Chile Data Privacy Laws: Ley 21.719 Reform, New Agency, and December 2026 Entry into Force

Chile governs personal data under Ley 21.719, a comprehensive reform enacted in August 2024 that replaces the original Ley 19.628. The new law introduces a dedicated supervisory authority, GDPR-aligned rights, and penalties up to 20,000 UTM, with full enforcement starting December 1, 2026.
Quick Answer: Chile's Data Protection Transition
Chile is midway through a fundamental shift in how personal data is regulated. For nearly 25 years, the country operated under Ley 19.628 (1999), the first comprehensive data protection statute in Latin America. That law had no data protection authority, no framework for international transfers, and minimal enforcement mechanisms, leaving individuals largely dependent on private litigation to vindicate their rights.
Ley 21.719, enacted in August 2024 and published in the Diario Oficial on December 13, 2024, changes all of that. The new law replaces and modernizes the prior framework, drawing heavily from the European Union's General Data Protection Regulation (GDPR). It creates a new independent supervisory authority, expands data subject rights, introduces multiple lawful bases for processing, establishes cross-border transfer rules, and imposes meaningful penalties.
Full enforcement begins December 1, 2026. Organizations that process personal data belonging to Chilean residents, whether located inside or outside Chile, should be actively preparing now.
Ley 19.628: The Foundation (1999)
Chile's original data protection law, Ley 19.628 sobre Protección de la Vida Privada (Law on the Protection of Private Life), entered into force in August 1999. At the time, it was a pioneering statute in Latin America and helped establish the concept of personal data protection across the region.
Over time, however, the law's limitations became impossible to ignore. The most glaring gap was the absence of a supervisory authority. There was no dedicated government body empowered to investigate complaints, issue guidance, or levy fines. Enforcement depended almost entirely on individuals bringing civil actions in the courts, a costly and impractical route for most data subjects.
Other shortcomings included a narrow set of lawful bases for processing (consent dominated, with limited alternatives), no provisions governing international data transfers, no right to data portability, and penalties so low as to be economically irrelevant. Legislative efforts to modernize the law began as early as 2017, but the process stretched eight years before Congress finally passed the reform in August 2024.
Constitutional Fundamental Right: Article 19 No. 4
Data protection in Chile enjoys explicit constitutional status. Article 19 No. 4 of the Constitución Política de la República de Chile guarantees the right to respect and protection of private life and the honor of the person and their family.
A constitutional reform enacted in 2018 strengthened this foundation by adding an express guarantee that the processing and protection of personal data shall be carried out in the manner and under the conditions established by law. This amendment elevated data protection to the same tier as other fundamental rights protected under Article 19, giving it constitutional weight that constrains both government and private actors.
The constitutional grounding is more than symbolic. It means that challenges to data processing practices can be raised before constitutional courts, and that any legislative or regulatory measure restricting data protection rights must meet a heightened standard of justification.

Ley 21.719: The Reform in Full
Enactment and Timeline
Chile's Congress approved Ley 21.719 on August 26, 2024, ending eight years of legislative debate. The President promulgated the law and it was published in the Diario Oficial on December 13, 2024.
The law does not take effect immediately. It provides a 24-month transition period, calculated from the date of publication, giving organizations time to adapt and giving the government time to build out the new regulatory agency. Full enforcement begins on December 1, 2026.
During the transition, the existing Ley 19.628 remains operative as the current law. The new agency is being constituted, and the Ministry of Economy has begun issuing implementing instruments, including Standard Contractual Clauses for international data transfers.
Scope and Territorial Reach
The law applies to the processing of personal data by any natural or legal person, in the public or private sector, whether carried out by automated or non-automated means, provided the data forms part of a filing system.
Ley 21.719 has extraterritorial reach. It applies to controllers and processors located outside Chile when they offer goods or services to data subjects in Chile, or when they monitor the behavior of individuals on Chilean territory. This GDPR-style territorial extension means that foreign businesses serving Chilean customers cannot avoid the law simply by not having a physical presence in the country.
Certain processing activities are excluded, including personal or household use, journalistic and artistic expression, and national security functions subject to specific legal frameworks.
The Eight Data Protection Principles
Ley 21.719 introduces eight explicit data protection principles that govern all processing operations:
Lawfulness and Loyalty: Data must be processed on a legitimate legal basis and in a manner that is fair to data subjects.
Purpose Limitation: Data may only be collected for specified, explicit, and legitimate purposes and may not be processed in ways incompatible with those purposes.
