The essentials in 30 seconds
- Law 21.719 modernizes personal data protection in Chile and is inspired by the European GDPR.
- It was published on December 13, 2024 and compliance is mandatory from December 1, 2026.
- It applies to every organization—public or private, large or SME—that processes personal data in Chile.
- Fines reach up to 20,000 UTM and triple on recidivism (up to 60,000 UTM or a percentage of revenue).
- The path: gap assessment → policies and consent → technology → continuous improvement.
In an increasingly digitalized world, protecting personal data is no longer a technical matter—it is a business priority. Chile is no exception: with the enactment of Law 21.719, the country took a momentous step to safeguard people's privacy and align with the most demanding international standards. This legislation completely modernizes the previous legal framework and changes the way companies must handle personal information.
Its implementation is not only a legal obligation: it is an opportunity to strengthen trust with your clients and ensure the sustainability of your business. In this guide we break down everything you need to know—from the fundamentals to the practical steps—to comply in time and avoid the costly fines associated with non-compliance. For an overview of our services, see our Law 21.719 page.
1. What exactly is Law 21.719?
Law 21.719, published on December 13, 2024, is Chile's new legislation governing the protection and processing of personal data. Its main objective is to strengthen the rights of data subjects and establish a robust legal framework for how data is handled by companies, public and private institutions, and even individual developers. After a 24-month adjustment period, compliance is mandatory from December 1, 2026, the date on which the new Personal Data Protection Agency may audit and sanction.
In essence, the law requires that any entity that collects, stores, uses or transfers personal data do so transparently, securely and with the explicit consent of the data subject. Having a generic privacy policy is no longer enough: organizations must now be proactive, clearly informing people what their data will be used for and allowing individuals to exercise control over it.
Comparison with the previous law (19.628)
Law 21.719 does not fully repeal the former Law No. 19.628 of 1999 on Protection of Private Life; instead, it amends and complements it. However, it radically changes the approach and gives data protection far greater prominence. While 19.628 had become obsolete and limited in scope, 21.719 introduces fundamental principles and stricter obligations. The key differences include:
- Explicit consent: it requires clear and unambiguous consent, in contrast to the implied consent allowed under the previous law.
- Expanded rights: it strengthens data subject rights (access, rectification, cancellation and objection) and introduces the right to data portability.
- Personal Data Protection Agency: it creates an autonomous oversight body with the power to supervise compliance and impose sanctions.
- Guiding principles: lawfulness, purpose, proportionality, quality, security and proactive accountability.
Comparison with the European GDPR
Law 21.719 is strongly inspired by and aligns closely with the European Union's General Data Protection Regulation (GDPR), one of the strictest privacy frameworks in the world. This similarity is no accident: Chile seeks to facilitate data exchange with countries that already meet high standards. The main similarities include free and informed consent, data subject rights, proactive accountability, impact assessments and the notification of security breaches.
This alignment positions Chile as a regional benchmark, but it imposes an adaptation challenge. If your company already complies with the GDPR or has international operations, we recommend reviewing our detailed comparison in Differences between Law 21.719 and the GDPR.
2. Who is affected and what does it mean for Chilean companies?
Law 21.719 has a broad scope and affects any entity—a natural or legal person, public or private—that processes personal data in the national territory. This includes everything from large corporations to SMEs, entrepreneurs and non-profits. If your company collects, stores, uses or transfers any information that can identify a person, this law applies to you.
Specific legal obligations
The law imposes obligations on both the data controller (who decides on the processing) and the data processor (who processes data on the controller's behalf). The most relevant ones:
- Lawfulness principle: all processing must have a clear legal basis, with consent being the most common.
- Purpose principle: data must be collected for specific, explicit and legitimate purposes.
- Proportionality and minimization: collect only the data that is strictly necessary.
- Quality: data must be accurate, complete and up to date.
- Security: implement appropriate technical and organizational measures.
