The National Congress approved the bill that substantially modifies the Law on the Protection of Privacy, or rather, the forthcoming Law on the Protection of Personal Data.
After 7 long years of processing, on August 26, 2024, the National Congress approved the bill that substantially modifies Law 19.628 on the Protection of Private Life, or better said, the next Law on the Protection of Personal Data.
Congress approved most of the Bill, with the exception of Article 55, which refers to the processing of personal data by State Bodies.
Now, it only remains to wait for the approval of the Constitutional Court for its subsequent enactment by the President of the Republic.
The regulatory change regarding the requirements and obligations related to the processing of personal data is radical and has a significant impact. Thus, the changes will essentially affect the organizational culture of any company or institution, whether public or private, when processing personal data of third parties.
From this description, we can understand the weight of the legislative amendment, since clearly today there is no organization or institution that does not collect, use, store, communicate and generally process personal information.
In this context, staying informed and anticipating the entry into force of the law seems to be the only viable strategy. The new regulatory provisions will cut across the internal management of every institution and, considering the penalties involved, reducing the margin of error and mitigating risks becomes a priority.
A good way to start is to take a look at the main updates and changes that significantly modify the regulatory landscape in our country:
- Basis of Lawfulness: The requirements for the holder's consent to processing are modified: consent, which had to be in writing, may now be oral or even given by electronic means, in line with the practice of the companies.
Other bases of lawfulness in addition to the consent of the holder and the Law (such as the performance of a contract between the parties or legitimate interest) are also incorporated, and data collected from sources freely available to the public is eliminated as an autonomous basis for processing (processing of data from public sources must also rest on one of the bases of lawfulness).
- Express recognition of the principles: The principles that must integrate the processing of personal data are expressly typified (previously they were blurred and the appropriateness of some of them was discussed). The application of the principles will be real and effective, since their contravention will be sanctioned in accordance with the Penalties Regime.
- Modification in the rights of the holders: The right of portability is created, which allows the holder to request a copy of the processed data, in a format that favors its portability to be operated by different systems, and the name of the right of “cancellation” is changed to “deletion”.
Thus, the acronym ARCO is changed to PROSA (Portability-Rectification-Opposition-Suppression-Access). It also includes the right to Block in certain cases.
- Creation of Supervising Entity: The Personal Data Protection Agency (“Agency”) is created, an autonomous corporation of public law, which will be related to the President of the Republic through the Ministry of Tourism, and whose purpose will be the supervision of this law and the issuance of guidelines and directives for its correct application. Likewise, it will have regulatory, supervisory and sanctioning powers.
- Creation of a Sanctioning Regime: A scheme of infractions (minor, serious and very serious) is created, together with their corresponding associated sanctions (with fines ranging from 5,000 UTM to 20,000 UTM), and a sanctioning procedure before the Agency is created.
In the procedure there will be aggravating and mitigating factors, one of which will be the adoption of an Infringement Prevention Model, which, if certified by the Agency, will mitigate the liability of the responsible party in the event of non-compliance.
- Regulation of the figure of Data Protection Officer: The international figure of DPO or Data Protection Officer is incorporated, under the denomination of “Data Protection Officer”, and its functions are included.
Its incorporation is NOT mandatory, but may be incorporated by companies within the framework of the voluntary adoption of an Infringement Prevention Model.
- Regulation of International Data Transfer: The international transfer of data is regulated, replicating international standards and favoring the transfer to countries where the regulation of personal data is adequate, that is, whose standard is equal to or higher than that of Chile.
- Obligations for the Controller and Processor: Various obligations are typified for the Controller, but obligations are also imposed on the Processors, so that all actors involved in data processing must assess and review the obligations that apply to them according to their role in the processing.
The obligations include:
- The duty to adopt security measures and report possible violations to the Agency.
- The duty of secrecy or confidentiality.
- The duty of information and transparency.
- The duty to incorporate protection by design and by default, and to duly regulate the processing of data when it is carried out by an agent or processor.
- Conduct a Personal Data Protection Impact Assessment in the event that the circumstances regulated by the standard apply.
- Effective date: The new regulations will take effect 2 years after the date of publication of the law in the Official Gazette.
In addition, there will be a period of 12 months from the date of entry into force, in which SMEs will only be sanctioned with a reprimand, in order to encourage their adaptation to the new regulatory standard.
Thus, Chile takes an advantageous position at a collective level, not only through regulation that entails respect for and protection of a fundamental right that is essential and highly valuable in the digital era, but also at a commercial level, by positioning itself as a reference in Latin America and as a much more attractive country to contract with for companies that must comply with high standards regarding the protection and security of information, as is the case of the European Union.
Now, with respect to the individual advantage, it is also time to take advantage of it. This implies a call to us, as holders of the information, to value and raise awareness of our rights regarding its management and protection.
On the other hand, for the institutions obliged to comply, it becomes essential to use the 24 months before the law takes effect as a strategic and unique opportunity to anticipate the new regulatory landscape and reduce the consequences that may arise from situations of non-compliance.
For more information on these topics, please contact our IP, Tech and Data team:
Rodrigo Albagli | Partner | ralbagli@az.cl
Eugenio Gormáz | Partner | egormaz@az.cl
Antonia Nudman | Senior Associate | anudman@az.cl
Carlos Lazcano | Senior Associate | clazcano@az.cl
Fernanda Rodríguez | Associate | frodriguez@az.cl
Esteban Orhanovic | Associate | eorhanovic@az.cl