Global Data Privacy Guide: Chile (Latin America)
Firm: Claro & Cia., Abogados | Updated: 08 Aug 2025
| 1. What is the key legislation? | The law currently governing data privacy in Chile is Law No. 19.628 on the Protection of Private Life, published on August 28, 1999, as amended, in force until November 30, 2026. The reformed regime is established by Law No. 19.628 as amended by Law No. 21.719, published on December 13, 2024, and entering into force on December 1, 2026, under the title Law on the Protection of Personal Data. |
| 2. What are the key decisions applying that legislation? | Under the current law, application is entrusted to the courts and, in some cases, to the National Consumer Bureau (“SERNAC”). For example, SERNAC has issued several actions against companies in the e-commerce retail industry, requesting them to comply with the above obligations through the publication of a proper Privacy Policy and Cookies Policy which should inform about the existence of data storage files (cookies or other tracking devices) while browsing, the option of rejecting or accepting the use and storage of such files, the purpose of the data storage and processing, and the implementation of a mechanism to object to or refuse the use of the data. SERNAC is increasingly monitoring compliance with privacy regulations on e-commerce websites and digital platforms. Under the reformed law, the Agency for the Protection of Personal Data will have regulatory and enforcement powers. |
| 1. How are “personal data” and “sensitive data” defined? | In the current law, personal data is defined as any information concerning identified or identifiable natural persons, while sensitive data is defined as personal data relating to physical or moral characteristics, or facts or circumstances of private life or intimacy, including personal habits, racial origin, political opinions, religious beliefs, physical or mental health, and sexual life (Article 2(f)-(g)). In the reformed law, personal data is any information linked or referable to an identified or identifiable natural person, and sensitive data includes, in addition to the above, data revealing ethnic or racial origin, political, union or guild affiliation, socioeconomic status, ideological or philosophical convictions, religious beliefs, health data, biological profile, biometric data, sexual orientation, and gender identity (see Article 2(f)-(g)). |
| 2. How is the defined data protected? | Under the current law, data must be used only for the purposes for which it was collected, must be accurate and updated, and must be deleted when its storage lacks a legal basis or when it becomes outdated. Sensitive data may not be processed except with legal authorization, the express consent of the data subject, or when necessary for the determination or granting of health benefits (Articles 6, 9, 10). The reformed law establishes a comprehensive set of principles for data processing, including lawfulness, purpose limitation, proportionality, data quality, accountability, security, transparency, and confidentiality. Sensitive data is subject to stricter requirements, including explicit consent and additional safeguards, and the law provides for the rights of access, rectification, erasure, opposition, portability, and blocking (Article 3, and Articles 16, 16 bis, 16 ter). |
| 3. Who is subject to privacy obligations? | According to the current law, any public or private entity that processes personal data in records or databases is subject to privacy obligations, except for data processed in the exercise of freedom of opinion and information (Article 1). The reformed law clarifies that it applies to any natural or legal person, including public bodies, that processes personal data, except for personal or family use or journalistic activities. It also provides for its territorial scope of application, establishing that in the following cases its rule may apply:
(Articles 1, 1 bis). |
| 4. How is “data processing” defined? | The current law defines data processing as any operation or set of operations or technical procedures, whether automated or not, that allow for the collection, storage, recording, organization, elaboration, selection, extraction, comparison, interconnection, dissociation, communication, transfer, transmission, or cancellation of personal data, or their use in any other form (Article 2(o)). The reformed law defines data processing as any operation or set of operations or technical procedures, whether automated or not, that allow in any way for the collection, processing, storage, communication, transmission, or use of personal data or sets of personal data (see Article 2(o)). |
| 5. What are the principles applicable to personal data processing? | While the current law does not explicitly enumerate data protection principles, it requires lawfulness, purpose limitation, accuracy, and confidentiality (see Articles 1, 6, 7, 9). The reformed law expressly sets out the principles of lawfulness and fairness, purpose limitation, proportionality, data quality, accountability, security, transparency and information, and confidentiality (Article 3). |
| 6. How is the processing of personal data regulated? | The regulation of data processing under the current law requires legal authorization or express consent, with exceptions for data from public sources and certain uses (see Article 4). Under the reformed law, the general rule of data processing is that the processing of personal data concerning the data subject is lawful when the data subjects give their consent to it. Consent must be free, informed, and specific as to its purpose. Consent must also be given in advance and unequivocally, by means of a verbal or written statement, or expressed through an equivalent electronic means, or by an affirmative act clearly indicating the data subject’s intention (Article 12). It also establishes the following as other legal bases for data processing, without the consent of the data subject:
