1. Is there any provision in your country’s law for privacy and data protection?
Yes, Chile has a legal framework for privacy and data protection.
2. Is privacy or personal data protection a fundamental right in your country?
Yes, from June 2018 data protection is enshrined in our Constitution as a fundamental right that has to be respected and protected (article 19 No. 4). The Constitution adds: “The processing and protection of personal data shall be carried out in the manner and under the conditions laid down by law.”
3. Has your country adopted a general legal framework for the protection of personal data?
The legal framework for privacy and data protection can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees the respect and protection of the privacy and honour of the person and their family, as well as the protection of their personal data. At the constitutional level, the processing and protection of these data shall be carried out in the manner and under the conditions laid down by law. In addition, Chile has a dedicated data protection law, Law No. 19,628 on Privacy Protection, which was published in the Official Gazette on 28 August 1999 (the Law). The Law regulates the automatic and non-automatic processing of personal data by government or private entities in data registries or banks.
4. Has your country adopted a general legal framework on cybersecurity matters?
In 1993, Chile implemented Law 19.223 on Cybercrime, containing four provisions; however, this law is now obsolete, which has been the subject of criticism. In April 2017, Chile deposited the instrument of accession to the Budapest Convention on Cybercrime. In August 2017, Chile became the 54th signatory to the Treaty and the first in South America. In October 2018, the government introduced a bill in the Congress (Bill No. 12192-25) that establishes rules on computer crimes, repealing Law 19.223 and amending other legal bodies to bring them into line with the Budapest Convention. The bill is in its first constitutional stage of discussion in the Congress.
5. How does the law of your jurisdiction define personal data? Can the definition extend to data relating to businesses?
According to the Law, personal data is defined as any information relating to an identified or identifiable individual. The aforesaid definition cannot be extended to data relating to businesses; it applies only to identified or identifiable individuals.
6. Does your country’s data protection legal framework distinguish between sensitive and non-sensitive data?
Yes, according to the Law, sensitive data is personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or psychic health and sex life. Non-sensitive data is personal data that is not encompassed as sensitive data.
7. Identify the basic principles in force in your country for the processing of personal data. Is there a general limitation for the processing of personal data?
One of the main principles established in the Law is the Finality Principle. The Law expressly provides that personal data must be used only for the purposes for which it has been collected, and those purposes must be permitted by the Chilean legal system. In all cases, the information must be exact, up to date and truthfully reflect the real situation of the data subject. There are two exceptions to the aforesaid principle: when the data has been collected from sources available to the public, and when the individual has given his or her express consent to the data processing. Other implied principles in data processing are the authorisation of the data subject and data accuracy. There are a few limitations on the processing of personal data:
- personal data must be eliminated or cancelled when there are no legal grounds for their storage or when the data have expired;
- personal data must be modified when they are erroneous, inexact, equivocal or incomplete; and
- personal data shall be blocked if their accuracy cannot be established or their validity is doubtful and their cancellation is not appropriate.
In addition, government agencies that process personal data on sentences for felonies, administrative infractions or disciplinary failures may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served. Finally, financial data may not be processed in the following cases:
- after five years since the respective obligation was enforceable;
- in the case of debts incurred during a period of unemployment;
- in the case of data relating to obligations that have been paid or extinguished by other legal means; and
- in the case of debts of electricity, water, telephone, gas and highways.
8. Do special data protection rules apply to certain industries, such as financial services, healthcare and telecommunications? Is the processing of personal data on the internet specifically provided for?
Regarding financial data, such data may not be processed in the following cases:
- after five years since the respective obligation was enforceable;
- in the case of debts incurred during a period of unemployment;
- in the case of data relating to obligations that have been paid or extinguished by other legal means; and
- in the case of debts of electricity, water, telephone, gas and highways.
Conditions of physical or psychic health are considered sensitive data. Such sensitive data may not be processed unless it is necessary for the determination or granting of health benefits. Doctors’ prescriptions, laboratory analyses or exams, and services related to health are confidential. Their content can only be revealed or copied with the express consent of the patient, granted in writing. Whoever discloses their content improperly may be punished with a high financial penalty. The foregoing does not prevent drug stores from publishing, for statistical purposes, the sales of pharmaceutical products of any nature, including the name and amount thereof. In no case shall the information provided by the pharmacies state the names of the patients who present the prescriptions, the names of the medical doctors who issued them, or any data that serves to identify them. Finally, there are no special provisions regarding the processing of personal data on the internet, hence the general rules apply.
9. Are there specific rules for the processing of personal data of minors?
Currently, there are no provisions regarding the processing of personal data of minors. Hence, the general rules apply, ie, it is necessary to comply with the provisions contained in the Law, especially those regarding the authorisation or consent of the individual, the finality principle and the duty to inform about the potential communication of the data to the public. Since the data subject is a minor, the authorisation of the parents will be required.
