DLA Piper Intelligence

Data Protection
Laws of the World

Collection & Processing

The processing of personal data is defined as any operation, complex of operations or technical procedures, whether automated or not, that allows the:

  • Collection
  • Storage
  • Recording
  • Organization
  • Elaboration
  • Selection
  • Extraction
  • Comparison
  • Interconnection
  • Dissociation
  • Communication
  • Assignment
  • Transfer
  • Transmission
  • Cancellation, or
  • Any other use of personal data.

In general terms, personal data may be processed in the following cases:

  • With informed, prior and written consent given by the data subject
  • In cases expressly authorized by law
  • When said data may be collected from publicly accessible sources, and the data:
    • Has an economic, financial, banking or commercial nature
    • Is obtained from lists related to a specific category of people, which only disclose information such as the allegiance of such individual to such specific group, his / her profession or activity, educational degrees, address and date of birth
    • Is required for direct response to commercial communications or marketing, or direct sale of goods or services
    • Is treated by private entities only for their exclusive internal use, or for their associated or affiliated entities use, for statistical, pricing or other general benefit purposes
    • In cases of data processing carried out by public bodies, whenever dealing with matters within their competence, subject to the other general rules established in the PDPL.
Last modified 14 Jan 2020

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
  • accurate and where necessary kept up to date (the "accuracy principle");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
  • where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
  • where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to 'life or death' scenarios, such as medical emergencies);
  • where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

  • with the explicit consent of the data subject;
  • where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • in limited circumstances by certain not-for-profit bodies;
  • where processing relates to the personal data which are manifestly made public by the data subject;
  • where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
  • where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
  • where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
  • where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • any link between the original purpose and the new purpose
  • the context in which the data have been collected
  • the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
  • the possible consequences of the new processing for the data subjects
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • the identity and contact details of the controller;
  • the data protection officer's contact details (if there is one);
  • both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers;
  • the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • the consequences of failing to provide data necessary to enter into a contract;
  • the existence of any automated decision making and profiling and the consequences for the data subject; and
  • in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances.   Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

  1. necessary for entering into or performing a contract;
  2. authorised by EU or Member State law; or 
  3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Special categories of personal data (Article 9)

Article 9(2) of the GDPR provides for a number of exceptions under which special categories of personal data may lawfully be processed. Certain of these exceptions require a basis in Member State law. Parts 1 and 2 of Schedule 1 to the DPA provide a number of such bases, in the form of 'conditions', which in effect provide UK specific gateways to legalise the processing of certain types of special category data. Many of these conditions are familiar from the previous UK law, whilst other are new. Important examples include:

  • processing required for employment law;
  • heath and social care;
  • equal opportunity monitoring;
  • public interest journalism;
  • fraud prevention;
  • preventing / detecting unlawful acts (eg money laundering / terrorist financing);
  • insurance; and
  • occupational pensions.

Criminal convictions and offences data (Article 10)

The processing of criminal conviction or offences data is prohibited by Article 10 of the GDPR, except where specifically authorised under relevant member state law. Part 3 of Schedule 1 of the DPA authorises a controller to process criminal conviction or offences data where the processing is necessary for a purpose which meets one of the conditions in Parts 2 of Schedule 1 (this covers the conditions noted above other than processing for employment law, health and social care), as well as number of other specific conditions:

  • consent;
  • the protection of a data subject's vital interests; and
  • the establishment, exercising or defence of legal rights, the obtaining of legal advice and the conduct of legal proceedings

Appropriate policy and additional safeguards

In any case where a controller wishes to rely on one of the DPA conditions to lawfully process special category, criminal conviction or offences data, the DPA imposes a separate requirement to have an appropriate policy document in place and apply additional safeguards to justify the processing activity. The purpose of the policy document is to set out how the controller intends to comply with each of the data protection principles in Article 5 of the GDPR in relation to this more sensitive processing data activity.

Child's consent to information society services (Article 8)

Article 8(1) of the GDPR stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services, where that child is over 16 years of age, unless member state law applies a lower age. The DPA reduces the age of consent for these purposes to 13 years for the UK.

Automated Decision Making (Article 22)

Article 22(2)(b) of the GDPR allows member states to authorise automated decision making in local law, subject to additional safeguards, for purposes beyond the two permitted gateways already set out in Article 22(2) of the GDPR (ie, explicit consent, or necessity for entering into or performance of a contract with the data controller).

The DPA takes advantage of this provision to enable automated decision making where the automated decision is accompanied by the sending of a specific notice to the data subject which provides them with a one month period to request the controller to (i) reconsider the decision, or (ii) take a new decision that is not based solely on automated processing.

Last modified 14 Jan 2020
Law
Chile

Personal Data Protection is regulated in different laws.

Constitution of the Republic of Chile, Art. 19 N° 4

This law establishes individuals’ constitutional right to the respect and protection of public and private life, and the honor of the person and his / her family. Also, due to an amendment in 2018, it includes the protection of personal data. Any person who, as a result of an arbitrary or illegal act or omission, suffers a “privation, disturbance or threat” to this right may file a Constitutional Protective Action.

