DLA Piper Intelligence

Data Protection
Laws of the World

Law

Chile

Personal Data Protection is addressed in several specific laws, as well as scattered provisions in related or complementary laws and other legal authority:

The main laws containing Data Protection provisions:

  1. Constitution of the Republic of Chile, Art. 19 N° 4: establishes the 'respect and protection of the public and private life, and the honour of the person and its family'. Any person who by arbitrary or illegal act or omission suffers a deprivation, perturbation or threat to this right may file a Constitutional Protection Action.
  2. Law 19,628 'On the protection of private life', commonly referred to as the 'Personal Data Protection Law' (PDPL): mainly defines and refers to the treatment of personal information in public and private databases. Last modified: Feb. 17, 2012.
  3. Law 20,285, 'On the Access to Public Information': sets forth the Public Function Transparency Principle, the individual right to access the information of Public Administration bodies, and the procedures and exceptions thereof.
  4. Law 20,575: 'Establishes the Destination Principle on the Treatment of personal data': incorporates additional rules when treating economic and debt-related personal data.
  5. General Law on Banks, article 154, establishes the Banking Secrecy: holds that, subject to certain specific exemptions, all deposits are secret, and related information can be given only to the account’s owner or designated representative.  
  6. Law 19,223, 'Criminal Conducts related to Informatics': establishes sanctions for those who breach and unlawfully access and/or use the information available in electronic databases.

Main Decrees containing Data Protection provisions:

  1. Decree N° 13 of 2009, Ministry of the General Secretary of the Presidency: establishes the 'Rules' (or administrative provisions and procedures) of Law 20,285.
Last modified 24 Jan 2017
Definitions

Definition of personal data

Under the PDPL, ‘personal data’ is data referring to any information concerning natural persons, whether identified or identifiable.

Definition of sensitive personal data

Under the PDPL, sensitive personal data is data relating to the physical or moral characteristics of persons, or facts or circumstances of their private life or intimacy, such as personal habits, racial origin, political ideologies and opinions, religious creed or beliefs, physical and mental health conditions, and sexual life.

Last modified 24 Jan 2017
Authority

There is no single regulator who oversees matters relating to data protection and related issues; such matters are, in general, resolved by Chilean courts as follows:

  • The Jueces de Letras (judges with territorial civil jurisdiction) exercise jurisdiction in the first instance over violations of the PDPL.
  • The Appeal Courts exercise jurisdiction in the first instance in connection with constitutional actions, including those involving alleged breaches of the constitutional Right to Privacy. They are also the appeals courts (with second instance jurisdiction) over matters involving alleged violations of the PDPL.
  • The Supreme Court hears appeals involving constitutional violations. When a citizen’s petition for removal, information, modification or blocking of his personal data from a public or private database is denied on 'national security' grounds under the PDPL, the Supreme Court also has jurisdiction in the first instance over such claims.
Last modified 24 Jan 2017
Registration

Chilean law distinguishes between private and public databases containing personal data.

Private Databases: there is no registration obligation.

Public Databases: According to Article 22 of the PDPL, and Decree 779 of 2000 of the Ministry of Justice, all public databases are administered by the Civil Registry and Identification Service.

Last modified 24 Jan 2017
Data Protection Officers

According to the PDPL, the 'responsible person' (i.e., the natural person, legal entity, or public body that makes decisions related to the treatment of personal data) is responsible for ensuring that personal data are protected in accordance with applicable legal requirements. The 'responsible person' must also respond to the inquiries of any person regarding his or her personal data, and its modification, deletion or blocking, etc. If no answer is provided by the responsible person within two business days, the affected person can initiate a civil procedure before the corresponding authorities.

When the treatment of private databases is delegated to a third party by contract, the contract must, among other things, include provisions governing record keeping, due diligence and data breaches or related losses.

Last modified 24 Jan 2017
Collection & Processing

The PDPL establishes the conditions under which personal data can be 'treated'. Similar to the definition of 'processing' in the EU, 'treatment' is defined very broadly to include 'any operation or set of operations, whether automated or not, that recalls, displays, accesses, saves, records, organizes, elaborates, selects, extracts, confronts, interconnects, dissociates, communicates, deletes, transfers, transmits or cancels personal data, or the use of personal data in any other form or manner'.

