Last modified 5 February 2026

Data Protection in Chile

Breach notification in Chile

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Chile

Protection of Personal Data is regulated under various laws in Chile.

Constitution of the Republic of Chile, Art. 19 N° 4

The Chilean constitution establishes the individual's right to (i) respect and protection of private life, (ii) honor of the person and their family, and (iii) protection of their personal data. Any individual who, as a result of an arbitrary or illegal act or omission, suffers a "privation, disturbance or threat" to these rights may file a Constitutional Protective Action ("Recurso de protección").

Law 19.628/1999 'On the protection of private life', commonly referred to as 'Personal Data Protection Law' (hereinafter, the 'PDPL')

The PDPL generally defines and regulates the processing of personal data in public and private databases and is thus the primary body of rules on the processing of personal data not governed by sectoral provisions (for example contained in the laws mentioned below). Generally, the PDPL states personal data may only be processed if the processing is (i) permitted by law (eg, labor law, health care law, etc.) or (ii) based on the data subject's prior informed, written consent. There are only a few narrow exceptions to this principle (eg, certain publicly accessible data, or purely internal data processing for certain purposes). In addition, the PDPL contains special regulations on the processing of personal data relating to economic, banking, and financial obligations.
The PDPL law also provides data subjects the right to access, rectify, delete, block and object to processing of personal data in certain cases. The PDPL was recently amended by Law No. 21,719, which will enter into force on December 1st, 2026. Principal changes introduced by Law 21,719 are set forth below in this document.

Law 21.719, regulating the protection and processing of personal data and creating the Agency for the Protection of Personal Data

Law 21.719, effective December 1, 2026, modernizes the PDPL to align it with international standard. Key changes include:

the introduction of further legal basis for the processing of personal data in addition to consent (such as performance of a contract and legitimate interest), and additional requirements for processing sensitive data, depending on the category of data concerned
adoption of basic principles, such as lawfulness, purpose limitation, proportionality, data quality, accountability, security, transparency and information, and confidentiality
regulations on international data transfers
information requirements.
special obligations when using data processors.
provisions on data protection by design and default and security measures.
reporting obligations in the event of data breaches
the introduction of the right to portability and the right to object to automated decision-making.
the obligation to manage risks and the incorporation of the offense prevention model.
the creation of a data protection authority with the competence to impose administrative fines.
an increase of fines up to 20,000 monthly tax units (approximately US$1.588,400) and the concept of recidivism.

As mentioned above, Law 21.719 establishes an exhaustive list of rights that data subjects may exercise, including the:

Right of Access: the right to request and obtain from the controller confirmation as to whether personal data concerning the data subject is being processed by the controller, to access such data where applicable, and to the information provided for in this law.
Right to rectification: the right to request and obtain from the controller the modification or completion of their personal data, where such data are being processed by the controller and are inaccurate, outdated or incomplete.
Right to erasure: the right to request and obtain from the controller the erasure or deletion of their personal data, in accordance with the grounds set out in the law.
Right to object: the right to request and obtain from the controller that specific processing of personal data not be carried out, in accordance with the grounds set out in the law.
Right to data portability: the right to request and obtain from the controller a copy of their personal data in an electronic, structured, generic and commonly used format, capable of being operated by different systems, and to communicate or transfer such data to another data controller. The data subject shall have the right to have their personal data transmitted directly from controller to controller where technically possible.
Right to object to automated decision-making: the right to request and obtain from the controller that they not be subjected to any decision based exclusively on automated processing — including profiling — whenever such processing gives rise to legal effects concerning them or otherwise produces a significant impact on their rights or legitimate interests.

Law 21.719 also establishes an exhaustive list of obligations the data controller must comply with:

Inform and make available to the data subject the information that evidences the lawfulness of the processing carried out. The controller must likewise provide such information expeditiously when requested.
Ensure that personal data are collected from lawful sources for specific, explicit and lawful purposes, and that their processing is limited to the fulfillment of those purposes.
Communicate, in accordance with this law, accurate, complete and up-to-date information.
Erase or anonymize the data subject’s personal data when they were obtained for the performance of pre-contractual measures.
Comply with the other duties, principles and obligations governing the processing of personal data set forth in the law, such as:
o Duty of secrecy or confidentiality.
o Duty of information and transparency.
o Duty of protection by design and by default.
o Duty to adopt security measures.
o Duty to report breaches of security measures.

