Is the Board Liable for Breaching the Data Protection Law?

Not in the way many assume. Law 21.719 fines the company, not the director in person. But a fine of up to 20,000 UTM and a public listing are damage to the company, and answering for that damage is a board duty. The distinction is the whole point.

This page separates two things that get merged in board conversations: who the Data Protection Law actually sanctions, and why the exposure still reaches the directors. It covers the administrative regime and its figures, the governance duty that sits above it, the proactive-accountability standard the company is measured against, and how a board evidences its diligence. It closes with the questions directors ask most.

Who answers, and on what plane

The law sanctions the company as data controller. The board answers on a separate, corporate-governance plane. Confusing the two leads either to false calm or to misplaced alarm.

The company (data controller)

Bears the administrative liability: fines from the Data Protection Agency and registration in the sanctions registry. This is the direct sanction the law creates, and it lands on the entity, not on the individual who sits on the board.

The board (governance duty)

Does not receive the administrative fine, but owes the duty of care of Article 41 of Law 18.046. If the company is fined for a compliance failure the board neither demanded nor supervised, the exposure is internal civil liability and reputation, not a personal administrative penalty.

To weigh the governance duty, it helps to see the size of the sanction that falls on the company.

The administrative regime

The reform graduates infringements and attaches figures that make data compliance a board-level financial matter, not an IT footnote.

Art. 34 ter

Graduated infringements

Infringements are classified as minor, serious and very serious, each with its own sanction band. The category depends on the duty breached and the harm to data subjects.

Art. 35

Fines up to 20,000 UTM

Very serious infringements reach up to 20,000 UTM. For a repeat or systemic failure, the figure is material on any balance sheet and squarely a governance concern.

Registry

Public sanctions record

Sanctions are entered in a public registry. The reputational effect on clients, counterparties and the market often outlasts the fine itself.

Administrative liability is not the ceiling either. Depending on how the incident occurred, the same event can cross into criminal law.

When the incident is also a computer crime

A data breach and a computer crime are not the same case, but they often share the same facts. Where they overlap, the exposure stops being only the company's.

When a data incident involves unlawful access, interception, or an attack on the integrity of data or systems, it is no longer only an administrative matter under Law 21.719: it can be a computer crime under Law 21.459. Since Law 21.595, those offenses count as second-category economic crimes when committed within a company or for its benefit, and they belong to the catalog of Law 20.393. The consequence is direct: the same event can expose the individuals who ran or allowed it to personal criminal liability, and the company to corporate criminal liability, on top of the Agency\'s fine. The corporate criminal exposure to cyber incidents develops this track, and it connects the data question back to the personal liability of managers and directors.

What turns both the company sanction and this criminal exposure into a board question is the standard the law uses to judge compliance.

Proactive accountability and the duty of care

The reform does not only ask the company to comply; it asks it to prove that it complies. That standard is what binds the board.

Under proactive accountability, the absence of policies, records and verifiable measures is read as non-compliance before the Agency. Article 41 of Law 18.046, in turn, requires directors to exercise the care and diligence people ordinarily apply to their own affairs. Put together, a board that let a known deadline pass without demanding a data-compliance program cannot later claim the failure was purely operational: the standard for its own diligence was set by the same law that fines the company.

How the board evidences diligence

The law names the very tools a board should demand, and adopting them operates in the company's favor.

  • A data protection officer with real independence and resources (Article 50). See the DPO role.
  • An infringement-prevention model (Article 51), whose adoption the law recognizes as a mitigating factor.
  • A documented gap assessment against the law before it becomes enforceable, so diligence is provable, not asserted. This is the point of a data-law diagnosis.

The same question, under the other laws

The exposure of those who run the company repeats across regimes, with different rules each time. The same question arises for managers and directors under the Economic Crimes Law and for the employer under the Ley Karin.

Can your board prove its diligence?

The difference between a fine and a defensible position is documented evidence of compliance built before the law is enforced. The data-law diagnosis maps your processing against Law 21.719 and delivers the prioritized program a board can point to.

Request a data-law diagnosis

Frequently asked questions

Does Law 21.719 impose criminal liability on directors?

No. The regime of Law 21.719, which amends Law 19.628, is administrative: it sanctions the data controller, that is the company, with fines from the Data Protection Agency. It does not create an offense or a personal fine for the director. The board's exposure is indirect and of a different order: it is a corporate-governance duty.

How large are the fines and who do they apply to?

Infringements are classified as minor, serious and very serious (Article 34 ter), and very serious ones can reach 20,000 UTM (Article 35). They apply to the company as data controller. On top of the fine sits registration in the sanctions registry, a reputational effect the law itself contemplates.

So why should the board be concerned?

Because a fine of that size and a public registration are damage to the company, and Article 41 of Law 18.046 requires directors to administer with the care and diligence of a sound administrator. Neglecting data compliance, with the law's entry into force long known, is precisely the kind of omission that compromises that duty toward the company and its shareholders.

What is proactive accountability and why does it matter here?

It is the principle that the controller must not only comply but be able to demonstrate compliance, through policies, records and verifiable measures. It shifts the burden to the company: before the Agency, the absence of evidence reads as non-compliance. For the board, it is the standard against which its diligence will be measured.

How is governance diligence evidenced?

With the tools the law itself recognizes: a data protection officer (Article 50) and an infringement-prevention model (Article 51), whose adoption operates as a mitigating factor. A board that demands, resources and supervises these pieces turns a possible fine into a case of provable diligence rather than omission.

Can a data breach amount to a crime?

Yes, depending on how it happens. If it involves unlawful access, interception or an attack on the integrity of data or systems, it can be a computer crime under Law 21.459, separate from the administrative infringement of Law 21.719. Since Law 21.595 those offenses are second-category economic crimes within the catalog of Law 20.393, exposing both individuals and the company to criminal liability, on top of the Agency's fine.

Official sources

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.