DLA Piper Intelligence

Data Protection
Laws of the World

Law

Chile
Chile

Personal Data Protection is regulated in different laws.

Constitution of the Republic of Chile, Art. 19 N° 4

This law establishes individuals’ constitutional right to the respect and protection of public and private life, and the honor of the person and his or her family. Also, due to a recent amendment, it includes the protection of personal data. Any person who, as a result of an arbitrary or illegal act or omission, suffers a deprivation, infringement or threat to this right may file a Constitutional Protection Action.

Law 19,628 'On the protection of private life', commonly referred as 'Personal Data Protection Law' (PDPL)

This law mainly defines and refers to the treatment of personal information in public and private databases. Last modified: Feb. 17, 2012

Law No. 20.521, about personal data protection to guarantee that information provided by credit risk entities (eg, credit agencies) is accurate, updated and true

This law forbids credit risk predictions or assessments related to late payments or contested items that are not based solely on objective data.

General Law of Banks, article 154. Banking Secrecy

This law establishes the confidentiality of transactions that individuals conduct with and through banks, applicable to the following transactions:

  • Transactions covered by secrecy, which in principle implies the absolute impossibility of making them known
  • Transactions covered by reserve, which implies a significant limitation on the possibility of reporting on the transaction

Law 20.575, establishes the limitations on the handling of personal data

Several principles apply to the treatment of personal financial, economic, banking or commercial data:

  • Limited disclosures: This type of data shall only be communicated to established commercial entities, and only for the purpose of a credit granting process. It can also be communicated to entities that take part in this evaluation, and only for the aforementioned purpose
  • Legitimacy
  • Access and opposition
  • Information
  • Data quality
  • Proportionality
  • Transparency
  • Nondiscrimination
  • Use limitation and security in personal data treatment

Law No. 20.285, about public information access

This law prohibits including sensitive personal data in 'Active Transparency' public websites.

Decree 13-2009, from the General Secretary of Presidency

This law establishes rules under Law No. 20.285. This Decree establishes restricts disclosure of public information that contains individuals’ sensitive data.

Law No. 20.169, which regulates unfair competition

This law protects competitors, consumers and, in general, any person whose legitimate interests are affected by an act of unfair competition. An act of unfair competition is any conduct contrary to good faith or good customs that, by illegitimate means, seeks to divert clientele from a market agent.

Law 19.223: Computer Crimes

This law establishes criminal sanctions for conduct related to the theft, destruction, obstruction, modification and illegal access of information contained in data processing systems.

Law No. 20.584, which regulates rights and duties related to healthcare

This law sets makes all information containing regarding healthcare procedures and treatments sensitive data.

Last modified 31 Jan 2019
Law
Chile

Personal Data Protection is regulated in different laws.

Constitution of the Republic of Chile, Art. 19 N° 4

This law establishes individuals’ constitutional right to the respect and protection of public and private life, and the honor of the person and his or her family. Also, due to a recent amendment, it includes the protection of personal data. Any person who, as a result of an arbitrary or illegal act or omission, suffers a deprivation, infringement or threat to this right may file a Constitutional Protection Action.

Law 19,628 'On the protection of private life', commonly referred as 'Personal Data Protection Law' (PDPL)

This law mainly defines and refers to the treatment of personal information in public and private databases. Last modified: Feb. 17, 2012

Law No. 20.521, about personal data protection to guarantee that information provided by credit risk entities (eg, credit agencies) is accurate, updated and true

This law forbids credit risk predictions or assessments related to late payments or contested items that are not based solely on objective data.

General Law of Banks, article 154. Banking Secrecy

This law establishes the confidentiality of transactions that individuals conduct with and through banks, applicable to the following transactions:

  • Transactions covered by secrecy, which in principle implies the absolute impossibility of making them known
  • Transactions covered by reserve, which implies a significant limitation on the possibility of reporting on the transaction

Law 20.575, establishes the limitations on the handling of personal data

Several principles apply to the treatment of personal financial, economic, banking or commercial data:

  • Limited disclosures: This type of data shall only be communicated to established commercial entities, and only for the purpose of a credit granting process. It can also be communicated to entities that take part in this evaluation, and only for the aforementioned purpose
  • Legitimacy
  • Access and opposition
  • Information
  • Data quality
  • Proportionality
  • Transparency
  • Nondiscrimination
  • Use limitation and security in personal data treatment

Law No. 20.285, about public information access

This law prohibits including sensitive personal data in 'Active Transparency' public websites.

Decree 13-2009, from the General Secretary of Presidency

This law establishes rules under Law No. 20.285. This Decree establishes restricts disclosure of public information that contains individuals’ sensitive data.

Law No. 20.169, which regulates unfair competition

This law protects competitors, consumers and, in general, any person whose legitimate interests are affected by an act of unfair competition. An act of unfair competition is any conduct contrary to good faith or good customs that, by illegitimate means, seeks to divert clientele from a market agent.

Law 19.223: Computer Crimes

This law establishes criminal sanctions for conduct related to the theft, destruction, obstruction, modification and illegal access of information contained in data processing systems.

Law No. 20.584, which regulates rights and duties related to healthcare

This law sets makes all information containing regarding healthcare procedures and treatments sensitive data.

Last modified 31 Jan 2019
Definitions

Definition of personal data

The only legal definition is found in the PDPL, in which personal data is referred to as any information concerning natural persons, identified or identifiable.

