Chile Data Privacy Laws: Law 21.719 Data Protection Reform Guide (2026)

Overview of Chile's Data Protection Framework

Chile holds the distinction of being the first country in Latin America to enact a comprehensive data protection law. Law 19.628 on the Protection of Private Life (Ley sobre Proteccion de la Vida Privada), adopted in 1999, established the foundational framework for personal data protection in the country and served as a model for other Latin American jurisdictions.

However, over the course of nearly 25 years, the limitations of Law 19.628 became increasingly apparent. The law lacked recognition of various lawful bases for processing personal data, contained no framework for international data transfers, and critically failed to establish a data protection authority with enforcement powers. Enforcement depended primarily on private litigation, resulting in a low level of regulatory oversight.

After eight years of legislative debate beginning in 2017, Chile's Congress approved Law 21.719 on 26 August 2024. The reform was published in the Official Gazette on 13 December 2024 and will become fully effective on 1 December 2026, providing organizations with a two-year transition period to bring their practices into compliance.

Constitutional Foundation

Data protection in Chile enjoys constitutional status. Article 19 No. 4 of the Political Constitution of the Republic of Chile guarantees the right to respect and protection of private life and the honor of the individual and their family. A 2018 constitutional amendment added an explicit guarantee that the processing and protection of personal data will be carried out in the manner and under the conditions laid down by law.

This constitutional grounding elevates data protection to a fundamental right in Chile, placing it alongside other constitutionally protected liberties. The constitutional provision also serves as the legal basis for the comprehensive reform enacted through Law 21.719.

Law 21.719: The Reform in Detail

Scope and Application

The reformed law applies to the processing of personal data carried out by any natural or legal person, whether in the public or private sector, using automated or non-automated means, where the data forms part of a filing system. The law has extraterritorial reach, applying to controllers and processors outside Chile who offer goods or services to individuals in Chile or who monitor the behavior of individuals in the country.

Definition of Personal Data

Personal data is defined as any information relating to an identified or identifiable natural person. The law recognizes special categories of sensitive data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.

Legal Bases for Processing

One of the most significant changes introduced by the reform is the establishment of multiple legal bases for processing personal data, aligned with the GDPR's approach. The recognized legal bases include consent of the data subject, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests of the controller.

This represents a major advancement from Law 19.628, which relied primarily on consent as the basis for lawful processing. The expanded legal bases provide organizations with greater flexibility while maintaining appropriate protections for data subjects.

Consent Requirements

Consent must be free, informed, specific, and unambiguous. For the processing of sensitive data, explicit consent is required. The data subject must be clearly informed about the identity of the controller, the purposes of processing, the types of data to be processed, the recipients of the data, and the rights of the data subject.

Consent may be withdrawn at any time, and the withdrawal must be as easy to effect as the giving of consent. The controller bears the burden of demonstrating that valid consent was obtained.

Data Subject Rights

The reform establishes a comprehensive set of data subject rights, including the right to be informed about processing, the right to access personal data, the right to rectification of inaccurate data, the right to deletion of data, the right to object to processing, the right to restrict processing, the right to data portability, and the right not to be subject to solely automated decision-making.

These rights are enforceable through complaints to the new Personal Data Protection Agency and through the courts.

The Personal Data Protection Agency

Establishment and Mandate

The most consequential change introduced by Law 21.719 is the creation of the Personal Data Protection Agency (Agencia de Proteccion de Datos Personales). This marks the first time Chile will have a dedicated data protection authority with enforcement powers.

The agency is established as an autonomous, technically independent public body with its own legal personality and assets. It is responsible for overseeing compliance with the law, receiving and investigating complaints, issuing guidance and binding opinions, conducting inspections, and imposing sanctions for violations.

Powers and Functions

The agency has broad investigative and corrective powers. It may require controllers and processors to provide information, conduct audits and inspections, issue warnings and reprimands, order controllers to comply with data subject requests, impose temporary or permanent bans on processing, and levy administrative fines.

The agency also has the power to approve codes of conduct and certification mechanisms, issue guidance on the interpretation of the law, and promote awareness of data protection rights among the public.

Transitional Period

The establishment of the agency is taking place during the two-year transition period between the law's publication (December 2024) and its full effectiveness (December 2026). During this period, the institutional infrastructure of the agency is being built, including the appointment of leadership, hiring of staff, and development of regulatory guidance.

Cross-Border Data Transfers

Transfer Framework

The reform introduces, for the first time in Chilean law, a comprehensive framework for international data transfers. Under Law 19.628, there were no specific provisions governing cross-border transfers, creating significant legal uncertainty.

The new framework allows transfers to countries that the agency determines provide an adequate level of data protection. In the absence of an adequacy determination, transfers may proceed based on appropriate safeguards such as standard contractual clauses, binding corporate rules, or certifications approved by the agency.

Derogations

Transfers may also proceed in specific situations, including with the explicit consent of the data subject, for the performance of a contract, for important reasons of public interest, or for the establishment, exercise, or defense of legal claims. These derogations align closely with the GDPR's approach under Article 49.

Penalties and Enforcement

Administrative Fines

The reform dramatically increases the penalty framework compared to Law 19.628. Violations are classified into minor, serious, and very serious categories.

Minor infractions can attract fines of up to 5,000 Monthly Tax Units (UTM). Serious infractions can result in fines of up to 10,000 UTM. Very serious infractions can be penalized with fines of up to 20,000 UTM (approximately USD 1.4 million as of 2025).

For repeat offenders, fines may be doubled or tripled. In cases of very serious infractions, the agency may also impose a partial or total suspension of processing activities.

Additional Sanctions

Beyond fines, the agency may issue warnings and reprimands, order the cessation of unlawful processing, require the deletion of unlawfully processed data, and impose temporary or permanent bans on processing.

Public sector entities that violate the law are subject to the same standards, though the penalty mechanisms differ to account for their public nature.

Data Protection Impact Assessments

The reform introduces mandatory data protection impact assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. This includes large-scale processing of sensitive data, systematic monitoring of public areas, and the use of new technologies that present high data protection risks.

The DPIA must assess the necessity and proportionality of the processing, the risks to data subjects, and the measures planned to address those risks. Where a DPIA identifies a high risk that cannot be adequately mitigated, the controller must consult the agency before proceeding with the processing.

Data Breach Notification

Organizations must notify the agency of personal data breaches that are likely to result in a risk to the rights and freedoms of data subjects. The notification must be made without undue delay. Where the breach is likely to result in a high risk to data subjects, the controller must also notify the affected individuals.

Practical Compliance Considerations

Organizations operating in Chile or processing the personal data of Chilean residents should use the two-year transition period to prepare for compliance. Key steps include conducting data mapping exercises to understand what personal data is processed and for what purposes, reviewing and updating privacy policies and consent mechanisms, establishing procedures for responding to data subject requests, assessing cross-border data transfer practices, appointing data protection officers where appropriate, and conducting data protection impact assessments for high-risk processing activities.

The transition from a framework with minimal enforcement to one with an active supervisory authority and significant penalties represents a substantial shift. Organizations that proactively address compliance during the transition period will be better positioned when the agency begins enforcement in December 2026.

This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.