Chile’s New Data Protection Law: Context, Overview, and Key Takeaways
On August 26, 2024, the Chilean Congress approved Law 21.719, on the Protection of Personal Data (“LPPD”) after eight years of legislative debate. The legislation was published on December 13, 2024, and will become fully effective twenty-four months after that date (in December 2026).
The LPPD was introduced in the Senate in 2017 to replace Law 19.628, Ley sobre Protección de la Vida Privada (hereinafter referred to as “LPVP”), which was adopted in 1999 as Chile’s first national data protection framework, as well as the first such law in Latin America.
The LPVP provided a foundational framework for personal data protection for nearly 24 years. However, the evolving demands of technological development and globalization gradually highlighted the LPVP’s lack of compatibility with newer and more comprehensive global standards for data protection adopted by partner countries.
In particular, stronger data protection standards reflected in the European Union’s Directive 95/46/EC significantly influenced post-LPVP legislation in Latin America, with Argentina passing comprehensive data protection legislation in 2000 and Mexico in 2010, for example. A similar structural effect followed the enactment of the EU’s General Data Protection Regulation (GDPR), which has influenced recent proposals including Brazil’s Lei Geral de Proteção de Dados (LGPD) and Chile’s LPPD, although each nation has approached this era of policymaking in a unique way.
Prior congressional attempts to update the LPVP reflect the country’s efforts to align to best global standards and meet international commitments.[1] According to the Chilean government, the approved LPPD pursues the dual objective of (i) providing stronger protection for data subjects and (ii) regulating and promoting the country’s digital economy.[2]
This blog covers some of the new features in the LPPD, including:
- Extraterritoriality: the new law applies to private and public organizations processing personal data of individuals residing in Chile, regardless of where the processing takes place;
- Stronger and new data subject rights: the LPPD expands regulation on previously recognized rights of access, rectification, suppression, and opposition, and adds new rights to portability and to block the processing of one’s data;
- Additional lawful grounds for processing: the law introduces new legitimate bases for processing data as exceptions or alternatives to consent;
- New obligations for controllers and processors: the LPPD imposes security incident reporting and confidentiality obligations, and the implementation of technical and organizational measures, compatible with explicitly recognized principles of legality, accountability, and privacy by design and by default, among others;
- Cross-border data transfer regulation: the law recognizes several mechanisms for international transfers, including its own exception regime when transferring to non-adequate countries or in the absence of appropriate safeguards;
- Data Protection Authority (DPA): the LPPD creates, for the first time, a DPA vested with supervisory, regulatory, and sanctioning powers to enforce the data protection framework;[3]
- Stronger sanctioning regime: the new law incorporates sanctions for data protection violations, which can range between 2% and 4% of an entity’s total revenue, and creates a national registry for infractors.
Read further for a deeper insight into the key features of the new Chilean data protection law and how they differ from its predecessor and other data protection laws in the region.
1. Scope, covered actors, and extraterritoriality
The LPPD regulates the form and conditions under which the processing of personal data of natural persons may be carried out, under Article 19 of the Chilean Constitution, which recognizes the right to personal data protection.[4]
Similar to other laws in the region (and to the model articulated in the GDPR), the LPPD applies extraterritorially to natural and legal persons, including public and private bodies, when the processing is carried out:
- By a controller or processor established in Chilean territory;
- When the processor or third party, regardless of its place of establishment or incorporation, processes personal data on behalf of a controller established or incorporated in the national territory; or
- When the controller or processor is not established in Chilean territory, but the processing operations are intended to offer goods or services to data subjects in Chile – regardless of whether they are required to pay – or to monitor the behavior of data subjects in Chile, such as analysis, tracking, profiling, and behavior prediction (Art. 1 bis).
2. Covered data
Under Article 2(f) of the LPPD, “personal data” is broadly defined as “any information linked to or referring to an identified or identifiable natural person.” The LPPD establishes that an “identifiable” individual is one “whose identity can be determined, directly or indirectly, in particular by means of one or more identifiers, such as name, identity card number, analysis of elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of such person.” In addition, to determine whether an individual is identifiable, the law requires “all objective means and factors that could reasonably be used to identify the individual at the time of the processing” be considered.
The LPPD’s approach to anonymized data is initially consistent with the GDPR’s approach to the subject: anonymized data is information that does not relate to an identified or identifiable person, and thus is not personal data.[5] A similar initial definition is found in Brazil’s LGPD, though the Brazilian legislation explicitly recognizes that anonymization might be a reversible process.[6] The key differentiating feature of the LPPD’s approach to “anonymization” is the term’s definition as an “irreversible process” that does not allow for the identification of a natural person.[7] In that sense, the LPPD’s definition of anonymization seems stricter than the language found in both the GDPR and the LGPD concerning anonymized data. Future guidance will likely shed light on the requirements for “irreversibility” under Chilean law.
Concerning “pseudonymization,” the LPPD follows a similar approach to that found in the GDPR and LGPD. Chilean law defines it as a process carried out in a way that “[data] can no longer be attributed to a data subject without additional information, provided that such information is separate and subject to technical and organizational measures to ensure the data is not attributable to a natural person.” This approach points to the possibility of considering pseudonymized data as personal data as long as it can be linked to an identifiable individual through additional information.
Standards and guidance on anonymization and pseudonymization continue to be explored globally by authorities in the context of data protection frameworks. However, some laws explicitly recognize these techniques as a way to comply with data protection principles. The LPPD explicitly refers to pseudonymization as a technique relevant to comply with the security principle. Article 14 quinquies of the LPPD indicates that controllers shall implement “technical and organizational measures to ensure a level of security appropriate to the risk” such as pseudonymization and encryption of personal data, among other security measures.
3. Data Subject Rights: “ARCO” rights, data portability, and the right to block the processing of data
The LPPD includes two new data subject rights – the right to data portability and the right to block the processing of one’s data – in addition to the previous rights granted in the former LPVP: access, rectification, suppression, and opposition, also regionally known as the “ARCO” rights.
Similar to GDPR-inspired laws that have recently incorporated the right to portability, the LPPD indicates the data subject has the right to request and receive a copy of their data in an “electronic, structured, generic and commonly used format,” which allows the data to be read by different systems and the data subject to communicate or transfer the data to another data controller, when (i) the processing is carried out in an automated form; and (ii) the processing is based on the consent of the data subject. When technically feasible, the LPPD mandates the portability to be performed directly from controller to controller.
In addition, the LPPD indicates the controller must use the “most expeditious and least onerous means” and communicate to the data subject in a “clear and precise manner” the necessary measures to carry out the portability. Notably, under Chilean law, the right to portability does not necessarily entail the deletion of the data by the transferring controller, which means the data subject must jointly request the deletion of their data once the portability is carried out (Art. 9).
The “right to block the processing of personal data” is the other new right added by the LPPD, which resembles the GDPR’s Article 19 “right to restriction of processing” and Brazil’s LGPD Article 18 “right to blocking unnecessary or excessive data.” Under Article 8 ter of the LPPD, this right is understood as a “temporary suspension of any processing operation” that pertains to a data subject when they make a rectification, erasure, or opposition request. The temporary suspension applies as long as the subject’s request remains open. This suggests that under the “right to block processing,” a data subject can immediately and effectively suspend the processing of their data before the rectification, erasure, or opposition request is processed by the controller. The controller is thus restricted from further processing, although it may continue storing the affected personal data.
Closely linked to the right of opposition, the LPPD introduces the “right to object and not be subject to decisions based on automated processing,” including profiling, when such processing produces legal effects on the data subject or significantly affects them (Art. 8 bis). Under the LPPD, “profiling” refers to “any form of automated processing of personal data that consists of using such data to evaluate, analyze or predict aspects relating to the professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of a natural person” (Art. 2(w)).
