Data & Privacy · Chile
Data protection & privacy law in Chile (2026)
Chile shaded by its data & privacy status
Data protection in Chile: comprehensive law, under Currently Law No. 19.628 (1999, 'sobre protección de la vida privada'), grounded in Constitution Art. 19 No. 4; comprehensively overhauled by GDPR-style Law No. 21.719 (published 13 Dec 2024), which enters into force 1 December 2026 and creates the Agencia de Protección de Datos Personales (APDP)..
Chile has had a general, cross-sector personal-data protection law in force since 1999 (Law 19.628), and personal-data protection is a constitutional right (Art. 19 No. 4). On 13 December 2024 Chile published Law 21.719, a comprehensive GDPR-aligned reform that creates an independent supervisory authority (the APDP), expands data-subject rights, and adds strong enforcement; it enters into full force on 1 December 2026 after a 24-month transition. As of May 2026 the modernized regime is enacted but not yet enforceable, so Law 19.628 remains the operative law while organizations prepare for the new obligations.
Key points
Law 19.628, in force since 18 August 1999, regulates the processing and protection of personal data of natural persons across both private and public bodies, and grants access, rectification, cancellation and opposition (ARCO) rights. It will be renamed and substantially replaced when Law 21.719 takes effect.
A 2018 constitutional reform added protection of personal data to Article 19 No. 4 of the Political Constitution, which guarantees respect and protection of private life and of the person's personal data, to be regulated by law.
Law 21.719, published in the Diario Oficial on 13 December 2024, modernizes Chile's regime along GDPR lines, lawful bases for processing, expanded data-subject rights (access, rectification, erasure, portability, objection, and rights regarding automated decision-making/profiling), DPIAs, and records of processing activities. Full entry into force is 1 December 2026.
Law 21.719 creates the Agencia de Protección de Datos Personales (APDP), an autonomous public-law corporation with powers to investigate, sanction, and issue technical rules. It begins exercising enforcement and sanctioning functions from December 2026.
The new law imposes transparency/clear-information duties, a record of processing activities, security measures, mandatory data-breach notification to the APDP (and to affected individuals for sensitive data, minors under 14, or financial/banking data at high risk), and appointment of a Data Protection Officer for certain controllers.
Infringements are graded minor/serious/very serious, with fines up to 20,000 UTM; for large companies that repeatedly commit serious or very serious breaches, fines may instead reach a percentage of prior-year annual revenue (up to 2% / 4%). Cross-border transfers follow a layered GDPR-style framework (adequacy, contractual clauses/BCRs, certifications).
Timeline - major decisions & events
Chile's GDPR-aligned data protection reform takes full legal effect and the newly created Agencia de Protección de Datos Personales (APDP), Chile's first dedicated, independent supervisory authority, commences operations with powers to issue binding instructions, conduct inspections, and impose administrative fines. The 24-month transitional window that began with the law's December 2024 publication expires on this date.
Biblioteca del Congreso Nacional de Chile ↗Key articles of the Cybersecurity Framework (DFL N°1-21.663, published December 2024) became operative, imposing mandatory incident-reporting duties and minimum security standards on designated 'essential services' and 'vital operators'. The Agencia Nacional de Ciberseguridad (ANCI) activated its supervisory and sanctioning powers, directly complementing data-breach obligations under Law 21.719.
Agencia Nacional de Ciberseguridad (ANCI) ↗Chile's Constitutional Court reviewed and approved Bills 11144-07 and 11092-07 (jointly constituting the Data Protection Act), removing the final institutional hurdle before presidential promulgation. The ruling confirmed the law's compatibility with constitutional guarantees after over eight years of legislative debate.
OneTrust DataGuidance ↗Chile's consumer protection agency SERNAC filed a formal complaint against Worldcoin (Grupo Optimistic SpA) at the 2nd Local Police Court of Las Condes for collecting iris scans without adequate consent, including from minors. SERNAC later obtained a precautionary order suspending biometric data collection from minors, the case became a landmark test of existing privacy rules against novel biometric technologies in the run-up to Law 21.719.
SERNAC (Servicio Nacional del Consumidor) ↗The Chilean government submitted a comprehensive legislative bill in the Senate to replace the 1999 data protection law, launching more than eight years of parliamentary debate. The bill proposed creating a supervisory authority and aligning the framework with the EU GDPR and other emerging international standards.
Biblioteca del Congreso Nacional — Historia de la Ley ↗Chile enacted its first computer-crime law, criminalising sabotage of information-processing systems, unauthorised access, and malicious destruction of data. One of the earliest such laws in Latin America, it provided a baseline privacy-adjacent enforcement tool until being superseded by the modernised Law 21.459 in 2022.
Biblioteca del Congreso Nacional de Chile ↗Chile - other topics
Data & Privacy in other countries
Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →