Data protection & privacy laws in Chile (2026)

Law 19.628, in force since 18 August 1999, regulates the processing and protection of personal data of natural persons across both private and public bodies, and grants access, rectification, cancellation and opposition (ARCO) rights. It will be renamed and substantially replaced when Law 21.719 takes effect.

A 2018 constitutional reform added protection of personal data to Article 19 No. 4 of the Political Constitution, which guarantees respect and protection of private life and of the person's personal data, to be regulated by law.

Law 21.719, published in the Diario Oficial on 13 December 2024, modernizes Chile's regime along GDPR lines — lawful bases for processing, expanded data-subject rights (access, rectification, erasure, portability, objection, and rights regarding automated decision-making/profiling), DPIAs, and records of processing activities. Full entry into force is 1 December 2026.

Law 21.719 creates the Agencia de Protección de Datos Personales (APDP), an autonomous public-law corporation with powers to investigate, sanction, and issue technical rules. It begins exercising enforcement and sanctioning functions from December 2026.

The new law imposes transparency/clear-information duties, a record of processing activities, security measures, mandatory data-breach notification to the APDP (and to affected individuals for sensitive data, minors under 14, or financial/banking data at high risk), and appointment of a Data Protection Officer for certain controllers.

Infringements are graded minor/serious/very serious, with fines up to 20,000 UTM; for large companies that repeatedly commit serious or very serious breaches, fines may instead reach a percentage of prior-year annual revenue (up to 2% / 4%). Cross-border transfers follow a layered GDPR-style framework (adequacy, contractual clauses/BCRs, certifications).