International Data Transfers
Regulatory framework for cross-border personal data transfers under Law 21.719, establishing specific protection mechanisms to ensure continuity of protection level outside Chilean territory.
International Transfers
Transfers require guarantees of equivalent protection in the destination country. Law 21.719 establishes hierarchical mechanisms: adequacy decisions, appropriate safeguards, and specific exceptions.
This page walks through the mechanisms that enable a transfer, the order in which to assess them, and the sector-specific considerations.
Transfer mechanisms
The mechanisms below are the routes available to enable an international transfer. Each card summarizes one and the kind of operation it fits.
Adequacy Decisions
Official recognition by the Data Protection Agency that a third country offers a level of protection essentially equivalent to Chilean standards.
- Comprehensive legal framework assessment
- Analysis of supervisory authorities
- Periodic review of conditions
Standard Contractual Clauses
Model contracts approved by the Agency establishing specific obligations for data importers, guaranteeing equivalent protection through contractual commitments.
- Data importer obligations
- Third-party beneficiary rights
- Effective remedy mechanisms
Binding Corporate Rules (BCR)
Internal policies of multinational corporate groups establishing uniform data protection standards applicable to all entities within the corporate group.
- Application to entire corporate structure
- Agency approval
- Internal compliance mechanisms
Certifications and Codes of Conduct
Sector-specific certification programs and approved codes of conduct demonstrating compliance with specific data protection standards in transfers.
- Specific sector certifications
- Industry codes of conduct
- Supervision by accredited bodies
Update 2025: the model clauses are already approved
Until recently, the standard-clauses route depended on the Agency issuing local models. That changed at the end of 2025.
On 19 December 2025 the Diario Oficial published the resolution of the Undersecretariat of Economy (Resolución Exenta RAEX202503748, of 11 December 2025) approving model contractual clauses for the international transfer of personal data. Based on the models of the Ibero-American Data Protection Network (RIPD), they are the standard enabling mechanism for transfers to countries not yet declared to have an adequate level of protection.
They apply from publication and on a transitional basis, until the Data Protection Agency exercises the power of Article 28 of Law 21.719 to approve its own clauses or other mechanisms. Their adoption by the Ministry of Economy, before the Agency is operational, has drawn debate over the competence to issue them, so they are worth adopting while checking their fit with each operation.
With the mechanisms in view, the next step is to order the assessment of each transfer.
Transfer Assessment Process
Determining the appropriate mechanism for each international transfer requires systematic analysis considering multiple specific legal, technical, and operational factors.
- 1. Identification of Destination Country
Precise determination of the data-receiving jurisdiction, considering not only the importer's country of establishment, but also possible sub-transfers and location of servers or processing centers.
- 2. Adequacy Decision Verification
Consultation of the official registry of countries with valid adequacy decisions. If one exists, the transfer may proceed without additional safeguards, subject to the specific conditions of the decision.
- 3. Alternative Mechanisms Evaluation
In the absence of an adequacy decision, analysis of the applicability of standard contractual clauses, BCR, certifications, or codes of conduct according to the specific characteristics of the transfer.
- 4. Complementary Risk Analysis
Additional assessment of factors such as the destination country's legal framework, government access powers, judicial independence, and existence of effective remedies for data subjects.
- 5. Implementation and Documentation
Formalization of the selected mechanism through appropriate documentation, inclusion in the Record of Processing Activities, and establishment of ongoing compliance monitoring procedures.
Special Considerations by Sector
How the above lands depends on the sector. These are some common cases.
Financial Services
Additional banking regulation and AML/CFT
Healthcare
Special protection of sensitive data
Cloud Computing
Data localization and government access
Telecommunications
Lawful interception and digital sovereignty
Frequently asked questions
Common questions about international data transfers.
What are international transfers of personal data under Law 21.719?
They are data communications to recipients located outside Chile. The law requires a legal basis and safeguards equivalent to the Chilean standard: adequate level of protection in the receiving country, standard contractual clauses, binding corporate rules or specific Agency authorisation.
Which countries have an adequate level of protection?
The Agency publishes the official list of countries and international organisations with adequate protection. Until determined, alternative safeguards apply. Countries with a GDPR-equivalent regime and those with specific treaties are expected to be recognised as adequate.
What are standard contractual clauses (SCCs)?
Model contracts that operate as a sufficient safeguard between data exporter and importer, with obligations, subject rights and control mechanisms. Since December 2025 the Ministry of Economy approved model contractual clauses based on the Ibero-American Data Protection Network (RIPD) models, applying on a transitional basis until the Agency exercises its power under Article 28 of Law 21.719. They are now the standard enabling mechanism for transfers to countries not yet declared adequate.
What are Binding Corporate Rules (BCRs)?
Binding internal policies of a multinational group that guarantee equivalent protection across subsidiaries. They require Agency approval. Useful for recurrent intra-group transfers and reduce transactional contractual burden.
What happens if transfers occur without adequate safeguards?
It is a serious or very serious breach of Law 21.719 with fines up to 20,000 UTM. The Agency may order suspension of transfers and demand return or deletion of the data. In regulated sectors additional sectoral sanctions may accumulate.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business