As a general rule, personal data can only be 'treated' when the written consent of the owner of the personal data is obtained, or when one or more of the following specific conditions are met:

  1. Authorization by Law.
  2. Collection from publicly accessible sources.
  3. The data is of an economic, financial, banking or commercial nature, provided the further treatment of this information (including transmission or communication), meets a number of specific requirements set forth in the PDPL.
  4. When data is obtained on lists related to a specific category of people, which only disclose information such as the allegiance of such individual to such specific group, his/her profession or activity, educational diplomas, address and date of birth.
  5. When personal data is treated by private entities solely for their, or their associate and affiliated entities' exclusive internal use.
Last modified 24 Jan 2017
Transfer

'Transfer' is considered a form of 'treatment' of personal data. Thus, all of the aforementioned rules apply, including the consent requirements.

Last modified 24 Jan 2017
Security

All personnel involved in the treatment of personal data have a legal obligation of confidentiality with respect to data that is not publicly available, even after their contractual relationship or office ends.

The security of personal data contained in databases is an obligation of the 'responsible person', as defined above. This person must maintain the database, and will keep it 'with due diligence, being held accountable for the damages'.

This is a key article, since it does not distinguish by the nature of the damages (to the database or individuals, moral or common, losses, etc.). While there is no actual case law interpreting this rule, it is likely to be broadly construed by a court.

If the responsible person has implemented an automated transmission procedure, it must maintain records that track:

  1. the inquirer’s identity
  2. the motive and purpose of the request, and
  3. the specific data being transferred.
Last modified 24 Jan 2017
Breach Notification

There is no obligation to provide breach notification.

Last modified 24 Jan 2017
Enforcement

Every data subject has the right to demand that the responsible person for a database provide information on what data is held relating to that data subject, as well as its source and any recipients, the purpose of the record, and detailed information on any persons or entities to which the data is frequently sent. A data subject may also request any incorrect or incomplete record of personal data be modified. If there is no legal justification for the recording of the personal data, a data subject may request its removal or deletion. If a data subject previously gave authorization for his or her personal data to be used for marketing, the data subject may request removal from such a marketing list.

The aforementioned rights and provisions cannot be contractually waived or limited.

However, requests for information, modification, etc. can be lawfully denied when the responsible person claims that doing so will impede its practices, will affect the duty of confidentiality, or will affect national security or interests.

In all of the above cases, if the responsible person does not reply or respond within 2 business days to a data subject's request, then the data subject can file a complaint before the local Juez de Letras or common civil local judge. Along with the specific claim for information, removal, etc., the affected individual can claim patrimonial and moral damages. The Judge must reasonably determine the amount of the reparations, and may impose a fine between US $80 – $800 (as of November 2013). If commercial information is involved, the fine may rise up to US $4,000 (as of November 2013).

If the reason for denial was due to national security or interest, then the Supreme Court will assume jurisdiction over the matter.

Finally, there are also criminal sanctions (imprisonment and fines) for breaching information treatment systems and/or revealing any information contained therein.

Last modified 24 Jan 2017
Electronic Marketing

The applicable provisions related to electronic marketing are set out in two laws: 

Consumer Protection Law, 19.496. 

Art. 4 defines 'publicity' or 'marketing' as 'the communication that the provider of goods or services sends to the public by any means, in order to inform and motivate him to purchase or contract for goods or services.'

All marketing practices must follow the provisions contained in the Consumer Protection Law (CPL), which consist mainly of two points, plus a specific provision regarding 'SPAM':

  • Accuracy obligation regarding the terms and conditions and/or characteristics of the offered goods and services.
  • Include an 'expedited means to request' the suspension of any further communications.
  • For email marketing, every marketing email must indicate that it is an advertisement, and include the identity of the sender and a valid email address to which an opt out request may be sent.

The PDPL.

Companies are allowed to create, compile, edit, transmit, etc. databases (including telephone numbers or other contact information) for 'commercial communications', provided the personal data used for marketing is 'available from publicly accessible sources,' or the data subject has provided prior written consent.

Last modified 24 Jan 2017
Online Privacy

There are no laws governing online privacy or cookies, specifically.

However, there is some risk that the use of cookies could implicate computer crime laws prohibiting unauthorized access to computers and information thereon.

Last modified 24 Jan 2017
Contacts
Ariela Agosin
Partner
T +56 2 22445 6000
Nelson Campos
Associate
T +56 2 22445 6000
Last modified 24 Jan 2017