After more than seven years of processing, the new Personal Data Protection Law No. 21.719 was published on December 13, 2024, which amends Law No. 19.628 and is aligned with European standards in terms of data protection and processing, and which creates the Data Protection Agency, responsible for ensuring the effective protection of the rights that guarantee the privacy of individuals and their personal data, monitoring compliance with the law and sanctioning those who violate it.
Although the regulation comes into force on December 1, 2026, companies should start implementing it now to comply with the law and avoid high fines for non-compliance.
For this reason, BH Compliance and Alessandri Abogados held the webinar “Personal Data Protection: challenges and opportunities of the new law”, which featured the lawyer partner of Alessandri Abogados, Macarena Gatica and the deputy director of BH Compliance, Tomás Undurraga, in addition to being moderated by Susana Sierra, CEO of BH Compliance.
Susana Sierra opened the webinar by presenting the current panorama of personal data, stressing that “data is today’s gold”, and that the growing amount of personal information we share has generated the urgent need to regulate its treatment. He mentioned as an example the General Data Protection Regulation of the European Union, which has motivated other countries to develop their own regulations to be able to do business with its members. This trend will also be reflected in Chile, where companies will demand compliance with the new law by establishing strategic alliances, creating a virtuous circle.
Susana emphasized that, just as 2024 was the year of regulations, 2025 will be the year of implementation, as companies will have to start working on this regulation, together with others such as the Economic Crimes Law, the Cybersecurity Framework Law, the Karin Law, among others.
Then it was the turn of Macarena Gatica, who explained the key concepts for understanding the requirements of the new law and the changes that companies will have to face. She explained what is meant by personal data, how it is distinguished from sensitive data and what its treatment implies. He also discussed the new categories of data established by the law, such as geolocation data and data related to minors, and referred to the difference between data controller and data processor in the new regulations. She also clarified that, with the new regulation, public access sources can no longer be used without restriction and that it will be necessary to have a basis of lawfulness.
Finally, Macarena stressed the importance of having a compliance structure in place to manage risks.
In this line, Tomás Undurraga explained how compliance is related to the law, clarifying first of all that a violation of the law does not generate criminal liability for legal entities. He also referred to the Infringement Prevention Model included in the regulation, which consists of a compliance program focused on the protection of personal data. This model, which companies can adopt voluntarily, will provide a guide to ensure proper data processing, prevent possible infringements and guarantee compliance with the law.
The BH Compliance lawyer also pointed out that the Data Protection Agency will be in charge of certifying that the Infringement Prevention Model complies with the requirements established in the law, in addition to supervising them. It should be noted that a certified Model can be taken as a mitigating factor in the commission of an infraction in data processing operations.
At the end, Tomás gave advice for companies to implement this law in a comprehensive manner, covering all areas and seeking to generate synergies. He also warned of the serious reputational risk to which companies that do not comply with the regulations are exposed by being recorded in the registry as having been sanctioned.