(Article 13). |
| 7. How are storage, security and retention of personal data regulated? | With respect to storage, security, and retention, the current law requires that data be deleted when its storage lacks a legal basis or when it becomes outdated, that it be modified if inaccurate, and that it be kept confidential (see Articles 6, 7, 9). The reformed law requires that data be kept only as long as necessary for the purpose for which it was collected, that it be deleted or anonymized when no longer needed, and that security measures be appropriate to the risk (see Articles 14 quater, 14 quinquies, 14 sexies). |
| 8. What are the data subjects' rights under the data legislation? | The data subjects' rights under the current law include the right to information, access, modification, deletion, and blocking of data (see Articles 12–16). The reformed law expands these rights to include access, rectification, erasure, opposition, portability, and blocking, and provides detailed procedures for their exercise (see Articles 4–10). In particular, it regulates the following data subjects' rights:
|
| 9. What are the consent requirements for data subjects? | Consent requirements under the current law stipulate that consent must be express and in writing, can be revoked in writing, and must be informed (see Article 4). Under the reformed law, consent must be free, informed, and specific as to its purpose. Consent must also be given in advance and unequivocally, by means of a verbal or written statement, or expressed through an equivalent electronic means, or by an affirmative act that clearly shows the data subject’s will (Article 12). |
| 10. How is authorization for use of data handled? | Authorization for the use of data under the current law must be in writing and informed and can be revoked (see Article 4). The reformed law requires that authorization (consent) be explicit, prior, and revocable at any time, and also recognizes other legal bases for processing (see Articles 12, 13). |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | The current law does not explicitly regulate cross-border data transfers. The reformed law allows international transfers if the recipient country provides adequate protection, or with appropriate safeguards or in specific cases such as consent, contract, or legal obligation (see Articles 27, 28). |
| 12. How are data "incidents" and "breaches" defined? | The current law does not define or regulate data incidents or breaches. The reformed law defines security breaches as the destruction, leakage, loss, or unauthorized access to or disclosure of personal data (Article 14 sexies). |
| 13. Are there any notification requirements for incidents and/or data breaches? | The current law does not impose notification requirements for data breaches. The reformed law requires the data controller to notify the Agency for the Protection of Personal Data and, in some cases, the affected data subjects, without undue delay (Article 14 sexies). |
| 14. Who is/are the privacy regulator(s)? | Since there is no data protection authority under current law, courts serve as the competent authority (see Article 16). The reformed law creates the Agency for the Protection of Personal Data as the national data protection authority, with regulatory, supervisory, and enforcement powers (see Articles 30–32). |
| 15. What are the consequences of a data breach? | Consequences of a data breach under the current law are not specifically addressed, but general liability for damages applies. Under the reformed law, administrative sanctions, including fines and possible suspension of processing, as well as civil liability for damages, are provided for (see Articles 33–47). |
| 16. How is electronic marketing regulated? | Electronic marketing under the current law is regulated by granting data subjects the right to oppose the use of their data for advertising, market research, or opinion surveys (Article 3). The reformed law grants data subjects the right to object to processing for direct marketing purposes, including profiling (Article 8). |
| 17. Are there sector-specific or industry-specific privacy requirements? | Neither law contains sector-specific or industry-specific privacy requirements, except that the current law addresses the confidentiality of medical data, and the reformed law provides for special regimes for certain public bodies and sensitive data. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | There is no requirement to appoint a Data Protection Officer under the current law. The reformed law allows entities to voluntarily appoint a Data Protection Officer as part of a compliance program, and such an appointment is required for certified compliance models (see Articles 49–50). |
| 19. What are the record-keeping and documentation obligations? | The current law does not impose explicit record-keeping or documentation obligations. The reformed law requires data controllers to keep records of processing activities, security incidents, and compliance with the law (see Articles 14, 14 sexies, 49). |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | There is no requirement for Data Protection Impact Assessments under the current law. The reformed law requires such assessments for high-risk processing, including profiling, large-scale processing, monitoring, or processing of sensitive data (see Article 15 ter). |
