DLA Piper Intelligence

Data Protection
Laws of the World

Electronic Marketing

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in the 'Collection and Processing' section have been fulfilled.

However, any person may require that his/her information be deleted for such purposes, either permanently or temporarily.

The Chilean Consumer Protection Act (Law 19,496/1997 on the protection of consumer rights) defines 'advertising' as the communication that the provider of goods or services send to the public by any means, in order to inform and motivate the purchase goods or services. It also indicates that all promotional or advertising communication must indicate an expeditious way in which the recipients can request the suspension of the promotional communication (opt-out). After a consumer has exercised his opt out right, the sending of new communications is prohibited. In case of promotional or advertising communication sent by e-mail, the communication must also indicate the subject matter or theme and the identity of the sender.

Last modified 28 Jan 2021
Law
Chile

Personal Data Protection is regulated in different laws.

Constitution of the Republic of Chile, Art. 19 N° 4

The Chilean constitution establishes the individual’s right to (i) respect and protection of private life, (ii) honor of the person and his/her family, and (iii) protection of his/her personal data. Any individual who, as a result of an arbitrary or illegal act or omission, suffers a “privation, disturbance or threat” to these rights may file a Constitutional Protective Action (“Recurso de protección”).

Law 19,628/1999 'On the protection of private life', commonly referred to as 'Personal Data Protection Law' (hereinafter, the 'PDPL')

The PDPL generally defines and regulates the processing of personal data in public and private databases and thus constitutes the main and most important body of rules on the processing of personal data not governed by sectoral provisions (for example contained in the laws mentioned below).

Generally, the PDPL stipulates that personal data may only be processed if the processing is permitted by law (eg, employment law, health care law, etc.) or on the basis of the data subject’s prior informed, written consent. There are only a few narrow exceptions to this principle (eg, certain publicly accessible data, or purely internal data processing for certain purposes).

The PDPL law also provides data subjects the right to access, rectify, delete, block and object to processing of personal data in certain cases.

In 2011, Law 20.521/2011 introduced an amendment to the PDPL, prohibiting credit risk predictions or assessments related to late payments or contested items that are not based solely on objective data. In addition, the amendment contains obligations relating to the confidential treatment of personal data, duties of care, involvement of representatives, etc.

Decree with Force of Law N° 3/19978, 'General Law of Banks'

Article 154 of this law establishes the confidentiality of an individual’s transactions with and through banks. The law distinguishes transactions covered by secrecy, which in principle are subject to an absolute prohibition of disclosure, and transactions covered by reserve, which may only be disclosed where a legitimate interest exists and if it cannot be foreseen that the knowledge of the disclosed data may cause financial damage to the customer.

Law 20,575/2012 establishes the 'purpose principle' for the processing of personal data of an economic, financial, banking or commercial nature

This law establishes several rules that apply to the processing of personal data referring to financial, economic, banking or commercial information, such as:

  • Limited disclosures: Such data shall only be communicated to established commercial entities for the purpose of a commercial risk assessment in a credit granting process, and to entities that take part in this evaluation.
  • Prohibition of requesting such type of data in the context of processes for personnel selection, pre-school, school or higher education admission, emergency medical care or application for public office.
  • Providers of economic, financial, banking or commercial databases must have a system for recording the name of any person requesting database information, the reason, date and time of the request and the person responsible for delivering or transferring the information. Data subjects have the right to request access to their commercial information every four months and free of charge.
  • Providers of the database must implement the principles of legitimacy, access and objection, data quality, purpose, proportionality, transparency, non-discrimination, use limitation and security in personal data processing, and designate a contact person for data subjects.

Law 19,223/1993 that defines certain computer crimes

This law establishes criminal sanctions for certain specific conduct related to the theft, destruction, obstruction, modification and illegal access and disclosure of information contained in data processing systems.

Law 20,584/2012 that regulates the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in patient files or documentations of medical treatments are sensitive data, and establishes the obligation of healthcare professionals to maintain patient data confidential and to comply with the principle of purpose limitation. This law also includes certain specific cases in which such data can be submitted, partially or totally, to the data subject and to other individuals or entities.

Bill that regulates the protection and processing of personal data and creates the Agency for the Protection of Personal Data (Bulletin 11,144-07, consolidated with Bulletin 11,092-07)

This draft law aims to modernize the PDPL and to adapt it to international standards. In particular, the introduction of further legal bases in addition to consent, various basic principles which must be observed when processing personal data, regulations on international data transfers and the introduction of a data protection authority are contained in the draft. The bill has already been discussed for some time and is currently still in the first constitutional stage in the senate. Even though the bill was recently declared as urgent, thereby shortening the deadlines for further processing, it is not yet foreseeable when the law will actually be passed.

