Webinar | Main questions about the Personal Data Protection Law

Jan 2, 2025

Our az Tech team answered the questions that were generated during the webinar “How to Implement the New Personal Data Protection Law in your Company”.

On December 13, 2024, the Personal Data Protection Law was published. It is subject to a 24-month vacatio legis (statutory waiting period) and will enter into force on December 1, 2026.

In this context, az conducted a webinar “How to Implement the New Personal Data Protection Law in your Company”.

The event was moderated by our az Tech director, Ivonne Bueno, and the panelists were our senior associate of Grupo IP, Tech and Data, Antonia Nudman, together with Gabriela Eileen Lis, External Partner – Data Privacy Team of Mercado Libre and Leocadio Marrero Trujillo, CEO of GRCx3- Governance, Risk and Compliance.

The webinar focused on the key aspects that organizations should consider in order to adapt to the new regulation. Several questions were asked after the webinar, and we answer them in this publication.

Main questions regarding the Personal Data Protection Law:

Main Aspects

1. What are the implications of the new regulation of personal data in the financial system?

Article 13 of the new law provides that it is lawful to process personal data, without the consent of the owner, when it refers to data relating to economic, financial, banking or commercial obligations and is carried out in accordance with the rules of Title III of the law, including data relating to the socioeconomic situation of the owner.

In this case, it is the law itself that authorizes the processing of this type of data, without the need for any other lawful basis, such as the consent of the data subject.

2. Is there any provision regarding the processing of data of legal entities?

No. Law No. 21.719 provides that personal data refers to any information linked to or referring to identified or identifiable natural persons.

3. What is the implementation process?

The law does not establish an implementation process; this will depend on each organization, its resources, its willingness and its level of maturity.

However, it can be pointed out that any process should at least include a diagnosis of the organization’s compliance with the law, including the identification of data processing activities and the construction of a risk matrix.

Subsequently, the organization could consider an infringement prevention program, which sets out the specific measures the entity will adopt to comply with the law; these may involve both process changes and documentary adjustments.

As compliance programs are dynamic, it will also be necessary to establish the controls and audits needed to verify whether the model is being implemented correctly.

4. Does the law define what is considered “legitimate interest of the responsible party” and can you give an example?

No, it does not define it; it only establishes it as a lawful basis for processing personal data in Article 13, letter d).

An example could be a company that implements security measures to monitor network traffic in order to detect and prevent cyberattacks. The processing would be justified on the grounds that ensuring the integrity and availability of information systems is essential for the continued operation of the business.

Another example would be the analysis of customer transactions by a bank to identify suspicious patterns that may indicate fraudulent activities.

5. Is an “OK” given in the app before the law sufficient authorization to use the data?

No. The law establishes stricter rules regarding the consent of the data owner, i.e. the app user. Indeed, the consent of the owner must be free, informed and specific as to its purpose or purposes.

In addition, it must be expressed in advance and unequivocally, by means of a verbal or written statement, through an equivalent electronic means, or by an affirmative act that clearly shows the data subject’s will.

If these requirements are met, the user’s personal data may be processed, but only for the purposes for which the user’s approval was requested.

Supervisory authority and other relevant entities

1. Should the Data Protection Agency start operating at the end of the 24 months?

According to the transitional provisions of the law, it is understood that the Personal Data Protection Agency will start operating once the law comes into force, i.e. on December 1, 2026. Its statutes must be proposed within 90 days after this date.

What does its creation depend on?

Its creation is established in a law of the Republic, so it must necessarily be complied with, unless another law establishes otherwise.

What ministry will it depend on?

The law establishes that the Agency will be an autonomous corporation of public law, of a technical, decentralized nature, with legal personality and its own assets, which will be related to the President of the Republic through the Ministry of Economy, Development and Tourism.

2. In Chile, would it be applicable that the first action of the Agency consists of training and raising public awareness?

Among the powers of the Personal Data Protection Agency is the power to develop programs, projects and actions of dissemination, promotion and information to citizens regarding respect for the protection of their personal data. How this power and the others granted by the law are exercised will depend on the criteria the Agency’s management decides to adopt. That is to say, in principle, it could choose an educational role, a more enforcement-oriented role through sanctions, or both.

3. In the implementation of the new law: What is the role of a lawyer and other professionals (Risk Auditors, Computer Engineers, etc.)?

In the implementation of a new law, especially in the area of personal data protection, multidisciplinary collaboration is essential. Each professional brings specific expertise that, together, ensures effective and comprehensive compliance with the regulations.

Lawyers, for example, play a key role in implementing the new law, helping companies understand their legal obligations, interpreting the regulation and conducting compliance audits to identify areas of non-compliance. They also draft and review key legal documents such as privacy policies and terms of use, design mechanisms for obtaining user consent, and handle requests for access, rectification, erasure, objection and data portability.

