The new Personal Data Protection Law in Chile aims to strengthen the privacy and security of citizens regarding the use of their information on digital platforms.
This new regulation introduces significant changes in how personal data should be managed, establishing clear obligations for organizations and expanding the rights of data owners.
Below, we address the most common myths about this law, explaining how the reality of its application affects companies of all sizes, establishing a more rigorous regulatory framework.
Doesn't the new law affect how personal data is collected on websites or apps?
Reality: With the new regulatory framework, greater transparency will be required in the collection and processing of personal data on digital platforms. Data controllers will have to clearly disclose the purposes of the processing and the legal bases that justify it, in addition to adopting appropriate technical and organizational measures to ensure privacy protection from the design stage. Users will have more control over their data, which directly impacts how cookies, forms and other online information collection technologies are managed.
Are only large companies required to comply with the law?
Reality: The law affects all entities that process personal data, regardless of their size or nature. This includes both small and large companies and individuals. Although SMEs will have an additional 12-month “grace period” to comply, all, including individuals, must eventually comply with the provisions. Failure to comply with the regulations could result in significant penalties, even for small businesses and individuals handling personal data.
Is international data transfer still unregulated?
Reality: The new framework explicitly regulates international data transfers, establishing clear criteria as to when they are lawful and the obligations that data controllers must comply with.
Doesn't the new law provide for serious penalties for violations?
Reality: The new law introduces a strict penalty regime, with fines varying according to the seriousness of the infringement (minor, serious and very serious). Very serious infractions can carry fines of up to 20,000 UTM. In addition, in cases of recidivism, the National Data Protection Agency has the power to suspend processing activities for up to 30 days, which implies a severe consequence for the operations of any organization.
Are data controllers obliged to inform about the legal basis of the processing?
Reality: The new draft establishes that the data controller must inform data subjects about the lawful basis for processing their data. They must also adopt technical and organizational measures from the design to the execution of the processing to guarantee the confidentiality and security of personal data.
Is there an authority to supervise compliance with the law?
Reality: The creation of the National Data Protection Agency is one of the most relevant changes in the bill. This body will have powers not only to supervise compliance with the regulation, but also to sanction those who violate it. It will also be responsible for issuing guidelines to ensure proper data processing and certifying prevention models implemented by organizations.
Are the rights of data subjects waivable or negotiable?
Reality: Data subjects’ rights, such as access, rectification, erasure, objection and data portability (ARCOP Rights), are non-transferable, non-waivable and cannot be limited by any contract or agreement. This ensures that holders always maintain control over their personal data, and any act to the contrary will be considered a violation of the law.
Are data controllers required to adopt a compliance program?
Reality: While implementing a compliance program can be beneficial, it is not required by law. Data controllers can implement a breach prevention model, which consists of a compliance program; while highly recommended, it is voluntary. Such a model makes it possible to establish in order to prevent possible breaches in the processing of personal data.
Does the new Personal Data Protection Law not apply to foreigners who are not established in the country?
Reality: The Law does apply to foreign entities when their operations and processing of personal data are intended to offer goods or services in Chile, regardless of whether payment is required. It also applies to these entities when they monitor the behavior of data subjects who are in the national territory, which includes activities such as analysis, tracking, profiling or prediction of behavior. This means that, even if a data controller or agent is not physically in Chile, it must still comply with the provisions of the Law if its actions impact data subjects in our country.
Is it necessary to perform a personal data protection impact assessment?
Reality: The Law establishes that, when it is foreseen that a type of processing may generate a high risk for the rights of data owners (due to its nature, scope, context, technology used or purposes), the data controller must carry out a personal data protection impact assessment. This assessment must be carried out before starting data processing operations, with the aim of identifying and mitigating risks.
In conclusion, the law establishes a modern framework in line with international regulations, providing greater guarantees to data subjects and requiring a high level of compliance from all organizations.
Understanding the new obligations and mitigating risks is key to anticipating sanctions and taking advantage of the legislative vacancy period to implement the appropriate measures.
For more information on these topics, please contact:
Eugenio Gormáz | Partner | egormaz@az.cl
Ivonne Bueno | az Tech Director | ibueno@az.cl
Antonia Nudman | Senior Associate | anudman@az.cl
Carlos Lazcano | Senior Associate | clazcano@az.cl
Fernanda Rodríguez | Associate | frodriguez@az.cl
Esteban Orhanovic | Associate | eorhanovic@az.cl