Do I Have to Report a Data Breach? To Whom and When?
Yes. The controller must report breaches to the Data Protection Agency without undue delay, and to the affected people when sensitive, minors' or financial data are involved. Not reporting is itself an infraction, and the clock starts when you learn of the breach, not when you finish investigating it.
This page answers the operational questions a breach forces at once: the duty and its standard, who must be told and what the notice contains, what happens if you stay silent, when the incident is also a crime, and how to be ready so the deadline is manageable. It closes with the questions that come up in the first hour of an incident.
The duty and its standard
The obligation is not to investigate first and report later. It is to report promptly, on a standard the law states in words, not in hours.
Article 14 sexies of Law 19.628, as amended by Law 21.719, requires the controller to report breaches of security measures to the Agency by the most expedient means possible and without undue delay. It is a conduct standard, not a fixed clock, and it is demanding precisely because it is open: the reasonable time is measured from awareness of the breach, and a slow or hesitant response is hard to justify after the fact.
The first decision inside that window is who has to be told.
Who is notified
The Agency is always notified. Whether the affected people must also be told depends on the nature of the compromised data.
The Agency, always
Every breach of security measures is reported to the Data Protection Agency, by the most expedient means and without undue delay. This duty does not depend on how many records were affected; it depends on the breach having occurred.
The data subjects, when it matters most
The controller must also communicate to the affected people when the breach involves sensitive data, data of children and adolescents, or data on economic, financial, banking or commercial obligations, precisely the categories where harm to the person is greatest.
Staying silent is not a neutral option; it is a separate breach of its own.
The cost of not reporting
The failure to notify is sanctioned in its own right, and the exposure does not always stop at the administrative plane.
A fineable infraction
Not reporting a notifiable breach is sanctionable within the Article 35 regime, with fines up to 20,000 UTM for very serious infringements. See sanctions and fines.
When the breach is a crime
If it involves unlawful access or an attack on data or systems, it can be a computer crime under Law 21.459. See corporate criminal exposure to cyber incidents.
A board matter
The handling of the breach falls within the board\'s duty of care. See board liability under the Data Protection Law.
None of this is manageable in real time without preparation done in advance.
Being ready before it happens
The report standard is only reachable if the security and response groundwork already exists.
- Security measures appropriate to the risk, as required by Article 14 quinquies, so breaches are detected rather than discovered late.
- An incident-response plan that names who decides, how severity is assessed and what is communicated, so the notification is a step, not an improvisation.
- A prior gap assessment against the law, so the duty is understood before it is triggered. That is the point of a data-law diagnosis.
Could your company report in time?
The "without undue delay" standard is unforgiving to companies that improvise. The data-law diagnosis reviews your security duties and response plan against Law 21.719 and leaves the notification path defined before an incident tests it.
Request a data-law diagnosisFrequently asked questions
Who must be notified of a data breach?
Always the Data Protection Agency. In addition, the affected data subjects when the breach involves sensitive data, data of children and adolescents, or data on economic, financial, banking or commercial obligations. Notice to the Agency is the general rule; notice to data subjects depends on the nature of the data compromised (Article 14 sexies).
Within what deadline must it be reported?
The law sets no exact number of hours: it requires reporting by the most expedient means possible and without undue delay (Article 14 sexies). In practice, that standard requires a response capability already in place, because the clock starts when the company becomes aware of the breach, not when it finishes investigating it.
What happens if I do not notify?
Failing to report a breach that should have been communicated is an infraction in itself, sanctionable by the Agency within the regime of Article 35, with fines scaling up to 20,000 UTM for very serious infringements. On top of that administrative exposure comes the reputational aggravation of the omission surfacing through another channel.
Can a data breach also be a crime?
Yes. If the breach stems from unlawful access, interception or an attack on the integrity of data or systems, the event can be a computer crime under Law 21.459, with criminal liability for individuals and, through Law 21.595 and the catalog of Law 20.393, for the company. The administrative report and the criminal response are handled in parallel.
How is the standard met without improvising?
With the security measures appropriate to the risk required by Article 14 quinquies and an incident-response plan defined before it is needed: who decides, how severity is assessed, what is communicated and to whom. Without that plan, the duty to report without undue delay is very hard to meet in the moment.
Official sources
- Law 19.628 as amended by Law 21.719, Articles 14 quinquies (security measures), 14 sexies (breach reporting) and 35 (fines): BCN/LeyChile
- Law 21.719 on the Protection of Personal Data (reform and entry into force): BCN/LeyChile
- Law 21.459 on Computer Crimes (when the breach is also an offense): BCN/LeyChile
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business