Chile
Information
Extracts :
Extract :
The Law applies to the territory of Chile. Nevertheless, the Bill shall be applicable to the processing of personal data that is carried out under any of the following circumstances:
- when the controller or processor is established or incorporated into the national territory;
- when the processor, regardless of its domicile or incorporation place, carries out the personal data processing operations on behalf of a controller established or incorporated in the national territory; or
- when the controller or processor is not established in the national territory but their personal data processing operations are intended to offer goods or services to data subjects who are in Chile, regardless of whether they are required to pay or to monitor the behavior of data subjects who are in the national territory, including their analysis, tracking, profiling or prediction of behavior.
The Bill also applies to the processing of personal data carried out by a controller who, not being established on national territory, is subject to national law by virtue of a contract or international law.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Data controller: Any natural or legal person, public or private, who decides on the purposes and
means of personal data processing, regardless of whether the data is processed directly by them or
through a third party (Article 2(n) of the Law, see also Article 2 of the Bill).
Data processor: Any person who processes data on behalf of the data controller (Article 2 of the
Bill).
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Biometric data: Those obtained from a specific technical treatment, related to the physical, physiological, or behavioral characteristics of a person that allow or confirm their unique identification, such as fingerprint, iris, hand or facial features, and voice (Article 2 of the Bill).
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Health data: Health-related data, biological profile, genetic, proteomic, or metabolic data (Article 2
of the Bill).
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Sensitive data: Personal data revealing racial or ethnic origin, political, trade union or guild affiliation, personal habits, ideological or philosophical convictions, religious beliefs, data concerning
health, human biological profile, biometric data, and information concerning a natural person's sex
life, sexual orientation, and gender identity (Article 2(g) of the Law, see also Article 2 of the Bill).
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The Law considers as legal basis for data processing, the data subject's consent, as well as any requirements under the law. However, regarding consent, the Law considers broad exceptions, which allow personal data to be processed without the data subject's consent (Article 4 of the Law).
The following legal bases correspond to those established by the Bill:
5.1. Consent
The Bill states that consent must be free, informed, and specific as to its purpose or purposes, and
must also be expressed unequivocally, by means of a verbal or written statement, or expressed
through equivalent electronic means, or by an affirmative act that clearly shows the will of the data
subject.
Additionally, when consent is given by a representative of the data subject, the latter must be expressly authorized to do so.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Not applicable at present. However, it is included as a legal basis in the Bill.
Data processing is lawful without the data subject's consent when such processing is necessary for the execution of a contract between the data subject and controller, or for the execution of pre-contractual measures taken at the request of the data subject.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Data processing is lawful without the data subject's consent when such processing is necessary for
the execution or fulfillment of a legal obligation, or where it is required by law.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The Law does not include a detailed list of violations, thus hindering compliance and enforcement.
The highest fines amount to $3,500 and in the absence of a data privacy authority, claims are filed in
court.
Following international standards, depending on the nature and seriousness of the infraction, the Bill raises the applicable fines to $375,000 or, in the case of companies, a fine of up to the equivalent of 4% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of $750,000 (in the case of recidivism, the fine may be multiplied by three).
Moreover, the Bill states as a sanction the suspension of the data processing for 30 days, which may
be extended for the same period.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Currently, there is no data protection authority, thus the Bill creates this authority, which will be exercised by the Agency.
However, as aforementioned, the Pro Consumer Law, granted enforcement power to SERNAC, who
may start class actions to protect the consumer collective or diffuse interest, in order to compensate
consumers whose personal data have been violated.
In addition, to the circulars detailed in section above on key acts, regulations, directives, and bills,
SERNAC has issued notices regarding the use of cook
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Even though the Law states the security obligation, it does not explicitly consider a Data Protection
Impact Assessment ('DPIA').
Nevertheless, the Bill requires carrying out a DPIA whenever a type of processing, by its nature,
scope, context, technology used, or purposes, is likely to result in a high risk to the rights of data
subjects.
Moreover, the data controller must adopt the technical and organizational measures both prior to
and during the data processing. Therefore, DPIAs must be performed before beginning any given
data processing.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The Law does not establish the obligation to give notice of a data breach. Nevertheless, in 2018 the
CMF regulated the obligation for banks and financial institutions to notify data breaches to the CMF,
which shall be given within 30 minutes from the acknowledgement of the data breach. The same
obligation applies to insurance and reinsurance companies.
Regarding the Bill, the data controller and processor must notify the Agency by the most expeditious
means possible and without undue delay of any violations of the security measures.
If the breach concerns sensitive data, minors' data, or financial data, data subjects must also be notified
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The Law refers to this briefly and only sets out certain obligations to anyone who processes personal data, namely:
- obligation of maintaining secrecy about personal data, when it comes from or has been collected from sources not accessible to the public;
- personal data should be used only for the purposes for which it was collected unless it comes from or has been collected from sources accessible to the public; or
- the data controller must store personal data with due diligence, being responsible for the damages caused.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to request and obtain from the controller, that specific and determined processing of data is not carried out, in the following cases:
- if the processing affects any fundamental rights and freedoms;
- if the processing is conducted exclusively for the purpose of marketing or direct marketing of goods, products, or services; and
- if the processing is carried out with respect to data obtained from a publicly accessible source and there is no other legal basis for the processing.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to request and obtain from the controller a copy of their personal data in
a structured, generic, and common electronic format, which allows it to be operated by different systems, and to communicate or transfer it to another controller.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to object to decisions concerning the data subject made by the controller based solely on the fact that they are made through automated processing of the data subject's personal data, including profiling. If exercised, the controller must take all necessary measures to ensure the rights of the data subject, in particular the right to obtain human intervention by the controller, to express their point of view, and to request a review of the decision.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The right to be informed is not considered per se as a data subject right in the Bill, but only as a requirement for consent as a basis to adequately process personal data.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to request and obtain from the controller, confirmation as to whether a data subject's personal data is being processed, to access such data where appropriate, and to information provided for in the Bill, such as:
- the processed data and its origin;
- the purpose or purposes of the processing;
- the categories, classes, or types of recipients, or the identity of each recipient, if so requested by the data subject, to whom the data have been communicated or transferred or is intended to be transferred;
- the period during which the data will be processed; and
- the legitimate interests of the data controller, when the processing has a different basis other than the consent of the data subject.