- Transparency and information: clearly inform how, why and for how long data is collected.
- Record of processing activities: keep a detailed record of all activities.
- Impact assessments (DPIAs): mandatory for high-risk processing.
- Breach notification: inform the Agency and, in certain cases, the affected individuals.
Types of protected data
The law protects personal data, meaning any information relating to an identified or identifiable person: identification (name, national ID), contact, financial, health, biometric, genetic, location and online behavior data. It grants reinforced protection to sensitive data (racial origin, political ideology, beliefs, health, sexual life, biometric and genetic data), whose processing requires explicit and reinforced consent.
In practice, this directly affects areas such as Human Resources (employee data), Marketing and Sales (databases and cookies), Customer Service (recordings and chats) and E-commerce (payment and shipping data). The law requires a paradigm shift: moving from a reactive approach to a proactive one, integrating privacy by design and by default across all operations.
3. Steps to effectively comply with Law 21.719
Compliance is not a one-time event but an ongoing process that requires a structured approach and the adaptation of internal practices. These are the key steps:
1. Initial gap assessment
The first step is to understand where your company stands today against the new law. The assessment should include a data inventory (what is collected, where it is stored, who accesses it and who it is shared with), an end-to-end process mapping, an analysis of current legal bases, a review of third-party contracts and a risk assessment. It is the foundation on which everything else is prioritized; you can see how we approach it with real clients in our case studies.
2. Implementing policies and procedures
With the gaps identified, you develop and implement: a clear and accessible privacy policy, internal data-handling policies, procedures for the exercise of data subject rights, a security incident response plan, and confidentiality and data processing agreements with employees and third parties.
3. Consent management
Consent is the cornerstone of the law. Implied or tacit consent is no longer valid. It must now be freely given (without coercion), specific (for defined purposes), informed, unambiguous (through a clear affirmative action) and revocable as easily as it was given. Companies must review all collection points—web forms, contracts, mobile apps—and keep a record of consent.
4. The role of the Data Protection Officer (DPO)
The DPO is an expert who acts as the point of contact between the company, the data subjects and the Agency. They advise on obligations, oversee compliance, handle inquiries, collaborate with the Agency and carry out internal audits. Whether the role is mandatory depends on the nature and scale of processing, but having one—internal or external—is key to demonstrating proactive accountability.
4. Technology and compliance
Complying with such a complex regulation can seem overwhelming, especially if you handle large volumes of data or lack specialized legal and IT teams. Technology is an indispensable ally: it automates tasks, manages consent and provides the traceability needed to demonstrate compliance. Privacy Management Platforms (PMPs) typically cover:
- Data mapping and discovery: automatically identify and classify personal data across your systems.
- Consent management: collect, record and manage consent and cookie preferences in a granular way.
- Data subject rights requests (DSAR): automate the receipt, verification and response to data subject requests.
- Impact assessments (DPIAs): guide risk assessment for high-risk projects.
- Incident management: document and notify breaches without undue delay.
- Vendor management: assess the risk of third parties with access to data.
- Policy automation: generate and keep notices and policies always up to date.
Why OneTrust is the recommended leading tool
Within the ecosystem of solutions, OneTrust has established itself as the leading platform globally. The reasons:
- Comprehensive coverage: an all-in-one suite that covers privacy, security and data governance.
- Scalability and adaptability: it serves companies of all sizes and is configured for a variety of global regulations.
- Cutting-edge technology: it incorporates AI and automation to simplify complex tasks.
- Market recognition: a consistent leader in the Gartner Magic Quadrant.
- Community and support: a vast network of users, partners and experts.
- Strategic alliances: local partners such as AlayIAtrust in Chile provide expert guidance within the national regulatory context.
Implementing a platform like OneTrust alongside an expert partner not only eases compliance: it turns privacy management into a competitive advantage. We go deeper into the how in Implementing OneTrust in Chile.
