The essentials in 30 seconds
- The Personal Data Protection Agency is the supervisory authority created by Law 21.719: the Chilean system had rules since 1999, but no specialized body dedicated to enforcing them.
- Its mandate is to oversee compliance with Law 21.719 and sanction the infringements it identifies. Its scope covers both controllers and processors.
- Fines are tiered according to severity, with caps of 5,000, 10,000 and 20,000 UTM. Sanctions imposed are published in the National Registry of Sanctions.
- The core of the new framework is proactive accountability: the RAT, the ARSOP rights procedure, breach management and supporting documentation (DPIA and DPO where applicable).
- Full enforcement begins on December 1, 2026. What gets measured is not your intention to comply, but the evidence that you do.
Law 21.719, published on December 13, 2024, modernizes Chile's data protection framework and reaches full enforcement on December 1, 2026. Among all its changes, one reorders the rest: the creation of the Personal Data Protection Agency, the supervisory authority the Chilean system never had. If you want the full picture, start with our guide to the data protection law in Chile.
This article is a close look at that authority: what it is, what it can do, who falls within its scope and what documentation you will need to be able to show when it comes asking.
What the Personal Data Protection Agency is
Law 19.628, in force since 1999, was Chile's data protection framework for more than two decades. The system it built had rules, but no specialized body dedicated to overseeing compliance: standards on paper and little practical pressure to apply them.
The Agency fills that gap. It is the supervisory authority of the new framework: a specialized body whose mandate is to oversee how organizations process personal data and to sanction the infringements it identifies. The design does not start from scratch: Law 21.719 draws on the European GDPR, where data protection authorities are the engine of the system.
That is why its arrival is the most significant institutional change in the new framework. The mechanisms the law introduces (the RAT, ARSOP rights, the duty to notify breaches) only become enforceable because someone is responsible for enforcing them. Without a supervisory authority, a catalogue of duties is a statement of good intentions; with one, it becomes a verifiable standard.
What the Agency can do: audit and sanction
Law 21.719 gives the Agency what the previous system never had: oversight of compliance and the power to sanction. The first defines how it reaches your organization; the second, how much it costs when it arrives and finds nothing.
It is worth being precise about scope, because this is where many companies get it wrong. Oversight looks at both the controller (who decides why and how data is processed) and the processor (who processes data on behalf of another). Having your own house in order is not enough if the vendors processing data on your company's behalf are not at the same level: across that entire chain, the evidence has to exist as well.
- Oversee compliance with Law 21.719 by those who process personal data, whether controllers or processors.
- Impose sanctions when it identifies infringements, within the fine regime expressed in UTM established by the law itself.
- Keep a public record of what it sanctions: the sanctions imposed are published in the National Registry of Sanctions.
When enforcement begins: December 1, 2026
Two dates set the calendar. Law 21.719 was published on December 13, 2024 and full enforcement begins on December 1, 2026. Almost two years separate them, and that is where the costliest misunderstanding lies: reading that window as an extension rather than as working time.
The date does not mark the start of preparation; it marks the moment you get measured. A RAT thrown together at the last minute, an ARSOP rights procedure nobody has tested, or a breach protocol written the week before do not produce the only thing an authority can review: evidence with a history, with dates and with owners. Whatever is improvised in November 2026 will show.
What documentation an audit can review
An audit comes down to a single question asked in many ways: can you demonstrate it? That is the core of the proactive accountability running through Law 21.719: complying is not enough, you must be able to prove it with documentation and records. The specifics will depend on each case, but the mechanisms the law itself defines indicate where it will look:
In poorly prepared organizations, one phrase comes up again and again, and it is not bad faith: we do it, but it is not documented. Before an authority that evaluates evidence, that looks too much like not doing it. If you respond to data subject requests but do not record when they arrived, who handled them and what you replied, you have no way to prove it. Evidence is not a byproduct of compliance: it is the product.
- The Record of Processing Activities (RAT): what data you process, for what purpose, for how long, with whom you share it and under what safeguards.
