The essentials in 30 seconds
- Law 21.719 has extraterritorial scope: it reaches you even if you are outside Chile when you offer goods or services to individuals in Chile or monitor their behavior within the country.
- To transfer data abroad you need a valid mechanism: a country with an adequate level of protection, contractual clauses or binding corporate rules (BCRs).
- There are exceptions (express consent, performance of a contract, public interest), but they do not replace due diligence or documentary evidence.
- The golden rule: inventory flows → assess the destination → choose the mechanism → document and secure.
- Compliance is mandatory from December 1, 2026; violations can reach 20,000 UTM (60,000 with recidivism).
If your company has operations, vendors or users outside Chile, there are two questions you cannot leave unanswered: does Law 21.719 reach you while you are outside the country, and which mechanisms are valid for moving data abroad without falling out of compliance? In this article we answer both in a practical way, with operational steps and a ready-to-use checklist. For an overview of the regulation, see our definitive guide to Law 21.719.
1) Executive summary
Law 21.719 modernizes data protection in Chile and creates the Personal Data Protection Agency. Compliance is mandatory from December 1, 2026 (the law was published on December 13, 2024, with a 24-month adjustment period). It aligns principles and obligations with frameworks such as the GDPR, requires proactive accountability, transparency, and security, and specifically regulates international transfers of personal data.
For companies with operations, vendors, or users outside Chile, two issues are critical: extraterritorial scope (when the law applies if you are outside Chile) and the valid mechanisms for transferring data to other countries. If you come from the European world, it helps to review the differences between Law 21.719 and the GDPR.
2) Territorial scope and extraterritoriality
The law applies to controllers or processors established in Chile and also, on an extraterritorial basis, to those who, while located abroad, process data of individuals who are in Chile, when they offer goods or services to those individuals or monitor their behavior within the country. In practice, if you direct your service to users in Chile or process the data of Chileans in that context, the law reaches you even if you are based abroad.
Operational consequence: if your headquarters are outside Chile but you acquire customers in Chile, you must map which processing activities are carried out with respect to individuals in Chile, identify the legal basis, and align your contracts and policies with Law 21.719.
3) International transfers: conditions and mechanisms
Law 21.719 permits transferring personal data outside Chile when the destination meets conditions that ensure an adequate level of protection. Typical mechanisms include:
- Countries with an adequate level of protection, recognized by the authority.
- Contractual clauses that ensure equivalent rights and safeguards.
- Binding corporate rules for corporate groups (BCRs).
- Other instruments that the Agency or future regulation may specify.
Practical recommendation: before transferring, assess the legal framework of the recipient country, the vendor's role, and the technical safeguards (encryption, access control, segregation), then document the decision.
The list of countries with an adequate level of protection and the standard clause models will be specified by the Personal Data Protection Agency through subsequent regulation. In the meantime, prioritize robust contractual mechanisms and keep the flexibility to incorporate the instruments the authority defines.
4) Exceptions that enable a transfer
In addition to the mechanisms above, the law provides for situations that allow a transfer without going through an "adequate country" or standard clauses, for example:
- Express consent from the data subject, informed of the risks.
- Performance of a contract with the data subject or pre-contractual measures at their request.
- Public interest or compliance with obligations arising from international treaties.
These exceptions do not replace due diligence: you must assess proportionality, necessity, and mitigation measures, and maintain a documentary trail.
5) Operational steps to comply when transfers are involved
- Inventory and data map. Identify which personal data leaves Chile, for what purposes, to which countries, and with which vendors.
- Legal basis and minimization. Verify that the processing has a lawful basis and that you transfer only what is necessary.
- Assess the destination. Review the regulatory framework of the recipient country, security controls, and the vendor's track record.
- Select the mechanism. Adequacy, contractual clauses, BCRs, or another valid safeguard; include security and incident-notification clauses.
- Transparency. Update the privacy policy: purposes, legal basis, third parties, countries, and data subject rights.
- Security. Encryption in transit and at rest, access control, vulnerability management, testing, and audits.
- Records and evidence. Maintain a ROPA / record of processing activities, assessments, and contracts; this demonstrates accountability.
- Incident protocol. Define how to assess, mitigate, and notify breaches affecting transferred data.
6) What to review in contracts with vendors (processors)
- Purpose and obligation to follow instructions. The processor will only process data according to your documented instructions.
- Security measures. Minimum standards, encryption, access controls, logging, and auditing.
- Sub-processors. Conditions for their use and an up-to-date list of sub-processors.
- Locations. Countries where data is stored or accessed.
- Incidents. Notification timelines "without undue delay," minimum content, and cooperation.
- Return or deletion. Upon termination of the service, verifiable return or erasure.
7) Interaction with the GDPR and other regulations
If you already comply with the GDPR or LGPD, you will have a head start: principles, records, DPIAs, transparency, and security are convergent. Even so, review the local nuances of Law 21.719 (definitions, rights, sanctions, and the role of the Agency) and adapt your texts and procedures to the Chilean terms. We analyze the differences point by point in Law 21.719 vs. the GDPR.
8) Breach notification when transfers are involved
If a breach affects data that has been transferred or is located abroad, assess the risk to data subjects in Chile. If the threshold is met, you must notify the authority and, where applicable, the affected individuals. Plan for contractual coordination to receive alerts from the vendor in time so you can meet the obligation to report without undue delay.
9) Quick checklist (international transfer)
- Have you identified the data, purposes, countries, and vendors involved?
- Have you confirmed the legal basis and minimization?
- Have you assessed the recipient country's framework and the safeguards?
- Do you have contractual clauses or BCRs in place where there is no "adequacy"?
- Have you updated the privacy policy and the record of processing activities?
- Can you demonstrate security proportionate to the risk (encryption, access, auditing)?
- Is there an incident protocol with timelines and minimum content?
Frequently asked questions
Does Law 21.719 apply to me if I am outside Chile?
Yes, if you offer goods or services to individuals who are in Chile or monitor their behavior within the country. In that case, you must comply with respect to the processing carried out on individuals in Chile, even if your headquarters are abroad.
Can I transfer data to any country if I have consent?
Express consent may enable the transfer, but you must inform the data subject of the risks and maintain security measures and documentary evidence. It is always advisable to assess whether more robust mechanisms exist, such as countries with an adequate level of protection, contractual clauses or binding corporate rules (BCRs).
What sanctions apply for non-compliance with Law 21.719?
Violations are classified as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM). In case of recidivism the fine can be tripled—up to 60,000 UTM—or a percentage of annual revenue from sales and services in Chile (2% for serious recidivism and 4% for most-serious) for companies that are not small businesses, in addition to corrective measures and reputational exposure. We detail the full regime in Fines and sanctions under Law 21.719.
How do I reflect international transfers in my privacy policy?
Include purposes, legal basis, data categories, third parties, countries or the criteria for determining them, retention periods, rights and contact channels. If you use cloud vendors, identify their role and the safeguards applied to the transfer.