International Data Transfers

Regulatory framework for cross-border personal data transfers under Law 21.719, establishing specific protection mechanisms to ensure that the level of protection is maintained outside Chilean territory.

International Transfers

Transfers require guarantees of equivalent protection in the destination country. Law 21.719 establishes hierarchical mechanisms: adequacy decisions, appropriate safeguards, and specific exceptions.

Adequacy Decisions

Official recognition by the Data Protection Agency that a third country offers a level of protection essentially equivalent to Chilean standards.

  • Comprehensive legal framework assessment
  • Analysis of supervisory authorities
  • Periodic review of conditions

Standard Contractual Clauses

Model contracts approved by the Agency establishing specific obligations for data importers, guaranteeing equivalent protection through contractual commitments.

  • Data importer obligations
  • Third-party beneficiary rights
  • Effective remedy mechanisms

Binding Corporate Rules (BCR)

Internal policies of multinational corporate groups establishing uniform data protection standards applicable to all entities within the corporate group.

  • Application to entire corporate structure
  • Agency approval
  • Internal compliance mechanisms

Certifications and Codes of Conduct

Sector-specific certification programs and approved codes of conduct demonstrating compliance with specific data protection standards in transfers.

  • Specific sector certifications
  • Industry codes of conduct
  • Supervision by accredited bodies

Transfer Assessment Process

Determining the appropriate mechanism for each international transfer requires systematic analysis considering multiple specific legal, technical, and operational factors.

1. Identification of Destination Country

Precise determination of the data-receiving jurisdiction, considering not only the importer's country of establishment, but also possible sub-transfers and location of servers or processing centers.

2. Adequacy Decision Verification

Consultation of the official registry of countries with valid adequacy decisions. If one exists, the transfer may proceed without additional safeguards, subject to the specific conditions of the decision.

3. Alternative Mechanisms Evaluation

In the absence of an adequacy decision, analysis of the applicability of standard contractual clauses, BCR, certifications, or codes of conduct according to the specific characteristics of the transfer.

4. Complementary Risk Analysis

Additional assessment of factors such as the destination country's legal framework, government access powers, judicial independence, and existence of effective remedies for data subjects.

5. Implementation and Documentation

Formalization of the selected mechanism through appropriate documentation, inclusion in the Record of Processing Activities, and establishment of ongoing compliance monitoring procedures.

Special Considerations by Sector

  • Financial Services: Additional banking regulation and AML/CFT
  • Healthcare: Special protection of sensitive data
  • Cloud Computing: Data localization and government access
  • Telecommunications: Lawful interception and digital sovereignty

Frequently asked questions

What are international transfers of personal data under Law 21.719?

They are data communications to recipients located outside Chile. The law requires a legal basis and safeguards equivalent to the Chilean standard: an adequate level of protection in the receiving country, standard contractual clauses, binding corporate rules, or specific Agency authorisation.

Which countries have an adequate level of protection?

The Agency publishes the official list of countries and international organisations with adequate protection. Until the Agency makes that determination, alternative safeguards apply. Countries with a GDPR-equivalent regime and those with specific treaties are expected to be recognised as adequate.

What are standard contractual clauses (SCCs)?

Model contracts that the Agency may approve as a sufficient safeguard between data exporter and importer. They include obligations, data subject rights, and control mechanisms. Until the Agency approves its own clauses, European SCCs are a common technical reference but not automatic regulatory equivalents.

What are Binding Corporate Rules (BCRs)?

Binding internal policies of a multinational group that guarantee equivalent protection across subsidiaries. They require Agency approval. They are useful for recurrent intra-group transfers and reduce the transactional contractual burden.

What happens if transfers occur without adequate safeguards?

It is a serious or very serious breach of Law 21.719, with fines of up to 20,000 UTM. The Agency may order the suspension of transfers and demand the return or deletion of the data. In regulated sectors, additional sectoral sanctions may accumulate.

© 2025 AnguitaOsorio, all rights reserved.