Actualidad Chile

Personal Data Protection Bill

Gazette 11.144 - 07

This bill proposes to update the legal framework for data protection in Chile, currently legislated under Law 19.628, by regulating areas such as information technologies as used in collecting and disseminating personal data. The bill also proposes to follow the recommendations made by the Organisation for Economic Cooperation and Development (OECD), of which Chile has been a member since 2010.

The precepts in the bill are consistent with recent international standards such as the European Data Protection Regulation, safeguarding respect for and protection of the rights and fundamental freedoms of people over their personal data.

The following draft provisions are important:

  • Guiding principles that underpin the regulation of personal data processing; these refer specifically to the principles of legitimate handling, purpose, proportionality, quality, security, responsibility and information.
  • Acknowledgement of the so-called “ARCO” principles, right of access, rectification, cancellation and opposition to the processing of personal data, all of them irrevocable rights that are free of charge and may not be restricted.
  • The consent of the data holder is the main source of legitimacy for the processing. Consent, which may be withdrawn at any time, must be free, informed, unequivocal, given prior to the processing and specific in terms of its purpose. However, the draft law also specifies cases in which consent is not required.
  • Definition of specific areas of responsibility among those in charge of the data, including duties such as information, confidentiality, adoption of security measures and reporting breaches.
  • Adoption of standards for handling personal data classified as sensitive, such that they may only be processed when the data holder has given their free, informed and explicit consent. “Sensitive “data concerns health, biometrics, biological profiling and geolocation, as well as data about minors.
  • Regulation of international transfer of data; data may be passed to countries deemed to have suitable legislation and certain conditions are established, such as prior notification of the supervisory authority, in the case of data transfer to countries deemed to have insufficiently comprehensive legislation.
  • A Data Protection Agency is to be set up, which will regulate, supervise, enforce and penalise non-compliances with the law. Penalties may range from a written warning to fines of between 1 and 5,000 UTM (monthly tax units), or in exceptional circumstances the shutdown of data treatment operations.