5. Risks and fines for not complying with the law
Non-compliance with Law 21.719 can have severe consequences. Beyond reputational damage, companies are exposed to significant financial penalties. The law classifies violations into three categories, with fines expressed in Monthly Tax Units (UTM) that increase progressively:
| Category | Base fine | Recidivism |
|---|---|---|
| Minor | Warning or up to 5,000 UTM | The fine can be tripled |
| Serious | Up to 10,000 UTM | Up to triple, or 2% of annual revenue from sales and services in Chile* |
| Most serious | Up to 20,000 UTM | Up to triple (60,000 UTM), or 4% of annual revenue from sales and services in Chile* |
*The percentage calculation on revenue only applies to companies that do not qualify as small businesses under Law 20.416. The law also provides for accessory sanctions (such as the temporary suspension of processing activities) and the publication of sanctions in a national registry. Having a certified Infringement Prevention Model acts as a mitigating factor.
The most common sanctionable conduct includes processing data without a legal basis, failing to uphold data subject rights, a lack of security measures resulting in a breach, failing to notify breaches without undue delay, international transfers without safeguards and obstructing the Agency's work. We analyze the full regime in Fines and sanctions under Law 21.719.
Notable international cases
Because the Chilean law is inspired by the GDPR, European cases anticipate how strict the authorities can be:
- Google (France, 2019): EUR 50M for lack of transparency and valid consent in ad personalization.
- British Airways (United Kingdom, 2019): a proposed GBP 183M for a breach that affected half a million customers.
- H&M (Germany, 2020): EUR 35.3M for unlawful monitoring of employees.
- Amazon (Luxembourg, 2021): a record fine of EUR 746M for its data processing for advertising purposes.
To understand the real impact of a leak—and how it could have been prevented—see Real data breach stories.
Conclusion
Law 21.719 is an unavoidable reality in Chile and its impact is profound and transformative. Beyond the legal obligations and the risk of fines, it represents a unique opportunity to build a relationship of greater trust and transparency with your clients, strengthening your reputation and positioning you as a leader in a market that is increasingly privacy-conscious.
The time to adapt is now. Preparing in advance will not only allow you to comply with the law before December 1, 2026, but also optimize your processes, improve the security of your information and ensure the sustainability of your business in the digital age.
Ready to ensure your company's compliance?
Specialists in Law 21.719 and a OneTrust partner in Chile. 30-minute assessment, no obligation.
Frequently asked questions about Law 21.719
When does Law 21.719 take effect?
It was published on December 13, 2024, and full compliance begins on December 1, 2026, after a 24-month adjustment period. From that date the Personal Data Protection Agency may audit and sanction.
Who does Law 21.719 apply to?
To any natural or legal person, public or private, that processes personal data in Chile: from large corporations to SMEs, entrepreneurs and non-profits. If you collect, store, use or transfer data that identifies a person, the law applies to you.
What are the fines for non-compliance?
Violations are classified as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM). In case of recidivism the fine can be tripled—up to 60,000 UTM—or a percentage of annual revenue from sales and services in Chile (2% for serious recidivism and 4% for most-serious) for companies that are not small businesses.
Is a Data Protection Officer (DPO) mandatory?
The DPO role is included in the law and whether it is mandatory depends on the nature and scale of processing. Even when not mandatory, having an internal or external DPO is a key measure to demonstrate proactive accountability and coordinate compliance.
How does it differ from the European GDPR?
Law 21.719 is strongly inspired by the GDPR: both share free and informed consent, data subject rights, proactive accountability, impact assessments and breach notification. The main differences are in the amounts and calculation basis of the fines (in UTM and on revenue in Chile) and in the design of the supervisory authority.
Where should a company start?
With a gap assessment: inventory what data is processed, where it is stored and who it is shared with; map processes; review legal bases and third-party contracts; and assess risks. From that diagnosis you prioritize policies, consent management, rights handling and security measures.