News on Data Protection in Chile
On August 26, 2024, after more than seven years of intense negotiations, the National Congress of Chile finally approved the Personal Data Protection Bill (hereinafter, the “Bill”). Once it undergoes the required constitutional review by the Chilean Constitutional Court, it will be published in the Official Gazette to officially become law, shedding its current status as a bill.
According to the Chilean legislator, the purpose of the upcoming regulation is to protect the personal data of individuals, regulating the manner and conditions under which such data should be processed, directly aiming to safeguard a fundamental right.
From the moment it takes effect, fundamental changes will be introduced to the current regulation on privacy and data protection across Chile, which is primarily governed by Law 19.628, in effect since 1999, and which has become completely outdated, unable to adequately address the modern challenges of this branch of law. The Chilean legislator has set a one-year period from the publication of the law for it to come into force. Additionally, there is a 24-month grace period to adapt existing databases to the new legislation from the date of publication.
In this way, Chile follows the model of most Latin American countries, which in recent years have been moving closer to European standards on privacy by adopting and enacting regulations deeply inspired by the General Data Protection Regulation (GDPR).
As a result, companies operating in Chile will have to adjust their business models to meet the requirements established by the new regulation. Considering how demanding this process can be, the period leading up to the law’s full implementation is seen as crucial for making the necessary adjustments.
Thus, a brief summary of the main new features introduced by the Bill is included below:
1. Territorial Scope of the Regulation
The new provisions included in the Bill, and which the subsequent law will incorporate, will primarily be binding for all personal data processing carried out:
a) By a data controller or processor (or “encargado” as referred to under European regulations) established or constituted in Chile.
b) By a processor, regardless of location, who carries out data processing operations on behalf of a data controller established or constituted in Chile.
c) By a data controller or processor who, although not established in Chile, processes data in operations aimed at offering goods or services to data subjects located in Chile.
2. Creation of the Data Protection Agency and the National Sanctions Registry
The Bill provides for the creation of two important entities: on the one hand, the Data Protection Agency, which will be responsible for ensuring the effective protection of the rights that guarantee individuals’ privacy and their personal data, in accordance with the new law, and monitoring compliance with its provisions; and on the other hand, the National Sanctions and Compliance Registry, which will be managed by the Agency and will publish sanctions imposed on companies that violate the regulations.
Access to this Registry will be free and open to the public, which increases the importance for every entity to properly comply with the new regulations and implement clear and preventive processes. The reputational damage of being listed in this Registry could be immense.
3. Sanctions Regime and Company Liability
The Bill introduces a new and stringent sanctions system, classifying violations as minor, serious, and very serious, replacing the more lenient regime regulated by Law 19.628. Under the new regime, sanctions are categorized as follows:
– **Minor Violations**
Fine of up to 5,000 UTM (approximately USD 387,000) for cases such as failure to adequately inform data subjects about data processing.
– **Serious Violations**
Fine of up to 10,000 UTM (approximately USD 775,000) for cases such as processing data without a legal basis.
– **Very Serious Violations**
Fine of up to 20,000 UTM (approximately USD 1,550,000) for cases such as the fraudulent use of personal data.
It is important to note that repeated serious or very serious offenses also carry the risk that fines may not only be based on a fixed amount but could reach 2% or 4% of a company’s annual revenue, depending on the severity of the infraction.
The Bill also establishes a civil liability regime which, in summary, stipulates that the data controller must compensate for both pecuniary and non-pecuniary damages caused to data subjects when their data processing operations violate the principles established by the law, as well as the rights and obligations set forth, resulting in harm to the data subjects.
Beyond the significant financial penalties that may be imposed by the Agency, one must not overlook the reputational damage that comes with being labeled a violator of data protection regulations. This significantly erodes the trust that individuals place in such companies.
4. Relationship Between Data Controllers and Processors
The requirements for the relationship between a data controller and a processor closely resemble those established under the GDPR. The regulation expands significantly on what is outlined in Law 19.628, introducing the obligation to formalize detailed contractual agreements. These agreements must clearly define the responsibilities of each party and the main characteristics of the data processing, including provisions for subcontracting, the handling of data after the processing has concluded, or even the designation of the processor as a controller if they use the data for their own purposes, among other aspects.
