On August 26, 2024, Chile marked a significant milestone with the approval of the New Personal Data Protection Law, after seven years of parliamentary processing. This law strengthens the rights of data subjects and sets stricter regulations regarding the collection, processing, and protection of personal information.
Objectives of the New Personal Data Protection Law in Chile
The new law, set to take effect in October or November 2024, aims to provide both businesses and citizens with a modern legal framework ensuring that personal data is treated with the respect and care it deserves. It seeks to align Chile’s data protection standards with those of the European Union’s General Data Protection Regulation (GDPR).
To achieve this, the law introduces significant changes to the rights of data subjects and the obligations of companies and organizations that handle personal data. Below is a summary of the law’s key aspects:
Creation of the Personal Data Protection Agency
One of the most notable features of the law is the creation of the Personal Data Protection Agency. This independent and decentralized body will oversee compliance with the law, resolve complaints from data subjects, and enforce penalties for violations.
The agency will also manage the National Registry of Sanctions and Compliance, a public database documenting sanctions imposed on those responsible for data processing. This could have serious reputational consequences for companies involved in violations.
Expanded Rights for Data Subjects
The law significantly expands the rights of individuals over their personal data. Key rights include:
- Right of Access: Individuals can request information on what personal data has been collected and how it is being used.
- Right to Rectification: Data subjects can correct any incorrect or outdated information.
- Right to Erasure: Individuals can request the deletion of their data when it is no longer necessary.
- Right to Data Portability: People can obtain a copy of their data in a format that allows it to be transferred to another entity.
- Right to Object to Automated Decisions: Data subjects can challenge decisions made solely through automated processes, such as credit scoring or job performance evaluations.
Organizations will have 30 days to respond to these requests, or data subjects can file a complaint with the Personal Data Protection Agency.
Territorial Scope
The law covers a wide territorial scope, regulating data processing in several scenarios, such as:
- When the data controller or processor is located in Chile.
- When the processor, even if located outside Chile, processes data on behalf of a controller based in Chile.
- When foreign organizations handle data for offering goods or services to individuals in Chile.
Foreign organizations must designate a contact email to receive communications from Chilean data subjects and the Personal Data Protection Agency.
Legal Bases for Data Processing
The law states that, as a general rule, personal data processing must be based on the explicit consent of the data subject. However, it also recognizes other legal bases, such as compliance with legal obligations, the execution of contracts, and the legitimate interest of the controller, provided that fundamental rights are not infringed.
Key Principles for Data Processing
The law outlines several fundamental principles that guide data processing:
- Lawfulness and Fairness: Controllers must ensure that the data processing is legal.
- Purpose Limitation: Data must be collected and processed for the specific purposes communicated to the data subject.
- Data Minimization: Only the necessary data should be processed.
- Accuracy: Data must be accurate, complete, and kept up to date.
- Security: Organizations must implement appropriate security measures to protect data from unauthorized access or incidents.
- Confidentiality: Those handling the data must maintain its confidentiality and take necessary steps to safeguard it.
Impact Assessments
When data processing presents a high risk to the rights of individuals, an impact assessment must be conducted. This is especially relevant for cases involving mass or sensitive data processing. If high risks are identified, the data controller may consult the Personal Data Protection Agency before proceeding.
International Data Transfers
The new law also regulates international data transfers, allowing them only in the following cases:
- Transfers to countries with adequate levels of protection, as determined by the Personal Data Protection Agency.
- Transfers based on contracts with adequate safeguards to protect the data.
- Transfers with the explicit consent of the data subject or to comply with international legal obligations.
Penalties for Non-compliance
The penalties for violating the New Personal Data Protection Law are substantial, varying based on the severity of the offense:
- Minor violations (e.g., failure to provide information): A written warning or fines up to 5,000 UTM (approximately USD 387,000).
- Serious violations (e.g., processing data without legal grounds): Fines up to 10,000 UTM (approximately USD 775,000).
- Very serious violations: Fines up to 20,000 UTM (approximately USD 1,550,000) or 4% of a company’s annual revenue. These apply when data is processed fraudulently or maliciously.
In case of repeated violations, fines can increase up to three times the original amount. For very serious offenses, the Personal Data Protection Agency may suspend the organization’s data processing activities for up to 30 days.
Preparing for the New Personal Data Protection Law
With the law expected to take effect in late 2024, it will fundamentally change how organizations handle personal data in Chile.
Whether you are an individual concerned about your data rights or a business responsible for processing data, now is the time to adjust your policies and practices. At Becker Abogados, our team specializes in this new data protection legislation and can help you comply with all the requirements. Contact us today for expert guidance to safeguard your data and ensure compliance with the law.