Chile establishes new Data Protection Law, raising privacy standards
Chile has published a new law aimed at strengthening the protection of personal data, bringing the country’s policy up to par with international privacy standards such as those set by the European Data Protection Regulation (GDPR).
The new Data Protection Law (DPL) regulates the processing of personal data and creates the Personal Data Protection Agency (PDPA), among other changes that mark significant advances in the protection of privacy in Chile and how companies handle and store their users' data. Organizations are now responsible for monitoring and adjusting their practices to comply with these new regulations as to avoid possible penalties for violation.
The main aspects of the new regulations include the following:
New obligations and principles
The DPL establishes the following new principles under which data can be processed and used: lawfulness and fairness, purpose, proportionality, quality, accountability, transparency and information, and confidentiality.
To manage the new principles, the DPL requires companies to have an internal data controller, which can either be a person or a company, to decide on the purposes and means of the processing of personal data. The data controller will be required to:
- Inform and make available to the owners the necessary information to demonstrate the legality of the processing of their data
- Maintain secrecy or confidentiality of personal data, and
- Implement appropriate technical and organizational measures for processing personal data, which must be applied from the project’s inception and continue throughout the processing of personal data.
New government agencies
- Personal Data Protection Agency (PDPA): The new governmental agency is established to ensure the adequate protection of the private life of individuals with regard to the use of their personal data, as well as to enforce compliance from organizations.
In this role, the PDPA will certify, register, and supervise organizations’ prevention models and compliance programs, as well as manage the National Registry of Sanctions and Compliance. In addition, the agency will have an educational role in which it will develop programs, projects, and actions for dissemination, promotion, and information to citizens and provide technical assistance to various bodies. - Data Protection Officer (DPO): The establishment of the DPO is a key facet in the compliance model outlined in the DPL. The DPO’s duties include cooperating with and acting as a point of contact for the new PDPA and assisting the organization's members in identifying potential non-compliance in their data-processing operations.
The DPO will have autonomy in administering these matters. In the case of micro, small, and medium-sized companies, the owner or the company’s highest authority may personally assume the tasks of DPO.
Infringement prevention model
The DPL mandates organizations to adopt an infringement prevention model that will allow each organization to track their compliance with the new laws. The model must be certified and accredited by the Data Protection Agency.
Infractions and fines
The law establishes a catalog of offenses and penalties, mitigating and aggravating factors, an infringement procedure, and a judicial claim procedure. It distinguishes between minor, severe, and very serious infractions, with the highest fines reaching up to UTM20,000 (approximately USD1.4 million).
Processing of sensitive data
The processing of sensitive data may only be carried out when the owner expressly gives consent, for which either a written or verbal statement or an equivalent technological means suffices. Nevertheless, the DPL establishes exceptions to this rule, such as the processing of sensitive personal data that the holder has made public and whose processing is related to the purposes for which it was published or is based on a legitimate interest that meets certain conditions and is carried out by a legal, non-profit-seeking entity.
International data transfers
The DPL requires the regulation of international transfers of personal data and determines the cases in which they may be legal, such as the transfer to organizations, entities, or persons that provide adequate levels of personal data protection or are covered by standard contractual clauses.
