This article was published by Chambers & Partners. The TMT guide for Chile includes the following topics:
1. Cloud Computing
2. Blockchain
3. Legal Considerations for Big Data, Machine Learning and Artificial Intelligence
4. Legal Considerations for Internet of Things Projects
5. Challenges with IT Service Agreements
6. Key Data Protection Principles
7. Monitoring and Limiting of Employee Use of Computer Resources
8. Scope of Telecommunications Regime
9. Audio-Visual Services and Video Channels
10. Encryption Requirements
Cloud Computing
Laws and Regulations
In Chile, there is a lack of regulations concerning cloud computing. Law No 19.628 (Data Protection Act, DPA) does not include a specific provision regarding cloud providers; however, the activity of cloud computing may be considered as data processing.
According to the DPA, data processing is defined broadly as: any action or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form. Consequently, the current DPA makes no distinction between those who control or own personal data and those who provide personal data processing services to owners.
The DPA only mentions the person responsible for a data registry or a bank register, which means any private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no different duties for owners, controllers or processors. Nevertheless, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Data Privacy Act.
Furthermore, the DPA states that any individual can process personal data, provided that the provisions contained in the DPA are complied with. The following requirements shall be met. First, the processing of personal data shall be authorised by one of the following three: the DPA; another legal provision; or the specific consent of the subject or holder of the personal data. In addition, personal data shall be used only for the purposes for which they have been collected (the so-called “finality principle”), and those purposes should be permitted by Chilean law.
Specific Industries Regulations
In banking
The Financial Market Commission (CMF) is the regulator and supervisor of the Chilean financial market. The CMF supervises entities in securities, insurance markets, banks and financial institutions.
In 2017, an amendment was introduced to Chapter 20-7 of the Updated Compilation of Rules for Banks (RAN) of the Superintendence of Banks and Financial Institutions. Chapter 20-7 regulates the outsourcing of services in the banking industry, specifically cloud computing.
Chapter 20-7 defines the term “cloud services” as an adjustable, on-demand model of service provision associated with information technology through networking, based on technical mechanisms – such as virtualisation – under different approaches or supply strategies; it also provides definitions of “private cloud” and “public cloud”.
Furthermore, the regulation establishes special conditions for the outsourcing of cloud services, in order to ensure that the service provider has the appropriate expertise and certifications and fulfils the applicable regulations of the jurisdictions where the services are being carried out, as well as meeting the appropriate safety and encryption standards.
On 26 December 2019, the Financial Market Commission (CMF) issued a new amendment to Chapter 20-7 of the Updated Compilation of Rules for Banks (RAN) and to Circular No 2, providing the conditions that shall be fulfilled in the externalisation of services by banks and their subsidiaries that decide to outsource some activity.
By complying with some specific requirements, those modifications will exempt regulated entities from the current obligation to have a data processing site in Chile for services that are outsourced outside the country and that involve activities considered to be critical or strategic. In addition, the CMF determines that the board of directors of each regulated entity (banks, financial institutions, etc) shall be responsible for evaluating and weighing the benefits and difficulties involved in the outsourcing of services, including so-called “contingency sites”, being able to hire the providers that best meet their needs. This authorisation is subject to compliance with operational requirements and to the issuance of a report by a company of recognised prestige and experience in the evaluation of this type of service.
The new regulation also allows banks or financial institutions to outsource cloud computing and other services to be provided from jurisdictions that do not have a country risk rating in terms of investment grade, provided that there are suitable personal data protection and security laws in place. In this case, the banks or financial companies shall be responsible for recording the analysis performed in this regard.