Law 21.459 regulating computer crimes

Law 21.459 — Chile’s modern Computer Crimes Law — updates and replaces the earlier framework established by Law 19.223. Law 21.459 introduces a comprehensive and updated regulatory structure, criminalizing a broader range of cyber related conduct. It incorporates offenses such as illegal access, interference with information systems, computer forgery, the unlawful acquisition, commercialization, or possession of databases and the distribution of malicious software and aligns Chilean legislation with the Budapest Convention on Cybercrime.
Law 21,459 thereby strengthens the protection of personal data by providing penal tools to deter and sanction cyberattacks and related conduct that could lead to unauthorized access, loss, alteration, or disclosure of personal data.

Law 20.584/2012 regulating the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in medical records are sensitive data and states the obligation of healthcare providers to maintain patient data confidential and to comply with the principle of purpose limitation. This law also includes certain specific cases in which such data can be submitted, partially or totally, to the data subject and to other individuals or entities.

Law 21.521/2023 promoting competition and financial inclusion through innovation and technology in the provision of financial services, known as the FinTech Law

This law establishes a broad framework to facilitate the provision of financial services using technology means. The law delegates regulatory authority to the Financial Market Commission (CMF).
The following principles guide the law: financial inclusion and innovation; competition promotion; financial client protection; adequate data protection; integrity and financial stability preservation; and prevention of money laundering and funding of drug trafficking and terrorism.

Law 21.680, creating a Consolidated Debt Registry

The law, enacted on 3rd July 2024 and effective from 1st. April 2026, establishes an official registry of credit obligations under the exclusive authority of the Financial Market Commission (CMF).
Debtors are guaranteed access to their personal credit data, including reportable obligations, payment status, and a record of third-party access within the preceding twelve months. Data reporters are legally bound to preserve confidentiality, ensure proper use of personal information, and delete such data once its intended purpose has been fulfilled, thereby safeguarding privacy and promoting transparency in credit contract termination.

Law 21.663, Cybersecurity Framework Law

This law creates a harmonized regulatory framework for the strengthening of cybersecurity, both operational and regulatory and addresses essential service providers. It creates a governing body, the National Cybersecurity Agency, which designates essential service providers and operators of vital importance and issues binding protocols and standards calibrated by sector and entity size. Declared essential service providers and operators of vital importance must implement certain technological, organizational, and informational security measures to prevent, report, and resolve cybersecurity events, manage risks, and contain and reduce the impact on operational continuity, confidentiality, and service integrity, and they must report incidents to the National Computer Security Incident Response Team (CSIRT) on fixed timelines.

Law 21.663 further establishes coordination and precedence rules with sectoral regulators, confidentiality and reservation over cybersecurity information, and a supervisory and sanctioning regime for non-compliance. The law establishes a graduated system of sanctions according to the severity of the infringement. Minor infringements may result in fines of up to 5,000 UTM, while serious infringements may reach 10,000 UTM, and very serious infringements up to 20,000 UTM. For operators of vital importance (OIVs), these maximum fines are doubled, reaching 10,000, 20,000, and 40,000 UTM respectively.

Related resources

Definitions

Definitions in Chile

Definition of personal data (Law 21.719)

The PDPL defines Personal Data as any information concerning identified or identifiable natural persons.
A person shall be deemed identifiable where their identity can be determined, directly or indirectly, in particular by reference to one or more identifiers, such as the person’s name, national identity number, or the analysis of elements specific to that person’s physical, physiological, genetic, psychic, economic, cultural or social identity.
In determining whether a person is identifiable, all means and objective factors that may reasonably be used for such identification at the time of the processing shall be taken into account.

Definition of sensitive data (Law 21.719)

Sensitive Data refers to personal data relating to an individual’s physical or moral characteristics, or to facts or circumstances of their private or intimate life, that reveal ethnic or racial origin, political, trade-union or professional association affiliation, socioeconomic status, ideological or philosophical convictions, religious beliefs, health-related information, human biological profile, biometric data, and information concerning a natural person’s sex life, sexual orientation, or gender identity.

Definition of controller and data processing (Law 21.719)

Controller is defined as any natural or legal person, public or private, who determines the purposes and means of the processing of personal data, irrespective of whether the data are processed directly by it or through a third-party mandatary or processor. Processor is defined as the natural or legal person who processes personal data on behalf of the controller, according to the instructions given by the controller, and who is prohibited from processing the data for any purpose other than the one entrusted, as well as from transferring or disclosing the data unless expressly and specifically authorized to do so.

