New personal data protection regime in Chile
By Mariano Peruzzotti and Candela Basilotta
On December 13, Law No. 21,719, amending the Chilean Data Protection Law, was published in the Official Gazette.
In a nutshell, here are some of the new aspects incorporated by the law:
- Extraterritorial scope: The law extends the application of its provisions to entities located outside the territory of Chile.
- New principles: The law includes data processing principles similar to the EU’s General Data Protection Regulation (“GDPR”) that were not included in the previous regulation.
- Legal bases: The law recognizes consent as the primary legal basis for data processing, with exceptions including legitimate interest, the performance of a contract or pre-contractual measures, the need to comply with a legal obligation, and the exercise of defense before courts or public authorities.
- Security duties: The security obligation is strengthened by establishing minimum standards that both controllers and processors must comply with.
- Data breach notification: Controllers will be required to notify the data protection authority of any data breaches that affect data subjects’ rights. Additionally, there are provisions requiring notification to affected data subjects in certain cases.
- Data Protection Impact Assessments (“DPIA”): The law places the obligation on controllers to conduct a DPIA in certain circumstances.
- Data Protection Officer (“DPO”): Controllers may appoint a DPO.
- Data subject rights: The catalogue of rights is expanded to include the right to object and the right to data portability, among others.
- Response to data subject requests: Controllers have 30 calendar days to respond to data subject requests, with a one-time extension of an additional 30 days if necessary.
- Cross-border data transfer: The international transfer of personal data to non-adequate jurisdictions is restricted. Moreover, the new law provides mechanisms for validating transfers, as well as exceptions.
- Authority: A data protection authority is created with the power to investigate infringements and impose sanctions.
- Sanctions: The sanctions regime follows the criteria outlined in the GDPR.
The provisions incorporated by the new law will come into effect within two years.
The complete text of the law can be consulted in Spanish here.
For further information please contact Mariano Peruzzotti at mperuzzotti@ojambf.com or Candela Basilotta at cbasilotta@ojambf.com.