Proportionality: Only data that is adequate, relevant, and limited to what is necessary for the stated purpose may be collected and processed.
Data Quality: Personal data must be accurate, complete, and kept up to date. Controllers must take reasonable steps to ensure that inaccurate data is erased or rectified.
Security: Controllers must implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, loss, or destruction, taking into account the state of the art, costs, and the nature of the data.
Transparency and Information: Data subjects must be clearly informed about the identity of the controller, the purposes of processing, the recipients of data, and the rights available to them.
Confidentiality: Persons who process data must treat it with confidentiality and may not use it for unauthorized purposes.
Accountability: Controllers are responsible for demonstrating compliance with the law and must be able to document and justify their data processing practices.
Legal Bases for Processing
One of the most consequential changes in Ley 21.719 is the move from a consent-centric model to a multi-basis framework, similar to the GDPR approach. The recognized lawful bases are:
- Consent of the data subject (freely given, specific, informed, and unambiguous)
- Contract performance or pre-contractual measures at the request of the data subject
- Legal obligation imposed on the controller
- Economic, financial, banking, or commercial obligations owed to or by the data subject
- Legitimate interests of the controller or third parties, provided those interests are not overridden by the rights of the data subject
- Legal proceedings or the establishment, exercise, or defense of legal claims
Consent for sensitive data requires an explicit affirmative act. Controllers bear the burden of proving that valid consent was obtained and must make withdrawal as easy as giving consent.
Sensitive Data Categories
The law designates a heightened protection category for sensitive data, which includes:
- Racial or ethnic origin
- Political opinions, party membership, and union affiliation
- Religious, philosophical, or moral beliefs
- Health and medical information
- Biometric data
- Data concerning sex life and sexual orientation
- Genetic data
Processing sensitive data requires explicit consent as a default rule. Exceptions exist for data voluntarily made public by the subject, non-profit organizations pursuing legitimate interests among their members, vital interests (life and health), legal proceedings, and processing required by law.
Data Subject Rights (ARCO+ Framework)
The reform preserves and significantly expands the traditional ARCO rights (access, rectification, cancellation/erasure, opposition) and adds new rights aligned with the GDPR. Under Ley 21.719, data subjects have:
Right to Access: Confirm whether personal data is being processed and obtain a copy, including information about the source of the data, the recipients, the purpose, and the retention period.
Right to Rectification: Request correction of inaccurate, outdated, or incomplete data. The controller must act within a prescribed period and notify third parties to whom the data was communicated.
Right to Erasure: Request deletion of data when the original purpose has been fulfilled, consent has been withdrawn, processing is unlawful, or a legal obligation requires erasure.
Right to Object: Oppose specific processing operations, including for direct marketing purposes, without the need to justify the objection.
Right to Block: Obtain temporary suspension of any processing operation while a dispute about accuracy or lawfulness is being resolved. This right is specific to the Chilean framework and is not found in the GDPR.
Right to Data Portability: Receive personal data in an electronic, structured, generic, and commonly used format that allows transfer to another controller, where processing is based on consent or contract.
Right Not to Be Subject to Automated Decision-Making: Object to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Controllers must respond to data subject requests within prescribed timeframes, and non-compliance constitutes a sanctionable infraction.
Rules for Children's Data
Ley 21.719 creates a three-tier framework for processing personal data of minors, distinguishing by age:
- Under 14 years: Parental or guardian consent is required for all processing of personal data.
- Ages 14 to 15: Parental or guardian consent is required specifically for processing of sensitive data; general personal data may be processed on other legal bases.
- Ages 16 and over: The general adult rules of the law apply.
This graduated approach reflects recognition that adolescents have developing capacity for informed decision-making, while ensuring heightened protection for the youngest data subjects.
Data Protection Impact Assessments
Controllers engaged in processing activities that are likely to result in a high risk to the rights and freedoms of data subjects must carry out a Data Protection Impact Assessment (DPIA) before commencing the activity. High-risk indicators include large-scale processing of sensitive data, systematic monitoring of public areas, processing using new technologies, and automated decision-making with significant effects.
The DPIA must assess the necessity and proportionality of the processing, the risks to data subjects, and the measures planned to address those risks. Where a DPIA reveals residual high risks that cannot be adequately mitigated, the controller must consult the Agencia before proceeding.
Data Protection by Design and Default
Controllers must implement technical and organizational measures both at the time of designing processing systems and at the time of the actual processing, ensuring that data protection principles are embedded by default. This means that, by default, only the personal data necessary for each specific purpose is processed, minimizing the volume of data collected, the extent of processing, the storage period, and access.