10. What are the sanctions and remedies for non-compliance with data protection and cybersecurity laws? Is there criminal liability for non-compliance with the data protection and cybersecurity laws?
Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (ranging from US$70 to US$700 and US$700 to US$3,015). Fines are viewed and determined in a summary procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from willful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts. There is no criminal liability for non-compliance with data protection. Regarding cybersecurity, as previously stated, Law No. 19.223 established criminal liability for the actions described therein.
11. Does your jurisdiction have an independent authority (or authorities) with responsibility for regulating data protection and cybersecurity? What are the enforcement powers of the authorities?
No, Chile has no independent authority with responsibility for regulating data protection and cybersecurity. However, there is a bill in the Congress that seeks to amend the current Data Protection Law and create an Agency for Data Protection matters.
12. Is notification or registration required before collecting, processing and transferring personal data?
No, notification or registration is not required before collecting, processing and transferring personal data.
13. What are the main obligations applicable to data controllers to process personal data?
The Law defines the person responsible for the data registry or bank as the private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. The main obligations of the person responsible for the data registry or bank relate to the grounds for data processing, which must comply with the provisions contained in the Law, especially those regarding the authorisation or consent of the individual, the finality principle (personal data must be used only for the purposes for which they have been collected, and those purposes must be permitted by the Chilean legal system) and the duty to inform about the potential communication of the data to the public.
Personal data must be eliminated or cancelled when there are no legal grounds for their storage or when the data have expired. Personal data must be modified when they are erroneous, inexact, equivocal or incomplete. Personal data shall be blocked if their accuracy cannot be established or their validity is doubtful, and their cancellation is not appropriate. Finally, in those cases, the person responsible for the personal data bank shall proceed to delete, modify or block the data, when appropriate, without prior request by the subject.
14. Is there a specific regime applicable to the processing of personal data on behalf of third parties?
Currently, the Law has no special regime applicable to the processing of personal data on behalf of third parties. The only provision related to this matter covers the case where the processing of personal data is carried out by voluntary representation, to which the general rules apply. The power shall be granted in writing, and the conditions of use of the data shall be specifically stated for the record. The representative shall respect those stipulations.
15. Is the informed consent of the data subjects required before processing personal data? Are there lawful ways to process personal data without consent?
Yes, such consent must be obtained in writing, and the person providing the data must be informed about the purpose of the storage of his or her personal data and whether the data will be communicated to the public or not. This authorisation, like any other authorisation, can be obtained by electronic means. The aforesaid consent is not required when:
- the personal data is originated or is gathered from sources available to the public when such data is: (i) of an economic, financial, banking or commercial nature; (ii) contained in listings relating to a class of persons and is limited to indicating information such as the fact of belonging to such a group, the person’s profession or business activity, educational degrees and address or date of birth; or (iii) necessary for direct response commercial communications or direct sale of goods and services;
- the personal data is processed by private legal entities for their exclusive use or the exclusive use of their associates and entities that are affiliated with them, for statistical or rate-setting purposes or other purposes of general benefit for the associates; and
- the processing of personal data is carried out by government agencies within their scope of jurisdiction.
16. What types of rights are granted in the law to data subjects over their information?
Any person has the right to demand information on all personal data pertaining to him or her, the source of such data and recipients thereof, the purpose for which such data is stored and the identification of all persons and organisms to whom or which such data are transmitted regularly, from whoever is responsible for a data bank dealing publicly or privately in the processing of personal data.
In case any personal data is incorrect, inaccurate, misleading or incomplete and this is so proven, the data subject shall have the right to have such data modified accordingly, and may additionally demand that personal data referring to him or her be deleted whenever the storage thereof lacks any legal grounds, or such personal data has become obsolete.
The same demand for deletion or blocking of data, as applicable, may be made whenever persons have voluntarily provided their personal data, or said personal data is used for commercial communications and such persons do not wish that such data remains on the respective records and wish that it is removed therefrom either permanently or temporarily.
The information, modification or elimination of personal data shall be absolutely free of charge, and a copy of the pertinent part of the registry that has been changed shall also be provided at the subject’s request. If new modifications or elimination of data are made, the user may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time he or she made use of this right. The right to free copy may only be exercised personally.
If the cancelled or modified personal data have been communicated previously to specific or determinable persons, the person responsible for the data bank shall give them notice as soon as possible of the operation that has taken place. If it is not possible to determine the persons who have received a previous communication, then the person responsible for the data bank shall publish a notice that can be made known generally to users of information of the data bank.
17. What is the general regime for the transfer of personal data abroad? Is there a general restriction on the transfer of personal data out of your country? Is the notification of, and approval of the transfer by, the competent authority necessary?
