This interview was published by Legal 500. Read the full article here.
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces them)?
- The legal framework governing privacy is found in Article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees respect for and protection of the privacy and honour of the person and his or her family. Article 19 No. 4 of the Chilean Constitution was amended by Law No. 21,096, which establishes the right to protection of personal data and expressly recognizes the protection of personal data within the scope of the constitutional guarantee of protection of private life and honour, stating that the processing and protection of such data are subject to the forms and conditions established by law.
- Furthermore, Chile has a data protection law, Law No. 19,628 on Privacy Protection (the “Data Privacy Act”), which regulates the processing of personal data in public and private databases or data banks. With respect to the public sector, there are special rules for databases or data banks kept by public agencies, and the rights of holders of personal data stored or processed by public entities within the scope of their functions are restricted.
- Law No. 19,496, which contains provisions on credit information, together with the Data Privacy Act (Article 9, as amended by Law No. 20,521), which governs personal data relating to obligations of an economic, financial, banking or commercial character, so as to ensure that the information delivered by risk predictors is accurate, up to date and truthful.
- Law No. 20,584, which regulates privacy in healthcare, contains provisions on the confidentiality of medical records, together with the Data Privacy Act, which provides for the confidentiality of doctors’ prescriptions and of laboratory analyses, exams and services related to healthcare.
- Article 154 bis of the Chilean Labour Code states that the employer shall keep confidential all private information and data of the employee to which it has access by reason of the employment relationship. Article 5 of the Labour Code expressly states that employers may exercise their rights only within the limits imposed by the Constitution, especially with respect to privacy. Employers must abide by and comply with these privacy provisions.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There is no registration process for private entities. However, for personal data processing by government entities, the Civil Registration and Identification Service keeps a register of the personal data banks processed by such agencies (no fee is payable).
The Data Privacy Act states that any person may process personal data if the following requirements are met:
1. The processing of personal data shall be authorized by one of the following three sources: (i) the Data Privacy Act; (ii) another legal provision; or (iii) the specific consent of the subject/holder of the personal data.
In addition, the authorization granted by the holder/subject of the personal data for the processing of his or her data shall comply with the following requirements in order to be effective:
- the data subject shall be accurately informed of the purpose of storing the personal data and of whether the data will be communicated to the public;
- the consent shall be specific and given in writing; and
- the personal data may be used only for the purposes for which it was collected, unless it comes from or has been collected from publicly accessible sources. In any event, the data shall be accurate, up to date and truthfully reflect the actual circumstances of the holder of the personal data.
2. The rights granted by the Data Privacy Act shall be respected and fulfilled;
3. The purpose of the collection and processing shall be permitted by Chilean law.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
According to the Data Privacy Act, personal data means any information concerning identified or identifiable natural persons.
Sensitive data: The Data Privacy Act imposes stricter rules on sensitive data, meaning data relating to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, physical or mental health conditions and sex life.
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail.
Personal data shall be deleted or cancelled when there is no longer a legal ground for its storage or when the data has expired.
- Financial data shall not be processed in the following cases:
- after five years from the date the corresponding obligation became enforceable;
- debts incurred during a period of unemployment;
- obligations that have been paid or extinguished by other legal means; and
- debts for electricity, water, telephone, gas and highway services.
Government entities that process personal data on convictions for felonies, administrative infringements or disciplinary offences may not communicate such data once the statute of limitations applicable to the criminal or administrative action or to the sanction has elapsed, or once the penalty has been served. This is without prejudice to the fact that the right to be forgotten has not been regulated by law in Chile.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
The Data Privacy Act states that any person may process personal data if the following requirements are met:
(a) The processing of personal data shall be authorized by one of the following three sources:
- the Data Privacy Act;
- another legal provision; or
- the specific consent of the subject or holder of the personal data.
The consent/authorization granted by the holder/subject of the personal data for the processing of his or her data shall comply with the following requirements in order to be effective:
- the data subject shall be accurately informed of the purpose of storing the personal data and of whether the data will be communicated to the public;
- the consent shall be specific and given in writing; and
- the personal data may be used only for the purposes for which it was collected, unless it comes from or has been collected from publicly accessible sources. In any event, the data shall be accurate, up to date and truthfully reflect the actual circumstances of the holder of the personal data.
In addition:
(b) The rights granted by the Data Privacy Act shall be respected and fulfilled;
(c) The purpose of the collection and processing shall be permitted by law.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Sensitive data may not be processed unless (i) the law so authorizes; (ii) the subject of the sensitive data gives express consent; or (iii) processing is necessary for the granting of health benefits.
Physicians’ prescriptions and laboratory analyses, exams and services related to healthcare are confidential. Such content may be revealed or copied only with the express consent of the patient, granted in writing. Nevertheless, pharmacies may publish, for statistical purposes, the sales of pharmaceutical products of any nature, including their name and quantity.
The Data Privacy Act includes special provisions on a person’s economic, financial, banking or commercial information/data and its communication: see the answer to question 4.