After a seven-year legislative journey, Chile has passed
Law No. 21.719 on the Protection of Personal Data, a landmark regulation that modernizes the country’s privacy framework and establishes the new Personal Data Protection Agency. Officially published on 13 December 2024, the law will take effect on 1 December 2026.
This reform brings Chile in line with international data protection standards and introduces a structured compliance framework for organizations handling personal data, making early preparation essential for businesses operating in the country.
Background
Chile’s previous data protection framework, Law No. 19.628 on the Protection of Private Life, had long been criticized as outdated. This new legislation draws heavily from the EU General Data Protection Regulation (GDPR), reinforcing transparency, accountability, and individual rights in data processing.
The establishment of an independent Personal Data Protection Agency marks a major institutional shift — providing a single authority to oversee compliance, investigate breaches, and sanction violations.
Key Obligations
Under Law No. 21.719, companies and organizations processing personal data must implement a robust set of measures, including:
- Legal basis for processing: Every data processing activity must be justified, documented, and aligned with the law.
- Enhanced transparency: Organizations must provide clear, accessible privacy policies and disclosures to data subjects.
- Special protection for sensitive data: Biometric, health, geolocation, financial data, and information about minors require extra safeguards.
- Breach notifications and confidentiality: Mandatory reporting of data breaches and strict confidentiality obligations are now required.
- Oversight of service providers: Companies must ensure that any third-party service providers handling personal data also comply with the law.
- Data protection impact assessments: High-risk processing activities must undergo formal impact evaluations.
- International data transfers: Cross-border data transfers must meet Chile’s new regulatory standards.
- Proportional obligations for SMEs: Small and medium-sized enterprises benefit from scaled security and transparency requirements suitable for their size.
Organizations are also encouraged to adopt a data protection compliance model, which includes appointing a Data Protection Officer and implementing internal control processes. While voluntary, certified compliance programs may serve as mitigating factors in potential sanctions.
.png?width=1200&length=1200&name=Chile%20Data%20Privacy%20Post%20(4).png)
Sanctions and Enforcement
The law introduces a detailed catalog of 30 infractions, categorized by severity.
Penalties can reach up to 20,000 UTM (approximately USD 1.39 million) for extremely serious breaches, with higher fines for repeat violations.
In addition to financial sanctions, the Agency has the authority to suspend data processing activities for up to 30 days, a measure that could significantly impact business operations.
How CRESCO Supports You with Data Privacy Compliance
Cresco can help organizations navigate new regulations such as Chile’s new Personal Data Protection Law with confidence. From assessing current data practices and identifying gaps to designing robust compliance frameworks, we guide companies through every step of implementation.
Our experts can help define legal bases for processing, draft transparent privacy policies, conduct impact assessments, and ensure secure international data transfers. By tailoring solutions to your organization’s size and risk profile, Cresco ensures you meet regulatory requirements efficiently while safeguarding your reputation and building trust with customers. To learn more or get started, contact us via the form below or at info@cresco-global.com