Data Processing is defined as any operation or set of operations or technical procedures, of automated or non-automated nature, that in any manner permit the collection, processing, storage, communication, transmission, or use of personal data or sets of personal data.

Related resources

Authority

National data protection authority in Chile

Law 21.719 created the 'Agency for the Protection of Personal Data' (Agencia de Protección de Datos Personales) as an autonomous, technical, decentralized public‑law corporation with its own legal personality and assets. Its objective is to ensure the effective protection of the rights that safeguard individuals’ private life and personal data and to oversee compliance with the law.

The Agency is empowered to issue binding general instructions and norms following a public consultation; apply and administratively interpret the law and regulations; supervise compliance; determine infringements; exercise sanctioning powers; resolve data‑subject complaints; conduct outreach; and certify, register and supervise compliance models, including administering the National Register of Sanctions and Compliance.

Related resources

Registration

Registration in Chile

Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.

Related resources

Data protection officers

Data protection officers in Chile

While the PDPL itself does not mandate the appointment of a Data Protection Officer (DPO), Law 21,719 and its supplementing regulations introducethe concept of the DPO as part of its certified infringement-prevention compliance models. In this regard, compliance programs must include the designation of a DPO with sufficient means and powers to exercise the role.

Law 21,719 also sets forth the DPO’s duties and fitness requirements, specifically providing that the DPO must be appointed by the controller’s highest governing or administrative authority (i.e.,, the board of directors, a managing partner, or the entity’s chief executive, as relevant), must be autonomous regarding management in matters related to the law, and, in the case of micro, small and medium-sized enterprises, the owner or the highest authorities may personally assume the DPO’s tasks.

Related resources

Collection and processing

Collection and processing in Chile

According to the PDPL and the changes incorporated by Law 21,719, the legal basis for the collection and processing of personal data is as follows:

With the data subjects’ consent. Consent must be free, informed, and specific as to its purpose(s), prior to the processing and in an unambiguous manner, by means of a verbal or written declaration or an equivalent electronic medium, or through an affirmative act that clearly evidences the data subject’s will. Data subjects may withdraw consent at any time, without explanation, and through simple and accessible means. Controllers, in turn, must enable this revocation, respect it immediately, and maintain evidence of both the granting and the termination of consent.
Processing of personal data is permitted when related to economic, financial, banking or commercial obligations.
Processing of personal data is permitted when necessary for the performance or fulfillment of a legal obligation or where the law provides.
Processing of personal data is permitted when necessary for the conclusion or performance of a contract between the data subject and the controller, or for pre‑contractual measures taken at the data subject’s request.
Processing of personal data is permitted when necessary for the satisfaction of the legitimate interests of the controller or of a third party, provided that the data subject’s rights and freedoms are not prejudiced; in all cases, the data subject may require to be informed about the processing that affects him/her and the legitimate interest on which it is based.
Processing of personal data is permitted if necessary for the establishment, exercise or defense of a right before the courts of justice or public bodies.nificant importance.

Related resources

Transfer of personal data

Transfer of personal data in Chile

The transfer of personal data is considered a processing activity, so all of the aforementioned rules are applicable, including the requirement to rely on a legal basis (usually consent).

Law 21,719 states that personal data may be transferred with the data subject’s consent and for the fulfillment of the purposes of the processing. Personal data may also be transferred where the cession is necessary for the performance and execution of a contract to which the data subject is a party; where there is legitimate interest of the transferor or the transferee; and where so provided by law.

Law 21,719 also specifically regulates the international transfer of personal data, establishing —in compliance with requirements— that international data transfer operations are lawful in any of the following cases:

Where the transfer is made to a person, entity or public or private organization subject to the legal order of a country that provides adequate levels of personal data protection;
Where the transfer is covered by contractual clauses, binding corporate rules, or other legal instruments executed between the exporting controller and the receiving controller or processor, which establish adequate safeguards; or
Where the exporting controller and the receiving controller or processor adopt a compliance model or certification mechanism that establishes adequate safeguards.

Related resources

Security

Security in Chile

The Agency will evaluate foreign legal systems and issue decisions establishing which countries provide adequate protection.

Regarding the data controller, he must adopt the measures necessary to safeguard compliance with the security principle established in the law, taking into account the state of technology and the costs of implementation, together with the nature, scope, context and purposes of the processing, as well as the likelihood of risks and the severity of their effects in relation to the type of data processed. The measures applied by the controller must ensure the confidentiality, integrity, availability and resilience of data processing systems and must likewise prevent unauthorized alteration, destruction, loss, processing or access.

