Global Data Privacy Guide

Chile

(Latin America/Caribbean) Firm Claro & Cia., Abogados

Contributors

Updated 01 Mar 2022
What is the key legislation?

The key privacy legislation is the Privacy Act, Law 19628 on the “Protection of Private Life and the Treatment of Personal Data” (“DPA”).

Also relevant is the following legislation:

  • The Chilean Political Constitution guarantees the right to the protection of personal data (Article 19 N° 4);
  • The Consumer Protection Act, Law 19496 (“CPA”) regulates the following issues:
    • Unsolicited commercial or marketing communications. The CPA provides that no authorization is required for the processing of personal data when that data is necessary for direct-response commercial communications or for the direct marketing or sale of goods or services. On the other hand, the CPA provides that the data subject may request the deletion or blocking of his/her data when the data is used for commercial communications and the data subject does not wish to continue appearing in the respective register or database, either definitively or temporarily.
    • Use of cookies on websites or digital platforms of retail services. The CPA establishes the consumer’s right to “truthful and timely information on the goods and services offered” and every person’s right to be informed, in cases of “collection of personal data through surveys, market studies or public opinion polls or other similar instruments”, of whether responding is mandatory and of “the purpose for which the information is being requested”. Based on these two provisions, the National Consumer Bureau (“SERNAC”) has brought several actions against companies in the e-commerce retail industry, requiring them to comply with the above obligations by publishing a proper Privacy Policy and Cookies Policy. These policies should inform users of the existence of data storage files (cookies or other tracking devices) placed while navigating, the option of rejecting or accepting the use and storage of such files, the purpose of the data storage and processing, and the mechanism available for opposing or rejecting the use of the data. SERNAC is increasingly monitoring compliance with privacy regulations on e-commerce websites and digital platforms.
    • Voluntary procedure for the protection of collective interests (collective mediation) and subsequent class-action lawsuit in cases of security breaches. SERNAC actively seeks compensation for consumers affected by security breaches, such as disclosure of personal information or interruption of computer services that prevents users from carrying out their transactions, as well as other damages, including duplicated charges and discrepancies in checking-account balances. The proceeding can only begin if no class actions have been filed in relation to the same facts and, once the proceeding has commenced, no class actions can be filed concerning the same facts until the voluntary proceeding ends. This proceeding can be initiated by SERNAC or through a complaint from a consumer association.
  • Commission for the Financial Market (“CMF”) Regulations on Cybersecurity. These regulations on cybersecurity are based on the CMF’s Updated Compilation of Regulations (“the RAN”), chapter 20-8 on Information on Operational Incidents and Database of Cybersecurity Incidents and chapter 1-13 on the Classification of Management and Solvency. Recent amendments have taken place with the purpose of having access to more and better information about incidents and raising the security standards of the financial system;
  • The General Banking Law 20950, establishing banking secrecy;
  • The Chilean Sanitary Code, regulating the secrecy of medical and health information;
  • The Law on Rights and Duties of Patients, Law 20584, which “regulates the rights and duties that people have in relation to actions related to their health care”. This law establishes the privacy of the information contained in a patient’s clinical record. Medical prescriptions, laboratory analyses or exams, and services related to health are confidential. Their content can only be revealed or copied with the explicit consent of the patient, granted in writing. Whoever improperly discloses their content may be punished with a financial penalty;
  • The Law on Access to Public Information, Law 20285, regulating the individual right to access the information of public administration entities; and
  • The Law on Criminal Conduct related to Informatics (1993), Law 19223, establishing sanctions for those who misuse information available in electronic databases.

What data is protected?

Personal data, meaning any information –and particularly sensitive information – about an identified or identifiable person.

The DPA protects personal data, meaning any information about an identified or identifiable person, and in particular sensitive information such as the physical or moral characteristics of individuals or the facts or circumstances of their private life or intimacy, including their race, origin, health, sexual orientation, religious beliefs, ideology, personal habits, etc.

Certain other data is protected to a lesser degree; for example, personal information that can be collected from sources accessible to the public, when such data is either (i) of an economic, financial, banking or commercial nature; (ii) contained in lists relative to a category of people that only indicate details such as their being part of a group, their profession or activity, education, address or birth date; or (iii) necessary for direct-response commercial communications or the commercialization or direct sale of goods or services. The extent of this definition and the concept of “sources accessible to the public” are quite controversial in Chile.

