Skip to main content

Chile Law 19.628 on the Protection of Private Life

Chile's Law 19.628 was Latin America's first data protection law and has been overhauled by Law 21.719 to mirror the GDPR, adding a lawful-basis model, expanded data subject rights, breach notification, and a new independent regulator with substantial fining powers.

Jurisdiction
Chile

Chile Law 19.628 on the Protection of Private Life

Chile's Law No. 19.628 on the Protection of Private Life, in force since August 28, 1999, was Latin America's first dedicated data protection statute. For many years it was considered comparatively weak, lacking an independent supervisory authority. That changed with the enactment of Law No. 21.719 in late 2024, a sweeping reform that modernizes the regime to resemble the European GDPR; the new framework phases in with a principal implementation period running into 2026.

Who It Applies To

The law applies to the processing of personal data carried out by public bodies and private parties in Chile. The 2024 reform broadens extraterritorial reach to cover controllers and processors outside Chile that target goods or services to people in Chile or monitor their behavior, mirroring the GDPR's approach. It establishes a new Personal Data Protection Agency as an independent regulator, addressing the historic enforcement gap.

Key Requirements

Under the modernized framework, processing must rest on a lawful basis such as consent, contract, legal obligation, or legitimate interest, and must follow principles of lawfulness, purpose limitation, proportionality, quality, transparency, security, and accountability. Data subjects gain strengthened rights, often summarized as ARCO plus portability and the right to block processing. Sensitive data receives special protection. Controllers must adopt security measures, notify the authority and affected individuals of certain breaches, and may need to conduct impact assessments and adopt compliance programs.

Penalties for Non-Compliance

The reform introduces a tiered sanctions regime. Serious and very serious infringements can draw substantial fines, with the highest tier reaching amounts measured in thousands of tax units and, for the gravest cases, a percentage of annual revenue. The new agency can also order corrective measures.

How to Comply

Establish a lawful basis for each processing activity and document it. Build mechanisms for the expanded data subject rights, apply heightened safeguards to sensitive data, and implement security and breach-notification procedures. Prepare compliance programs and, where required, data protection impact assessments ahead of full enforcement.

Practical Notes

The 2024 reform under Law 21.719 fundamentally changes the compliance posture in Chile, moving from a weak, registration-light regime to a GDPR-style framework with an independent regulator and meaningful fines. Organizations should use the implementation period to establish lawful bases, build rights-handling processes, and prepare impact assessments and compliance programs before full enforcement begins.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.