Related resources

Breach notification

Breach notification in Chile

Law 21,719 requires reporting of security breaches. Controllers must report to the Agency, with the most expeditious means possible and without undue delay, any security breach that results in the destruction, leakage, loss, or accidental or unlawful alteration of the personal data it processes, or the unauthorized communication of or access to such data, where there is a reasonable risk to the rights and freedoms of impacted data subjects. Controller must also notify affected data subjects to the extent the breach involves sensitive data, minors’ data, or financial type data—using clear language and explaining the consequences and mitigation measures.

Related resources

Enforcement

Enforcement in Chile

Law 21,719 establishes a robust liability regime for anyone violates the principles and rights and obligations established thereunder when processing personal data. The law distinguishes between minor, serious, and very serious violations, to which different penalties are applied and which shall be enforced by the Agency:

Minor infringements shall be sanctioned with a written warning or a fine of up to 5,000 monthly tax units (approximately US$397,100).
Serious infringements shall be sanctioned with a fine of up to 10,000 monthly tax units (approximately US$794,200).
Very serious infringements shall be sanctioned with a fine of up to 20,000 monthly tax units (approximately US$1,588,400).
Law 21,719 also introduces the concept of recidivism, which applies when a controller has been sanctioned two or more times within the previous 30 months. In such cases, the Agency may impose a fine of up to three times the original amount and, for large companies, penalties may reach 2% or 4% of the prior year’s gross revenues, depending on the severity of the infringement.

The law also provides for mitigating and aggravating circumstances of liability, as well as other accessory sanctions such as the suspension of the data processing operations and activities carried out by the data controller. In addition, a National Register of Sanctions and Compliance is created, in which sanctioned data controllers must be recorded.
Affected data subjects may seek compensation for the damage they have suffered. In addition, the National Consumer Service (Servicio Nacional del Consumidor) and consumer associations may file collective actions.

Related resources

Electronic marketing

Electronic marketing in Chile

Data subjects have the right to object to the processing of their personal data when it is carried out exclusively for direct marketing purposes, including the creation of marketing profiles. Once this right is exercised, the controller must cease all such marketing related processing.

In addition, the data controller must, as part of their information duty, make available to the public on a permanent basis, on its website or through any other equivalent information medium, at least the following information:

The privacy policy, including its most recent date and version.
The identification of the controller and its legal representative, and the identification of the Data Protection Officer if applies.
The postal address, email address, contact form, or identification of the equivalent technological means in common use and easily accessible through which requests submitted by data subjects are to be notified to it.
The categories or types of data it processes; a generic description of the universe of persons encompassed by its databases; the recipients to whom the data are expected to be communicated or ceded; the purposes of the processing it carries out; the legal basis for the processing; and, in the case of processing based on the satisfaction of legitimate interests, what those interests are.
The security measures adopted to protect the personal databases it administers.
The data subject’s right to request from the controller access, rectification, erasure, objection and portability of his or her personal data, in accordance with the law.
The data subject’s right to submit a complaint with the Agency if the controller rejects or fails to timely respond to the requests submitted by the data subject.
Where applicable, whether personal data will be transferred to a third country or an international organization and whether such destination offers an adequate level of protection. If an adequate level of protection is not present, it must be indicated whether there are safeguards that justify such transfer.
The period for which the personal data will be retained.
The source from which the personal data originates and, where applicable, whether they come from publicly accessible sources.
Where the processing is based on the data subject’s consent, the existence of the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
The existence of automated decision-making, including profiling. In such cases, meaningful information about the logic involved, as well as the envisaged consequences of such processing for the data subject.

The Chilean Consumer Protection Act (Law 19,496/1997), on the other hand, defines “advertising” as the communication that the provider of goods or services send to the public by any means, in order to inform and motivate the purchase of goods or services. It also indicates that all promotional or advertising communication must indicate an expeditious way in which the recipients can request the suspension of the promotional communication (opt-out). After a consumer has exercised his opt out right, the sending of new communications is prohibited. In case of promotional or advertising communication sent by e-mail, the communication must also indicate the subject matter or theme and the identity of the sender.

Related resources

Online privacy

Online privacy in Chile

There are no specific laws governing online privacy or cookies. However, the National Consumer Service (SERNAC), issued a circular order establishing that providers should inform consumers whether an ecommerce site uses cookies, based on the duty to provide consumers with complete and accurate information about the provider's products and services.