We invite you to read the column written by our senior associate, Antonia Nudman, on the main changes brought by the new Personal Data Protection Law in Chile.
Today all organizations collect, store and communicate some type of data. In this scenario, the new local Personal Data Protection Law will imply important changes for companies in the country.
After seven long years of processing, the National Congress approved this week the Personal Data Protection Bill. Now, it only remains to wait for the approval of the Constitutional Court for its subsequent promulgation by the President of the Republic.
The regulatory change regarding the requirements and obligations related to the processing of personal data is radical and has a significant impact. Thus, the changes will essentially affect the organizational culture of any company or institution, whether public or private, when processing personal data of third parties.
From this description, we can understand the weight of the legislative amendment, since, today, there is no organization or institution that does not collect, use, store, communicate and, in general, process personal information.
In this context, the call to be informed and to anticipate the entry into force of the regulation seems to be the only viable strategy. A good way to start is to take a look at the main updates and changes that significantly modify the regulatory landscape in our country.
The first main modification is the change in the requirements for the consent of the owner for its processing, which had to be in writing, and can now be oral and even by electronic means, in line with the practice of companies. In addition, data collected from sources freely available to the public is eliminated as an autonomous authorization for processing.
The second change is that the principles that must be included in the processing of personal data are expressly typified (previously they were blurred and the appropriateness of some of them was disputed). The application of the principles will be real and effective, since their contravention will be sanctioned.
On the other hand, the international transfer of data is regulated, replicating international standards and favoring the transfer to countries where the regulation of personal data is adequate. That is, whose standard is equal to or higher than that of Chile.
Fourthly, the right of portability is created, which allows the holder to request a copy of the processed data, in a format that favors its portability to be operated by different systems. It also includes the right to blocking in certain cases.
The fifth major change is the creation of the Personal Data Protection Agency, an autonomous corporation under public law, whose purpose will be the supervision of this law and the issuance of guidelines and directives for its correct application. It will also have regulatory, supervisory and sanctioning powers.
Finally, a scheme of infractions (minor, serious and very serious) is created, together with their corresponding penalties (fines of up to 20,000 UTM), and a sanctioning procedure before the Agency is created.
In the procedure there will be aggravating and mitigating factors, one of which will be the adoption of an Infringement Prevention Model which, if certified by the Agency, will mitigate the liability of the responsible party in the event of non-compliance.
Thus, Chile takes an advantageous position at a collective level. Not only from the regulation that implies the respect and protection of a fundamental right that is essential and substantially valuable in the digital era, but also at a commercial level, being positioned as a reference in Latin America.
The law will enter into force 24 months after its publication. This time is a strategic and unique opportunity for companies to anticipate the new regulatory landscape and reduce the consequences of non-compliance.
Recent Comments