The essentials in 30 seconds
- The Personal Data Protection Agency audits and sanctions from December 1, 2026.
- The principle that frames everything is accountability: it is not enough to comply; you must be able to demonstrate that you comply.
- The first thing requested is the RoPA and the documentary evidence: policies, consents, agreements, breaches, DPIA and training.
- An Infringement Prevention Model and a documented program act as a mitigating factor.
- Obstruction and a complete lack of documentation aggravate liability.
An audit is not an ambush: it is a verification. The authority wants to confirm that the organization processes personal data in accordance with the law and, above all, that it can demonstrate it. That is why preparation is not about "having everything perfect on the day of the visit," but about having built, beforehand, a program with traceability.
In this article we cover the Agency's powers, the documents it usually requests, how an inspection unfolds and what you can do today to arrive calm. If the scope of the law isn't clear yet, start with the definitive guide to Law 21.719; and to organize your preparation, use the compliance checklist.
1. What the Agency is and its powers
The Personal Data Protection Agency is the supervisory authority created by Law 21.719. It is the body responsible for overseeing compliance and has powers to audit, open proceedings and apply sanctions. In practice, it concentrates the supervisory power that previously was scattered or simply did not exist with this force.
Its powers include requesting information, conducting inspections, ordering corrective measures and resolving data subject complaints. The sanctions regime behind those powers classifies infringements as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and very serious (up to 20,000 UTM), with aggravation for recidivism. We analyze that regime in detail in fines and sanctions of Law 21.719.
2. When and why you can be audited
An audit can originate in different ways. Knowing them helps you understand the risk:
- A data subject complaint: a person who believes their rights were violated files a complaint.
- A breach notification: a reported security incident can trigger a review.
- Ex officio audit: the Agency itself initiates the review, sometimes by sector or by the risk level of the processing.
- Media coverage or a pattern of complaints: public situations that draw the authority's attention.
The practical message: you don't need to “do something wrong” to be audited. It's enough for someone to complain or for your sector to come into focus. That's why preparation is preventive, not reactive.
3. What documents they'll request
This is the core of the article. When the Agency reviews an organization, it looks for evidence that data processing is under control. This is the “compliance folder” worth having ready:
- Records of Processing Activities (RoPA): what data you process, for what purpose, on which lawful basis, with whom you share it and how long you keep it. Usually the first thing requested.
- Policies and procedures: privacy policy, internal data-handling policies and documented procedures.
- Consent records: proof of when, for what and how consent was obtained, when that is the lawful basis.
- Processor agreements (DPA): agreements with the third parties that process data on your behalf, with data protection clauses.
- Breach log: an incident record and evidence of the notifications made on time.
- Impact assessments (DPIA): for high-risk processing.
- DPO / owner appointment: who is responsible for data protection and with what mandate.
- Training evidence: records of who was trained, when and on what.
- International transfer documentation: what data leaves Chile and under what guarantees.
Pattern to remember: every obligation in the law has a document that proves it. If the document doesn't exist, in the Agency's eyes the obligation wasn't met, even if in practice it was. That is the essence of accountability.
4. How an audit unfolds
Although every case is different, an inspection usually follows a recognizable sequence:
- Initial request: the Agency requests information and documentation within a set deadline.
- Evidence analysis: what was provided is reviewed and contrasted with the reality of the processing.
- Additional requests or inspection: clarifications, interviews or a visit may be requested.
- Findings and responses: if non-compliance is detected, the organization can present its responses and evidence.
- Resolution: it closes without observations, with corrective measures or with a sanction, depending on the case.
The quality and timeliness of your responses matter. An organization that delivers orderly evidence on time projects a mature program; one that improvises, the opposite.
5. Accountability: the principle that protects you
Accountability is the backbone of Law 21.719. It means the burden of demonstrating compliance falls on whoever processes the data. It's not enough to state “we comply”: you must be able to show it with records, policies and traceability.
Properly understood, this principle is good news. It turns compliance into something you can build: every document you generate today is an argument in your favor tomorrow. That's why the RoPA, consent records and breach log are not bureaucracy, but your best defense.
6. Mitigating factors and the Infringement Prevention Model
The law contemplates circumstances that can mitigate liability. Among the most relevant:
- Certified Infringement Prevention Model: having one acts expressly as a mitigating factor.
- Documented, living program: evidence of a serious, sustained compliance effort.
- Cooperation with the authority: responding on time, providing evidence and remediating.
- Timely corrective measures: fixing what's detected without delay.
The reverse is also true: recidivism and obstruction aggravate. That's why it's best to treat each finding as a documented improvement opportunity, not a problem to hide.
7. Mistakes that aggravate your situation
- Not being able to show a RoPA or basic compliance evidence.
- Not having notified a breach to the Agency without undue delay and by the most expedient means.
- Not handling data subject rights or doing so late.
- Obstructing the audit or providing incomplete or late information.
- Processing data without a lawful basis or with invalid consents.
8. How to prepare today
Don't wait for the request to put your house in order. These actions reduce risk directly:
- Build and keep the RoPA current; it's your first deliverable.
- Assemble a compliance folder with all the documents listed in section 3 ready to hand over.
- Test your breach plan with a drill.
- Verify that your ARSOP rights process responds on time (see how to respond to ARSOP requests).
- Formally appoint the owner or DPO and keep a record of training.
Would your company withstand an audit today?
A Law 21.719 assessment simulates the Agency's lens and shows you exactly which evidence you're missing. 30 minutes, no commitment.
Frequently asked questions
What is the Personal Data Protection Agency?
It is the supervisory authority created by Law 21.719 to oversee personal data protection in Chile. It has powers to audit compliance, open proceedings and apply sanctions. It begins exercising its supervisory role from December 1, 2026.
What documents can it request in an audit?
Typically it requests the evidence of accountability: the Records of Processing Activities (RoPA), policies and internal procedures, consent records, processor agreements (DPA), the breach log, impact assessments (DPIA), the DPO appointment and training evidence.
Does having an Infringement Prevention Model help?
Yes. Having a certified Infringement Prevention Model acts as a mitigating factor. Beyond certification, demonstrating a documented, living program —even if not everything is perfect— evidences accountability and improves the organization's position.
What mistakes aggravate the situation?
Not being able to show a RoPA or compliance evidence, not having notified a breach without undue delay, not handling data subject rights, and obstructing the audit. A complete lack of documentation and obstruction aggravate liability.