The LPPD hews closer to the GDPR in the sense that it expressly recognizes the “right to object and not be subject” to automated processing, unlike Brazil’s LGPD, which only recognizes a data subject’s “right to review” automated processing. Similar to the GDPR, Article 8 bis of the LPPD restricts the exercise of this right under certain circumstances, such as when: (i) the decision is necessary for the conclusion or execution of a contract between the subject and the agent; (ii) there is prior and express consent; or (iii) as indicated by law, to the extent that it provides safeguards for the rights and freedoms of the data subject. The operationalization of this right must safeguard the data subject’s rights to information and transparency, obtain an explanation and human intervention, express their point of view, and request a review of the decision. This set of rights and freedoms is encapsulated within the right to object and not be subject to automated processing.
4. Lawful grounds for processing and consent requirements
The LPPD maintains consent as the general basis for the processing of personal data – similar to how it was regulated by the former LPVP. Consent must be “free, informed and specific as to its purpose” and given “in advance and unequivocally” by means of a verbal or written statement, or expressed through electronic means or an affirmative act that “clearly shows” the owner’s intent. The data subject can revoke consent without retroactive effects, and its grant or revocation should be expeditious, reliable, free, and permanently available (Art. 12).
In line with the principle of purpose limitation, the LPPD presumes consent is not “freely given” when collected for the performance of a contract or the provision of a service, where the collection is not necessary to serve those purposes. However, this presumption is not applicable when a person or entity offering goods, services, or benefits solely requires the data subject’s consent to process their data (Art. 12). Notably, this scenario applies to many “free” online services, such as social media or messaging platforms, where consent to process an individual’s data for advertising or profiling purposes is often required for the provision of service.
Without consent of the data subject, the LPPD recognizes the following lawful grounds for processing:
- When the processing refers to data relating to obligations of an economic, financial, banking, or commercial nature;
- When the processing is necessary for the performance or fulfillment of a legal obligation or is required by law;
- When the processing is necessary for the conclusion or performance of a contract, or the execution of pre-contractual measures at the request of the data subject;
- When the processing is necessary for the satisfaction of the legitimate interests of the controller or a third party, provided that the rights and freedoms of the data subject are not affected – the subject may request to be informed about the processing and the legitimate interest under which the processing is carried out; or
- When the processing is necessary for the formulation, exercise, or defense of a right before the courts or public bodies.
Processing sensitive data and children’s and adolescents’ data
Similar to other comprehensive frameworks, the LPPD distinguishes sensitive data from personal data of a general nature. Under Article 2 (g) of the LPPD, “sensitive data” encompasses data that refers to “physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, that reveal ethnic or racial origin, political, union or trade union affiliation, socioeconomic situation, ideological or philosophical convictions, religious beliefs, data related to health, human biological profile, biometric data, and information related to sexual life, sexual orientation and gender identity of a natural person.”
Chile’s sensitive data definition is comparable to definitions found in other laws in the region such as Brazil’s LGPD and Ecuador’s Ley Orgánica de Protección de Datos (LOPD), which base the nature of sensitivity on the potential of discrimination or impact on an individual’s rights and freedoms if such information is mishandled or unlawfully accessed.
As a general rule, sensitive data may only be processed with the consent of the data subject. Exceptionally, controllers may process sensitive data without consent in the following circumstances (Art. 16):
- When the processing refers to sensitive data that has been made public by the data subject and its processing is related to the purposes for which it was published;
- When the processing is based on a legitimate interest carried out by a non-profit entity under public or private law and when certain conditions are met;[8]
- When the processing is indispensable to safeguard the life, health, or integrity of the data subject or another person, or when the subject is physically or legally prevented from giving their consent;
- When the processing is necessary for the exercise or defense of a right before courts or an administrative body;
- When the processing is necessary for the exercise of rights or fulfillment of an obligation related to labor or social security; and
- When the processing is expressly authorized or mandated by law.
Under Article 16 bis of the LPPD, health data and biometric data may only be processed for the purposes provided by the applicable laws or with the data subject’s consent, unless one of the following scenarios applies:
- There is an official sanitary alert;
- When the processing is for historical, statistical, or scientific purposes, based on public interest;
- When the processing is necessary for preventive or occupational medicine, evaluation of an employee’s capacity to work, medical diagnosis, or provision and management of health or social care services (Art. 16 bis).