Who is subject to privacy obligations?

Any person or entity in the private or public sectors that engages in the treatment of personal data.

The DPA establishes, as an all-embracing principle, that any person or entity in the private or public sectors that engages in the treatment of data is subject to privacy obligations.

The concept of “treatment or processing of data” comprises all kinds of operations or technical procedures, whether automated or not, that allow collecting, storing, recording, organizing, generating, selecting, extracting, comparing, interconnecting, dissociating, communicating, assigning, transferring, transmitting or cancelling personal data, or using it in any other way.

Generally, any person or entity in charge of the personal data of others must always fully respect their fundamental rights as well as their rights under the Data Privacy Act.

What are the principles applicable to personal data processing?

Anyone may collect personal data for a lawful purpose if the collection is authorized by law or by the relevant person (valid consent).

Any person or entity in the private or public sectors may collect personal data for a lawful purpose, provided that the DPA or another law authorizes such collection or the relevant person expressly consents to it.

Consent to collect personal data must be in writing and will only be valid if the individual was duly informed about the purpose of obtaining his/her personal data and the potential disclosure of such data to others. The initial consent may be revoked later on, also in writing.

In addition, when personal data is collected through polls, market studies, public opinion inquiries or other similar means, the relevant person must be informed of whether it is mandatory or voluntary to provide data in response. If the results are published, they cannot contain any information about the identity of the persons whose data was collected.

Consent is not required in the case of:

  • Any personal information that can be collected from sources accessible to the public, when such data is either:
    • of an economic, financial, banking or commercial nature; or
    • contained in lists relative to a category of people that only indicate details such as their being part of a group, their profession or activity, education, address or birthdate; or
    • necessary for direct-response commercial communications or the commercialization or direct sale of goods or services;
  • Any personal information used by legal entities for their exclusive use, or the use of their associates, or the use of the entities to which the legal entities are affiliated, for statistical, tariff (setting or calculating rates or prices) or other purposes of benefit to them or their affiliates. This is the legal basis used by insurance companies when processing data of insured people without their consent. As the drafting of this exception is poor, and case law in this matter is limited, the scope of application of this exception is not clear.
  • In the case of sensitive data: when the processing is necessary for the determination or granting of health benefits.
  • Data lawfully collected by public entities in connection with matters within their competence.

How is the processing of personal data regulated?

Anyone may use and disclose personal data for a lawful purpose if such use and disclosure are authorized by law or by the relevant person.

Any person or entity in the private or public sectors may use and even disclose personal data for a lawful purpose, provided that the DPA or another law authorizes such use and/or disclosure, or the relevant person expressly consents to one or both.

Personal data may only be used for the purpose for which it was collected unless it was obtained from sources accessible to the public.

Consent to use and disclose personal data must be in writing and will only be valid if the individual was duly informed about the purpose of obtaining his/her personal data and the potential disclosure of such data to others. The initial consent may be revoked later on, also in writing.

How are storage, security and retention of personal data regulated?

Anyone may store personal data for a lawful purpose if such storage is authorized by law or by the relevant person. Stored data must be deleted when the legal basis for storing it disappears or when the data becomes outdated, even if the relevant person did not request such deletion.

Any person or entity in the private or public sectors may store personal data for a lawful purpose, provided that the DPA or another law authorizes such storage or the relevant person expressly consents to it.

Consent to store personal data must be in writing (wet or electronic signature) and will only be valid if the individual was duly informed about the purpose of obtaining his/her personal data and the potential disclosure of such data to others. The initial consent may be revoked later on, also in writing.

When the legal basis for storing certain personal data disappears or when the stored data becomes outdated, it has to be deleted. If it seems that some data may be outdated or without a legal basis for storage, it has to be blocked until there is certainty about this. The person or entity in charge of the database must do all of the aforesaid even if the relevant individual did not request the deletion or other measures. In case this is not complied with, penalties may apply.

If the individual does request a deletion, this must be done promptly (and free of charge) unless there are significant reasons (such as national security or other relevant public interests) not to do so. The right to request a lawful deletion cannot be limited in any way.

