Data Protection & Cybersecurity

Last verified on Monday 18th December 2017

Chile

Claudio Magliona, Nicolás Yuraszeck and Carlos Araya
García Magliona & Cía Abogados
  1. Is there any provision in your country’s law for privacy and data protection?

     Yes, Chile has a legal framework for privacy and data protection.

  2. Has your country adopted a general legal framework for the protection of personal data?

     The legal framework for privacy and data protection can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees the respect and protection of the privacy and honour of the person and his or her family at a constitutional level. In addition, Chile has a dedicated data protection law, Law No. 19,628 on Privacy Protection, which was published in the Official Gazette on 28 August 1999 (the Law). The Law regulates the automatic and non-automatic processing of personal data by government or private entities in data registries or banks.

  3. Has your country adopted a general legal framework on cybersecurity matters?

     In 1993 Chile implemented Law 19.223 on Cybercrime, with four provisions; however, this law is now obsolete, which has been the subject of criticism. On 21 April, Chile deposited the instrument of accession to the Budapest Convention on Cybercrime. Accession to this international instrument is a commitment of both the government of Chile and the National Policy on Cybersecurity. It will allow Chile to be part of a faster and more efficient system of international cooperation, receiving assistance in the development of national capabilities to face threats in cyberspace in the best way possible. On 1 August 2017, Chile became the 54th signatory to the Treaty and the first in South America. In addition, this will mean the modification of several internal laws in order to adapt them to the provisions of the Treaty. Currently, the Ministry of the Interior is preparing a bill to implement the already approved Convention into domestic legislation.

  4. How does the law of your jurisdiction define personal data? Can the definition extend to data relating to businesses?

     According to the Law, personal data is defined as any information relating to an identified or identifiable individual. The aforesaid definition cannot be extended to data relating to businesses; it covers only identified or identifiable individuals.

  5. Does your country’s data protection legal framework distinguish between sensitive and non-sensitive data?

     Yes. According to the Law, sensitive data is personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or psychic health and sex life. Non-sensitive data is personal data that is not encompassed by the definition of sensitive data.

  6. Identify the basic principles in force in your country for the processing of personal data. Is there a general limitation for the processing of personal data?

     One of the main principles established in the Law is the Finality Principle. The Law expressly provides that personal data must be used only for the purposes for which it has been collected, and those purposes must be permitted by the Chilean legal system. In all cases, the information must be exact, up to date and truthfully reflect the real situation of the data subject. There are two exceptions to the aforesaid principle: when the data has been collected from sources available to the public, and when the individual has given his or her express consent to the data processing. Other implied principles in data processing are the authorisation of the data subject and data accuracy. There are a few limitations for the processing of personal data:

     • personal data must be eliminated or cancelled when there are no legal grounds for their storage or when the data have expired;
     • personal data must be modified when they are erroneous, inexact, equivocal or incomplete; and
     • personal data shall be blocked if their accuracy cannot be established or their validity is doubtful and their cancellation is not appropriate.

     In addition, government agencies that process personal data on sentences for felonies, administrative infractions or disciplinary failures may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served. Finally, financial data may not be processed in the following cases:

     • five years after the respective obligation became enforceable;
     • in the case of debts incurred during a period of unemployment;
     • in the case of data relating to obligations that have been paid or extinguished by other legal means; and
     • in the case of debts for electricity, water, telephone, gas and highways.

  7. Do special data protection rules apply to certain industries, such as financial services, healthcare and telecommunications? Is the processing of personal data on the internet specifically provided for?

     Regarding financial data, it may not be processed in the following cases:

     • five years after the respective obligation became enforceable;
     • in the case of debts incurred during a period of unemployment;
     • in the case of data relating to obligations that have been paid or extinguished by other legal means; and
     • in the case of debts for electricity, water, telephone, gas and highways.