Article 16 ter defines biometric data as “obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a person that allow or confirm the unique identification of the person, such as fingerprint, iris, hand or facial features and voice.” When processing biometric data, the controller is required to disclose the biometric system used, the purpose of the collection, the period during which the data will be processed, and the manner in which the subject can exercise their rights.
Similar to other frameworks in the region like Brazil’s LGPD, Article 16 quater of the LPPD incorporates the standard of the “best interest” of the child when processing their data. As a general rule, the processing of such data may only be conducted in the child’s best interest and with respect to their “progressive autonomy” – a concept introduced, yet not defined, by the LPPD. The lawful processing of children’s data must be based on consent granted by the parents or legal guardian unless expressly authorized by law.
The LPPD introduces a notable distinction between the processing rules applicable to data from children (under 14 years old) and adolescents (between 14 and 18 years old). Under Chilean law, adolescents’ data may be processed following the general rules applicable to adults’ data, except when the information is sensitive and the adolescent is below 16 years of age. This means that for processing sensitive data of adolescents aged 16 and below, controllers must still obtain consent from the parents or legal guardian. For other, non-sensitive data, controllers may process adolescents’ data following the general rules of the LPPD, but would still be subject to the “best interest” standard. This distinction is a novel innovation of Chilean law and is not found in Brazil’s LGPD or Ecuador’s LOPD.
5. Duties and Obligations of Data Controllers
The LPPD’s provisions follow principles of lawfulness, fairness, purpose limitation, proportionality, quality, accountability, security, transparency, and confidentiality. These principles, along with other specific duties, guide the obligations of data controllers and are consistent with other modern data protection frameworks.
For instance, under Article 14 ter, controllers must inform and make available “background information” that proves the lawfulness of the data processing and promptly deliver such information when requested by data subjects or the authority. This suggests that regardless of whether the information is requested or not, controllers should keep this information readily available. This obligation relates to the “duty of information and transparency,” under which controllers must provide and keep “permanently available to the public” their processing policy, the categories of personal data subject to processing, a generic description of their databases, and the security measures to safeguard the data, among other information.
Notably, Article 14 quater also introduces the “duty of protection by design and by default,” resembling GDPR Article 25. Under the LPPD, this duty refers to the application of “appropriate technical and organizational measures” before and during the processing. Drawing inspiration from the GDPR, the LPPD indicates the measures should consider the state of the art, costs, nature, scope, context, purpose, and risks associated with the data processing.
Although the LPPD does not expressly recognize a “right to anonymization” like Brazil’s LGPD, it sets out the controller’s obligation to anonymize personal data when it was obtained for the execution of pre-contractual measures (Art. 14, (e)). This obligation is closely linked to the general data protection principles, and effective compliance with this duty would free controllers from the scope of the LPPD.
In relation to the security principle, Article 14 quinquies of the LPPD provides that controllers must adopt necessary security measures to ensure the confidentiality, integrity, availability, and resilience of the data processing systems, as well as to prevent alteration, destruction, loss, or unauthorized access to the data. Both controller and processor must take technical and organizational measures to ensure the security of the processing, in consideration of the risks associated with the processing, such as:
- Applying pseudonymization and encryption of personal data where possible;
- Maintaining the capability to restore access to the personal data in the event of a physical or technical incident; and
- Conducting regular assessments of the effectiveness of technical and organizational measures.
Security Incident Notification
Under Article 14 sexies of the LPPD, the responsible agent must report to the Agency by the “most expeditious means possible and without undue delay” any incident that can cause the accidental or unlawful destruction, breach, loss, or alteration of the personal data or the unauthorized communication or access to such data, when there is a “reasonable risk to the rights and freedoms of the data subjects.” Since the law is not clear on a specific timeframe for notification, it is expected the Agency will further regulate this area.
The law also requires the controller to record these communications and describe the nature of the incident, its potential or demonstrated effects, the type of affected data, the approximate number of affected data subjects, and measures taken to manage and prevent future incidents.
