Personal Data Protection Law
On August 27, Congress sent to the executive branch the Law that establishes a new framework for the treatment of Personal Data, modifying the current Law No. 19,628 on the protection of private life.
Along with changing the name to “On the protection of Personal Data”, the Law incorporates various modifications to the current regulatory body as indicated below:
1. Modification of article 1 of the Law and creation of article 1 bis
After its modification, the new article 1 establishes the meaning and scope of the Law, indicating that all processing of personal data must respect the rights and freedoms of individuals, and will be subject to the provisions of this law.
Likewise, article 1 bis will establish the territorial scope of application of the Law, setting out the circumstances under which its provisions will apply to the processing of personal data.
2. Modification of Article 2 of the Law. Definitions.
The Law modifies the following concepts of the current article 2: a) Data storage; c) Communication of personal data; f) Personal data; g) Sensitive personal data; i) Publicly accessible sources.
In addition, the Law eliminates the following concepts: j) Modification of data; l) Data dissociation procedure; m) Registry or database; n) Person responsible for the registry or database; ñ) Owner of the data; o) Data processing. It replaces them with the following: k) Anonymization; l) Pseudonymization; m) Personal database; n) Person responsible for data; ñ) Owner of data or holder; o) Data processing.
Finally, the Law introduces the following concepts: p) Consent; q) Right of access; r) Right of rectification; s) Right of deletion; t) Right to object; u) Right to the portability of personal data; v) Transfer of personal data; w) Profiling; x) Third party agent or person in charge; y) Agency; z) National Registry of Sanctions and Compliance.
3. Replacement of Article 3 of the Law. Principles.
The new Law modifies the current Article 3, replacing it entirely with a new one that incorporates the principles that govern the processing of personal data. These principles are: a) Principles of legality and loyalty; b) Principle of purpose; c) Principle of proportionality; d) Principle of quality; e) Principle of responsibility; f) Principle of security; g) Principle of transparency and information; h) Principle of confidentiality.
4. Replacement of Title I of the Law: On the rights of the holder of personal data
The new Law replaced the current “Title I On the use of personal data” with the following: “Title I On the rights of the holder of personal data”.
The new Title regulates the rights of access, rectification, deletion, opposition, portability and blocking of personal data.
In addition, the new Law regulates the form and means by which the data holder may exercise his or her rights and the procedure before the data controller.
5. Replacement of Title II of the Law: On the processing of personal data and special categories of data
The new Law replaced the current “Title II On the rights of data holders” with the following: “Title II On the processing of personal data and special categories of data”. This new title is made up of three paragraphs:
5.1 First Paragraph: Consent of the owner, obligations and duties of the person responsible and data processing in general.
The Law states that, as a general rule, personal data may be processed when there is consent from the owner. In addition to the above, it indicates the cases in which it will not be necessary to have the consent of the owner to process their data.
Also, the first paragraph lists the obligations of the data controller in relation to the data of the owners:
a) Inform and make available to the owner the background information that proves the lawfulness of the data processing that is carried out. Likewise, the owner must promptly deliver said information when requested.
b) Ensure that personal data is collected from lawful sources of access for specific, explicit and lawful purposes, and that its processing is limited to the fulfillment of these purposes.
c) Communicate or transfer, in accordance with the provisions of this law, accurate, complete and current information.
d) Delete or anonymize the owner's personal data when it was obtained for the execution of pre-contractual measures.
e) Comply with the other duties, principles and obligations that govern the processing of personal data provided for in this law.
In addition, the Law indicates the following duties of the data controller: i) Duty of confidentiality; ii) Duty of information or transparency; iii) Duty of protection by design and by default; iv) Duty to adopt security measures; v) Duty to report breaches of security measures; vi) Differentiation of compliance standards.
Finally, the Law regulates the transfer of personal data.
5.2 Second Paragraph: On the processing of sensitive personal data.
The Law establishes that, as a general rule, sensitive personal data may only be processed with the express consent of the owner, except in certain exceptional cases in which the consent of the owner will not be necessary.
Regarding sensitive personal data relating to health and the human biological profile, the Law establishes that they may only be processed in compliance with the requirements for the processing of sensitive personal data and for the purposes provided for by special laws on health matters. In addition, it establishes that, exceptionally, these data may be processed without the consent of the owner.
Regarding biometric personal data, the Law establishes that they may only be processed in compliance with the requirements for the processing of sensitive personal data and provided that the holder is provided with certain specific information (e.g. identification of the biometric system used).
5.3 Third Paragraph: On the processing of special categories of personal data.
Other types of personal data regulated by the Law are: personal data relating to children and adolescents; personal data for historical, statistical, scientific and study or research purposes; and geolocation data.
6. Replacement of Title IV of the Law: On the processing of personal data by public bodies
The Law fully replaced the current “Title IV On the processing of data by public bodies” with the following: “Title IV On the processing of personal data by public bodies”.
