Lawful bases and consent under Law 21.719: when you need consent and when you do not

Before processing any personal data, your company needs a reason that the law recognizes as valid: a lawful basis. Consent is only one of them, and requesting it for everything is usually a mistake. This guide explains what a lawful basis is, which ones exist, what makes consent valid, and when you can do without it because another basis applies, all designed to help you arrive prepared for the full enforcement that begins on December 1, 2026.

The essentials in 30 seconds

  • Consent is only ONE of the lawful bases. Requesting it for everything is a mistake: in many cases another basis applies, such as the performance of a contract or compliance with a legal obligation.
  • The general framework inspired by the GDPR recognizes six main bases, among others: consent, performance of a contract, legal obligation, legitimate interest, protection of a person's life or integrity, and the exercise of functions of public bodies.
  • To be valid, consent must be freely given, informed, specific, and unambiguous, and it must always be revocable with the same ease with which it was granted.
  • For sensitive data the general rule is consent, with narrow exceptions that should be interpreted restrictively.
  • Every processing activity must rest on a basis and be documented in the Record of Processing Activities (ROPA). Without a basis, the processing is unlawful.

Law 21.719, published on December 13, 2024, modernizes Chile's data protection framework and enters full enforcement on December 1, 2026, under the oversight of the Personal Data Protection Agency. Inspired by the European GDPR standard, it introduces a principle that many organizations have not yet internalized: you cannot process personal data simply because you happen to have it on hand. Every processing operation must rest on a lawful basis, and consent is just one of the available options. If you want the full legal picture, start with the definitive guide to Law 21.719.

One of the most common mistakes is requesting consent for absolutely everything. In many cases another basis applies, and forcing consent is not only unnecessary but can also render it invalid. Below we review what a lawful basis is, which ones the general framework recognizes, what requirements make consent valid, and how to document all of this in your Record of Processing Activities.

What a lawful basis is

A lawful basis is the legal justification that allows an organization to process personal data. Put another way, it is the answer to the question: why do I have the right to collect, use, store, or share this data? Under Law 21.719, no processing is lawful unless it rests on at least one of the bases the law recognizes. Simply having the data available, or having it be useful to the business, is not enough: you need a reason that the law accepts.

This is a significant shift in mindset. The starting point is not that you may process data and then look for a way to justify it afterward, but the reverse: first you identify the lawful basis that covers each activity, and only then do you carry it out. This order is part of the principle of accountability, which requires companies to be able to demonstrate at any time that they process data lawfully.

Each processing operation rests on a single primary basis, chosen according to its purpose. The same piece of data can support different processing operations under different bases: a customer's email may be processed to fulfill their purchase (performance of a contract) and, separately, to send them promotions (which may require consent). Conflating both purposes under a single basis is a common source of non-compliance.

Which bases the general framework recognizes

The general framework inspired by the GDPR recognizes several lawful bases. None is superior to another: the right approach is to choose the one that best fits the specific purpose of the processing. These are the main ones.

  • Consent of the data subject. The person authorizes the processing of their data for a specific purpose. It is the best-known basis, but not the only one, nor the one that applies by default.
  • Performance of a contract to which the data subject is a party. It allows processing of the data necessary to fulfill a contract with the person or to take steps prior to their request, such as processing an order, providing a service, or managing a subscription.
  • Compliance with a legal obligation of the controller. This covers the processing that the law requires of the company, such as retaining tax documentation or providing information to an authority when the regulations so require.
  • Legitimate interest of the controller or of a third party. It enables certain reasonable processing operations for the operation of the business, provided that this interest is weighed against the rights and freedoms of the data subject. If the person's rights prevail, this basis does not apply.
  • Protection of the life or integrity of the data subject or of another person. It is invoked in situations where the processing is necessary to protect a vital interest, typically emergencies.
  • Exercise of functions of public bodies. It covers the processing carried out by public bodies in the performance of their functions.

What makes consent valid

When consent is the appropriate basis, not just any authorization will do. To be valid under Law 21.719, consent must meet four characteristics, and it must also always be revocable.

These requirements exist because weak consent protects no one: neither the data subject, whose will was not truly free or informed, nor the company, which believed it had a solid basis and did not.

  • Freely given. The person must be able to decide without pressure or negative consequences for refusing. If the service is conditioned on accepting processing that is not necessary to provide it, the consent loses its freely given character.
  • Informed. Before accepting, the data subject must know who will process their data, for what purpose, and in what manner. Without clear and prior information, there is no valid consent.
  • Specific. It must be granted for specific purposes, not as a general and open-ended authorization. Different purposes require, in principle, separate consents.
  • Unambiguous. It must be expressed through a clear, affirmative action. Silence, pre-ticked boxes, or mere inaction are not enough to consider it granted.
  • Revocable. The person may withdraw their consent at any time, and doing so must be as easy as granting it. Revocation does not affect the lawfulness of the prior processing, but it requires stopping the uses that depended on that basis.

