Data Protection in Chile

Data protection laws in Chile

Protection of Personal Data is regulated under various laws in Chile.

Constitution of the Republic of Chile, Art. 19 N° 4

The Chilean constitution establishes the individual's right to (i) respect and protection of private life, (ii) honor of the person and their family, and (iii) protection of their personal data. Any individual who, as a result of an arbitrary or illegal act or omission, suffers a "privation, disturbance or threat" to these rights may file a Constitutional Protective Action ("Recurso de protección").

Law 19.628/1999 'On the protection of private life', commonly referred to as 'Personal Data Protection Law' (hereinafter, the 'PDPL')

The PDPL generally defines and regulates the processing of personal data in public and private databases and is thus the primary body of rules on the processing of personal data not governed by sectoral provisions (for example contained in the laws mentioned below). Generally, the PDPL states personal data may only be processed if the processing is (i) permitted by law (eg, labor law, health care law, etc.) or (ii) based on the data subject's prior informed, written consent. There are only a few narrow exceptions to this principle (eg, certain publicly accessible data, or purely internal data processing for certain purposes). In addition, the PDPL contains special regulations on the processing of personal data relating to economic, banking, and financial obligations.
The PDPL also provides data subjects the right to access, rectify, delete, block and object to processing of personal data in certain cases. The PDPL was recently amended by Law No. 21.719, which will enter into force on December 1st, 2026. Principal changes introduced by Law 21.719 are set forth below in this document.

Law 21.719, regulating the protection and processing of personal data and creating the Agency for the Protection of Personal Data 

Law 21.719, effective December 1, 2026, modernizes the PDPL to align it with international standards. Key changes include:

  • the introduction of further legal bases for the processing of personal data in addition to consent (such as performance of a contract and legitimate interest), and additional requirements for processing sensitive data, depending on the category of data concerned
  • adoption of basic principles, such as lawfulness, purpose limitation, proportionality, data quality, accountability, security, transparency and information, and confidentiality
  • regulations on international data transfers
  • information requirements
  • special obligations when using data processors
  • provisions on data protection by design and default and security measures
  • reporting obligations in the event of data breaches
  • the introduction of the right to portability and the right to object to automated decision-making
  • the obligation to manage risks and the incorporation of the offense prevention model
  • the creation of a data protection authority with the competence to impose administrative fines
  • an increase of fines up to 20,000 monthly tax units (approximately US$1,588,400) and the concept of recidivism

As mentioned above, Law 21.719 establishes an exhaustive list of rights that data subjects may exercise, including the: 

  • Right of Access: the right to request and obtain from the controller confirmation as to whether personal data concerning the data subject is being processed by the controller, to access such data where applicable, and to the information provided for in this law.
  • Right to rectification: the right to request and obtain from the controller the modification or completion of their personal data, where such data are being processed by the controller and are inaccurate, outdated or incomplete.
  • Right to erasure: the right to request and obtain from the controller the erasure or deletion of their personal data, in accordance with the grounds set out in the law.
  • Right to object: the right to request and obtain from the controller that specific processing of personal data not be carried out, in accordance with the grounds set out in the law.
  • Right to data portability: the right to request and obtain from the controller a copy of their personal data in an electronic, structured, generic and commonly used format, capable of being operated by different systems, and to communicate or transfer such data to another data controller. The data subject shall have the right to have their personal data transmitted directly from controller to controller where technically possible.
  • Right to object to automated decision-making: the right to request and obtain from the controller that they not be subjected to any decision based exclusively on automated processing — including profiling — whenever such processing gives rise to legal effects concerning them or otherwise produces a significant impact on their rights or legitimate interests.

Law 21.719 also establishes an exhaustive list of obligations the data controller must comply with: 

  • Inform and make available to the data subject the information that evidences the lawfulness of the processing carried out. The controller must likewise provide such information expeditiously when requested.
  • Ensure that personal data are collected from lawful sources for specific, explicit and lawful purposes, and that their processing is limited to the fulfillment of those purposes.
  • Communicate, in accordance with this law, accurate, complete and up-to-date information.
  • Erase or anonymize the data subject’s personal data when they were obtained for the performance of pre-contractual measures.
  • Comply with the other duties, principles and obligations governing the processing of personal data set forth in the law, such as: 
    o    Duty of secrecy or confidentiality.
    o    Duty of information and transparency.
    o    Duty of protection by design and by default.
    o    Duty to adopt security measures.
    o    Duty to report breaches of security measures.

Law 21.459 regulating computer crimes

Law 21.459 — Chile’s modern Computer Crimes Law — updates and replaces the earlier framework established by Law 19.223. Law 21.459 introduces a comprehensive and updated regulatory structure, criminalizing a broader range of cyber-related conduct. It incorporates offenses such as illegal access, interference with information systems, computer forgery, the unlawful acquisition, commercialization, or possession of databases, and the distribution of malicious software, and aligns Chilean legislation with the Budapest Convention on Cybercrime.
Law 21.459 thereby strengthens the protection of personal data by providing penal tools to deter and sanction cyberattacks and related conduct that could lead to unauthorized access, loss, alteration, or disclosure of personal data.

Law 20.584/2012 regulating the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in medical records is sensitive data and states the obligation of healthcare providers to keep patient data confidential and to comply with the principle of purpose limitation. This law also includes certain specific cases in which such data can be submitted, partially or totally, to the data subject and to other individuals or entities.


Law 21.521/2023 promoting competition and financial inclusion through innovation and technology in the provision of financial services, known as the FinTech Law 

This law establishes a broad framework to facilitate the provision of financial services using technological means. The law delegates regulatory authority to the Financial Market Commission (CMF).
The following principles guide the law: financial inclusion and innovation; competition promotion; financial client protection; adequate data protection; integrity and financial stability preservation; and prevention of money laundering and funding of drug trafficking and terrorism.

Law 21.680, creating a Consolidated Debt Registry

The law, enacted on 3rd July 2024 and effective from 1st April 2026, establishes an official registry of credit obligations under the exclusive authority of the Financial Market Commission (CMF).
Debtors are guaranteed access to their personal credit data, including reportable obligations, payment status, and a record of third-party access within the preceding twelve months. Data reporters are legally bound to preserve confidentiality, ensure proper use of personal information, and delete such data once its intended purpose has been fulfilled, thereby safeguarding privacy and promoting transparency in credit contract termination.

Law 21.663, Cybersecurity Framework Law 

This law creates a harmonized regulatory framework for the strengthening of cybersecurity, both operational and regulatory, and addresses essential service providers. It creates a governing body, the National Cybersecurity Agency, which designates essential service providers and operators of vital importance and issues binding protocols and standards calibrated by sector and entity size. Declared essential service providers and operators of vital importance must implement certain technological, organizational, and informational security measures to prevent, report, and resolve cybersecurity events, manage risks, and contain and reduce the impact on operational continuity, confidentiality, and service integrity, and they must report incidents to the National Computer Security Incident Response Team (CSIRT) on fixed timelines.

Law 21.663 further establishes coordination and precedence rules with sectoral regulators, confidentiality and reservation over cybersecurity information, and a supervisory and sanctioning regime for non-compliance. The law establishes a graduated system of sanctions according to the severity of the infringement. Minor infringements may result in fines of up to 5,000 UTM, while serious infringements may reach 10,000 UTM, and very serious infringements up to 20,000 UTM. For operators of vital importance (OIVs), these maximum fines are doubled, reaching 10,000, 20,000, and 40,000 UTM respectively.