When the security incident concerns sensitive or children’s data, or data relating to economic, financial, banking, or commercial obligations, the controller must also communicate the incident to the owners in “clear and simple” language. If the notification cannot be made personally, the controller must notify via a mass notice in at least one of the main national media outlets.
Notably, Article 14 septies includes different standards of compliance with the “duty of information and transparency” and the “duty to adopt security measures” for controllers, based on whether they are a natural or legal person, their size, the activity they carry out, and the volume, nature, and purposes of their processing. The Agency will issue further regulation on the operationalization of these different standards.
For organizations not incorporated in Chile, Articles 10 and 14 of the LPPD establish that the controller must indicate to the Agency in writing an email address of the legal or natural person authorized to act on their behalf, so that the Agency can establish communications with them and data subjects can exercise their rights.
Similar to other frameworks, Article 15 bis limits the processor to carry out the data processing in accordance with the instructions given by the controller. If the processor or a third party processes the data for a different purpose or transfers the data without authorization, the processor will be considered the data controller for all legal purposes. The processor will be personally liable for any infringements incurred, and jointly and severally liable with the controller for any damages caused. Importantly, the “duty of confidentiality” and the “duty to adopt security measures” extend to the processor in the same terms applicable to the controller.
Data Protection Impact Assessment
Similar to the GDPR, under Article 15 ter of the LPPD, controllers must carry out a personal data protection impact assessment (DPIA) where the data processing is “likely to result in a high risk to the rights of data subjects” and in the following cases:
- When the operation involves a systematic and exhaustive evaluation of personal aspects of the data subjects based on automated processing, such as profiling;
- Massive or large-scale data processing;
- Processing that involves systematic observation or monitoring of a publicly accessible area; or
- Processing of sensitive or specially protected information.
The Agency will publish a list indicating the processing operations that may require a DPIA under the LPPD. In addition, the law obligates the Agency to issue guidance on the specific requirements for conducting DPIAs, so forthcoming regulation on this matter is expected once the Agency begins to operate. Notably, Article 15 ter sets out DPIA requirements similar to those of the GDPR, indicating that data controllers must include a description of the processing operations and their purpose, an assessment of the necessity and proportionality of the processing concerning its purpose, an assessment of the risks it may pose, and the adoption of mitigation measures.
Voluntary Appointment of a Data Protection Officer
Unlike other modern comprehensive data protection laws, the LPPD does not require the appointment of a Data Protection Officer (DPO). However, Article 49 indicates that controllers may voluntarily appoint a DPO that meets the requirements of suitability, capacity, and independence. Furthermore, the law indicates that controllers may adopt a “compliance program” that indicates, among other things, the appointment of the DPO and its powers and duties under that program. However, if the organization adopts a compliance program, it must be expressly incorporated into all employment or service provision contracts of the entity acting as data controller or processor.
6. Cross-Border Data Transfers
Similar to other frameworks in the region and the GDPR, cross-border data transfers made to a person, entity, or organization are generally authorized by the LPPD under the following mechanisms: (i) adequacy; (ii) contractual clauses, binding corporate rules, or other legal instruments entered into between the transferor and transferee; or (iii) under a compliance model or certification mechanism, along with adequate guarantees. The Agency will be in charge of publishing a list of “adequate” countries (under the criteria set forth by the law), as well as model contractual clauses and other legal instruments for international data transfers. Although the LPPD does not provide a specific timeline for publication, it does indicate that the Agency will publish the list of countries deemed “adequate,” the model contractual clauses, and the other data transfer mechanisms on its official website.
In the absence of an adequacy decision or proper safeguards, a “specific and non-customary” transfer may still be made under the following circumstances:
- With the express consent of the data subject;
- When it refers to a bank, financial, or stock exchange transfer under the applicable laws;
- When the transfer is necessary to comply with international obligations under treaties and conventions ratified by the Chilean State;
- When the transfer is necessary for cooperation between public bodies for the fulfillment of their functions or for international judicial cooperation;
- When the transfer is necessary for the conclusion or performance of a contract or pre-contractual measures between the data subject and the data controller; or
- When the transfer is necessary for urgent medical or sanitary measures or management of health services (Art. 27).