     Conditions of physical or psychic health are considered sensitive data. Sensitive data may not be processed unless it is necessary for the determination or granting of health benefits. Doctors’ prescriptions, laboratory analyses or exams and services related to health are confidential. Their content can only be revealed or copied with the express consent of the patient, granted in writing. Whoever improperly discloses their content may be punished with a high financial penalty. The foregoing does not prevent pharmacies from publishing, for statistical purposes, the sales of pharmaceutical products of any nature, including the name and amount thereof. In no case shall the information provided by the pharmacies state the names of the patients who present the prescriptions, the names of the medical doctors that issued them, or any data that serves to identify them. Finally, there are no special provisions regarding the processing of personal data on the internet; hence the general rules apply.

  8. Are there specific rules for the processing of personal data of minors?

     Currently, there are no provisions regarding the processing of personal data of minors. Hence, the general rules apply, ie, it is necessary to comply with the provisions contained in the Law, especially those regarding the authorisation or consent of the individual, the finality principle and the duty to inform about the potential communication of the data to the public. Since the data subject is a minor, the authorisation of the parents will be required.

  9. What are the sanctions and remedies for non-compliance with data protection and cybersecurity laws? Is there criminal liability for non-compliance with the data protection and cybersecurity laws?

     Breaches of data protection caused by improper processing of data may lead to fines determined by the Law (ranging from US$70 to US$700, and from US$700 to US$3500 if the breach concerns financial data). Fines are heard and determined in a summary procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts. There is no criminal liability for non-compliance with data protection. Regarding cybersecurity, as previously stated, Law No. 19.223, which established criminal liability for the actions described therein, is obsolete.

  10. Does your jurisdiction have an independent authority (or authorities) with responsibility for regulating data protection and cybersecurity? What are the enforcement powers of the authorities?

      No, Chile has no independent authority with responsibility for regulating data protection and cybersecurity.

  11. Is notification or registration required before collecting, processing and transferring personal data?

      No, notification or registration is not required before collecting, processing and transferring personal data.

  12. What are the main obligations applicable to data controllers to process personal data?

      The Law defines the person responsible for the data registry or bank as the private legal entity or individual, or government agency, that has the authority to implement the decisions related to the processing of personal data. The main obligations of the person responsible for the data registry or bank relate to the grounds for data processing, which must meet the following requirements:

      • the processing of personal data is authorised by one of the three following means: the Law, another legal provision, or the specific consent of the subject of the personal data;
      • the rights granted by the Law to the subject of the personal data are observed;
      • the purpose of the personal data processing is permitted by the Chilean legal system;
      • the full exercise of the fundamental rights of the subjects of personal data is respected; and
      • the authorisation granted by the subject for the processing of his or her personal data must be stated in writing, and the subject must be informed about the purpose of the storage and its possible communication to the public.

      Finally, the person responsible for the personal data bank shall proceed to delete, modify or block data, when appropriate, without prior request by the subject.

  13. Is there a specific regime applicable to the processing of personal data on behalf of third parties?

      Currently, the Law has no special regime applicable to the processing of personal data on behalf of third parties. The only provision on the matter concerns processing of personal data carried out through voluntary representation, to which the general rules apply. The power shall be granted in writing, and the conditions of use of the data shall be specifically stated for the record. The representative shall respect those stipulations.

  14. Is the informed consent of the data subjects required before processing personal data? Are there lawful ways to process personal data without consent?

      Yes. Such consent must be obtained in writing, and the person providing the data must be informed about the purpose of the storage of his or her personal data and whether the data will be communicated to the public or not. This authorisation, like any other, may be obtained by electronic means. The aforesaid consent is not required when:

      • the personal data originates from or is gathered from sources available to the public and such data is: (i) of an economic, financial, banking or commercial nature; (ii) contained in listings relating to a class of persons and limited to indicating information such as the fact of belonging to such a group, the person’s profession or business activity, educational degrees, and address or date of birth; or (iii) necessary for direct response commercial communications or the direct sale of goods and services;
      • the personal data is processed by private legal entities for their exclusive use or the exclusive use of their associates and entities affiliated with them, for statistical or rate-setting purposes or other purposes of general benefit to the associates; and
      • the personal data is processed by government agencies within their scope of jurisdiction.

