The bill now only needs to be promulgated by the Executive and published in the Official Gazette to become law.
Last November 14, the Constitutional Court completed its preventive review of the bill that regulates the Protection of Personal Data and creates an agency for that field, declaring all of its provisions constitutional.
To become law, the bill now only needs to be promulgated and published in the Official Gazette, which should occur within the next few weeks. This regulation will become effective 24 months after its publication.
The ABC of the New Law
A. Obligated Subjects
The new law applies to all persons, natural or legal, who process personal information, both as data controllers and data processors, including small, medium and large companies, government agencies, corporations, foundations and associations, among others.
B. Innovations
- New lawfulness bases: The lawfulness bases (authorization to process personal data) are expanded beyond the consent of the holder and the law to include, for example, legitimate interest, the conclusion or execution of a contract, and the defense of a right before the courts, among others.
- Rights of the holder: The rights of access, rectification, deletion and opposition (including the right to oppose automated decisions), blocking and portability are established.
- Guiding principles for data processing: The processing of personal information must comply with the principles explicitly provided for: lawfulness and fairness, purpose, proportionality, quality, accountability, security, transparency and information, and confidentiality. Non-compliance entails infringement and penalties.
- New duties of the data controller: The duties to protect data by design and by default, report violations and adopt security measures, etc., are established.
- Compliance in Personal Data Protection and DPO: A new voluntary program for the prevention of infringements (compliance program) is created which, if implemented and certified by the Agency, could constitute an attenuation of liability. This model includes the figure of a data protection officer (DPO), who must ensure compliance with the program.
C. Agency, Sanctions and Registry
- Personal Data Protection Agency: A new authority is created with powers to issue rules, supervise compliance with the law and sanction violators, among others.
- New sanctioning regime: Infringement of the duties, obligations and principles established in the law may lead to sanctions ranging from a written warning to fines of up to 20 thousand UTM (US$1.5M approx.), including in certain cases the suspension of data processing for 30 days.
- National Registry of Sanctions and Compliance: A registry administered by the agency will be created, which will include those responsible for adopting a certified breach prevention model and the sanctions imposed on violators of the law.
For more information on these issues, please contact:
Eugenio Gormáz | Partner | egormaz@az.cl
Ivonne Bueno | az Tech Director | ibueno@az.cl
Antonia Nudman | Senior Associate | anudman@az.cl
Carlos Lazcano | Senior Associate | clazcano@az.cl
Fernanda Rodríguez | Associate | frodriguez@az.cl
Esteban Orhanovic | Associate | eorhanovic@az.cl