When you do not need consent

Here is the point that causes the most confusion. If a processing operation rests on another lawful basis, you do not need to request consent, and requesting it can even be counterproductive. Asking for consent for something already covered by another basis suggests to the data subject that they can refuse, when in reality the processing will proceed anyway because it rests on a different basis.

A typical example is the performance of a contract. If a customer buys from your store, processing their name, address, and payment method to process and ship the order rests on the performance of the contract, not on consent. It makes no sense to ask for permission to use the shipping address: without it, no delivery is possible.

The same applies to compliance with a legal obligation. If the regulations require you to retain certain documentation or report information to an authority, that obligation is your lawful basis. The data subject cannot object to processing that the law orders you to carry out, so requesting consent would be misleading.

Legitimate interest can also enable processing without consent, but with one condition: you must weigh your interest against the rights and expectations of the data subject and keep a record of that analysis. It is not a catch-all. If the impact on the person is high or the processing would not be expected by them, this basis probably does not apply and it is worth reconsidering the approach.

Sensitive data: the general rule is consent

With sensitive personal data the logic is reversed. Given its greater potential for harm, the general rule for processing it is the consent of the data subject, which must also meet the validity requirements described earlier. Here consent is not just one basis among many, but the starting point.

The law provides exceptions that allow sensitive data to be processed without consent, but they are narrow and should be interpreted restrictively. When in doubt with health data, biometrics, socioeconomic status, or other sensitive categories, the prudent approach is to rely on consent and document it with special care. You can learn more in the post on sensitive data under Law 21.719.

How to document the basis of each processing operation in the ROPA

Identifying the correct basis is not enough if it is not recorded. The Record of Processing Activities (ROPA) is the tool where you document, for each activity, which lawful basis it rests on. This record is a central piece of accountability: before the Personal Data Protection Agency, it is the evidence that each processing operation has a legal foundation.

When describing an activity in the ROPA, indicate the purpose, the categories of data involved, and the lawful basis that supports it. If the basis is consent, also keep the record of how and when it was obtained. If it is legitimate interest, keep a record of the balancing carried out against the rights of the data subject.

The exercise of completing the ROPA often reveals problems before an audit does: activities with no clear basis, consents requested where another basis applied, or purposes mixed under a single justification. That is why it is worth treating it as a diagnosis rather than a formality. Review the guide on the Record of Processing Activities to build it step by step.

Common mistakes to avoid

When organizing their lawful bases, most organizations stumble over the same points. Knowing them in advance saves you costly corrections.

  • Processing data without a basis. The most serious mistake: collecting or using data without having identified a lawful basis. Processing without a basis is unlawful, even if the data seems harmless or useful.
  • Requesting consent when another basis applies. Asking for permission for something covered by the performance of a contract or by a legal obligation creates confusion and a false impression that the data subject can object.
  • Using generic or pre-ticked consents. A broad, ambiguous consent, or one with pre-ticked boxes, is neither specific nor unambiguous, and is therefore not valid.
  • Changing the purpose without reviewing the basis. Reusing data for a purpose different from the original one without assessing whether the basis remains valid is a frequent source of non-compliance.
  • Keeping no record. Choosing the basis well but not documenting it in the ROPA leaves you with no way to demonstrate the lawfulness of the processing when asked.

Organize your company's lawful bases before December 2026

At AlayIAtrust we help Chilean organizations identify the correct lawful basis for each processing operation, review their consents, and document everything in a solid ROPA. Let's talk about how to arrive prepared for the full enforcement of Law 21.719.

Frequently asked questions

Do I always need consent to process personal data?

No. Consent is only one of the lawful bases. Many processing operations rest on another basis, such as the performance of a contract or compliance with a legal obligation, and in those cases you do not need to request consent. Requesting it when another basis applies is a common mistake.

What makes consent valid under Law 21.719?

To be valid, consent must be freely given, informed, specific, and unambiguous. In addition, it is always revocable: the person may withdraw it at any time, and doing so must be as easy as granting it. A generic or ambiguous consent, or one with pre-ticked boxes, does not meet these requirements.

Do I need consent to process sensitive data?

As a general rule, yes: for sensitive data the consent of the data subject is the primary basis, and it must meet the validity requirements. The law provides exceptions, but they are narrow and should be interpreted restrictively, carefully documenting the basis of each processing operation.

How do I record the lawful basis of each processing operation?

In the Record of Processing Activities (ROPA). For each activity you must indicate the purpose, the categories of data, and the lawful basis that supports it. If the basis is consent, keep the record of how it was obtained; if it is legitimate interest, keep a record of the balancing against the rights of the data subject.
