurring transfer may be made in the following cases:

  • express consent of the data subject;
  • bank, financial or stock market transfers;
  • compliance with international obligations;
  • international judicial co-operation;
  • conclusion or execution of a contract; and
  • urgent measures in medical or health matters.

The Personal Data Protection Agency will be responsible for determining which countries have adequate levels of data protection. A country’s legal system will be deemed to have adequate levels of data protection when it meets standards similar to or higher than those of Chile, taking into account at least whether the country has established principles governing the processing of personal data; the existence of regulations that recognise and guarantee the rights of data subjects and the existence of a supervisory authority; the imposition of information and security obligations; and the establishment of an infringement and liability regime.

The Agency may approve model clauses and other legal instruments only if they contain adequate guarantees for the cross-border flow of data; once approved, no additional guarantee or authorisation will be required.

When the transfer is made between companies or entities belonging to the same business group, related companies or companies subject to the same controller under the terms provided for in the Securities Market Law, provided that all of them operate under the same standards and policies regarding the processing of personal data, the transfers may be covered by binding corporate rules previously approved by the Agency.

The Agency may authorise in very exceptional cases, by means of a resolution, the international transfer of data for a particular case, provided that the transmitter and the recipient of the data provide the appropriate guarantees.

Adoption of Standard Contractual Clauses

To address the period of legal uncertainty before the New Law fully enters into force, the Ministry of Economy has issued a Resolution approving Standard Contractual Clauses (SCCs) for international transfers. These clauses are based on the models developed by the Ibero-American Data Protection Network (RIPD) and are intended to provide legal certainty and a compliance mechanism for controllers during the transition period. They cover transfers between controllers and from controllers to processors.

Potential Acceleration of the Agency’s Installation

Although the New Law is scheduled to enter into full force in December 2026, a legal reform is currently under discussion (Bulletin No 18036-05) that proposes modifying the deadlines for the appointment of the Council of the Personal Data Protection Agency. If approved, this reform would allow the President of the Republic to propose Council members to the Senate earlier than originally planned, enabling the Agency to exercise necessary functions for its installation and operational preparation before the general entry into force of the law in late 2026.

Magliona Abogados

Santiago de Chile
Avda Andrés Bello 2687
Piso 24, Las Condes
Santiago de Chile
Santiago
Chile

+56 2 3210 0030

+56 2 377 9451

contacto@magliona.cl www.magliona.cl