At present, the Law does not contain a specific provision in this respect. However, considering that the transfer of data is deemed to be data processing according to the Law, it follows that it will require the authorisation of the data subject and compliance with the other requirements established by the Law, mentioned in question 12. Currently, since there is no specific provision in this regard, there is no restriction on the transfer of personal data out of Chile, except those established for data processing. Finally, the notification of, and approval of the transfer by, the competent authority is not necessary because in Chile there is no data protection authority.
18. What data security requirements are imposed in relation to the processing of personal data?
Regarding security requirements, the Law does not impose any specific security measures that data subjects and entities must take in relation to the processing of personal data. Instead, it provides that the person responsible for the registries or banks where personal data is stored after its collection shall manage them with due diligence, assuming responsibility for damages.
19. Is there any legal requirement in your jurisdiction for a data processor to have a data protection officer (DPO)? What are the main roles or responsibilities of the DPO? Can the DPO incur criminal liability for acts and omissions?
Currently, in Chile there is no data protection authority.
20. Does your jurisdiction require notification to affected individuals or the authority in the event of data security breach?
No, the Law does not require notification to affected individuals or any authority in the event of a data security breach.
22. Is there any national law, regulation or guidance regarding financial technology companies, data protection and cybersecurity?
No, currently there is no law, regulation or guidance regarding fintech companies and data protection and cybersecurity in Chile. Regulation of fintech is one of the main regulatory challenges of the Financial Market Commission for the coming years, but to date there has been no regulation in that matter.
23. What requirements are imposed in your jurisdiction regarding "privacy by design", "privacy by default" and privacy impact assessment?
In our jurisdiction there are no requirements imposed regarding “privacy by design” or “privacy by default”, only general requirements for data processing apply.
24. What requirements are imposed in your jurisdiction on the sending of unsolicited electronic commercial communications?
The Law covers electronic marketing in the sense of establishing that no authorisation is required for electronic marketing when the information comes from sources available to the public. In addition, Law No. 19,496 on the Protection of Consumer Rights contains a provision regarding marketing by email (also known as spam). In that case, every promotional or advertising communication sent by email must indicate the subject, the identification of the sender and a valid email address to which the recipient can request the suspension of the advertising communications, which will remain banned from then on. Providers of direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate the most efficient way the addressees may request the suspension thereof.
25. Do any specific requirements apply in your country to cloud computing?
In December 2017, the Superintendency of Banks and Financial Institutions (now the Financial Market Commission) issued a new set of rules with regard to cloud computing for financial services. This new set of rules is part of Chapter 20-7 of the SBIF (the Chapter). The Chapter is the first legal statute that defines cloud computing in Chile, as “a model of service provision, configurable on demand, for the provision of services associated with information technologies through networks, based on technical mechanisms such as virtualisation, under different approaches or supply strategies”. In addition, it distinguishes between a private and a public cloud, understanding as "private" the cloud infrastructure provided for the exclusive use of an entity, comprising multiple users (for example, commercial units), which may be owned, administered and operated by the same institution, by a third party or by a combination of both, and which can be located either inside or outside the contractor's premises. Meanwhile, the "public cloud" comprises the cloud infrastructure provided for the use of several entities, which belongs to a provider of this service, is managed and operated by it, and is located in the provider's facilities. Among the requirements of the Chapter are the following: (i) for purposes of contracting any type of service through the cloud modality, the board of directors of the entity must make an annual statement on the risk tolerance that it is willing to assume in this type of outsourcing; (ii) notwithstanding the proper compliance with the different requirements contained in Chapter 20-7, financial institutions may outsource public or private cloud services for non-critical services; and (iii) specific requirements apply to the cloud service provider (certifications of the cloud service provider, safety mechanisms of the cloud service provider, etc).
26. Does your country provide for protection of personal data under the control of government agencies?
Yes. The Law contains special provisions with regard to personal data under the control of government agencies. According to the Law, personal data processing by a government agency may only be carried out for matters within its scope of jurisdiction, subject to the aforesaid rules. In those conditions, the consent of the subject shall not be necessary. Government agencies that process personal data about sentences for felonies, administrative infractions or disciplinary failures may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served. The Service of Civil Registration and Identification shall keep a record of the personal data banks managed by government agencies.
27. Does your country allow the right to access data under the control of government agencies?
Yes, unless the right to access data under the control of government agencies would prevent or hinder proper compliance with the supervisory functions of the government agency concerned, or would affect the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation, or the national interest. In addition, Law No. 20.285 (Access to Public Information) contains provisions with regard to the grounds of secrecy or reservation by virtue of which access to information may be totally or partially denied by government agencies.
28. Does your country provide for self-regulation?
There is no legal provision with regard to self-regulation, but the Law does not prohibit self-regulation by companies. Companies may develop their own policies and procedures regarding personal data and cybersecurity. The only limit on such procedures is respect for the current legal framework for data protection and cybersecurity.