For their part, auditors will be needed, for example, to identify risks in the handling of personal data and assess the impact of processing, especially in projects that may pose high risks to the rights of individuals.

In turn, IT professionals help implement technical cybersecurity measures to protect personal data, such as encryption, strong authentication and access controls. They will also continuously monitor information security in order to detect and respond to security incidents, among other functions.

4. In the area of subcontracting, what actions should a client company take to guarantee the protection of the data and documentation that must be submitted by the employees of contractor companies to be accredited and authorized to work in their respective specialties? In addition, an occupational medical examination is one of the requirements.

In the future, it is recommended to contract companies that hold ISO certifications in data protection and/or have breach prevention models certified by the future Personal Data Protection Agency, in order to ensure that the information handled by such entities complies with the provisions of the new regulations.

In the meantime, until the new law enters into force, it is advisable to reinforce the contract between the client company and the contractor by incorporating clauses that raise the requirements regarding the protection of personal information handled by the contractor company.

Regulated entities

1. Does the new law take care of groups of companies or holding companies that share personal data of customers, suppliers, employees and other related parties?

To a large extent, yes.

The new law defines the communication of personal data as the “disclosure by the data controller, in any form, of personal data to persons other than the data subject to whom the data pertains, without actually assigning or transferring them”.

As there are no other specific rules governing this activity, the general rules must be applied.

The law also defines the transfer of personal data. In this regard it states that it is the “transfer of personal data by the data controller to another data controller.” In this case, data may be transferred with the consent of the owner and for the fulfillment of the purposes of the processing. In addition, they may be transferred when the transfer is necessary for the fulfillment and performance of a contract to which the holder is a party, when there is a legitimate interest of the transferor or transferee and when provided by law.

If an international transfer of personal data between companies located in different countries is required, it must comply with the provisions of Article 27 and following, which regulate, among other matters, the requirements for such transfers.

2. How should an SME that does not have qualified personnel, such as a lawyer, a risk prevention officer, etc., deal with this new law?

Since the Personal Data Protection Agency has not yet been established, there are no official guides to help SMEs implement the law. Therefore, it is advisable to engage legal advisers who can support them in the process of adapting their operations to the standards of the law.

Notwithstanding the above, we would like to point out that the new law contains some accommodations for smaller companies. For example, it provides that, in the case of micro, small and medium-sized companies, the tasks of the personal data protection delegate may be assumed personally by the owner or its highest authorities.

It also establishes that in the period from December 1, 2026 to December 1, 2027, in cases in which a sanction is applicable to companies classified as smaller (Law No. 20.416), the Agency may apply a written warning as a sanction, indicating to the data controllers the seriousness of the infringement, the infringing conduct, and the mitigating and aggravating circumstances of liability, if applicable.

It should be noted that, without prejudice to the foregoing, these sanctions must also be recorded in the National Registry of Sanctions and Enforcement provided by law.

3. Who is going to review the prevention model? As I understand it, it is the “Agency”. How can a review be obtained?

Indeed, the Personal Data Protection Agency will be in charge of certifying that a breach prevention model complies with the law. As for the certification procedure, it will be defined by a regulation to be issued by the Agency.

Sanctions

1. Would it be possible to seek the liability of the infringer against third parties based on this law (or on the Constitution), or will it be necessary to resort to a different law to pursue the damages caused to the third party? (Civil Code, Consumer Law, among others).

The law contemplates the sanctions of written warning and fine in case of infringements. The second paragraph of Article 34 of the law provides that the liability incurred by a natural or legal person for the infringements established in the law is understood to be without prejudice to any other legal, civil or criminal liability that may apply.

Regarding civil liability, Article 47 of the law establishes that the data controller must compensate the pecuniary and non-pecuniary damage caused to the data subject(s) when, in its data processing operations, it infringes the principles established in Article 3, or the rights and obligations established in this law, and causes them harm.

The provision adds that the action for compensation may be filed once the resolution that upheld the claim filed before the Agency is final and enforceable, or, where a claim of illegality was filed, once the judgment is final and enforceable; the action will be processed in accordance with the rules of the summary procedure established in Articles 680 and following of the Code of Civil Procedure.

2. Is it a good option to start with the mapping of data and parameterization of systems and information access profiles, rather than waiting to survey all the processes, which may take longer (without prejudice to the medium and long term)?

It is a viable alternative, but it is advisable to begin the process survey as soon as possible, since identifying the processes could take time. This information is used to build a diagnosis of the organization’s compliance status, which will allow it to start taking the measures necessary to be in compliance before the new law enters into force (December 1, 2026).

In conclusion, as emphasized during the webinar, it will be extremely important to take advantage of the 24-month period prior to the entry into force on December 1, 2026, so that companies and different organizations can adapt and prepare for the new law.
