← Back to blog

From Law 19.628 to Law 21.719: What Really Changes

Law 19.628 governed Chile for a quarter of a century without a specialized supervisory authority to enforce it. Law 21.719, published on December 13, 2024, with full enforcement starting December 1, 2026, changes that equation entirely: it creates the Personal Data Protection Agency, defines enforceable rights, and establishes penalties that carry real weight. This is the comparison that matters.

Law 21.719

The essentials in 30 seconds

  • Law 19.628, enacted in 1999, was designed for a world of registries and files that predated the internet: it stated obligations, but it never had a specialized supervisory authority or a penalty regime with any deterrent effect.
  • Law 21.719 creates the Personal Data Protection Agency, with powers to audit and impose penalties. For the first time, there is a real institutional counterpart.
  • Concrete management instruments appear: a Record of Processing Activities (RAT), a Data Protection Impact Assessment (DPIA), a Data Protection Officer (DPO), differentiated controller and processor roles, and the duty to report breaches.
  • The penalty regime escalates to 5,000, 10,000, or 20,000 UTM depending on severity, and a National Registry of Sanctions is established.
  • The fundamental change is proactive accountability, a principle the law borrows from the European GDPR: declaring that you comply is no longer enough, you have to be able to prove it with evidence.

The same sentence comes up in almost every first meeting with a company: we already comply with the data protection law. It almost always means the same thing: there is a privacy policy published on the website, a consent checkbox on some form, and the comfort of knowing that no one has ever complained. For twenty-five years, under Law 19.628, that was enough in practice. With Law 21.719, it stops being enough. If you want the full picture, start with our guide to the data protection law in Chile.

This is not a change in wording or a cosmetic update to the previous text. It is a change of model: from a declarative rule to a system with an authority, verifiable obligations, and consequences. In this article we compare both laws across the dimensions that genuinely move the needle, and we close with the gaps that emerge when a company measures its inherited compliance against what the new standard requires.

What Law 19.628 Did and the World It Was Designed For

When Law 19.628 was published in 1999, Chile put in writing that personal data deserves protection at a time when the subject was barely part of the public conversation. That merit is real and worth acknowledging before criticizing it. The problem was not its intent, but the world it was written for: a world of archives, registries, and databases consulted on an occasional basis, long before a person's commercial, employment, and financial life became scattered across dozens of interconnected systems.

In that context, Law 19.628 worked primarily as a statement of principles: it established that people have a say over their own information. But its architecture assumed processing that was identifiable, stable, and low in volume. It did not anticipate digital platforms, profiling, large-scale analytics, cloud providers, or international data flows as the everyday practice of any mid-sized company.

The result was a rule that aged quickly. As data processing became a core function of virtually every business, the distance between what the law described and what actually happened in day-to-day operations grew wider and wider.

The Limits of Law 19.628: Obligations Without Consequences

A legal framework needs three things to work: clear rules, someone to supervise them, and consequences when they are breached. Law 19.628 had the first only partially, and lacked the second and the third at the scale required.

Without a specialized supervisory authority, there was no dedicated body to interpret the rule, set common criteria, audit on its own initiative, or receive complaints with any real capacity to resolve them. The burden of reacting fell almost entirely on the affected individual, who rarely had the time, the information, or the incentives to do so.

And without a substantial penalty regime, non-compliance was cheap. When the expected cost of non-compliance approaches zero, data protection stops being a management decision and becomes a formality: you draft a policy, publish it, and consider the matter closed. For years, that was what compliance meant in Chile.

  • No specialized authority: no one with a dedicated mandate to interpret the rule, set criteria, or audit on its own initiative.
  • No substantial penalties: non-compliance carried no cost capable of changing a business decision.
  • Burden on the data subject: the affected individual had to pursue any complaint on their own.
  • No management instruments: it did not contemplate figures such as the record of processing activities, the impact assessment, or the data protection officer.
  • Pre-internet design: the rule was not conceived for large-scale, automated, or outsourced processing.

