The essentials in 30 seconds
- Law 21.719 provides for the figure of the Data Protection Officer (DPO).
- It is not mandatory for everyone: whether it is required depends on the nature, the volume and the risk of the processing.
- It is required —or strongly recommended— when there is sensitive data at large scale, systematic monitoring of individuals or in public bodies.
- It can be internal or external (DPO as a service). For many SMEs, external is more efficient.
- Even when it is not mandatory, appointing someone responsible is the best way to demonstrate proactive accountability.
"Do I have to hire someone just for this?" That is the first reaction of many companies when they hear about the DPO. The short answer is: it depends —and it is worth understanding what it depends on, because appointing (or not) a Data Protection Officer has concrete effects in an audit. If you want the full legal picture, start with the definitive guide to Law 21.719.
What the DPO (Data Protection Officer) is
The Data Protection Officer —DPO for short— is the person or service that ensures the organization processes personal data in accordance with the law. It is neither a purely technical nor a purely legal role: it is a bridge between senior management, the areas that process data (marketing, HR, sales, IT), the data subjects and the Personal Data Protection Agency.
It is the Chilean equivalent of the DPO under the European GDPR. If you are interested in the comparison, we cover it in Law 21.719 vs GDPR.
Does Law 21.719 require you to have a DPO?
The law provides for the figure, but does not impose a single threshold for everyone. Whether it is mandatory is assessed according to the nature, the volume and the risk of the processing each organization carries out. In practical terms, there are three situations where appointing a DPO goes from "recommended" to "essential":
- When sensitive data is processed at large scale (health, biometric data, socioeconomic situation, among others).
- When the activity involves systematic observation or monitoring of individuals (profiling, scoring, tracking).
- In public bodies and in particularly regulated sectors.
For all other organizations, the appointment may not be strictly mandatory, but it remains the best way to demonstrate proactive accountability —the principle that runs through the whole of Law 21.719: complying is not enough, you must be able to demonstrate that you comply.
When is it required? A quick guide
This table guides the decision. It does not replace a case-by-case analysis —the real risk depends on the exact type and volume of data— but it helps you find your bearings:
| Type of organization | Does it need a DPO? |
|---|---|
| Public body | Yes, appointment expected |
| Clinic, medical center or laboratory (health data) | Yes, sensitive data at large scale |
| Banking, finance, insurance (scoring/profiling) | Yes, systematic monitoring |
| Retail / e-commerce with marketing and mass profiling | Strongly recommended |
| SME that processes customer and employee data | Recommended (internal or external) |
| Small company with minimal, low-risk processing | At least a designated person responsible |
Does your sector process sensitive data or carry out profiling? Review the specific approach for health, banking and finance or SMEs.
Internal vs external DPO
The law does not require the DPO to be an employee. It can be internal (someone on your team) or external (a specialized service, known as DPO as a service). Each option has its place:
- Internal DPO: knows the organization from the inside. It makes sense in large companies, with enough volume and complexity to justify a dedicated role.
- External DPO: brings specialized expertise without the cost of a full-time role, with independence and an up-to-date view of the regulatory framework. It is usually the most efficient option for SMEs and the mid-market.
In both cases there are three conditions the role must meet to be valid: expert knowledge, autonomy (the outcome of their analysis must not be dictated to them) and a direct line to senior management.
What functions the DPO performs
- Overseeing compliance with Law 21.719 within the organization.
- Advising the areas that process data and senior management.
- Acting as the point of contact with the Personal Data Protection Agency and with data subjects.
- Coordinating the handling of ARCO rights and breach management.
- Ensuring the Record of Processing Activities (RPA) and the impact assessments (DPIA) are maintained.
- Promoting a culture of privacy: training and internal policies.
What you risk if you do not appoint one
When the appointment is required and does not exist, a compliance gap arises: beyond the risk of a sanction, it weakens the company's defense in an audit, because there is no one to attest to the program or answer for it. Violations of Law 21.719 range from minor (up to 5,000 UTM) to most serious (up to 20,000 UTM); see the detail in fines and sanctions.
And even when the DPO is not mandatory, its absence shows: rights not answered on time, breaches managed in a rush and a record of processing activities that no one keeps up to date. The role exists, precisely, so that someone holds compliance as a responsibility and not as "what we do when we can."
How to get started
The first step is not to hire someone, but to find out whether you need one and to what extent. That is resolved with an assessment: what data you process, at what scale and with what risk. From there you decide whether an internal DPO, an external one or, at least, a designated person responsible with a clear plan is the right fit. We also cover this in the compliance checklist, under front 1: governance.
Not sure whether your company needs a DPO?
In a 30-minute assessment we evaluate your data processing and tell you whether one is required —internal or external— and where to start. No commitment.
Frequently asked questions
Is a DPO mandatory in Chile under Law 21.719?
Law 21.719 provides for the figure of the Data Protection Officer (DPO). Whether it is mandatory depends on the nature, the volume and the risk of the processing: it is required —or strongly recommended— when sensitive data is processed at large scale, when there is systematic monitoring of individuals or in public bodies. Even when it is not strictly mandatory, appointing someone responsible is a key measure of proactive accountability.
Can the DPO be external?
Yes. The DPO can be an internal employee or an external service (DPO as a service). What matters is that they have expert knowledge, autonomy to carry out their role, sufficient resources and a direct line to senior management. For many SMEs, an external DPO is more efficient than creating the role internally.
What functions does the DPO perform?
Overseeing compliance with Law 21.719, advising the organization, acting as the point of contact with the Personal Data Protection Agency and with data subjects, coordinating the handling of ARCO rights and breach management, and ensuring the record of processing activities and impact assessments are maintained.
What does my company risk if it does not appoint a DPO when required?
When the appointment is required, not having a DPO is a compliance gap that may lead to a sanction and weakens the company's defense in an audit. Even when it is not mandatory, its absence usually translates into a lack of coordination: rights not answered on time, poorly managed breaches and an outdated record of processing activities.