5. New Catalogue of Rights for Data Subjects
The data protection rights of Chilean citizens are also seeing important updates. The Bill adds new rights to the existing catalogue from Law 19.628. In addition to the existing rights—access, rectification, cancellation, opposition, and blocking—the new rights of **data portability** and **objection to automated individual decisions** are introduced.
To properly handle these requests in a timely and appropriate manner, companies will need to establish systems and develop procedures and protocols that ensure the correct management of rights exercises within a 30-calendar-day period from the receipt of the request, with the possibility of extending this deadline by an additional 30 days. If the data subject is not satisfied with the response, they will have 30 calendar days, extendable by another 30 days, to file a complaint with the Agency.
6. Legal Bases for Data Processing
One of the biggest legal gaps in Law 19.628 was the absence of a diverse range of legal bases that would allow companies to carry out data processing operations with adequate legal guarantees, without relying solely on the individual’s consent or requiring that the processing be explicitly stipulated by law.
The new Bill addresses this issue by providing a broader set of legal bases for processing personal data, thereby giving businesses more flexibility in ensuring their data practices comply with the law while safeguarding the rights of individuals.
Thus, although consent remains a fundamental pillar in this regard—and has even been strengthened, as the Bill clearly establishes that consent must be explicit, informed, and revocable—new legal bases for data processing have been introduced, reflecting the GDPR. These new bases include compliance with legal obligations, the execution of contracts with the data subject, or the legitimate interest of the controller.
This inevitably requires companies to undergo an internal review of the legal bases they currently rely on for data processing operations. By doing so, they can ensure compliance with the new regulations and adjust their practices accordingly.
8. New Obligations for Data Controllers
The Bill also introduces a significant number of obligations and tasks that all companies must undertake to properly comply with the new regulations and ensure secure and reliable data processing for affected individuals.
These new obligations include implementing robust data protection measures, ensuring transparency in data processing activities, maintaining accountability through regular audits and assessments, and establishing clear protocols for responding to data subject requests. Companies will need to dedicate considerable resources to aligning their operations with these new standards to safeguard personal data effectively.
Impact Assessments
Processing operations that involve high risks to individuals’ rights must undergo prior impact assessments. This requirement becomes crucial—and mandatory—in scenarios involving the mass processing of personal data or situations that could significantly compromise individuals’ privacy, such as activities involving the systematic and comprehensive evaluation of personal aspects based on automated processing or decisions, the systematic observation or monitoring of a public access area, or the processing of sensitive and specially protected data, particularly in cases where consent is exempted. Conducting these assessments will be essential to prevent sanctions from the Agency.
Security Breaches
Breaches that compromise the security of personal data and pose a reasonable risk to the rights and freedoms of the data subjects must be reported without delay to the Data Protection Agency.
If the breaches involve sensitive data or data of minors, the affected data subjects must also be notified. Establishing security incident response protocols is an immediate necessity to comply with the law and avoid sanctions.
Regularization of International Data Transfers
According to the provisions of the draft law, once it comes into effect, personal data transfers from Chile to a recipient in a third country or state will only be permitted if the new legal requirements are met. These include, for example, that the legal framework of the country or territory where the recipient is located provides an adequate level of data protection, or that the data transfer is covered by contractual clauses, binding corporate rules, or other legal instruments signed by the parties involved. The new regulations on data transfers restrict the operations of companies with international business relationships, requiring the execution of the appropriate legal instruments in cases where they do not already exist.
Data Protection by Design and by Default
The draft law also establishes the obligation to integrate data protection from the design phase of systems, ensuring that by default, only the data strictly necessary for each activity is processed. This requires the adoption of technical and organizational measures from the start of projects and throughout their entire life cycle. This approach demands the involvement of all departments within a company, under the coordination of the Data Protection Officer or internal privacy officer, making it a complex and long-term process.
Implementation of Prevention Models
One of the new provisions introduced by the draft law is the possibility for data controllers to adopt a prevention model for violations, consisting of a compliance program. These compliance programs must include, at a minimum:
- The appointment of a Data Protection Officer, along with the necessary resources and authority.
- The identification of the types of data processed and the processes that could increase the risk of violations.
- Protocols and reporting mechanisms, both internal and towards the Agency, in the event of security breaches.
- The existence of internal administrative sanctions, as well as procedures for reporting or holding accountable individuals who fail to comply with the violation prevention system.
Conclusions
Implementing this type of prevention program is not only a proactive security measure but also a way to reduce potential sanctions, thereby minimizing exposure to significant violations.