  15. What types of rights are granted in the law to data subjects over their information?

      The rights granted by the Law are the following:

      • right to information or access (the right to demand information about data about oneself, its origin and addressee, the purpose of the storage and the identification of the persons or agencies to which the data are regularly transmitted);
      • right of modification (if the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the subject shall have the right to have them amended);
      • right of blocking (the right to request the blocking of personal data when the subject has voluntarily provided his or her personal data, or the data are used for commercial communications, and the subject does not want to continue to appear in the respective registry, either definitively or temporarily);
      • right of cancellation or elimination (notwithstanding legal exceptions, the subject may also demand that the data be eliminated if their storage lacks legal grounds or if they have expired, and when the subject has voluntarily provided his or her personal data, or the data are used for commercial communications, and the subject does not want to continue appearing in the respective registry, either definitively or temporarily);
      • right to a free copy (the information, modification or elimination of personal data shall be absolutely free of charge, and a copy of the pertinent part of the registry that has been changed shall also be provided at the subject’s request; if new modifications or eliminations of data are made, the subject may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time he or she made use of this right);
      • right to notify third parties (if the cancelled or modified personal data have previously been communicated to specific or determinable persons, the person responsible for the data bank shall advise them as soon as possible of the operation that has taken place; if it is not possible to determine the persons who received a previous communication, the person responsible for the data bank shall publish a notice that can be seen generally by users accessing information in the data bank); and
      • right of opposition (the subject may oppose the use of his or her personal data for purposes of advertising, market research or opinion polls).

  16. What is the general regime for the transfer of personal data abroad? Is there a general restriction on the transfer of personal data out of your country? Is the notification of, and approval of the transfer by, the competent authority necessary?

      At present, the Law does not contain a specific provision in this respect. However, considering that the transfer of data is deemed data processing under the Law, it follows that it will require the authorisation of the subject of the personal data and compliance with the other requirements established by the Law, mentioned in question 12. Currently, since there is no specific provision in this regard, there is no restriction on the transfer of personal data out of Chile, except for those established for data processing. Finally, the notification of, and approval of the transfer by, the competent authority is not necessary, because in Chile there is no data protection authority.

  17. What data security requirements are imposed in relation to the processing of personal data?

      Regarding security requirements, the Law does not impose any specific security measures that data subjects and entities must take in relation to the processing of personal data. Instead, it provides that the person responsible for the registries or banks where personal data is stored after its collection shall manage them with due diligence, assuming responsibility for damages.

  18. Is there any legal requirement in your jurisdiction for a data processor to have a data protection officer (DPO)? What are the main roles or responsibilities of the DPO? Can the DPO incur criminal liability for acts and omissions?

      Currently, in Chile there is no data protection authority.

  19. Does your jurisdiction require notification to affected individuals or the authority in the event of a data security breach?

      No, the Law does not require notification to affected individuals or any authority in the event of a data security breach.

  20. Is there any national law, regulation or guidance on the use of cookies in general or the use of tracking technologies?

      No, there is no national law, regulation or guidance on the use of cookies in general or the use of tracking technologies. However, if the cookies gather personal data, their use may be deemed data processing; hence companies that place such cookies will require the consent of the data subject.

  21. Is there any national law, regulation or guidance regarding fintech and data protection and cybersecurity?

      No, currently there is no law, regulation or guidance regarding fintech companies and data protection and cybersecurity in Chile. Regulation of fintech is one of the main regulatory challenges of the Superintendency of Banks and Financial Institutions for the coming years, but until now there is no regulation on that matter.

  22. What requirements are imposed in your jurisdiction regarding “privacy by design”, “privacy by default” and privacy impact assessment?

      In our jurisdiction there are no requirements imposed regarding “privacy by design” or “privacy by default”; only the general requirements for data processing apply.

  23. What requirements are imposed in your jurisdiction on the sending of unsolicited electronic commercial communications?

      The Law covers electronic marketing in the sense of establishing that no authorisation is required for electronic marketing when the information comes from sources available to the public. In addition, Law No. 19,496 on the Protection of Consumer Rights contains a provision regarding marketing by email (also known as spam). In that case, every promotional or advertising communication sent by email must indicate its subject, the identity of the sender and a valid email address to which the recipient can request the suspension of the advertising communications, which will remain banned from then on. Providers of direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way in which the addressees may request the suspension thereof.

     