- The ARSOP rights procedure: how you receive, verify, respond to and record requests for access, rectification, erasure, objection and portability.
- Breach management: how you detect incidents, how you assess them and how you meet the duty to notify.
- The relationship with your processors: which vendors process data on your company's behalf, under what instructions and with what controls.
- Supporting documentation: the DPIA for processing operations that warrant it and the designation of a DPO where applicable.
Fines in UTM and the National Registry of Sanctions
Law 21.719 establishes a fine regime tiered according to the severity of the infringement, with three caps:
The figures are expressed in UTM rather than pesos, and that detail has consequences: because it is an inflation-indexed unit, the ceiling of the fine holds its value over time in real terms. At the highest tier, the magnitude is enough to affect the annual results of a mid-sized company. That change of scale explains why data protection stopped being an exclusively legal matter and reached the boardroom.
The financial penalty is not the only cost, and it is often not the most expensive one. The law provides for a National Registry of Sanctions where the sanctions imposed are published. That publicity turns an administrative file into searchable information: for a client evaluating a contract renewal, for a tender committee, for your competitors. The fine is paid once; the registry remains.
- Up to 5,000 UTM at the lowest tier of the regime.
- Up to 10,000 UTM at the intermediate tier.
- Up to 20,000 UTM at the highest tier.
How to prepare before December 1, 2026
Preparing for the Agency is not a last-week formality. What you will need to show cannot be built in a rush: it requires gathering information scattered across departments, making decisions nobody has made yet and putting them in writing. Here is the short path:
Behind every point lies the same principle: proactive accountability. The Agency will not evaluate your discourse on privacy, but your ability to demonstrate, with documents and dates, that you made informed decisions and carried them out. Even when there is a finding, whoever arrives with an organized file discusses an adjustment; whoever improvises discusses their entire credibility. That is why December 1, 2026 is not the date to start preparing: it is the date you get measured.
- Build your RAT and keep it alive: it is the foundation everything else rests on.
- Design an ARSOP rights procedure that actually works: intake channel, owner, identity verification, internal response deadline and a record of every request.
- Prepare a breach protocol covering detection, assessment, notification and subsequent learning.
- Put your processor chain in order: which vendors process data on your company's behalf, under what instructions and with what controls.
- Assess whether you need to designate a DPO and carry out a DPIA for higher-risk processing operations.
- Leave a trail of everything: decisions, dates, owners and evidence of execution. An undated document does not prove when you did things.
Be ready when the Agency comes to audit
At AlayIAtrust we help Chilean organizations build the evidence the Agency will be able to review starting December 1, 2026: the RAT, the ARSOP rights procedure, the breach protocol, the relationship with processors and supporting documentation. Request an assessment and find out your real starting point.
Schedule an assessmentFrequently asked questions
What is the Personal Data Protection Agency?
It is the supervisory authority created by Law 21.719 to oversee compliance with Chilean data protection rules. Under Law 19.628, in force since 1999, the system had rules but no specialized body dedicated to enforcing them. The Agency oversees those who process personal data, whether controllers or processors, and can sanction the infringements it identifies.
When does the Agency begin enforcement?
Law 21.719 was published on December 13, 2024 and full enforcement begins on December 1, 2026. That window of almost two years is there to adapt, not to postpone the work: the RAT, the ARSOP rights procedure and breach management take months. December 1, 2026 is the evaluation date, not the starting point.
What documentation can the Agency review in an audit?
The specifics depend on each case, but the mechanisms of the law itself indicate where it will look: the Record of Processing Activities (RAT), the procedure you use to handle ARSOP rights, breach management and the duty to notify breaches, the relationship with your processors, and supporting documentation such as the DPIA and the designation of a DPO where applicable. The underlying principle is proactive accountability: complying is not enough, you must be able to prove it.
How large are the fines and where are sanctions published?
The regime is tiered according to the severity of the infringement, with caps of 5,000, 10,000 and 20,000 UTM. In addition, the law provides for a National Registry of Sanctions where the sanctions imposed are published. That reputational component often weighs more than the fine: payment happens once, the publication remains.