The essentials in 30 seconds
- Sensitive data includes, among others, health data, the biological and biometric profile, racial or ethnic origin, union, political or trade affiliation, religious or philosophical beliefs, and sexual life and orientation. In the Chilean case, socioeconomic situation is added.
- The general rule for processing it is the consent of the data subject: free, informed, and unequivocal. The exceptions that allow you to forgo consent are narrow.
- It requires reinforced security and, given its level of risk, often warrants a Data Protection Impact Assessment (DPIA).
- The data of children and adolescents receives reinforced protection, with the best interests of the minor as the guiding criterion.
- The first practical step is to identify and flag it in the Record of Processing Activities (RAT).
Law 21.719, published on December 13, 2024, modernizes Chile's data protection framework and enters full enforcement on December 1, 2026. Inspired by the European GDPR standard, it incorporates a distinction that many organizations have not yet internalized: certain data, because of its potential for harm, receives a higher level of protection than the rest. If you want the full legal picture, start with the definitive guide to Law 21.719.
If your company processes health, biometric, or socioeconomic data, or information on minors, this category affects you directly. Below we review which data is sensitive, why the standard is stricter, and how to manage it without slowing down your operation.
What sensitive personal data is
Sensitive personal data is data that refers to especially intimate aspects of a person or that, if used improperly, can give rise to discrimination or serious harm. Law 21.719 separates it from the rest of personal data precisely because its misuse has deeper consequences for the dignity and rights of the data subject.
The logic is simple: leaking a customer's email address is a problem; leaking their medical diagnosis, their sexual orientation, or their level of debt can mark them for a long time. That is why the law raises the requirements for processing this category and reduces the situations in which it is allowed without consent.
Which categories Law 21.719 considers sensitive
Following the European standard on which it is based, the rule recognizes a set of categories that receive this special treatment. It is worth knowing them in detail, because many appear in everyday human resources, occupational health, marketing, or customer assessment processes without the company realizing it.
A distinctive feature of the Chilean case is that the data subject's socioeconomic situation is also considered sensitive data. This is relevant for banking, retail, fintech, debt collection, insurance, and any organization that segments or assesses people according to their ability to pay or income level.
- Health data, including medical history, diagnoses, and physical or psychological condition.
- Biological profile and biometric data used to uniquely identify a person, such as fingerprint, face, or iris.
- Racial or ethnic origin.
- Union, political, or trade affiliation.
- Religious or philosophical beliefs.
- Sexual life and sexual orientation.
- Socioeconomic situation, a distinctive feature of the Chilean case compared with other frameworks.
Why it carries a stricter standard
Processing sensitive data is not prohibited, but it is subject to stricter conditions. The general rule is that you need the consent of the data subject, and that consent must be free, informed, and unequivocal: the person has to clearly understand which sensitive data you will process and for what purpose. The exceptions that allow you to forgo consent are narrow and should be interpreted restrictively.
Beyond consent, the law calls for reinforced security measures, consistent with the greater risk this information entails. And because of that same level of risk, the processing of sensitive data often warrants a Data Protection Impact Assessment (DPIA), the exercise that lets you anticipate risks and document how you mitigate them before starting the processing.
All of this is framed within the principle of proactive accountability: it is not enough to comply, you must be able to demonstrate it. Before the Personal Data Protection Agency, the organization must be able to evidence its legal bases, security measures, and the decisions it made.
- Legal basis: consent is the rule; the exceptions are limited and should be justified.
- Reinforced security: access controls, encryption, minimization, and traceability appropriate to the risk.
- DPIA: a prior assessment of the impact when the processing may entail a high risk to the rights of the data subject.
- Documentation: the ability to demonstrate compliance to the Agency at any time.
Reinforced protection of children and adolescents
The data of children and adolescents receives especially reinforced protection. The premise is that minors are particularly vulnerable and do not always understand the consequences of sharing their information, so the organization's standard of care must be higher than with an adult.
In practice, this means that the best interests of the minor must guide every processing decision, that information directed at children and adolescents or at their representatives must be clear and age-appropriate, and that consent must be managed considering the role of those responsible for their care. Schools, educational platforms, apps, pediatric health services, and brands that target young audiences must pay particular attention to this category.
- Place the best interests of the minor at the center of every processing activity.
- Provide clear, age-appropriate information, including to parents or representatives.
- Limit collection to what is strictly necessary and avoid intrusive profiling.
- Reinforce security and controls when the service targets minors.
How to identify it in the RAT
You cannot protect what you do not know you have. That is why the first step is to map your processing activities in the Record of Processing Activities (RAT) and explicitly flag where there is sensitive data. The RAT is the inventory that describes what data you process, for what purpose, on what legal basis, with whom you share it, and how long you retain it.
When building the RAT, review each activity and ask yourself whether any of the sensitive categories appear in it, even indirectly. An application form that asks for affiliation with a private health insurer (isapre) reveals health data; a form that asks about dietary restrictions may reveal religious beliefs; a credit assessment processes socioeconomic situation. Flagging these points lets you prioritize risk and decide where to apply reinforced consent, additional security, or a DPIA.
- Inventory all flows where you collect, store, or share personal data.
- Prominently flag the activities that include any sensitive category.
- Record the legal basis applied, usually consent, for each sensitive processing activity.
- Also identify international transfers of sensitive data, given their greater exposure.
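One way to operationalize the flagging step above in a RAT inventory, as an added illustration that is not the firm's, the Agency's, or the law's own tooling. It assumes a small keyword map from data elements to the sensitive categories the law names (the keyword lists and the sample RAT entries are constructed for the demo, mirroring the isapre, dietary-restriction, and credit-assessment cases in the text); in practice a reviewer classifies each activity, and the script only surfaces candidates and derives the follow-up items (reinforced security, DPIA review, consent justification, transfer review) for each flagged activity.

```python
"""Flag sensitive personal data in a Record of Processing Activities (RAT).

Added example, not AlayIAtrust's or Law 21.719's own tooling. The keyword
lists are illustrative assumptions; a human reviewer makes the final call.
"""
from dataclasses import dataclass, field

# Sensitive categories under Law 21.719 (socioeconomic situation is the
# Chilean addition). Keywords are constructed assumptions for this demo.
SENSITIVE_KEYWORDS = {
    "health": ["diagnosis", "medical", "isapre", "health insurer", "disability"],
    "biometric": ["fingerprint", "facial", "iris scan"],
    "racial_ethnic_origin": ["ethnicity", "ethnic", "indigenous"],
    "affiliation": ["union", "political party", "trade association"],
    "beliefs": ["religion", "dietary restriction", "philosophical"],
    "sexual_life": ["sexual orientation", "sex life"],
    "socioeconomic": ["income", "credit assessment", "debt", "ability to pay"],
}


@dataclass
class Activity:
    """One RAT entry: what is processed, why, on what basis, and where it goes."""
    name: str
    purpose: str
    data_elements: list
    legal_basis: str
    international_transfer: bool = False
    sensitive_categories: set = field(default_factory=set)


def classify(activity):
    """Tag the activity with every sensitive category its data elements touch."""
    found = set()
    for element in activity.data_elements:
        text = element.lower()
        for category, keywords in SENSITIVE_KEYWORDS.items():
            if any(keyword in text for keyword in keywords):
                found.add(category)
    activity.sensitive_categories = found
    return found


def required_measures(activity):
    """Derive the follow-up items the article lists for sensitive processing."""
    if not activity.sensitive_categories:
        return []
    measures = ["reinforced_security", "assess_dpia_need"]
    # Consent is the rule; any other basis must be a justified, narrow exception.
    if activity.legal_basis != "consent":
        measures.append("justify_exception_to_consent")
    # Cross-border flows of sensitive data carry greater exposure.
    if activity.international_transfer:
        measures.append("review_international_transfer")
    return measures


def build_report(activities):
    """Classify every activity and return {name: {categories, measures}}."""
    report = {}
    for activity in activities:
        classify(activity)
        report[activity.name] = {
            "categories": sorted(activity.sensitive_categories),
            "measures": required_measures(activity),
        }
    return report


# Constructed sample RAT entries echoing the article's own examples.
SAMPLE_RAT = [
    Activity("job_application", "recruitment",
             ["name", "email", "isapre affiliation"], "consent"),
    Activity("event_registration", "catering",
             ["name", "dietary restrictions"], "contract"),
    Activity("credit_scoring", "lending",
             ["income", "credit assessment"], "consent",
             international_transfer=True),
    Activity("newsletter", "marketing", ["email"], "consent"),
]

if __name__ == "__main__":
    for name, entry in build_report(SAMPLE_RAT).items():
        print(name, entry)
```

Run it as-is to see which sample activities are flagged; the newsletter entry stays unflagged, which is the point of running every activity through the same check rather than only the ones that look risky.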
How to protect it in your organization
With sensitive data already identified, protection is built by combining legal, technical, and organizational measures. The goal is twofold: to reduce the likelihood of an incident and to be in a position to demonstrate due diligence if the Agency requests it or if a breach occurs that you must report.
It is advisable to support this work with the roles and mechanisms that the law itself contemplates. Appointing a Data Protection Officer (DPO) when applicable, organizing the relationship between the data controller and the data processor, preparing for the duty to report breaches, and having processes to handle ARSOP rights (Access, Rectification, Suppression or Cancellation, Objection, and Portability) are the pieces that sustain compliance day to day.
- Apply the principle of minimization: collect only the sensitive data that is essential for the purpose.
- Reinforce security: encryption, role-based access control, audit logs, and secure backups.
- Carry out a DPIA for the highest-risk sensitive processing activities and document the measures adopted.
- Manage consent in a traceable way and facilitate the exercise of ARSOP rights.
- Prepare your breach notification protocol, bearing in mind that an incident involving sensitive data is more serious.
What you risk if you do not protect it
From December 1, 2026, enforcement is full, and the Personal Data Protection Agency can impose sanctions according to the seriousness of the infringement: fines of up to 5,000 UTM for minor infringements, up to 10,000 UTM for serious ones, and up to 20,000 UTM for the most serious. Given the potential harm involved, the improper processing of sensitive data is among the situations that are most worth preventing.
Beyond the fine, a breach or improper use of sensitive data erodes the trust of customers, employees, and partners, and can carry a reputational cost that is hard to reverse. Getting ahead is not only about avoiding a sanction: it is about building intelligent trust and sustaining the relationship with those who share their most intimate information with you.
Do you process sensitive data in your company?
At AlayIAtrust we help you identify your sensitive data, build your RAT, run Impact Assessments, and safeguard your operation before the full enforcement of Law 21.719. Let's talk about your case.
Frequently asked questions
What is sensitive personal data under Law 21.719?
It includes, among others, health data, the biological profile and biometric data, racial or ethnic origin, union, political or trade affiliation, religious or philosophical beliefs, and sexual life and orientation. In the Chilean case, the data subject's socioeconomic situation is also considered sensitive.
Why does sensitive data carry a stricter standard?
Because its improper use can cause discrimination or serious harm to the person. That is why the general rule for processing it is free, informed, and unequivocal consent, reinforced security measures are expected, and the highest-risk processing activities often require a Data Protection Impact Assessment (DPIA).
Do I always need consent to process sensitive data?
As a general rule, yes: the data subject's consent is the primary legal basis for sensitive data. The law contemplates exceptions, but they are narrow and should be interpreted restrictively, so it is advisable to thoroughly document the legal basis for each processing activity.
How do I protect the data of children and adolescents?
By processing it with reinforced protection: place the best interests of the minor at the center of every decision, provide clear, age-appropriate information to them and to their representatives, limit collection to what is necessary, and apply stricter security controls. This is especially relevant for schools, educational platforms, apps, and services aimed at minors.