The Law establishes that, as a general rule, the processing of personal data by public bodies is lawful when it is carried out in the performance of their legal functions. In addition to the above, the Law regulates the transfer of personal data by public bodies and an administrative procedure for protection and claims of illegality.
Finally, Title IV establishes the creation of a regulation that will regulate the conditions, modalities and instruments for the communication or transfer of personal data between public bodies and with private persons or bodies.
7. Replacement of Title V of the Law: On the international transfer of personal data
The Law completely replaced the current “Title V On liability for violations of this law” with the following: “Title V On the international transfer of personal data”.
The Law indicates the cases in which international data transfer operations are lawful and entrusts their supervision to the Data Protection Agency.
8. New Titles VI, VII and VIII
8.1 Title VI: Control Authority for Personal Data Protection
The Law creates Title VI, “Control Authority for Personal Data Protection”, which establishes the Personal Data Protection Agency: an autonomous corporation under public law, of a technical, decentralized nature, with legal personality and its own assets, whose purpose is to ensure the effective protection of the rights that guarantee the private life of individuals and their personal data, in accordance with the provisions of the Law.
In addition to creating this new institution, the Law establishes its functions and powers and determines, among other matters, its senior management, composition, remunerations and statutes.
8.2 Title VII: Infringements and their sanctions, procedures and responsibilities
The Law creates a title on infringements and their sanctions, procedures and responsibilities, indicating that, as a general rule, the data controller who infringes the principles, rights and obligations will be sanctioned in accordance with the rules established in this title, which is composed of five paragraphs.
8.2.1 First paragraph: Responsibility, infringements and sanctions applicable to natural persons or legal entities under private law.
The Law classifies infringements into three categories: minor, serious and very serious, establishing causes for each of them. In addition, with respect to each of these infringements, the Law provides for the following sanctions:
Minor infringements: Fine of up to 5,000 UTM;
Serious infringements: Fine of up to 10,000 UTM;
Very serious infringements: Fine of up to 20,000 UTM.
Finally, the Law establishes mitigating, aggravating and accessory sanctions, in addition to creating a National Registry of Sanctions and Compliance administered by the Agency.
8.2.2 Second paragraph: Administrative procedures
The Law establishes a procedure for the protection of rights before the Personal Data Protection Agency in the event that the Controller denies all or part of the request made by the Holder or when there is no response from the Controller within the legal period in accordance with article 11 of the Law.
Along with the previous procedure, the Law establishes an administrative procedure instructed by the Agency ex officio or at the request of a party for infringements of the Law committed by Data Controllers. These violations may be due to non-compliance with the principles, rights or obligations established in the Law.
8.2.3 Third paragraph: Regarding the judicial claim procedure
The Law establishes that a natural or legal person may file a claim of illegality against an administrative act that paralyzes the procedure, or against a final or termination resolution issued by the Agency, before the Court of Appeals of Santiago or before the Court of Appeals of the claimant's domicile, at his or her choice.
8.2.4 Fourth paragraph: Regarding the responsibility of public bodies, of the authority or superior head of the body and of its officials
The Law establishes the duty of responsibility of the superior head of the public body, establishing various sanctions in the event of violations of the norms established in the Law. Likewise, the Law establishes sanctions for the officials of the public body who are individually responsible, which will be determined by the administrative statute.
8.2.5 Fifth paragraph: Civil Liability
The Law establishes, as a general rule, that the data controller must compensate the financial and non-financial damage caused to the data subject(s) when, in their data processing operations, they infringe the principles established in article 3, the rights and obligations established in this law and cause them harm (without prejudice to the exercise of other rights granted by law to data subjects). Civil actions arising from the infringement of the Law expire after 5 years.
In addition, the Law establishes an obligation for data controllers to prevent the commission of infringements established in the Law and sets out the elements with which the voluntary model for the prevention of infringements must be certified, registered and supervised by the Agency in accordance with the provisions of the Regulation to be issued.
8.3 Title VIII: Processing of personal data by the National Congress, the Judiciary and public bodies with constitutional autonomy
The Law establishes that the processing of personal data by the National Congress, the Judiciary, the Office of the Comptroller General of the Republic, the Public Prosecutor's Office, the Constitutional Court, the Central Bank, the Electoral Service and the Electoral Court, and other special courts created by law, is lawful when it is carried out for the fulfillment of their legal functions, within the scope of their powers and in accordance with the special regulations established in their respective organic laws and the provisions of Title IV of this law applicable to public bodies, with the exception of the provisions of article 14 quinquies and articles 44 to 46.
9. Validity
The amendments to Laws No. 19,628, on the protection of private life; No. 20,285, on access to public information, and No. 19,496, which establishes standards for the protection of consumer rights, will enter into force on the first day of the twenty-fourth month following the publication of this law in the Official Gazette.
Furthermore, the regulations referred to in the law must be issued within six days from the publication of the law in the Official Gazette.