Records of Processing Activities
Controllers must maintain a Register of Processing Activities documenting the categories of data processed, the purposes, the legal bases, the recipients, international transfer details, and retention periods. A separate internal register of security incidents must also be maintained, recording the nature of each breach, its effects, and the data categories affected.
The Agencia de Protección de Datos Personales
Structure and Independence
The Agencia de Protección de Datos Personales (APDP) is established as an autonomous, technically independent public law body with its own legal personality, assets, and budget. Its independence from both the executive and legislative branches is a deliberate design choice, mirroring the structure of data protection authorities in the European Union.
The agency is governed by a Directive Council of three Councilors. The President of the Republic nominates the candidates, who must be ratified by the Senate before assuming office. The three nominees (Joselyn Biermann, Roberto Godoy Fuentes, and Matías Larraguibel Goycoolea) were proposed by the executive for terms of 6, 4, and 2 years respectively. As of May 2026, Senate confirmation remained pending, with the relevant commissions scheduled to vote on the nominations. The nominees are expected to assume office in October 2026, approximately two months before the law enters into full force.
Agency Powers
Once operational, the agency will have broad regulatory, investigative, and sanctioning powers:
- Regulatory: Issue binding instructions, approve codes of conduct and certification mechanisms, publish adequacy determinations for international transfer purposes, and develop implementing regulations.
- Investigative: Receive and process complaints from data subjects, initiate ex officio investigations, conduct audits and inspections of controllers and processors, and require the production of information and documents.
- Sanctioning: Issue warnings, reprimands, and cease-and-desist orders; impose administrative fines; order the rectification, erasure, or blocking of data; and suspend processing activities temporarily or permanently.
- International cooperation: Work with foreign data protection authorities, facilitate cross-border complaint handling, and enter into cooperation agreements.
The agency also maintains the National Register of Sanctions and Compliance, where sanctions are recorded for five years. This public registry creates reputational consequences for repeat violators beyond the financial penalties.
Judicial Review
Sanctions imposed by the agency are subject to judicial review before the Courts of Appeals, providing a procedural safeguard for affected parties.

Data Breach Notification
Notification Obligations
When a security incident affecting personal data occurs, Ley 21.719 imposes a two-track notification obligation.
First, the controller must notify the Agencia de Protección de Datos Personales through the most expeditious means possible and without undue delay when the incident creates a reasonable risk to the rights and freedoms of data subjects.
Second, the controller must notify the affected data subjects directly when a breach involves sensitive data, personal data of minors under 14, or financial and banking data, and where the breach poses a high risk to those individuals.
The law does not establish a fixed number of hours within which notification must occur, unlike the GDPR's 72-hour rule. The agency is expected to issue specific guidance on acceptable timeframes during the transition period.
Cybersecurity Law Coordination
Chile's data breach notification obligations under Ley 21.719 operate alongside the country's Cybersecurity Framework Law, Ley 21.663, which entered full effect in January 2025. Ley 21.663 requires operators of essential services and critical information infrastructure to report significant cybersecurity incidents to the National Cybersecurity Agency (ANCI) as of March 2025. Organizations in sectors such as energy, healthcare, and financial services may therefore face parallel breach notification obligations to both the APDP and ANCI.
Cross-Border Data Transfers
The Prior Regime
Under Ley 19.628, there were no provisions governing cross-border transfers of personal data. Organizations transferred data internationally without a legal framework addressing adequacy or safeguards, creating significant uncertainty.
The New Framework
Ley 21.719 introduces a layered framework for international transfers, drawing from the GDPR model.
Adequacy: Transfers are freely permitted to countries or international organizations that the agency determines provide an adequate level of personal data protection. The agency will publish and maintain a list of adequate jurisdictions.
Appropriate Safeguards: In the absence of an adequacy determination, transfers may proceed where the controller implements appropriate safeguards, including:
- Standard Contractual Clauses as approved or issued by the agency (the Ministry of Economy issued initial Standard Contractual Clauses during the transition period)
- Binding corporate rules for multinational group transfers
- Certification mechanisms or compliance programs approved by the agency
Derogations: In specific circumstances, transfers may proceed without adequacy or safeguards, including with the explicit consent of the data subject, for the performance or conclusion of a contract, for important reasons of public interest, for legal proceedings, and for the protection of vital interests.

Penalties Under Ley 21.719
Infraction Classification
Ley 21.719 establishes a three-tier classification of infractions, each carrying graduated penalties:
Minor infractions (infracciones leves): Fines of up to 5,000 UTM (approximately USD 397,000). Minor infractions include technical non-compliance such as incomplete privacy notices.
