Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?

The legal framework for data protection can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law. In addition, Chile has a dedicated data protection law, Law No. 19,628 on Privacy Protection (the Law), which was published in the Official Gazette on 28 August 1999. The current Law is not based on any international instrument on privacy or data protection in force (such as the Organization for Economic Cooperation and Development (OECD) guidelines, Directive 95/46/EC, EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).

Data protection authority

Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?

In general, there is no special data protection authority in Chile; data protection is overseen and addressed by general courts with general powers. A summary procedure is established by law if the person responsible for the personal data registry or bank fails to respond to a request for access, modification, elimination or blocking of personal data within two business days, or refuses a request on grounds other than the security of the nation or the national interest.

However, other entities have powers in matters of personal data protection, the main ones being the following.

The National Consumer Service

The National Consumer Service (SERNAC) is the control body on matters of personal data protection in the context of consumer relations, until a specialised data protection agency is formed. SERNAC does not have sanctioning powers, although it can exercise its powers to supervise, inspect, investigate, file individual or class actions, and issue interpretative circulars that are mandatory for SERNAC officials when applying the regulation and the Law (e.g. at the time of an audit).

Among the circulars issued by SERNAC, the main ones are: the interpretative circular on good practices in electronic commerce; the interpretative circular on the criteria of equity in the stipulations of standard form contracts referring to the collection and processing of the personal data of consumers (e.g. terms and conditions of use, end user licence agreements, etc.); and the interpretative circular on consumer protection against the use of artificial intelligence systems.

The Council for Transparency

In the public sector, the Council for Transparency is responsible for ensuring compliance with Law No. 19,628 by the organs of the state administration. The Council has issued the Recommendations on Protection of Personal Data by the Organs of the State Administration, the Guide on Protection of Personal Data for Public Institutions (2021), and Resolution No. 489/2022, which approved the Procedure for Processing Requests for the exercise of ARCO (access, rectification, cancellation and objection) rights made before the Council for Transparency.

The Financial Market Commission

The Financial Market Commission (CMF) is the control body in the financial sector and has supervisory powers on matters of personal data protection, information security and cybersecurity. Thus, financial institutions must have an internal policy on security and management of debtor information (PISMID), which must follow international principles and best practices on personal data processing. In addition, the CMF is to issue the cybersecurity and personal data protection standards that financial institutions participating in the future Open Banking System must comply with. The Open Banking System is regulated by the recently approved Law No. 21,521, known as the Fintech Law.

Finally, according to the Bill on personal data protection (Bill No. 11.144-07), which is currently being discussed in the National Congress, the planned future agency regulating data protection in Chile will be an independent Personal Data Protection Agency.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

Currently, there is no data protection authority in Chile. A bill has been discussed in Congress that will reform the whole data protection environment in the country and will create the first data protection authority in Chile.

Breaches of data protection law

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Yes. Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law, ranging from 62,388 Chilean pesos (approximately US$78) to 623,880 Chilean pesos (approximately US$780), or from 623,880 Chilean pesos (approximately US$780) to 3,119,400 Chilean pesos (approximately US$3,900), depending on the infraction. Fines are determined through a summary proceeding.

The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by a civil judge, considering the circumstances of the case and the relevance of the facts.

The Bill on the protection of personal data, on the other hand, proposes a list of minor, serious and very serious infractions, and fines that can reach 623,880,000 Chilean pesos (approximately US$780,000) and, in the case of companies, a fine of up to the amount equivalent to 4 per cent of the annual income from sales and services and other activities of the line of business during the last calendar year, with a maximum of 1,247,760,000 Chilean pesos (approximately US$1,560,000), depending on the seriousness of the infraction.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Law No. 19,628 on Privacy Protection (the Law) applies to both private and public sector organisations and agencies. However, regarding public sector organisations, there are some special rules for the consent of the subject (ie, personal data about sentences for felonies, administrative sanctions or disciplinary failures and the records of personal data banks in government agencies).

Interception of communications and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?

The Data Protection Law does not cover interception of communications or monitoring and surveillance of individuals. Both matters are regulated by:
The Data Protection Law does cover electronic marketing, in the sense of establishing that no authorisation is required to carry out electronic marketing when the information comes from sources available to the public (registries or collections of personal data, public or private, with unrestricted or unreserved access for requesters).

Other laws

Are there any further laws or regulations that provide specific data protection rules for related areas?

Numerous laws address privacy issues, for example:

  • Law No. 21,459 (the Computer Crime Law);
  • articles 161-A, 369-ter and 411-octies of the Penal Code;
  • articles 222 to 226 of the Criminal Code of Procedure;
  • Law No. 20,584, which contains provisions regarding the privacy of medical records along with Law No. 19,628, which contains provisions stipulating that a doctor’s prescriptions and laboratory analyses or exams and services related to health are confidential;
  • Law No. 19,496, which contains provisions regarding credit information along with the same Law No. 19,628, which contains provisions about personal data related to obligations of an economic, financial, banking or commercial character;
  • Law No. 18,290, which contains provisions regarding the privacy of a driver’s information;
  • Law No. 19,799 regarding electronic signatures, which contains the right to privacy of the holder of an electronic signature; and
  • article 154-bis of the Labour Code, which establishes that the employer shall keep confidential all the information and private data of the worker to which he or she has access on the occasion of the employment relationship. Also, article 5 of the Labour Code establishes that the exercise of powers granted to the employer by law is limited by respect for the constitutional guarantees of the workers, especially when they may affect their privacy, private life or honour;
  • Law No. 21,521, known as the Fintech Law, which 'promotes competition and financial inclusion through innovation and technology in the provision of financial services';
  • Law No. 21,541, which authorises health providers to perform health care through telemedicine;
  • Law No. 21,398, or the Pro-Consumer Law, which granted the National Consumer Service the status of a control body on matters of personal data protection in the context of consumer relations until the establishment of a specialised body for the protection of personal data;
  • Decree No. 6/2021, which approves the Electronic Commerce Regulation; and
  • Decree No. 6/2022, which approves the Regulation on actions related to remote health care.

PI formats

What categories and types of PI are covered by the law?

The Law regulates the following categories or types of personal information (PI):

  • personal data: those related to any information concerning identified or identifiable natural persons;
  • sensitive personal data: those related to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health, and sex life; and
  • personal data relating to obligations of an economic, financial, banking or commercial nature.

On the other hand, the Bill on the protection of personal data would add other categories of PI to the Law, such as geolocation data, biometric data, health data, personal data of children and adolescents, among others.

Extraterritoriality

Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?

The Law does not contain an explicit provision in this respect; however, any use of the data will require consent or authorisation of the holder or subject of the personal data, if it is not subject to the exceptions mentioned in this chapter (transfer is a kind of personal data processing, thus, all the data privacy rules shall apply, including the consent requirement).

For its part, the Bill on the protection of personal data would amend the Law and, therefore, would add grounds for extraterritorial application of the Law.

Covered uses of PI

Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Yes, all processing of PI is covered. ‘Data processing’ is broadly defined in the Law as any operation or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form.

There is no distinction made between those who control or own PI and those who provide PI processing services to owners. The Law only refers to the ‘person responsible for a data registry or a bank’, which means any private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no different duties for owners, controllers or processors. However, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Law.

On the other hand, the Bill on personal data protection amending the Law distinguishes between data subjects, data controllers and data processors, and assigns specific rights, obligations, duties or tasks to each of them.