What happens if your company is not ready for the Data Law by December 1, 2026?

On that date the amendments of Law 21.719 to Law 19.628 become enforceable and the Personal Data Protection Agency can sanction. The question worth answering is which of your current data operations would already fall within an infringement category.

The short answer

Law 21.719 enters into force on December 1, 2026. From that date, the Personal Data Protection Agency can impose fines of up to 5,000 UTM for minor infringements, 10,000 UTM for serious ones and 20,000 UTM for very serious ones (Article 35, Law 19.628). There is no grace period.

The fine is not the whole exposure. Sanctions are recorded in a public registry (Article 39), civil liability toward data subjects runs separately (Article 34), and repeat infringements escalate the amounts. The company that prepares in time also gains something concrete: the law rewards it with express mitigating circumstances (Article 36).

Where the date comes from

Law 21.719 was published in the Official Gazette on December 13, 2024. Its first transitional article sets the entry into force of the amendments to Law 19.628 for the first day of the twenty-fourth month after publication: December 1, 2026. The same law ordered the enforcement apparatus to be ready in advance: the regulations within six months of publication, and the Board of the Agency appointed six months before entry into force (second and fourth transitional articles).

The infringements enforceable from that date

Article 34 of Law 19.628 classifies infringements as minor, serious and very serious, and Articles 34 bis to 34 quáter list them. These are not exotic scenarios: several describe routine practices in companies that never adapted their data operations.

Minor: up to 5,000 UTM

Formal duties

Written reprimand or fine. They include failing the duty of information and transparency (Article 14 ter), lacking an updated and working contact channel for data subjects, and answering rights requests late or incompletely (Article 34 bis).

Serious: up to 10,000 UTM

Processing without legal basis

They include processing personal data without consent or another lawful basis, or for a different purpose; disclosing data without consent where it is required; and hindering the exercise of access, rectification, erasure, objection or portability rights (Article 34 ter).

Very serious: up to 20,000 UTM

Knowing or fraudulent conduct

They include fraudulent processing; knowingly processing or disclosing sensitive data or children’s data against the law; deliberately omitting the notification of security breaches; and knowingly unlawful international data transfers (Article 34 quáter).

The caps are not the ceiling in every case. If the company does not remedy the causes within sixty days, the fine increases by 50%. Recidivism allows the Agency to apply up to three times the amount and, for companies above the small-business threshold of Law 20.416, up to 2% or 4% of annual revenue for repeated serious or very serious infringements (Article 35). The full regime is covered in sanctions and fines under Law 21.719.

The cost that does not appear in the fine

Article 39 of Law 19.628 creates the National Registry of Sanctions and Compliance: public, free to access and electronic. A sanction does not stay between the company and the Agency; it becomes verifiable by clients, banks, insurers and counterparties in due diligence. And Article 34 makes explicit that administrative liability runs without prejudice to civil or criminal liability toward the affected data subjects.

What the law grants to those who prepare

Article 36 lists express mitigating circumstances: unilateral remediation, cooperation with the Agency, absence of prior sanctions, self-reporting, and diligent compliance with data supervision duties evidenced by certification. That certification comes from the infringement prevention model of Article 49: a voluntary compliance program that requires, among other elements, designating a data protection officer. The Agency certifies it and lists certified entities in the public registry (Article 51).

The logic mirrors what Law 20.393 does in criminal matters: the program is voluntary, its effects are not. The company that documents prevention before the infringement occurs litigates from a different position than the one that improvises afterwards.

What must be operating by December 1

  • An inventory of data processing activities, each with an identified lawful basis: consent (Article 12) or one of the other sources of lawfulness (Article 13). How to choose between them is covered in consent or legitimate interest.
  • Procedures and deadlines to answer access, rectification, erasure, objection and portability requests from data subjects.
  • The duty of information and transparency covered: privacy policy available and a working contact channel (Article 14 ter).
  • Security measures proportional to the processing (Article 14 quinquies) and a protocol to report breaches to the Agency without undue delay (Article 14 sexies).
  • Contracts in force with data processors that set instructions, purposes and security measures.
  • A documented decision on designating a data protection officer and adopting the Article 49 prevention model.

Where does your company stand today?

The Data Law diagnosis contrasts your current data processing against the obligations enforceable from December 1, 2026 and delivers a gap list prioritized by infringement category.

Request the Data Law diagnosis

Frequently asked questions

When does Law 21.719 enter into force?

On December 1, 2026. The law was published in the Official Gazette on December 13, 2024, and its first transitional article sets the entry into force of the amendments to Law 19.628 for the first day of the twenty-fourth month after publication.

Is there a grace period or an extension?

No. The transitional provisions of Law 21.719 contemplate no grace period. On the contrary, they order enforcement to be ready in advance: the regulations had to be issued within six months of publication, and the Board of the Agency is appointed six months before entry into force (second and fourth transitional articles).

What are the maximum fines?

Up to 5,000 UTM for minor infringements, up to 10,000 UTM for serious ones and up to 20,000 UTM for very serious ones (Article 35, Law 19.628). If the company does not remedy the causes within sixty days, the fine increases by 50%. Recidivism allows up to three times the amount and, for companies above the small-business threshold, up to 2% or 4% of annual revenue.

Does the law also apply to SMEs?

Yes. Article 33 reaches every data controller, whether a natural or legal person, public or private. The law recognizes size differences in dosage: the Agency must set differentiated standards considering smaller companies (Article 14 septies), and revenue-percentage fines only apply to larger companies.

Is the infringement prevention model mandatory?

No, it is voluntary (Article 49). Its effects are not: diligent compliance evidenced by the Agency’s certification is a mitigating circumstance (Article 36 No. 5), and certified entities are listed in the National Registry of Sanctions and Compliance, a public registry (Articles 39 and 51).

Official sources

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.