Law 19,628/1999 'On the protection of private life', commonly referred to as 'Personal Data Protection Law' (hereinafter, the 'PDPL')

This law mainly defines and regulates the processing of personal information in public and private databases and thus constitutes the main and most important body of rules on the processing of personal data which are not governed by special provisions.

As a general principle, the law stipulates that personal data may only be processed on the basis of the prior informed written consent of the data subject, with only a few narrow exceptions (e.g. in the case of certain publicly accessible data or purely internal data processing for certain purposes).

This law also regulates the rights of data subjects to access, rectification, deletion or blocking and objection in certain cases. In 2011, Law 20.521/2011 introduced an amendment to this law, according to which credit risk predictions or assessments related to late payments or contested items that are not based solely on objective data are forbidden.

Decree with Force of Law N° 3/19978, 'General Law of Banks'

This law establishes in its article 154 the confidentiality of transactions that individuals conduct with and through banks. The law distinguishes transactions covered by secrecy, which in principle are subject to an absolute prohibition of disclosure, and transactions covered by reserve, which are subject to a significant limitation on the possibility of disclosing the transaction (a disclosure may only be made to persons that can demonstrate a legitimate interest and only if it cannot be foreseen that the knowledge of the disclosed facts may cause property damage to the customer).

Law 20,575/2012 that establishes the 'purpose principle' in the processing of personal data for commercial risk assessment for the credit granting process

This law establishes several rules that apply to the processing of personal data referring to financial, economic, banking or commercial information:

  • Limited disclosures: This type of data shall only be communicated to established commercial entities, and only for the purpose of a commercial risk assessment in a credit granting process. It can also be communicated to entities that take part in this evaluation, and only for the aforementioned purpose.
  • Prohibition of requesting this type of data in the context of processes for personnel selection, preschool, school or higher education admission, emergency medical care or application for public office.
  • Access and opposition right for data subjects: Holders of commercial information have the right to request access to their information every four months and free of charge.
  • Obligation of the databases holders of implementing the principles of Information, Legitimacy, Data quality, Proportionality, Transparency, Non-discrimination, Use limitation and security in personal data processing, and designation of a contact person for data subjects.

Law 20,285/2008 on access to public information (and its Regulation, Decree 13/2009)

This law regulates the principle of transparency of the public service, the right of access to information held by any State Administration organism, the procedures for the exercise and protection of such right, and exceptions to the disclosure of information.

According to this law, the State Administration bodies are obliged to keep a public register with information about the structure of the body, certain finances, and access to services, among others. The register will not include sensitive personal data. The Regulation furtherly details the provisions set forth in this law.

Law 19,223/1993 that defines certain Computer Crimes

This law establishes criminal sanctions for certain specific conducts related to the theft, destruction, obstruction, modification and illegal access and disclosure of information contained in data processing systems.

Law 20,584/2012 that regulates the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in patient files or documentations of medical treatments are sensitive data, and establishes the obligation of healthcare professionals to maintain patient data confidential and to comply with the principle of purpose limitation. This law also includes certain specific cases when such data can be delivered, partially or totally, to the data subject and to other individuals or entities.

Bill that regulates the protection and processing of personal data and creates the Agency for the Protection of Personal Data (Bulletin 11,144-07, consolidated with Bulletin 11,092-07)

This draft law aims to modernize the data protection law (the PDPL, see above) and adapt it to international standards. In particular, the introduction of further legal bases in addition to consent, various basic principles which must be observed when processing personal data, regulations on international data transfers and the introduction of a data protection authority are planned. The bill is currently in the first constitutional stage in the senate and it is not yet foreseeable when the law will be passed.

Last modified 14 Jan 2020
Definitions

Definition of personal data

The only legal definition of the concept is found in the PDPL, in which personal data is defined as any information concerning identified or identifiable natural persons.

Definition of sensitive data

Under the PDPL and the Regulation of Law 20.285/2008 on access to public information, sensitive data means personal data relating to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as:

  • Personal habits
  • Racial origin
  • Ideologies and political opinions
  • Religious beliefs or convictions
  • Physical or mental health conditions, and
  • Sexual life.
Last modified 14 Jan 2020
Authority

In Chile, there does not exist an authority dedicated to overseeing matters related to data protection with regard to processing activities performed by private persons or entitities. Issues under the PDPL are generally resolved by Chilean ordinary trial courts.

However, Law 20,285/2008 on access to public information created the Transparency Council (Consejo para la Transparencia), an autonomous public body responsible for:

  • Promoting transparency in public institutions
  • Overseeing compliance with transparency and information disclosure standards and rules, and
  • Guaranteeing the right of access to information held by public bodies by all individuals.
Last modified 14 Jan 2020
Registration

Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.

