Chile: Privacy and Data Protection-related Laws

Chile’s Personal Data Act

The following general laws regulate the collection and use of personal data: Article 19, No. 4, Constitution. This guarantees and protects the honour and privacy of all people.

Civil Code

This provides general rules in all aspects regarding liability and diligence by data controllers in case of causing damage to personal data holders or third parties.

Criminal Code

This protects of the inviolability of communications and sanctions the breach of secrets and their disclosure, with an emphasis on the access or knowledge of data by reason of their office.

Sectoral Law

There are several sectoral laws, you can read more about those here.

Personal Data The legislation on personal data processing applies to:

  • Personal data holder. This is defined as the individual to whom the personal data refers. Organisations, companies or legal entities are excluded from being considered personal data holders.
  • The individual responsible for database registration and/or data processing. This is defined as the individual, organisation or legal entity, private or public, which is responsible for the collection, processing, use and/or any decisions related to the personal data processing. This category applies to all persons or entities that manage personal data.

The Privacy Protection Law

Defines four categories:

  • Personal data. This is defined as data relating to any information concerning identified or identifiable individuals.
  • Sensitive data. This is defined as personal data relating to the physical or moral characteristics of individuals or to facts or circumstances of their private life, such as:
    • personal habits;
    • racial origin;
    • ideologies and political opinions;
    • beliefs or religious convictions;
    • physical or psychological states of health; and
    • sexual life.
  • Lapsed data. This is defined as data that has become outdated by virtue of the law, concurrence of the condition or expiration of the validity term or because of a change in facts or circumstances.
  • Statistical data. This is defined as data that, in its origin, or as a consequence of its treatment, cannot be associated with an identified or identifiable holder. This type of data is not within the scope of the Privacy Protection Law.

Personal data, sensitive data and lapsed data are protected by the Privacy Protection Law.

Regulated acts

The Privacy Protection Law regulates the general treatment of personal data, including:

  • Collection.
  • Treatment.
  • Transfer.
  • Any type of use of the data (regardless of the treatment method).

Juridical scope

The scope of application of the law is not only limited to automated personal data processing, but also manual personal data processing.

There are no exemptions to the jurisdictional scope, other than the general rules applicable to Consulates/Embassies, Antarctic Territories’ International Treaties, and so on.

Notification required before processing?

The information and consent of the data holder is one of the basic principles of the privacy protection legislative framework. The relevant sectoral law or the Privacy Protection Law provides that the processing of personal data can only be done by express authorisation by the law or directly by the data owner. In the latter case, such person must be informed about the purpose of the collection and storage of his data and its eventual publication, therefore the personal data holder authorisation must be made expressly and in writing. The authorisation can be revoked by the personal data holder without need of a justified cause, but it has no retroactive effect.

Main obligations and processing requirements

Article 11 of the Privacy Protection Law establishes the data controller’s responsibility for the maintenance of the personal data records or databases. The data controller is liable for damage caused as a result of its lack of diligence. However, the law does not establish specific standards of care or measures that the responsible data controllers must take to ensure the security of the data or prevent its damage or unauthorised use. Therefore, the Chilean courts must determine and define whether due diligence and/or sufficient measures have been taken to comply with this responsibility principle, on a case-by-case basis and applying general civil liability rules, therefore proving both negligence and causal link (Privacy Protection Law).


The current Privacy Protection law establishes that the processing of personal data can only be done by express authorisation by the law, understood as the Privacy Protection Law, or any other, or by the data holder (see Question 7). The authorisation must be made expressly and in writing. Online consent is sufficient provided that it is express (that is, not implied). Consent by minors (under 18 years old) and/or in case of mental incapacity is subject to general rules, by which authorisation must be granted by the legal guardian.

Read about exceptions to consent here.

Special Rules

Read about special rules here.

Rights of Individuals

According to the general right of information and access, the law requires the delivery of complete information on the personal data relating to:

  • Its holder.
  • Source and destination.
  • Purpose or purposes of its processing, use, publication or storage.

Specific Rights

In addition to general information and access rights, the current Privacy Protection Law recognises the following:

  • Modification or rectification. This is the right to modify or correct erroneous, incomplete or outdated information.
  • Cancellation or deletion. This is the right to request the destruction of data stored in registers or data banks, whatever the procedure used for it.
  • Blocking. This is the right to request the blocking of personal data which accuracy cannot be established and/or which validity is doubtful and/or cancellation rights do not apply.

Security Requirements

There is no legal requirement to notify the security breach to data subjects. However, data subject who have become aware of a breach should notify corresponding data subjects in the context of a judicial civil claim, according to general liability rules. There is no class action available under the current Privacy Protection Law, like the ones that have been recognised for consumer protection matters, although the same could be used to build a case as an alternative to the current Privacy Protection Law.

Processing by third parties

There are no additional requirements under the current Privacy Protection Law for processing by third parties. Third party processes are also treated as data controllers in the same manner as the original data controller. This includes all treatments of data (for example, data hosting services).

International Transfer of Data

The current Chilean legislation does not include provisions regarding the cross-border transfer of data. Therefore Chile is not considered as a “safe harbour” for personal data purposes, and this has been subject to international criticism in the context of Chile’s entry to the Organisation for Economic Co-operation and Development (OECD). The Chilean government has recently introduced a new Privacy Data Protection bill that includes OECD data protection standards on international data transfers and the creation of a Data Protection Authority, who was recently approved by the corresponding Senate Commission. Although a timeframe for the new law to be enforced is hard to estimate, since it depends directly on the President’s urgency for the bill to be further discussed in Congress, it is likely that the recently elected Piñera administration will prioritise the new bill in order to meet the international standards and comply with the OECD directives that Chile has subscribed.

Enforcement and Sanctions

There is currently no national regulator in Chile. The new Data Protection bill gives such authority full enforcement powers in order to receive claims, initiate investigations and impose fines or even the suspension of the data processing in certain cases.


For consequences of breach and non-compliance read more here.


Previous Section Next Section

Have a comment, edit, or item to add? Share your thoughts by commenting below!

comments powered by Disqus