The person or entity in charge of the database must safeguard the information with due care and will be responsible for damages caused by any privacy breach. All persons that work in connection with the personal data of others, both in the private or public sectors, must keep it secret if it was not collected from sources accessible to the public. This obligation survives any change or termination of their jobs.

What are the data subjects' rights?

The DPA grants to data subjects the following rights with regard to their personal data, none of which are waivable in advance (cannot be limited by any act or convention):

Right to access

This is the right to request the following information from the person responsible for the database (controller and/or processor):

  • The data it holds,
  • Its source and recipients,
  • The purpose of the collection and storage of such data, and
  • Information about the individuals or entities to which the data is regularly transferred.

Right to rectification

This is the right to request the correction or amendment of the data from the person responsible for the database in the following cases:

  • In case the personal data is wrong, inaccurate, equivocal or incomplete, or
  • In case the data was provided voluntarily by the data subject, or
  • In case the data is used for commercial communications.

Right to deletion (erasure)

This is the right to request the deletion or cancellation of the data from the person responsible for the database in the following cases:

  • In case the personal data is stored with no legal basis or when it is outdated, or
  • In case the data was provided voluntarily by the data subject, or
  • In case the data is used for commercial communications.

Right to object (restriction)

This is the right to object to the processing of the data, including the restriction to processing the data in the following cases:

  • In case the personal data is wrong, inaccurate, equivocal or incomplete, or
  • In case the data was provided voluntarily by the data subject, or
  • In case the data is used for commercial communications.

All of the procedures associated with the aforementioned rights must be performed for free by the data responsible, and, in case the data subject requests so, the data responsible must provide a copy of the registry with the requested modifications.

If personal data was previously shared with determined or determinable individuals or entities, the data responsible must notify them about the amendment/deletion/objection/restriction as soon as possible. If it is not possible to determine the individuals or entities, the data responsible shall publish an announcement to notify anyone that may be processing the data.

The data responsible must respond to any request made by data subjects in connection with the exercise of the above rights within two business days. Lack of response within that term, or denial for any reason other than national security, allows data subjects to file a claim before an ordinary civil court, which may entail a fine of up to approximately USD $3,500 plus payment of damages if requested.

Exceptions: The above rights may not be exercised when their exercise (i) prevents or hinders due compliance with the inspection functions of a public entity, (ii) affects a duty of reserve or secrecy established in legal or regulatory provisions, (iii) affects the security of the Nation or the national interest, or (iv) when the law orders the personal data to be maintained or retained. Subject to these exceptions, any person can request information about his/her personal data stored by others.

Are there restrictions on cross-border data transfers?

The DPA does not regulate data transfer across country borders or international data sharing, so any international movement of personal data, including storage on servers abroad, is treated as ordinary data processing, and the general rules on legitimate processing apply (authorization either by law or by the explicit and written consent of the data subject, for a specific purpose, etc.).

Therefore, it is possible to transfer personal data from Chile to countries that have lower standards of protection than those established by our law. In the other direction, Chile is not included in the list of secure third countries for which the European Commission has confirmed a suitable level of data protection (adequacy decision), so, if any data is to be transferred to Chile from Europe, the intermediary must ensure that the personal data will be sufficiently protected by the recipient in Chile, according to European standards.

Are there any notification requirements for data breaches?

The relevant rules are the Commission for the Financial Market (“CMF”) Regulations on Cybersecurity, included in the CMF’s Compilation of Regulations, Chapter 20-8 on Information on Operational Incidents and Database of Cybersecurity Incidents and Chapter 1-13 on the Classification of Management and Solvency.

The following are the main provisions, seeking to raise security standards and obtain accurate and fast information about security breaches:

  • A strengthening of the current obligation of banks to report cybersecurity incidents to the CMF, including a 30-minute term to report the first information about any incident;
  • Banks and financial institutions are required to appoint an executive-level manager to establish permanent communication with CMF;
  • The handling of cybersecurity incidents by banks or financial institutions is considered a relevant factor to determine their evaluation and classification as financial institutions of higher or lesser rank; and
  • A more precise description of the kinds of incidents that must be reported to clients and to the banking industry, and of the specific information that clients and other banks must receive in such cases. This helps other banks avoid being harmed as well and prevents similar events.