Serious infractions (infracciones graves): Fines of up to 10,000 UTM (approximately USD 794,000). Serious infractions include failure to comply with data subject rights requests, inadequate security measures, and processing without a valid legal basis.
Very serious infractions (infracciones gravísimas): Fines of up to 20,000 UTM (approximately USD 1.5 million). Very serious infractions include large-scale processing of sensitive data without consent, major security failures leading to breaches, and repeated non-compliance after agency orders.
Aggravated Penalties for Repeat Offenders
For organizations that are not classified as small enterprises and that commit repeated serious or very serious infractions within a 30-month period, the penalty can alternatively be calculated as a percentage of annual revenue:
- Repeated serious infractions: up to 2% of annual income from sales and services in Chile
- Repeated very serious infractions: up to 4% of annual income from sales and services in Chile
In either case, the higher of the UTM ceiling or the revenue percentage applies. For large multinationals, the revenue-based calculation may produce a significantly higher fine than the UTM cap.
Additional Sanctions
Beyond financial penalties, the agency may issue formal warnings and public reprimands (recorded in the National Register), order the cessation of unlawful processing, require the erasure or correction of unlawfully processed data, and suspend processing activities for up to 30 days in cases of repeated very serious infractions.
Public sector entities are subject to the same substantive standards, though the penalty mechanisms account for their public nature.
Data Protection Officers
Ley 21.719 does not impose a universal mandatory DPO requirement. The law creates a compliance program framework that is voluntary for most private sector organizations, but organizations that adopt such a program and designate a qualified DPO may qualify for reduced penalties in enforcement proceedings.
There are important exceptions. DPO appointment is mandatory for public sector bodies and for organizations whose core activities involve large-scale processing of personal data, or large-scale processing of sensitive data (Article 47 and Article 50).
Where a DPO is appointed, the individual must possess specialist knowledge of data protection law and practice, act independently without conflicts of interest, have sufficient resources and support from senior management, and serve as the primary contact point for the Agencia and for data subjects exercising their rights.
Micro, small, and medium-sized enterprises may fulfill the DPO function through their owners or senior leadership rather than through a dedicated position.
Transition Period and Implementation Timeline
Key Dates
| Event | Date |
|---|---|
| Ley 21.719 approved by Congress | August 26, 2024 |
| Published in Diario Oficial | December 13, 2024 |
| Ministry of Economy issues Standard Contractual Clauses | 2025 (transition period) |
| Directive Council nominees proposed to Senate | 2025 |
| Senate confirmation vote (Directive Council) | Pending as of May 2026 |
| Directive Council assumes office (expected) | October 2026 |
| Full entry into force | December 1, 2026 |
What Happens During the Transition
During the 24-month window, several parallel processes are underway.
The agency is being constituted. The government has proposed three candidates for the Directive Council, and the Senate is working through the confirmation process. The law requires the council to assume office at least two months before the December 2026 entry into force.
Ley 19.628 remains the operative law. Complaints and enforcement during the transition period continue under the existing framework, with its limited enforcement mechanisms.
The Ministry of Economy and other government bodies are developing implementing instruments. Standard Contractual Clauses for international transfers were issued during 2025. The agency, once constituted, will issue binding instructions, adequacy determinations, guidance on DPIAs, and other regulatory materials.
Recent Developments (2025 to 2026)
December 2024: Ley 21.719 published in the Diario Oficial, starting the 24-month countdown to enforcement.
2025: Ministry of Economy issues Standard Contractual Clauses for international data transfers, providing organizations with an early compliance tool for cross-border transfers.
January 2025: Chile's Cybersecurity Framework Law, Ley 21.663, enters full effect. From March 2025, essential service operators are required to report significant cybersecurity incidents to the ANCI, creating a parallel notification regime that intersects with Ley 21.719's breach notification obligations.
Early 2026: Legislative discussion of Bulletin No. 18036-05 seeks to accelerate the process for appointing the Directive Council of the APDP.
May 2026: The joint Constitutional and Economy Senate commissions are deliberating on the confirmation of the three Directive Council nominees. A deadlocked vote (5-5 tie) in the commissions required a reconvened session on May 19, 2026, to attempt to break the impasse. The nominees are expected to assume office in October 2026, two months before enforcement begins.
Business Compliance Guide
Organizations processing personal data of Chilean residents should use the remaining months before December 2026 to take these steps:
Data Mapping: Identify all categories of personal data collected and processed, document purposes, legal bases, retention periods, and data flows including transfers to processors and third parties.
