Personal data protection

Data Protection Officer (DPO)

Central figure in the new data governance scheme under Law 21.719, with specific functions of supervision, advisory and point of contact with the Personal Data Protection Agency.

Mitigating Circumstance
DPO appointment constitutes demonstration of due diligence

Is appointing a DPO mandatory in Chile?

No. Article 50 of Law 19.628, as amended by Law 21.719, states that the controller "may" appoint a data protection officer: it is voluntary and there is no infringement for not appointing one. It becomes required upon adopting the Article 49 infringement prevention model, whose first element is that appointment, certifiable by the Agency and recognized as a mitigating circumstance (Article 36 No. 5).

With Law 21.719, data protection stops being a paper annex that is signed and forgotten: the law demands proactive accountability, and the DPO is the axis that makes it demonstrable. This hub explains the role and links the deeper guides: what the DPO does in practice, why it must be autonomous, and whether to run it in-house or as a service.

Main DPO Functions

These are the officer's main functions within the organization.

Compliance Supervision

Continuous monitoring of compliance with Law 21.719 and associated regulations, including internal audits and evaluation of implemented protection measures.

Staff Training

Development and implementation of training and awareness programs for personnel involved in personal data processing.

Impact Assessments

Facilitation and supervision of Data Protection Impact Assessments (DPIA) for high-risk processing.

Point of Contact

Acting as the main point of contact with the Data Protection Agency and handling inquiries from data subjects.

Specialized Advisory

Provision of technical and legal advice on data protection matters, including analysis of new processing and technologies.

Records Management

Maintenance of the Record of Processing Activities (RoPA) and documentation of implemented compliance measures.

With the functions clear, the next question is how the appointment fits into the company and what it is worth.

External DPO Implementation Models

External Data Protection Officer services combine specialized legal expertise with sectoral technical knowledge, providing structural independence and economies of scale for organizations of various sizes.

Core Services (Retainer)

Continuous monitoring, permanent advisory, point of contact management and staff training.

Strategic Services (Project-Based)

Incident response, DPIA, DPA contracts, specialized policies and international transfers.

Multidisciplinary Team

Specialist lawyers, technical consultants and sector experts with international experience.

Technology Platform

Specialized tools for RoPA management, request tracking and executive reporting.

Specialized Service Structures

External DPO models are typically structured in complementary modalities: continuous supervision through monthly retainers and project-based services for highly complex technical requirements.

Information about DPO Models

Advantages of External vs. Internal DPO

What the appointment translates into for the organization.

Structural Independence

  • Greater objectivity in assessments
  • Absence of internal conflicts of interest
  • Unconditioned critical capacity

Specialization and Experience

  • Multi-sector expertise
  • Knowledge of best practices
  • Continuous regulatory updates

Economic Efficiency

  • Lower cost than full-time DPO
  • Access to multidisciplinary team
  • Professional insurance coverage included

Frequently asked questions

Short answers to the most frequent questions about the officer.

Is appointing a DPO mandatory in Chile?

No. Article 50 of Law 19.628, as amended by Law 21.719, states that the data controller may appoint a data protection officer: it is a voluntary decision, and the law contemplates no infringement for not appointing one. The appointment becomes required when the company adopts the infringement prevention model of Article 49, whose first element is precisely that appointment.

What is a Data Protection Officer (DPO)?

The person appointed by the controller's highest directive or administrative authority to watch over personal data protection within the organization (Article 50, Law 19.628). The DPO must have autonomy from management in matters governed by the law, meet suitability, capability and specific-knowledge requirements, and serves as the contact point for data subjects. The DPO is bound by strict secrecy over the data they learn.

Who can take the role?

An internal or external person meeting suitability, capability and specific-knowledge requirements (Article 50). In micro, small and medium companies, the owner or top authorities may personally assume the tasks. A corporate group may appoint a single DPO if all its entities operate under the same standards and the DPO is accessible to all of them. The DPO may hold other functions, provided they create no conflict of interest.

What are the DPO's functions?

Article 50 assigns informing and advising the controller, processors and staff; promoting and participating in the data processing policy; supervising compliance with the law and that policy; ensuring ongoing training of personnel; assisting in identifying processing risks and their measures; and developing an annual work plan with accountability.

What does the company gain by appointing a DPO?

The appointment is the first element of the Article 49 infringement prevention model. That model, certified by the Agency, lists the company in the National Registry of Sanctions and Compliance (Article 51) and evidences the diligent compliance the law recognizes as a mitigating circumstance (Article 36 No. 5). Before the Agency and data subjects, it is the verifiable signal of data governance.

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.