
Law 21.719 Data Protection Chile

Law 21.719 is the new Chilean personal data protection law, published on December 13, 2024. It replaces the regime of Law 19.628 and introduces a regulatory architecture aligned with international standards such as the GDPR, with specific obligations for security, transparency and demonstrable accountability for organizations that process personal data in Chile.

Key Changes

  • Mandatory Legal Basis: all processing requires specific legal grounds.
  • Enforceable Rights: data subjects can exercise rights through formal procedures.
  • Breach Notification: 72 hours to notify incidents to the authority.
  • Sanctioning Regime: fines up to 20,000 UTM for violations.

Fundamental Principles

Eight binding principles requiring implementation through verifiable controls

Lawfulness

Requires a valid legal basis and documentation to prove it. The controller must demonstrate compliance (accountability).

Purpose

Determined, explicit and lawful purposes. Further processing is limited to these declared purposes.

Security

Technical and organizational measures appropriate to the risk. Breach notification within 72 hours.

Regulatory Structure

The law organizes compliance obligations around guiding principles, data subject rights, and specific duties of the data controller.

Fundamental Principles

The law establishes eight principles governing personal data processing. These principles operate as verifiable obligations that the controller must implement and document.


Data Subject Rights

The law recognizes specific rights enforceable through formal procedures. The controller must respond within established timeframes.


Controller Obligations

The controller must comply with specific obligations: clear information, activity records, security measures and breach notification.


Data Protection Officer

Article 50 establishes the obligation to appoint a DPO for certain controllers. The DPO oversees compliance and acts as a point of contact.


Data Subject Rights

Rights enforceable through formal procedures. Response deadline: 15 business days.

Access

Obtain confirmation about processing and access processed data.

Rectification

Correct inaccurate data or update incomplete information.

Erasure

Delete data when the purpose ceases or consent is withdrawn.

Portability

Receive data in structured format for transfer to another controller.

Automated Decisions

Limit decisions based exclusively on automated processing.

Implementation Timeline

The law establishes a gradual implementation period. The Data Protection Agency will begin its functions in December 2026, when the enforcement and sanctions regime will come into force.

DEC 2024

Enactment of the Law

Official publication of Law 21.719 in the Official Gazette on December 13, 2024.

2025

Transition Period

Preparation phase and development of complementary regulations by the authority.

DEC 2026

Full Entry into Force

Complete enforcement of Law 21.719 and operation of the Data Protection Agency.

Key Figures of the New Legislation

Relevant data for implementing data protection regulations

  • 24 months: implementation period until December 2026.
  • 8 principles: guiding principles of data processing.
  • 7 rights: strengthened data subject rights.
  • 2026: effective date, the year of full entry into force.

Obligations, deadlines and sanctions

Compliance with Law 21.719 is structured around the controller's material obligations, tight legal deadlines and a sanctions regime scaled by severity.

Main obligations

  • Identify valid legal bases for each processing activity and document traceability (lawfulness and accountability).
  • Keep an up-to-date Record of Processing Activities (ROPA) available to the Agency.
  • Appoint a Data Protection Officer in the cases covered by Article 47, including public bodies and large-scale or sensitive processing.
  • Implement technical and organizational measures appropriate to the risk, consistent with the security principle.
  • Sign data processing agreements (DPA) with processors regulating instructions, confidentiality and security.

Key deadlines

  • 15 business days to respond to data subject rights requests (access, rectification, deletion, opposition, portability).
  • 72 hours to notify the Agency of security breaches that pose a risk to data subjects.
  • December 1, 2026: full entry into force and effective operation of the sanctions regime.

Sanctions

  • Minor infringements: fines up to 5,000 UTM.
  • Serious infringements: fines up to 10,000 UTM, including failure to appoint a DPO where required.
  • Very serious infringements: fines up to 20,000 UTM, plus corrective measures and publication of the sanction.

Frequently asked questions

What is Law 21.719?

It is the new Chilean personal data protection law, published on December 13, 2024. It replaces the regime of Law 19.628 and introduces a regulatory architecture aligned with international standards such as the General Data Protection Regulation.

When does Law 21.719 enter into force?

The Law contemplates a 24-month vacancy period, so its full entry into force occurs on December 1, 2026. During the interim period, organizations must adapt processes and appoint Data Protection Officers where applicable.

What rights does it recognize for data subjects?

Access, rectification, deletion, opposition, portability and restriction of processing. Controllers must respond to requests within legal deadlines and keep records of evidence.

What is the Data Protection Officer (DPO)?

It is the figure responsible for supervising compliance within the organization, advising management and serving as the point of contact with the Agency. Its appointment is mandatory for public sector controllers and for organizations carrying out large-scale processing.

What sanctions does the law contemplate?

Fines that scale according to severity up to 20,000 UTM for very serious infringements. The Personal Data Protection Agency is the supervisory authority, with power to impose corrective measures and sanctions.

What obligations does the data controller have?

Principles of lawfulness, purpose, quality and security; duty to inform the data subject; maintenance of processing activity records; impact assessments where applicable; breach notification to the Agency; and DPO appointment in the cases provided for.

© 2025 AnguitaOsorio, all rights reserved.