The following general laws regulate the collection and use of personal data: Article 19, No. 4, Constitution. This guarantees and protects the honour and privacy of all people.
Civil Code
This provides general rules in all aspects regarding liability and diligence by data controllers in case of causing damage to personal data holders or third parties.
Criminal Code
This protects of the inviolability of communications and sanctions the breach of secrets and their disclosure, with an emphasis on the access or knowledge of data by reason of their office.
Sectoral Law
There are several sectoral laws, you can read more about those here.
Personal Data The legislation on personal data processing applies to:
The Privacy Protection Law
Defines four categories:
Personal data, sensitive data and lapsed data are protected by the Privacy Protection Law.
Regulated acts
The Privacy Protection Law regulates the general treatment of personal data, including:
Juridical scope
The scope of application of the law is not only limited to automated personal data processing, but also manual personal data processing.
There are no exemptions to the jurisdictional scope, other than the general rules applicable to Consulates/Embassies, Antarctic Territories’ International Treaties, and so on.
Notification required before processing?
The information and consent of the data holder is one of the basic principles of the privacy protection legislative framework. The relevant sectoral law or the Privacy Protection Law provides that the processing of personal data can only be done by express authorisation by the law or directly by the data owner. In the latter case, such person must be informed about the purpose of the collection and storage of his data and its eventual publication, therefore the personal data holder authorisation must be made expressly and in writing. The authorisation can be revoked by the personal data holder without need of a justified cause, but it has no retroactive effect.
Main obligations and processing requirements
Article 11 of the Privacy Protection Law establishes the data controller’s responsibility for the maintenance of the personal data records or databases. The data controller is liable for damage caused as a result of its lack of diligence. However, the law does not establish specific standards of care or measures that the responsible data controllers must take to ensure the security of the data or prevent its damage or unauthorised use. Therefore, the Chilean courts must determine and define whether due diligence and/or sufficient measures have been taken to comply with this responsibility principle, on a case-by-case basis and applying general civil liability rules, therefore proving both negligence and causal link (Privacy Protection Law).
Consent
The current Privacy Protection law establishes that the processing of personal data can only be done by express authorisation by the law, understood as the Privacy Protection Law, or any other, or by the data holder (see Question 7). The authorisation must be made expressly and in writing. Online consent is sufficient provided that it is express (that is, not implied). Consent by minors (under 18 years old) and/or in case of mental incapacity is subject to general rules, by which authorisation must be granted by the legal guardian.
Read about exceptions to consent here.
Special Rules
Read about special rules here.
Rights of Individuals
According to the general right of information and access, the law requires the delivery of complete information on the personal data relating to:
Specific Rights
In addition to general information and access rights, the current Privacy Protection Law recognises the following:
Security Requirements
There is no legal requirement to notify the security breach to data subjects. However, data subject who have become aware of a breach should notify corresponding data subjects in the context of a judicial civil claim, according to general liability rules. There is no class action available under the current Privacy Protection Law, like the ones that have been recognised for consumer protection matters, although the same could be used to build a case as an alternative to the current Privacy Protection Law.
Processing by third parties
There are no additional requirements under the current Privacy Protection Law for processing by third parties. Third party processes are also treated as data controllers in the same manner as the original data controller. This includes all treatments of data (for example, data hosting services).
International Transfer of Data
The current Chilean legislation does not include provisions regarding the cross-border transfer of data. Therefore Chile is not considered as a “safe harbour” for personal data purposes, and this has been subject to international criticism in the context of Chile’s entry to the Organisation for Economic Co-operation and Development (OECD). The Chilean government has recently introduced a new Privacy Data Protection bill that includes OECD data protection standards on international data transfers and the creation of a Data Protection Authority, who was recently approved by the corresponding Senate Commission. Although a timeframe for the new law to be enforced is hard to estimate, since it depends directly on the President’s urgency for the bill to be further discussed in Congress, it is likely that the recently elected Piñera administration will prioritise the new bill in order to meet the international standards and comply with the OECD directives that Chile has subscribed.
Enforcement and Sanctions
There is currently no national regulator in Chile. The new Data Protection bill gives such authority full enforcement powers in order to receive claims, initiate investigations and impose fines or even the suspension of the data processing in certain cases.
Non-compliance
For consequences of breach and non-compliance read more here.
Previous Section | Next Section |