What Law 21.719 Actually Introduces

Law 21.719, published on December 13, 2024, does not update the previous text: it changes the model. It moves from a declarative logic to a logic of verifiable management, with institutional backing and associated consequences. Full enforcement begins on December 1, 2026, and in our experience that is the deadline most companies are underestimating.

The centerpiece is the creation of the Personal Data Protection Agency, with powers to audit and impose penalties. For the first time, there is an institutional counterpart: a body that can review how your company processes data. That single difference reorders everything else, because it turns every obligation into something someone can come and verify.

On that foundation, the law incorporates a set of concrete instruments, inspired by the European GDPR:

And above all of it stands the principle of proactive accountability: complying is not enough, you have to be able to demonstrate that you comply. Evidence stops being an accessory to the privacy program and becomes the program itself.

  • ARSOP rights: access, rectification, erasure, objection, and portability, enforceable against whoever processes the data, with the Agency as the authority responsible for supervising compliance.
  • Record of Processing Activities (RAT): the inventory of what data you process, for what purpose, who you share it with, and for how long.
  • Data Protection Impact Assessment (DPIA): the analysis of processing activities that pose a significant risk to individuals.
  • Data Protection Officer (DPO): a role with defined responsibility over the privacy program.
  • Breach notification: the duty to report incidents affecting personal data.
  • Differentiated controller and processor roles: your suppliers enter the equation and the relationship with them must be formalized.

A Conceptual Comparison: Law 19.628 vs. Law 21.719

If the change had to be summed up in one sentence, it would be this: Law 19.628 described a duty; Law 21.719 organizes a system. These are the dimensions where the difference becomes tangible:

Read together, these differences all point in the same direction. Data protection stops being a legal text in the website footer and becomes a process with an owner, evidence, internal deadlines, and auditing. It is a change in kind, not in degree.

  • Authority: before, no specialized body with real powers. Now, the Personal Data Protection Agency, which audits and imposes penalties.
  • Compliance logic: before, declarative (stating that you complied was enough). Now, proactive accountability (you have to prove it with evidence).
  • Rights: before, limited recognition with uncertain enforcement. Now, the ARSOP catalog, enforceable and supervised by the Agency.
  • Internal instruments: before, none defined. Now, RAT, DPIA, DPO, and breach notification.
  • Supplier chain: before, no clear operational distinction. Now, differentiated controller and processor roles, each with its own obligations.
  • Penalties: before, no real deterrent effect. Now, fines of up to 5,000, 10,000, or 20,000 UTM depending on severity, plus a National Registry of Sanctions.
  • Reference standard: before, an isolated local rule. Now, a law that draws on the European GDPR.

Fines and the National Registry of Sanctions: The End of Cheap Non-Compliance

The component that captures a board's attention fastest is the financial one. Law 21.719 establishes a penalty regime that escalates with the severity of the infringement: up to 5,000 UTM, up to 10,000 UTM, and up to 20,000 UTM at the highest tier. These are figures that change the conversation. They stop being an acceptable operating cost and become a risk the board has to confront directly.

The effect, moreover, is not only financial. The law provides for a National Registry of Sanctions, which places penalties on public record. For a company that sells trust, and today almost every company sells some measure of trust, that is a cost that is hard to quantify and even harder to reverse.

But the fundamental point is not the fine. It is that there is now someone with the power to verify, and real consequences tied to the outcome of that verification. That is exactly what Law 19.628 never had, and why breaching it never hurt.

If Your Company Thought It Complied With Law 19.628, This Is What Is Missing

The standard changed its object. Before, you were assessed on what you declared; now, you are assessed on what you can prove. And most organizations discover, once they do the exercise, that they are missing even the starting point: a reliable inventory of the data they process.