This right includes the right to access meaningful information about the logic applied in the case of automated individual decisions made by the controller, including profiling.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to request and obtain from the controller, the modification or completion
of personal data when it is being processed and is inaccurate, outdated, or incomplete.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
This is defined as the right to request and obtain from the controller, the deletion or removal of personal data, according to the conditions provided by law, especially when:
- the data is not necessary in relation to the purposes of the processing for which it was collected;
- the data subject has revoked their consent and the processing has no other legal basis;
- the data has been illegally obtained or processed by the controller;
- the data is outdated;
- the data must be deleted in order to comply with a court judgment or a legal obligation; and
- the data subject has exercised their right to object and there is no other legal basis for the data processing.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Personal data may be transferred with the data subject's consent and for the fulfillment of the data
processing purposes.
The Bill states that international data transfers are allowed when the organization is subject to an order that provides adequate levels of protection of personal data. In the event that such a country
does not have an adequate level of protection, the existence of guarantees justifying such transfer
should be reported. Instruments, mechanisms, and clauses that contain similar or greater principles,
rights, and guarantees to those offered by the Bill and, in particular, that grant enforceable rights
and effective legal actions to the data subjects, shall be considered adequate guarantees. The
Agency may impose preconditions for the transfer to be verified and may approve model clauses
containing such guarantees, which shall be available to data controllers.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
DPOs are not regulated under the Law, however, they are introduced by the Bill through the infringement prevention model provisions. The DPO must be appointed by the highest authority of the institutions, usually a board of directors, and must have autonomy regarding the privacy matters conducted.
The DPO must meet the requirements of suitability, ability, and specific knowledge for the exercise
of their functions. The DPO may perform other duties, if they are compatible, and do not constitute a
conflict of interest.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
Under the Law, data subjects have the right of access, rectification, cancellation, and objection. As
previously noted, currently these rights are not commonly exercised by data subjects, and in general,
companies have not implemented the process to comply with these rights. Despite this, SERNAC established in 2010, the Do Not Disturb List to avoid unwanted (spam) promotional communications,
and they strictly enforce compliance.
Nevertheless, the Bill includes said rights, defines them, creates new ones (detailed below), and adds
an administrative procedure for claims, so that the data subjects can exercise them correctly.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
The data controller who is not domiciled in Chile and who processes data of persons residing in the
national territory must indicate, and keep updated and operative, an e-mail address or other suitable
means of contact to receive communications from the data owners and the Agency.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
As previously mentioned, in 2017 the Bill was introduced to National Congress, which aims to modify the Law and create a data privacy agency. The relevant aspects of the Bill are:
- Scope: Applies to public and private organizations and regulates personal and sensitive data of identified and identifiable natural persons.
- Legal basis: Consent, law, contract, and legitimate interest.
- Consent characteristic: Express, unequivocal, specific, previously informed, and free.
- Data: Personal, sensitive, biometric, georeferenced, minor's data, health and genetic.
- Authority: Creates the Agency, which will be the data protection authority responsible for claims regarding data processing under the Bill and its decisions can be appealed to a Court of Appeals.
- Fines: Following international standards, depending on the nature and seriousness of the infraction, the Bill raises the applicable fines to $375,000 or, in the case of companies, a fine of up to the equivalent of 4% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of $750,000 (in the case of recidivism, the fine may be multiplied by three).
- Compliance: The Bill considers infringement prevention models as mitigating factors in case of infringements.
- Data subject rights: Access, rectification, cancellation, objection, objection to automated decisions, and portability rights.
- Controller and processor: The Bill clearly distinguishes between the controller and the processor, and their obli
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection
Extracts :
Extract :
It is lawful to process personal data, given the data subject's consent (Article 12 of the Bill). In this respect, consent must be expressed unequivocally, by means of a verbal or written declaration, or expressed through an equivalent electronic means, or by an affirmative notice that clearly states the will of the data subject.
7.2. Data transfers
Personal data may be transferred with the data subject's consent and for the fulfillment of the data
processing purposes.
The Bill states that international data transfers are allowed when the organization is subject to an order that provides adequate levels of protection of personal data. In the event that such a country
does not have an adequate level of protection, the existence of guarantees justifying such transfer
should be reported. Instruments, mechanisms, and clauses that contain similar or greater principles,
rights, and guarantees to those offered by the Bill and, in particular, that grant enforceable rights
and effective legal actions to the data subjects, shall be considered adequate guarantees. The
Agency may impose preconditions for the transfer to be verified and may approve model clauses
containing such guarantees, which shall be available to data controllers.
Reference :
Chile Data protection overview | DataGuidance
Information on Chile data protection