Definition of sensitive data

Under the PDPL and Decree 13-2009 from the General Secretary of Presidency, sensitive data means personal data relating to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as:

  • Personal habits
  • Racial origin
  • Ideologies and political opinions
  • Religious beliefs or convictions
  • Physical or mental health conditions, and
  • Sexual life
Last modified 31 Jan 2019
Authority

PDPL does not create a dedicated authority to supervise matters related to data protection. Issues under PDPL are resolved, generally, by Chilean courts.

Law 20.285 established the Transparency Council (Consejo para la Transparencia), an autonomous public body responsible for:

  • Promoting transparency in public institutions
  • Overseeing compliance with transparency and information disclosure standards, and
  • Guaranteeing the right of access to information
Last modified 31 Jan 2019
Registration

Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.

Last modified 31 Jan 2019
Data Protection Officers

Under the PDPL, a Responsible Person for the registry or database should be appointed, to be responsible for decisions related to the processing of personal data. The Responsible Person is obliged to make these decisions with due diligence, taking responsibility for the damages that could occur.

Last modified 31 Jan 2019
Collection & Processing

The process of collecting and processing data is defined as any operation, complex operations or technical procedures, whether automated or not, that allows the:

  • Collection
  • Storage
  • Recording
  • Organization
  • Preparation
  • Selection
  • Extraction
  • Access
  • Interconnection
  • Dissociation
  • Communication
  • Assignation
  • Transfer
  • Transmission or cancellation of personal data, or
  • Any other use of personal data

Personal data may be processed in the following cases:

  • With written consent of data subject
  • Authorized by law
  • Collected from publicly accessible sources, in the the following cases:
    • It is of an economic, financial, banking or commercial nature
    • It is obtained from lists related to a specific category of people, which only disclose information such as the allegiance of such individual to such specific group, his/her profession or activity, educational degrees, address and date of birth, or
    • It is required for direct response to commercial communications or marketing, or direct sale of goods or services
    • When personal data is treated by private entities only for their exclusive internal use, or that of their associated or affiliated entities
    • In cases of processing of personal data carried out by public bodies, whenever dealing with matters within their competence, subject to the other common rules established in the PDPL
Last modified 31 Jan 2019
Transfer

Transferring is considered a form of personal data processing, so all of the aforementioned rules apply, including the consent requirements.

Last modified 31 Jan 2019
Security

The Responsible Person is required to ensure that individuals involved in personal data processing are subject to and comply with confidentiality obligations, even after they end their contractual relationship; these individuals are liable for the security of personal data contained in databases.

For automated transmission procedures, the Responsible Person must, at all times, ensure that the rights of the data subjects are safeguarded and the transmission is related to the tasks and purposes of the participating organizations. Also, in the case of a request for personal data through an electronic network, the following information must be recorded:

  • The inquirer’s identity
  • The motive and purpose of the request, and
  • The specific data being transferred
Last modified 31 Jan 2019
Breach Notification

There is no obligation to report a data breach.

Last modified 31 Jan 2019
Enforcement

The data subject has the right to require that the Responsible Person provide information on:

  • What data is held
  • Its source and recipients
  • Purpose of processing, and
  • Detailed information on any person or entities to which the data is frequently sent

The data subject may also request that any incorrect or incomplete record of personal data be modified.

The data subject can request the deletion of his / her personal data, as well as revoke his / her consent to data processing. The aforementioned rights and provisions cannot be contractually waived or limited.

Requests for information, modification, etc can only be denied when the Responsible Person can show that information etc will affect:

  • The duty of confidentiality
  • National security, or
  • Interests

In the cases mentioned above, if the Responsible Person does not reply or respond within two business days to a data subject's request, the data subject can file a complaint before local civil court. Along with specific performance, the affected individual can also claim damages.

The Responsible Person shall indemnify the data subject for the pecuniary and moral damages caused by the undue processing of the data, and must delete, modify or block the data as required by the data subject or, if applicable, ordered by the court.

The judge must reasonably determine the amount of damages, and may impose fines up to US$3,600.

In accordance with the provisions of Law 19.223 of Computer Crimes, criminal sanctions (imprisonment and fines) may be imposed for breaching information processing systems and/or revealing any information contained therein.

Last modified 31 Jan 2019
Electronic Marketing

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in Collection and Processing section have been fulfilled.

However, any person may require that his or her information be deleted in this case, either permanently or temporarily.

The Consumer Protection Law defines marketing and promotional communications as the communication that the provider of goods or services sends to the public by any means, in order to inform and motivate the purchase or contract for goods or services, and provides that all marketing practices must comply with the following:

  • Terms and conditions and / or characteristics of the offered goods and services shall be accurate
  • An 'expedited means to request' the suspension of any further communications (opt-out) shall be included in such communications
  • Every marketing email must indicate that it is an advertisement, and include the identity of the sender and a valid email address to which an opt-out request may be sent
Note: Congress is currently considering Modifications of the Consumer Protection Law.
Last modified 31 Jan 2019
Online Privacy

There are no laws governing online privacy or cookies. However, there is some risk that the use of cookies could implicate computer crime laws prohibiting unauthorized access to computers and information therein.

Last modified 31 Jan 2019
Contacts
Felipe Bahamondez
Felipe Bahamondez
Partner
DLA Piper BAZ | NLD Spa
T +56 2 2798 2602
Last modified 31 Jan 2019