Enactment of the Law
Official publication of Law 21.719 in the Official Gazette on December 13, 2024.
Home / Data Protection /Law 21.719
Law 21.719 on Personal Data Protection
The new data protection law establishes compliance standards aligned with international regulations. It introduces specific obligations for security, transparency and demonstrable accountability for organizations that process personal data in Chile.
Key Changes
Mandatory Legal Basis
All processing requires specific legal grounds
Enforceable Rights
Data subjects can exercise rights through formal procedures
Breach Notification
72 hours to notify incidents to the authority
Sanctioning Regime
Fines up to 20,000 UTM for violations
Fundamental Principles
Eight binding principles requiring implementation through verifiable controls
Lawfulness
Requires valid legal basis and documentation to prove it. The controller must demonstrate compliance (accountability).
Purpose
Determined, explicit and lawful purposes. Further processing is limited to these declared purposes.
Security
Technical and organizational measures appropriate to the risk. Breach notification within 72 hours.
Regulatory Structure
The law organizes compliance obligations around guiding principles, data subject rights, and specific duties of the data controller.
Fundamental Principles
The law establishes eight principles governing personal data processing. These principles operate as verifiable obligations that the controller must implement and document.
Detailed analysis of each principleData Subject Rights
The law recognizes specific rights enforceable through formal procedures. The controller must respond within established timeframes.
Rights fulfillment proceduresController Obligations
The controller must comply with specific obligations: clear information, activity records, security measures and breach notification.
Detailed obligationsData Protection Officer
Article 50 establishes the obligation to appoint a DPO for certain controllers. The DPO oversees compliance and acts as a point of contact.
DPO requirements and functionsData Subject Rights
Rights enforceable through formal procedures. Response deadline: 15 business days.
Access
Obtain confirmation about processing and access processed data.
Rectification
Correct inaccurate data or update incomplete information.
Erasure
Delete data when the purpose ceases or consent is withdrawn.
Portability
Receive data in structured format for transfer to another controller.
Automated Decisions
Limit decisions based exclusively on automated processing.
Implementation Timeline
The law establishes a gradual implementation period. The Data Protection Agency will begin its functions in December 2026, when the enforcement and sanctions regime will come into force.
DEC 2024
2025
Transition Period
Preparation phase and development of complementary regulations by the authority.
DEC 2026
Full Entry into Force
Complete enforcement of Law 21.719 and operation of the Data Protection Agency.
Key Figures of the New Legislation
Relevant data for implementing data protection regulations
24
Months
Implementation period until December 2026
8
Principles
Guiding principles of data processing
7
Rights
Strengthened data subject rights
2026
Effective Date
Year of full entry into force
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business
Schedule ConsultationMeet the Team→