These are the gaps that appear most often when compliance inherited from Law 19.628 is measured against what Law 21.719 requires:

None of these gaps close in a week, and several depend on different areas: technology, legal, operations, and people. That is why December 1, 2026 is much closer than the calendar suggests.

  • There is no Record of Processing Activities: no one knows precisely what data exists, where it is, or who uses it.
  • Consent is used as the basis for everything, with no evidence of how it was obtained or which specific processing activities it covers.
  • There is no operational procedure to respond to ARSOP requests with traceability and within reasonable timeframes.
  • Suppliers that process data on the company's behalf have no contracts reflecting the controller-processor relationship.
  • No impact assessments have been carried out on the higher-risk processing activities.
  • There is no breach response plan covering detection, analysis, and notification.
  • There is no identifiable owner of the privacy program, nor evidence that the program works.

Conclusion: What Changes Is the Model, Not the Wording

Law 19.628 played a historic role: it put the subject on the table when almost no one was talking about it. Law 21.719 does what its predecessor could not: it gives it an institutional owner, an enforceable catalog of rights, concrete instruments, and consequences. By drawing on the GDPR, it also leaves Chilean companies speaking the same language as their international clients, partners, and suppliers.

For an organization that believed itself covered, the conclusion is uncomfortable but clear: compliance inherited from Law 19.628 does not automatically become compliance with Law 21.719. The work has to be redone starting from the inventory. The good news is that there is still time, and the effort pays off: a well-built privacy program does more than avoid fines, it also brings order to operations and sustains the trust that now defines the relationship with customers.

Is your compliance still anchored in Law 19.628?

We run a gap assessment against Law 21.719 and show you, with evidence, what is missing before December 2026. First assessment session at no cost.

Schedule an assessment

Frequently asked questions

What is the main difference between Law 19.628 and Law 21.719?

The main difference is not in the text, but in the model. Law 19.628, from 1999, stated obligations but never had a specialized supervisory authority or a deterrent penalty regime, so many of those obligations carried no real consequences. Law 21.719 creates the Personal Data Protection Agency, with powers to audit and impose penalties, defines a catalog of ARSOP rights, incorporates concrete instruments such as the Record of Processing Activities, the impact assessment, the Data Protection Officer, and breach notification, and establishes a penalty regime of up to 5,000, 10,000, or 20,000 UTM depending on severity.

If my company complied with Law 19.628, does it already comply with Law 21.719?

No. In practice, complying with Law 19.628 usually meant having a privacy policy published and a consent clause on your forms. Law 21.719 introduces the principle of proactive accountability: declaring that you comply is not enough, you have to be able to prove it with evidence. At a minimum, that requires an inventory of processing activities (RAT), a working procedure for handling ARSOP requests, contracts that reflect the relationship with your processors, impact assessments for higher-risk processing, and a breach response plan.

When can enforcement and penalties begin under Law 21.719?

Law 21.719 was published on December 13, 2024, and full enforcement begins on December 1, 2026. From that date, the Personal Data Protection Agency will be able to audit and apply the penalty regime. The intervening time is precisely the window to build the inventory, close gaps, and get the evidence in order, a job that involves technology, legal, operations, and people, and that cannot be resolved in the final weeks.

Is Law 21.719 the same as the European GDPR?

It is not the same, but it draws on it and shares its underlying logic: proactive accountability, rights that individuals can enforce, differentiated roles between controller and processor, instruments such as the record of processing activities and the impact assessment, and a supervisory authority with the power to impose penalties. That inspiration is good practical news: if your company already operates under the European standard, you start with an advantage, and if it does not, the work you do in Chile brings you closer to an internationally recognized framework.

You may also be interested in

Essential guide

Data Protection Law in Chile: the complete guide

Law 21.719

Law 21.719: the definitive guide to comply and avoid fines

Law 21.719

All the Law 21.719 deadlines: key dates

Next step

Is your company ready
for December 2026?

A no-obligation 30-minute assessment.

Request an assessment