Web Analytics

Articles

Chile is moving towards economic diversification with a new Data Protection Law

By: Samuel Hammer

December 17, 2024

The OECD recommends that Chile diversify its economy. In other words, it proposes that the country expand its primary area, which historically has been natural resources -in particular, copper-to other activities. According to experts, Chile must change its approach and stop being a mere exporter of raw materials to implement a model that prioritizes knowledge and technology.

In this context, during this year and after seven years of processing, the Chilean Congress recently approved the new Personal Data Protection Law, which has been in force since December 13. The law is based on the recommendation of the OECD, which advises striking a balance between the protection of privacy and the transfer of data given the accelerated exchange of information we are immersed in. Thus, the new law updates the current regulation, considering the General Data Protection Regulation of the European Union as an example.

Therefore, the new law seeks to achieve equilibrium and balance economic, legal, and political perspectives, establishing a regulatory framework that protects people’s rights in processing their personal data without hindering the free flow of information.

The text defines that any processing of personal data carried out by an individual or legal person, including public bodies, must respect the rights and freedoms of individuals and shall be subject to the provisions of this law.

Among the guiding principles, the law considers that data may only be processed lawfully and fairly, must be collected for specified, explicit, and lawful purposes, and must be strictly limited to those that are necessary, adequate, and relevant to the purposes of the processing.

Among the changes of the new law, we can highlight the following novelties:

  • Rights of the holders. In the old Law 19.628, some rights were briefly regulated. However, the new law expressly and in detail enshrines a series of rights. In particular, Article 4 of the draft law provides that every person, acting by themselves or through their legal representative or agent, as appropriate, has the right to access, rectify, delete, oppose, portability, and block their personal data. It is indicated that such rights are personal, non-transferable, and non-waivable and cannot be limited by any act or convention.
  • Obligation of the data controller. In turn, the new law states that the data controller has a series of obligations, among which are to inform and make available to the owner the background information that proves the lawfulness of the data processing it carries out, to ensure that personal data are collected from lawful sources for specific, explicit and lawful purposes and that their processing is limited to the fulfillment of these purposes; duty of secrecy or confidentiality; duty to adopt security measures; duty to report to the Agency any breaches of the security measures, among others.
  • Creation of the Personal Data Protection Agency. It will be an autonomous corporation of a technical, decentralized nature under public law, with legal personality and its own assets. The Agency will be made up of three full-time directors, appointed by the president and ratified by the Senate, and will aim to ensure the adequate protection of the rights that guarantee the private life of people and their personal data. In addition, it will monitor compliance with its provisions and may even establish sanctions against offenders. The Agency will have, among others, the following attributions: to determine infringements and non-compliances of data controllers or data processors; to resolve requests and claims made by data owners; to certify, register, and supervise the infringement prevention models and compliance programs and to manage the National Registry of Sanctions and Compliance.
  • Sanctions stated in the new law. The law differentiates between minor, grave, and very grave infringements, establishing fines for tax benefits of up to 20.000 UTM (close to 1.3 million euros). It is important to note that, in cases of recidivism, the infringement can triple the base amount. Even if fines were imposed for repeated very grave infringements, within a period of twenty-four months, the Agency could order the suspension of the data processing operations and activities carried out by the data controller for a period of up to 30 days.
  • Creation of the National Registry of Sanctions and Compliance. The National Registry of Sanctions and Compliance will be of free access and administered electronically by the Personal Data Protection Agency. It will report sanctioned entities, indicating the seriousness of the infraction, the sanctioned conduct, mitigating and aggravating circumstances, and the sanction imposed. The entry will be kept for five years.

Logically, the new Personal Data Protection Law does not in any way represent a guarantee that Chile will reach the economic indices of developed countries, whose economy is focused on innovation and development. However, with the entry into force of the law in question, minimum standards will be raised, and our country will be inviting public and private entities to trust national regulation as a guarantor of the adequate protection of personal data, which, over the years, could turn Chile into a country that not only depends economically on its quality as a mining exporter but is also characterized as a focus of attraction for R&D around the world.

Contact us
This site is registered on wpml.org as a development site.