Last modified 14 Jan 2020
Data Protection Officers

Under the PDPL, a responsible person for the registry or database should be appointed, corresponding to the natural or legal person or the public entity, as the case may be, which is in charge of the database and is responsible for decisions related to the processing of personal data. The responsible person is obliged to make these decisions with due diligence, being liable for the damages that could occur.

Last modified 14 Jan 2020
Collection & Processing

The processing of personal data is defined as any operation, complex of operations or technical procedures, whether automated or not, that allows the:

  • Collection
  • Storage
  • Recording
  • Organization
  • Elaboration
  • Selection
  • Extraction
  • Comparison
  • Interconnection
  • Dissociation
  • Communication
  • Assignment
  • Transfer
  • Transmission
  • Cancellation, or
  • Any other use of personal data.

In general terms, personal data may be processed in the following cases:

  • With informed, prior and written consent given by the data subject
  • In cases expressly authorized by law
  • When said data may be collected from publicly accessible sources, and the data:
    • Has an economic, financial, banking or commercial nature
    • Is obtained from lists related to a specific category of people, which only disclose information such as the allegiance of such individual to such specific group, his / her profession or activity, educational degrees, address and date of birth
    • Is required for direct response to commercial communications or marketing, or direct sale of goods or services
    • Is treated by private entities only for their exclusive internal use, or for their associated or affiliated entities use, for statistical, pricing or other general benefit purposes
    • In cases of data processing carried out by public bodies, whenever dealing with matters within their competence, subject to the other general rules established in the PDPL.
Last modified 14 Jan 2020
Transfer

Transfer of data is considered a personal data processing activity, so all of the aforementioned rules are also applicable, including the consent requirements.

Last modified 14 Jan 2020
Security

The PDPL does not establish specific measures that need to be adopted for the security of the personal data processed. It only sets that the responsible person is required to take care of the data with due diligence, being liable in case of damages.

Regarding the use of personal data all individuals involved in the processing activities shall comply with confidentiality obligations, even after they end their contractual relationship.

For automated transmission procedures, the responsible person must, at all times, ensure that the rights of the data subjects are safeguarded and the transmission is related to the tasks and purposes of the organizations involved. Also, in case of a request for personal data through an electronic network, the following information must be recorded:

  • The inquirer’s identity
  • The motive and purpose of the request, and
  • The specific data being transferred.
Last modified 14 Jan 2020
Breach Notification

There is no obligation to report a data breach.

Last modified 14 Jan 2020
Enforcement

The data subject has the right to require that the responsible person provide information on:

  • What data is held
  • Its source and recipients
  • The purpose of processing, and
  • Detailed information on any person or entity to which the data is regularly sent

The data subject may also request that any incorrect or incomplete record of personal data is modified.

The data subject can request the deletion of his / her personal data, as well as revoke his / her consent to data processing.

The rights of the data subject to information, modification, cancellation or blocking of his / her personal data cannot be contractually waived or limited. Also, requests for the exercise of said rights can only be denied when the responsible person can show that they will affect:

  • The due exercise of the faculties of the public body requested (as the case may be)
  • The duty of confidentiality
  • National security, or
  • National interests.

In the cases mentioned above, if the responsible person does not reply within two business days to a data subject's request, the data subject can file a complaint before the relevant local trial court. Along with requesting a specific performance, the affected individual can also claim damages.

The responsible person shall indemnify the data subject for the pecuniary and moral damages caused by the undue processing of the data, and must delete, modify or block the data as required by the data subject or, if applicable, as ordered by the court.

The court must reasonably determine the amount of damages, and may impose fines up to USD 3,300.

Additionally, if the data subject considers that his / her constitutional right to protection of personal data has been affected or threatened, he / she can also file a Constitutional Protective Action before the relevant Court of Appeals, requesting the cessation of the offensive action or omission.

Finally, in accordance with the provisions of Law 19,223/1993 that defines certain Computer Crimes, criminal sanctions (imprisonment and fines) may be imposed for breaching information processing systems and/or revealing any information contained therein.

Last modified 14 Jan 2020
Electronic Marketing

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in the “Collection and Processing” section have been fulfilled.

However, any person may require that his / her information be deleted in this case, either permanently or temporarily.

The Chilean Consumer Protection Act defines marketing as the communication that the provider of goods or services sends to the public by any means, in order to inform and motivate the purchase or contract for goods or services. It also indicates that all marketing practices must comply with the following:

  • Terms and conditions and / or characteristics of the offered goods and services shall be accurate
  • An 'expedited mean to request' the suspension of any further communications (opt-out) shall be included in such communications
  • Every marketing email must indicate that it is an advertisement, and include the identity of the sender and a valid email address to which an opt-out request may be sent.
Last modified 14 Jan 2020
Online Privacy

There are no specific laws governing online privacy or cookies.

Last modified 14 Jan 2020
Contacts
Felipe Bahamondez
Felipe Bahamondez
Partner
DLA Piper (Chile)
T +56 2 2798 2602
Last modified 14 Jan 2020