Data Protection Officer (DPO)
Central figure in the new data governance scheme under Law 21.719, with specific functions of supervision, advisory and point of contact with the Personal Data Protection Agency.
Is appointing a DPO mandatory in Chile?
No. Article 50 of Law 19.628, as amended by Law 21.719, states that the controller "may" appoint a data protection officer: it is voluntary and there is no infringement for not appointing one. It becomes required upon adopting the Article 49 infringement prevention model, whose first element is that appointment, certifiable by the Agency and recognized as a mitigating circumstance (Article 36 No. 5).
With Law 21.719, data protection stops being a paper annex that is signed and forgotten: the law demands proactive accountability, and the DPO is the axis that makes it demonstrable. This hub explains the role and links the deeper guides: what the DPO does in practice, why it must be autonomous, and whether to run it in-house or as a service.
Main DPO Functions
These are the officer's main functions within the organization.
Compliance Supervision
Continuous monitoring of compliance with Law 21.719 and associated regulations, including internal audits and evaluation of implemented protection measures.
Staff Training
Development and implementation of training and awareness programs for personnel involved in personal data processing.
Impact Assessments
Facilitation and supervision of Data Protection Impact Assessments (DPIA) for high-risk processing.
Point of Contact
Acting as the main point of contact with the Data Protection Agency and handling inquiries from data subjects.
Specialized Advisory
Provision of technical and legal advice on data protection matters, including analysis of new processing and technologies.
Records Management
Maintenance of the Record of Processing Activities (RoPA) and documentation of implemented compliance measures.
With the functions clear, the next question is how the appointment fits into the company and what it is worth.
External DPO Implementation Models
External Data Protection Officer services combine specialized legal expertise with sectoral technical knowledge, providing structural independence and economies of scale for organizations of various sizes.
Core Services (Retainer)
Continuous monitoring, permanent advisory, point of contact management and staff training.
Strategic Services (Project-Based)
Incident response, DPIA, DPA contracts, specialized policies and international transfers.
Multidisciplinary Team
Specialist lawyers, technical consultants and sector experts with international experience.
Technology Platform
Specialized tools for RoPA management, request tracking and executive reporting.
Specialized Service Structures
External DPO models are typically structured in complementary modalities: continuous supervision through monthly retainers and project-based services for highly complex technical requirements.
Information about DPO ModelsAdvantages of External vs. Internal DPO
What the appointment translates into for the organization.
Structural Independence
- Greater objectivity in assessments
- Absence of internal conflicts of interest
- Unconditioned critical capacity
Specialization and Experience
- Multi-sector expertise
- Knowledge of best practices
- Continuous regulatory updates
Economic Efficiency
- Lower cost than full-time DPO
- Access to multidisciplinary team
- Professional insurance coverage included
Frequently asked questions
Short answers to the most frequent questions about the officer.
Is appointing a DPO mandatory in Chile?
No. Article 50 of Law 19.628, as amended by Law 21.719, states that the data controller may appoint a data protection officer: it is a voluntary decision, and the law contemplates no infringement for not appointing one. The appointment becomes required when the company adopts the infringement prevention model of Article 49, whose first element is precisely that appointment.
What is a Data Protection Officer (DPO)?
The person appointed by the controller's highest directive or administrative authority to watch over personal data protection within the organization (Article 50, Law 19.628). The DPO must have autonomy from management in matters governed by the law, meet suitability, capability and specific-knowledge requirements, and serves as the contact point for data subjects. The DPO is bound by strict secrecy over the data they learn.
Who can take the role?
An internal or external person meeting suitability, capability and specific-knowledge requirements (Article 50). In micro, small and medium companies, the owner or top authorities may personally assume the tasks. A corporate group may appoint a single DPO if all its entities operate under the same standards and the DPO is accessible to all of them. The DPO may hold other functions, provided they create no conflict of interest.
What are the DPO's functions?
Article 50 assigns informing and advising the controller, processors and staff; promoting and participating in the data processing policy; supervising compliance with the law and that policy; ensuring ongoing training of personnel; assisting in identifying processing risks and their measures; and developing an annual work plan with accountability.
What does the company gain by appointing a DPO?
The appointment is the first element of the Article 49 infringement prevention model. That model, certified by the Agency, lists the company in the National Registry of Sanctions and Compliance (Article 51) and evidences the diligent compliance the law recognizes as a mitigating circumstance (Article 36 No. 5). Before the Agency and data subjects, it is the verifiable signal of data governance.
Related services
Explore complementary practice areas and regulatory analysis from our team.
In-house or outsourced DPO?
The hard-to-assemble hybrid profile, its costs and the DPO-as-a-Service model.
What the DPO does
The ten concrete functions of the officer under Law 21.719.
Autonomy and independence
Why the DPO cannot be judge and party, and the conflicts of interest it manages (Article 50).
Data Law diagnosis
Your company’s gaps against Law 21.719: processing activities, lawful bases and duties.
Law 21.719 Data Protection
The framework enforceable from December 1, 2026: principles, rights, duties and sanctions.
Impact assessment
When the law requires an impact assessment and how it is carried out.
Breach notification
Who to report a security breach to and when (Article 14 sexies).
Data subject rights
Access, rectification, erasure, objection and portability: how they are exercised and answered.
Board liability
The company faces fines up to 20,000 UTM; the board answers on its duty of care.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business