Records of Processing: Establish and maintain a formal Register of Processing Activities and a separate incident register as required by the law.
Legal Bases Review: Audit existing consent mechanisms and identify alternative legal bases where processing rests on inadequate grounds. Update privacy notices to reflect all required disclosures.
Data Subject Rights Procedures: Implement operational workflows for responding to access, rectification, erasure, portability, objection, and automated decision-making requests within the required timeframes.
International Transfers: Review all cross-border data flows. Where adequacy determinations are not available, implement Standard Contractual Clauses or other approved safeguards.
Security Measures: Assess technical and organizational security measures against the law's requirements. Implement a breach detection and notification procedure that can respond to incidents without undue delay.
DPIA Process: Identify processing activities that require a DPIA and conduct assessments before December 2026. Consult the agency where residual high risks cannot be mitigated.
DPO Consideration: Determine whether DPO appointment is mandatory (public sector or large-scale sensitive data processing) or strategically advisable to reduce penalty exposure through a voluntary compliance program.
Processor Agreements: Review and update contracts with data processors to include mandatory clauses on confidentiality, security, purpose limitation, and incident notification to meet regulatory deadlines.
Children's Data: Verify that any processing of data belonging to users under 16 complies with the tiered age-based consent requirements under the law.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change; consult a qualified attorney for advice specific to your situation.
Frequently Asked Questions
When does Chile's new data protection law take effect?
Ley 21.719 was published in the Diario Oficial on December 13, 2024 and becomes fully enforceable on December 1, 2026. The 24-month transition period allows organizations to prepare and gives the government time to constitute the Agencia de Protección de Datos Personales.
What replaces Ley 19.628?
Ley 21.719 replaces and modernizes Ley 19.628 (1999). The original law remains operative during the transition period; full enforcement of the new framework begins December 1, 2026.
Does Chile have a data protection authority?
Yes, under the new law. Ley 21.719 creates the Agencia de Protección de Datos Personales as an autonomous supervisory authority with investigative, regulatory, and sanctioning powers. The agency's three-member Directive Council was in the process of Senate confirmation as of May 2026, with the Council expected to assume office in October 2026.
What are the maximum penalties for violating Chile's data protection law?
Very serious infractions carry fines of up to 20,000 UTM (approximately USD 1.5 million). For large companies that commit repeated serious or very serious infractions, fines can instead be calculated as up to 2% or 4% of annual revenue from sales and services in Chile, respectively, with the higher of the UTM ceiling or the revenue percentage applying. The agency may also suspend processing activities for up to 30 days.
Is a Data Protection Officer required under Ley 21.719?
Not universally. DPO appointment is mandatory for public sector bodies and organizations whose core activities involve large-scale processing of personal data or sensitive data. For other organizations, appointing a DPO within a voluntary compliance program can reduce penalty exposure in enforcement proceedings.
Can personal data be transferred outside Chile?
Yes, under the new framework. Transfers are permitted to countries that the Agencia determines provide adequate protection, or with appropriate safeguards such as Standard Contractual Clauses (issued by the Ministry of Economy during the transition period) or binding corporate rules. Transfers may also proceed under specific derogations including explicit consent and contractual necessity.
Is data protection a constitutional right in Chile?
Yes. Article 19 No. 4 of Chile's Constitution guarantees the right to respect and protection of private life. A 2018 amendment added an explicit constitutional guarantee that the processing and protection of personal data shall be carried out in the manner and under the conditions established by law.
What data subject rights does Ley 21.719 provide?
The law provides access, rectification, erasure, objection, blocking (temporary suspension of processing), data portability, and the right to object to automated decision-making and profiling. These expand the traditional ARCO rights (access, rectification, cancellation, opposition) that existed under Ley 19.628.
How are children's data protected under the new law?
The law creates a three-tier framework. Processing data of children under 14 always requires parental or guardian consent. For ages 14 to 15, parental consent is required for sensitive data but not for general personal data. For ages 16 and over, the standard adult rules of the law apply.
How does Chile's data protection law relate to its cybersecurity law?
Chile's Cybersecurity Framework Law, Ley 21.663, entered full effect in January 2025. Since March 2025, it has required operators of essential services to report significant cybersecurity incidents to the National Cybersecurity Agency (ANCI). When Ley 21.719 enters force in December 2026, operators in essential sectors may face parallel notification obligations to both the APDP (under data protection law) and ANCI (under cybersecurity law).