| 21. What are the requirements for third-party vendor management and data sharing? | Third-party vendor management and data sharing under the current law require that data processing by mandate be in writing and specify the conditions of use (see Article 8). The reformed law requires that processing by third-party processors be governed by contract, specifying the object, duration, purpose, type of data, categories of data subjects, and rights and obligations (see Article 15). |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Penalties and enforcement mechanisms for non-compliance under the current law include civil liability for damages, fines for certain violations, and judicial remedies (see Articles 16, 23). The reformed law provides for administrative fines of up to 20,000 Monthly Tax Units (Unidades Tributarias Mensuales) [1], suspension of processing, publication of sanctions, and civil liability (see Articles 33–53). [1] 20,000 Monthly Tax Units (UTM) is equivalent to 1,307,380,000 CLP. At an exchange rate of 0.0011 CLP/USD, this is approximately $1,438,118.00 US Dollars. One UTM is equivalent to 65,369 CLP or approximately $71.91 USD. |
| 23. What are the ongoing compliance and audit requirements? | There are no explicit ongoing compliance or audit requirements under the current law. The reformed law requires entities to implement technical and organizational measures to ensure compliance and allows for voluntary adoption of compliance programs (Articles 48–51). |
| 24. Are there any recent developments or expected reforms? | The most significant recent development is the enactment of the reformed law, which will enter into force on December 1, 2026, introducing new rights, obligations, and the creation of a national data protection authority. The current law will remain in force until November 30, 2026, after which the reformed law will fully apply. |
The reformed law clarifies that it applies to any natural or legal person, including public bodies, that processes personal data, except for personal or family use or journalistic activities. It also provides for its territorial scope of application, establishing that in the following cases its rule may apply:
- The data controller or agent is established or incorporated in national territory.
- The agent, regardless of its place of establishment or incorporation, carries out personal data processing operations on behalf of a data controller established or incorporated in national territory.
- The processing of personal data carried out by a data controller who, not being established on national territory, is subject to national law under a contract or international law.
(Articles 1, 1 bis).
Under the reformed law, the general rule of data processing is that the processing of personal data concerning the data subject is lawful when the data subjects give their consent to it. Consent must be free, informed, and specific as to its purpose. Consent must also be given in advance and unequivocally, by means of a verbal or written statement, or expressed through an equivalent electronic means, or by an affirmative act clearly indicating the data subject’s intention (Article 12).
It also establishes the following as other legal bases for data processing, without the consent of the data subject:
- The processing refers to data relating to obligations of an economic, financial, banking, or commercial nature.
- The processing necessary to execute or fulfill a legal obligation or as provided by law.
- The processing of data is necessary to enter into or perform a contract between the data controller and the data subject, or to perform pre-contractual measures at the request of the data subject.
- The processing of data is necessary for the satisfaction of legitimate interests of the data controller or of a third party, provided that the data subjects' rights are not affected thereby.
- The processing of data is necessary for the formulation, exercise, or defense of a right before courts of law or public bodies.
(Article 13).
The reformed law expands these rights to include access, rectification, erasure, opposition, portability, and blocking, and provides detailed procedures for their exercise (see Articles 4–10). In particular, it regulates the following data subjects' rights:
- Right of access: the right to obtain from the data controller confirmation as to whether personal data concerning the data subject is being processed, and, where that is the case, access to such personal data and to the information required by law.
- Right to rectification: the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning the data subject, and to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure: the right to obtain from the data controller the erasure of personal data concerning the data subject without undue delay, where one of the grounds provided by law applies.
- Right to oppose: the right to oppose, on grounds relating to the data subject’s particular situation, at any time to the processing of personal data concerning them, including processing for direct marketing purposes.
- Right to data portability: the right to receive the personal data concerning the data subject, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance, where the processing is based on consent or on a contract and carried out by automated means.