Personal Data Protection Law (CLPP) Chile

    Overview

    Chile’s Personal Data Protection Law, originally enacted as Law No. 19,628 in 1999, establishes comprehensive rules to govern the collection, use, and protection of personal data. The law’s 2024 amendments expanded its scope to include new rights for individuals, detailed responsibilities for organizations, and provisions for data transfers. The law aims to safeguard individuals’ personal data rights while promoting transparency and accountability in data processing activities. The Agencia de Protección de Datos Personales (Agency for the Protection of Personal Data) was created to oversee and enforce compliance with the law.

     

    Regulation Summary

    Timeline
    • August 28, 1999: Initial Personal Data Protection Law (Ley 19.628) enacted.
    • May 9, 2023: Latest modifications to Ley 19.628.
    • December 13, 2024: Ley Núm. 21.719 enacted, replacing previous regulations.
    • November 30, 2026: Full transition to the new legal framework.
    What Businesses Are Affected
    • Companies processing personal data of individuals in Chile.
    • Organizations offering goods/services to Chilean residents, regardless of location.
    • Any entity monitoring the behavior of Chilean residents.
    • Public institutions handling personal data.
    Exemptions
    • Personal use of data.
    • Media organizations processing data for journalism.
    • Data processed for national security purposes.
    Responsibilities for Businesses
    • Obtain clear and informed consent before processing personal data.
    • Ensure transparency in data collection and usage.
    • Implement security measures to prevent unauthorized data access.
    • Provide users with access to, and control over, their data.
    • Appoint a Data Protection Officer (DPO) if required by law.
    Specific Responsibilities for Website Owners
    • Implement cookie consent mechanisms.
    • Maintain a clear and accessible privacy policy.
    • Secure online forms handling personal data.
    • Enable users to exercise data rights through an online portal.
    Additional Requirements
    • Data transfers outside Chile must comply with adequacy standards, contractual safeguards, or other legal mechanisms such as explicit consent or regulatory approval.
    • Impact assessments required before high-risk data processing, such as large-scale profiling or handling of sensitive data.
    • Data Protection Officers required for companies processing large-scale or sensitive personal data.
    Data Subject Rights
    • Access: Right to request copies of personal data.
    • Rectification: Right to correct inaccurate or outdated information.
    • Erasure: Right to request deletion of personal data.
    • Portability: Right to receive data in a structured format.
    • Objection: Right to refuse data processing under certain conditions.
    Enforcement
    • Regulatory Authority: Agency for Personal Data Protection.
    • Penalties: Fines up to 20,000 UTM (~$1.5 million USD) for severe violations.
    • Sanctions: Temporary suspension of data processing activities for repeated infractions.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596