Last modified 28 Jan 2021
Definitions

Definition of personal data

The PDPL defines personal data as any information concerning identified or identifiable natural persons.

Definition of sensitive data

Sensitive data are defined very broadly as personal data relating to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies or political opinions, religious beliefs or convictions, physical or mental health conditions, and sexual life.

Definition of controller and data processing

The PDLP defines the controller ('responsible for the register or database') as the private individual or legal entity, or the respective public body, which is responsible for decisions related to the processing of personal data.

Data processing is defined as any operation or complex of operations or technical procedures, of automated or non-automated nature, that allow to collect, store, record, organize, elaborate, select, extract, confront, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use them in any other way.

Last modified 28 Jan 2021
Authority

In Chile, no authority dedicated to overseeing matters related to data protection with regard to processing activities performed by private persons or entities exists. Law 20,285/2008 on access to public information provides that the Council for Transparency (Consejo para la Transparencia, the control body to ensure compliance with the aforementioned law which provides the rights to transparency of the public administration and access to information of the state administration) shall ensure proper compliance with the data protection law by the organs of the state administration; however, the Council for Transparency does not have powers to impose fines.

Last modified 28 Jan 2021
Registration

Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.

Last modified 28 Jan 2021
Data Protection Officers

The PDPL does not require the appointment of a Data Protection Officer.

Last modified 28 Jan 2021
Collection & Processing

Generally, personal data may be processed in the following cases:

  • With informed, prior and written consent given by the data subject;
  • If expressly authorized by law;
  • If the personal data comes from publicly accessible sources, and the data:
    • are of financial, banking or commercial nature, or
    • are contained in lists related to a category of persons that merely indicate background information such as the individuals´ membership in that category, his/her profession or activity, educational qualifications, address or date of birth; or
    • are required for direct response commercial communications or direct marketing or sale of goods or services.
  • Furthermore, personal data may be processed without the data subject’s consent if they are processed by private entities for their own exclusive use, or that of their associated or affiliated entities use, for statistical, pricing or other purposes of general benefit to them. In practice, this exception is not of significant importance.
Last modified 28 Jan 2021
Transfer

Transfer of personal data is considered a processing activity, so all of the aforementioned rules are applicable, including the consent requirements. The PDPL does not provide for any special provisions for the international transfer of personal data.

Last modified 28 Jan 2021
Security

The PDPL does not establish specific measures that need to be adopted for the security of the personal data processed. It only stipulates that the controller is required to take care of the data with due diligence, being liable in case of damages.

All individuals involved in the processing of personal data (other than from publicly accessible sources) have to comply with confidentiality obligations, even after they end their work in this field.

Last modified 28 Jan 2021
Breach Notification

There is no obligation to report a data breach.

Last modified 28 Jan 2021
Enforcement

Since there is no data protection authority in Chile, data protection violations can only be challenged with a Constitutional Protective Action on the basis of an alleged violation of the constitutionally guaranteed right to protection of personal data, or with an action before the ordinary civil courts. In addition, the PDPL provides for a special type of action in the event that a controller fails to respond in a timely manner to a request to assert data subject rights ('Habeas Data'). In rare cases, other authorities, such as the consumer protection authority, deal with data protection issues related to their area of competence.

Last modified 28 Jan 2021
Electronic Marketing

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in the 'Collection and Processing' section have been fulfilled.

However, any person may require that his/her information be deleted for such purposes, either permanently or temporarily.

The Chilean Consumer Protection Act (Law 19,496/1997 on the protection of consumer rights) defines 'advertising' as the communication that the provider of goods or services send to the public by any means, in order to inform and motivate the purchase goods or services. It also indicates that all promotional or advertising communication must indicate an expeditious way in which the recipients can request the suspension of the promotional communication (opt-out). After a consumer has exercised his opt out right, the sending of new communications is prohibited. In case of promotional or advertising communication sent by e-mail, the communication must also indicate the subject matter or theme and the identity of the sender.

Last modified 28 Jan 2021
Online Privacy

There are no specific laws governing online privacy or cookies.

Last modified 28 Jan 2021
Contacts
Felipe Bahamondez
Felipe Bahamondez
Partner
DLA Piper (Chile)
T +56 2 2798 2602
Lisa Hondl
Lisa Hondl
Associate
DLA Piper (Chile)
T +56 2 2798 2620
Last modified 28 Jan 2021