Data Law 21.719 / Data Protection Agency

Personal Data Protection Agency

New supervisory authority created by Law 21.719, with broad enforcement, investigation and sanctioning powers to ensure effective compliance with the personal data protection regulatory framework in Chile.

Decentralized Public Service

With legal personality and own assets under presidential supervision

Data Protection Agency

Decentralized public service with technical and budgetary autonomy. Functions of supervision, enforcement and sanctioning of compliance with Law 21.719.

The Agency adopts a functional independence model that allows it to exercise its powers without external interference, guaranteeing objectivity and impartiality in its administrative and sanctioning decisions.

Its organizational structure includes specialized units in enforcement, investigation, conflict resolution and international cooperation, allowing a comprehensive response to data protection challenges in Chile.

Agency Powers and Authorities

Enforcement Powers

Power of direct inspection of facilities, systems and documentation of data controllers and processors, including access to records and databases.

→ Scheduled and complaint-based inspections
→ Access to computer systems
→ Request for information and documents

Sanctioning Power

Authority to impose administrative sanctions for violations of Law 21.719, including fines, warnings and specific corrective measures.

→ Fines up to 2% of annual revenue
→ Processing cessation orders
→ Specific corrective measures

Regulatory Functions

Authority to issue general instructions, technical guidelines and interpretative pronouncements to clarify the scope and application of data protection regulations.

→ Mandatory general instructions
→ Sectoral best practice guidelines
→ Interpretative pronouncements

Rights Protection

Competence to hear and resolve complaints from data subjects regarding violations of their rights, acting as an alternative dispute resolution instance.

→ Claims for exercise of rights
→ Mediation between subjects and controllers
→ Specific compliance orders

International Cooperation

Authority to establish cooperation mechanisms with foreign authorities and international organizations to facilitate cross-border compliance and information exchange.

→ Bilateral cooperation agreements
→ Participation in international networks
→ Regulatory information exchange

Educational Function

Competence to develop training, awareness and dissemination programs for data protection culture for both organizations and citizens.

→ Sectoral training programs
→ Citizen awareness campaigns
→ Certifications and quality seals

Administrative Procedures

The Agency carries out its functions through structured administrative procedures that guarantee due process and proportionality in its decisions, respecting the principles of Chilean administrative law.

Complaint or Detection

Initiation of the procedure by complaint from data subjects, Agency's own detection or third-party communication about possible violations of data protection regulations.

Preliminary Investigation

Initial assessment of the reported facts, collection of background information and determination of the appropriateness of initiating a formal sanctioning administrative procedure.

File Instruction

Development of the administrative investigation with information requests, inspections, hearings and technical-legal analysis of the relevant facts and circumstances.

Charge Formulation

Preparation and notification of charges to the alleged offender, granting time to present defenses and exercise the right to defense through relevant allegations and evidence.

Final Resolution

Issuance of reasoned resolution that acquits or sanctions the investigated party, determining the applicable sanction and specific corrective measures for regulatory compliance.

Remedies and Compliance

Possibility of filing administrative and judicial remedies against the resolution, monitoring compliance with sanctions and corrective measures imposed by the Agency.

Key Procedural Timelines

72h

Security breach notification

15d

Time for defense submissions

180d

Maximum procedure duration

30d

Time to file appeals

Frequently asked questions

What is Chile's Data Protection Agency?

It is the autonomous public body created by Law 21.719 with its own legal personality and budget. Its role is to enforce compliance with the new data-protection regime, issue technical regulation and decide complaints by data subjects and sanctioning procedures against controllers and processors.

When does the Agency become operational?

Law 21.719 sets a 24-month vacatio legis from its publication (December 2024). The Agency operates fully from December 2026, with a Board appointed through Chile's senior public-management system. Until then, Law 19.628 and its earlier regime remain in force.

What sanctioning powers does the Agency have?

It applies tiered fines: minor breaches up to 5,000 UTM, serious up to 10,000 UTM and very serious up to 20,000 UTM. For repeated very serious breaches it can order temporary suspension of processing. Sanctions are imposed after due administrative process with right of defence.

Who can the Agency supervise?

Any natural or legal person, public or private, processing personal data of subjects in Chile. Supervision can be initiated ex officio or on complaint, and covers both controllers and processors.

How is a complaint filed with the Agency?

By electronic submission identifying the controller, the facts, the rights infringed and the relief sought. The Agency notifies the controller, conducts the procedure and issues a reasoned resolution. Resolutions can be challenged judicially under general rules.

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

Schedule ConsultationMeet the Team→