Who is the privacy regulator?

There is no privacy regulator. It is expected that SERNAC will assume the role of regulator.

What are the consequences of a privacy breach?

The person or entity in charge of the database must safeguard the information with due care and will be responsible for damages caused by any privacy breach. The individual affected by a breach may start legal actions at an ordinary civil court, claiming compensation for monetary and moral damages in addition to the modification, blocking or deletion of data and other measures aimed at the protection of data privacy rights.

How is electronic marketing regulated?

According to a recent amendment of the CPA, the right to the protection of personal data is considered a consumer´s right when related to a consumer relationship.

Electronic commerce must be conducted in accordance with the principles of privacy and protection of personal data of the persons who visit and buy on the website. For this purpose, their valid consent must be requested for the use, storage and processing of their data.

Privacy policy: the policy must specify the purpose for which the collected personal information will be used and who will have access to it, and the consumer’s consent to use the data for that specific purpose must be obtained. A Cookies Policy must be included too.

Site security: the website must have the necessary technical features to provide security and confidentiality for the personal and financial data provided by consumers, guarding against events such as unauthorized alteration or transfer of that data, unauthorized disclosure, and interception or malicious access by third parties. These security measures are mainly related to redirection to secure sites under the “HTTPS” cryptographic protocol, verification of the padlock symbol in the web browser, and not using confusing security images, among others. In the case of financial data, this refers to online payments and the security conditions necessary for their safeguarding (PCI-DSS).

Unsolicited commercial or marketing communications (via email): must always contain a valid email address to which the recipient can request the suspension of further communications (an opt-out system). From the moment the recipient requests the suspension of further emails sent to the account, any communication or unsolicited email shall be considered as forbidden by law.

Are there any recent developments or expected reforms?

The Chilean government has introduced a Privacy and Data Protection Bill (“Bill”) that includes OECD data protection standards, including the creation of a data protection agency. The proposed new regulation follows GDPR principles in many ways.

Main provisions about legitimate processing of data:

  • Requirements of valid consent: consent must be free, informed and specific as to its purpose or purposes. It must be expressed unequivocally, by means of a verbal or written statement, through an equivalent electronic means, or by an affirmative act that clearly reflects the will of the data subject. Consent will not be considered a sufficient legal basis for the validity of the data processing when there is an obvious imbalance between the position of the data subject and that of the data controller.
  • Data collected from a public access source: when the data has been collected from a public access source and its processing is related to the purposes for which it was delivered or collected. This also applies to sensitive data when the data subject made the information available to the public (e.g. by giving an interview in the media).
  • New lawful grounds to process personal data: (i) when the data processing is necessary for the execution or fulfillment of a legal obligation or as provided by law; (ii) when the data processing is necessary for the execution of a contract between the data subject and the data controller, or for the execution of pre-contractual measures adopted at the request of the data subject; (iii) when the processing is necessary for the satisfaction of the legitimate interests of the data controller, provided that the rights and freedoms of the data subject are not affected; and (iv) when the processing is necessary to protect the life or health of the data subject.

Geolocation data: The processing of personal geolocation data may be carried out under the same general grounds of legality that apply to all personal data. The data subject must be informed in a clear, sufficient and timely manner of the type of geolocation data that will be processed, the purpose and duration of the processing, and whether the data will be communicated or transferred to a third party for the provision of a value-added service.

Cross-border data transfers: The Bill includes rules for data transfer operations both nationally and internationally. The main criterion used in the Bill is that the transfer of personal data out of the national borders may be made only if the destination country has adequate standards of security and quality.

Security: The Bill creates an independent agency for the protection of personal data with powers to punish and impose high fines. It establishes a duty to report to the Personal Data Agency, by the most expeditious means possible and without undue delay, any security breach that has caused the destruction, leakage, loss, or accidental or unlawful alteration of the personal data processed, or the unauthorized communication of or access to that data. When such breaches involve sensitive data, the data controller must also inform the data subjects of the breach. This communication must be made in clear and simple language, specifying the data affected, the possible consequences of the security breach and the measures adopted to avoid further damage. The notification must be made to each data subject and, if this is not possible, through the publication of a notice in mass media with nationwide reach.