Notwithstanding the previous exceptions, Article 28 of the LPPD also includes a broader authorization for transfers that do not fall under any of these scenarios. Under Chilean law, an international data transfer may still be authorized when the transferor and transferee demonstrate “appropriate guarantees” to protect the rights and interests of the data subjects and the security of the information. This provision leaves a broad possibility to transfer personal data without any of the traditional mechanisms or for any of the purposes listed above as long as the Agency determines there are appropriate measures in place for the transfer to take place.
7. Infractions and Civil Liability
Violations of the principles and obligations set out in the LPPD may be subject to administrative and civil liability. The LPPD classifies violations as “minor” (e.g., failing to respond to data subjects’ requests or to communicate with the Agency), “serious” (e.g., processing data without a legal basis or for a purpose different from the one for which the data was collected) and “very serious” (e.g., fraudulent or malicious processing of personal data, or knowingly transferring sensitive data in contravention of the law). Notably, “very serious” violations seem to require the demonstration of intent by the infractor.
Penalties under the LPPD can range from 5,000 national tax units (around USD 387,000) to 20,000 tax units (around USD 1,550,000). In the case of repeated “very serious” violations, the Agency may also order the total or partial suspension of processing activities for up to thirty (30) days, a period during which the infractor must demonstrate the adoption of necessary measures to comply with the law. For entities that are not considered “small businesses”[9] with repeated serious or very serious violations, the Agency may impose a fine of 2% or 4% of their annual income in the last calendar year.
Furthermore, as a dissuasive mechanism, the LPPD also creates the National Registry of Sanctions and Compliance, which will record all data controllers sanctioned for data protection violations and indicate the seriousness of the infringement, as well as aggravating or mitigating circumstances, for five (5) years.
Towards Stronger Data Protection in Chile
With the passage of the LPPD, Chile enters an era of stronger data protection requirements and enforcement. The new law expands existing data subject rights and interests and incorporates new ones, sets out relevant obligations consistent with the evolving nature and demands of offering goods and services in the digital ecosystem, aligns with other global standards of personal data protection, and incorporates higher fines and dissuasive mechanisms.
Although the LPPD draws structural inspiration from the GDPR, it also maintains certain provisions unique to its predecessor law, the LPVP, such as specific regulations for the commercial and banking sectors, and broader exceptions to the lawful grounds for processing of personal data, including sensitive and children’s data.
The LPPD may again position Chile as a regional data protection trend-setter. Other countries with not-so-old data protection laws currently seeking to update their normative frameworks, such as Argentina and Colombia, could be influenced by the landmark passing of the LPPD, facilitating a new wave of “second generation” data protection laws in Latin America.
Notes
1. The Chilean Congress previously analyzed at least two similar proposals under different administrations in 2008 and 2012. Two of the recurring motivations for updating the data protection framework were to achieve adequacy under the EU’s regime and comply with Chile’s commitment to update its legislation after becoming an OECD member in 2010.
2. See the government’s press release issued after approval of the LPPD.
3. The Agency will be managed by a Directive Council composed of three Councilors designated by the Executive and ratified by the Senate. The first Councilors are expected to be appointed within sixty (60) days after the formal enactment of the law.
4. Article 19, sec. 4, of the Chilean Constitution recognizes the right to private life, human dignity, and personal data protection.
5. EU Regulation 2016/679 (GDPR), Recital 26.
6. Lei Geral de Proteção de Dados (LGPD), Article 12.
7. Law No. 21.719 (LPPD), Art. 2(k).
8. For this exception to apply, the entity must have a political, philosophical, religious, or cultural purpose, or be a trade union; the processing must refer exclusively to the entity’s members or affiliates and fulfill the purposes of the entity; the entity must grant the necessary guarantees to avoid unauthorized use of or access to the data; and the personal data must not be transferred to third parties.
9. As defined under Article 2 of Law No. 20.416.