The essentials in 30 seconds
- Law 21.719 is strongly inspired by the GDPR, but they are not identical.
- They share principles, data subject rights, proactive accountability, impact assessments and breach notification.
- The key differences are in territorial scope, the supervisory authority and the fines regime.
- Fines: the GDPR reaches EUR 20M or 4% of global turnover; Law 21.719 reaches 20,000 UTM (up to 60,000 for recidivism) or a percentage of revenue in Chile.
- Complying with the GDPR is a big advantage, but the Chilean law requires specific adaptations before December 1, 2026.
In the digital age, where data flows across borders, the protection of personal information has become a global concern and a legislative priority. Companies operating internationally face the challenge of complying with a range of privacy regulations, each with its own particularities. In this context, the European Union's General Data Protection Regulation (GDPR) has established a gold standard, influencing legislation around the world. With the enactment of its Law 21.719, Chile has taken a significant step to modernize its data protection framework, closely aligning it with the principles of the GDPR.
For companies with a presence or interests in Chile and Europe, understanding the similarities and, crucially, the differences between Law 21.719 and the GDPR is fundamental. It is not only about avoiding fines, but about building trust with customers and operating ethically in a global market. In this article we break down both regulations, offer a clear comparison table, and provide an essential guide so that international companies can effectively adapt to the Chilean requirements. For the full picture of the Chilean regulation, see our definitive guide to Law 21.719.
An overview: Law 21.719 and the GDPR
Before diving into the comparisons, it is essential to understand the essence of each regulation.
The GDPR: the global privacy standard
The General Data Protection Regulation (EU Regulation 2016/679) entered into force in May 2018 and is the strictest data privacy and security law in the world. Although it is a European Union law, its scope is extraterritorial, meaning that it affects any organization that processes the personal data of EU citizens, regardless of where it is located. Its fundamental principles include:
- Lawfulness, fairness, and transparency: data must be processed lawfully, fairly, and transparently.
- Purpose limitation: data must be collected for specified, explicit, and legitimate purposes.
- Data minimization: only the data that is strictly necessary should be collected.
- Accuracy: data must be accurate and kept up to date.
- Storage limitation: data must be kept only for as long as necessary.
- Integrity and confidentiality: data must be processed ensuring appropriate security.
- Accountability: organizations are responsible for demonstrating compliance.
The GDPR grants individuals a set of robust rights, including the rights of access, rectification, erasure (the right to be forgotten), restriction of processing, data portability, and objection. In addition, it imposes strict obligations on data controllers and processors, such as the need to obtain explicit consent, carry out impact assessments (DPIA), and notify security breaches.
Law 21.719: Chile's response to modern privacy
Law 21.719, published on December 13, 2024, is the new Chilean regulation governing the protection and processing of personal data. This law updates the former Law No. 19.628 and seeks to align Chile with international standards, including principles and rights similar to those of the GDPR. Its main objectives are to strengthen the rights of data subjects and to establish a robust legal framework for the handling of their data by any entity that processes personal data within the national territory.
The guiding principles of Law 21.719 are very similar to those of the GDPR, including lawfulness, purpose, proportionality, quality, security, and accountability. The law also broadens and strengthens data subjects' rights, recognizing the ARCO rights (Access, Rectification, Cancellation, and Objection) and the right to portability. A fundamental change is the creation of a Personal Data Protection Agency as the oversight body, with the power to monitor compliance and apply sanctions.
Key similarities
- Fundamental principles: both share lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
- Data subjects' rights: both grant robust rights over personal data, including access, rectification, erasure, objection, and portability.
- Explicit consent: in general, both require free, specific, informed, and unambiguous consent, especially for sensitive data.
- Impact assessments: both require assessments for high-risk processing (DPIA under the GDPR, EIPD under Law 21.719).
- Breach notification: the obligation to notify the supervisory authority and, in certain cases, the data subjects is common to both.
- The role of the DPO / data officer: both provide for a data protection officer, with differences in whether it is mandatory and in its title.
- International transfers: both regulate transfers to countries without an adequate level of protection, requiring safeguards.
Key differences
While the similarities are notable, the differences can have a significant impact on the compliance strategy of an international company:
- Territorial scope: the GDPR has a more explicit and broader extraterritorial scope. Law 21.719 applies to processing carried out in Chile, although it may also have implications for foreign companies that process the data of people in Chile or that offer goods and services in the country.
- Supervisory authority: the GDPR relies on the European Data Protection Board (EDPB) and authorities in each member state. Law 21.719 creates a new Personal Data Protection Agency as the sole national oversight authority.
- Amount and calculation basis of fines: GDPR fines can reach up to 20 million euros or 4% of annual global turnover, whichever is higher. Law 21.719 sanctions the most serious violations with up to 20,000 UTM, extendable to up to 60,000 UTM only for recidivism; the 2% or 4% percentage is calculated only on revenue from sales and services in Chile and only for recidivism of companies that are not small businesses. We go deeper in Fines and sanctions under Law 21.719.
- Legal basis: although both recognize several bases, the interpretation of each may vary. The GDPR is stricter in its definition of legitimate interest.
- Sensitive data: both define special categories, but the specific lists have slight variations.
- Implementation timelines: the GDPR has been in force since 2018. Law 21.719 was published on December 13, 2024, and compliance is mandatory from December 1, 2026.
Be careful comparing fines. A common mistake is to equate the GDPR's 4% (on global turnover) with Law 21.719. In Chile, the 2% or 4% percentage applies only in case of recidivism, only to companies that are not small businesses, and on revenue from sales and services in Chile, not on worldwide turnover. For most companies, the cap remains the UTM amount of the corresponding category.
Comparison table: Law 21.719 vs. GDPR
| Feature | Law 21.719 (Chile) | GDPR (European Union) |
|---|---|---|
| Publication / entry into force | Published Dec. 2024 · gradual entry into force (Dec. 2024 and Dec. 2026) | In force since May 2018 |
| Territorial scope | Processing in Chile; may apply to foreign companies that process the data of Chileans | Extraterritorial: any company that processes the data of EU citizens |
| Supervisory authority | Personal Data Protection Agency (new) | Authorities in each member state and the EDPB |
| Maximum fine | Up to 20,000 UTM (most serious); up to 60,000 UTM only for recidivism, or 2%/4% of revenue from sales and services in Chile (recidivism of large companies) | Up to €20M or 4% of annual global turnover, whichever is higher |
| Data subject rights | Access, Rectification, Cancellation, Objection (ARCO), Portability | Access, Rectification, Erasure, Restriction, Portability, Objection |
| Impact assessment | EIPD | DPIA |
| Breach notification | Mandatory to the Agency and, in certain cases, to the data subjects | Mandatory to the authority (72 h) and, in certain cases, to the data subjects |
| International transfers | Requires adequate safeguards (standard clauses, corporate rules) | Adequate safeguards + adequacy decisions |
Adaptations for international companies with a presence in Chile
For companies that already comply with the GDPR, adapting to Law 21.719 will be a smoother process, but not without challenges. Some key considerations:
- Data mapping and gap assessment: identify where the data you process in Chile is stored and compare your practices against Law 21.719.
- Review of legal bases: make sure you have a valid legal basis for each processing activity and that you can demonstrate it.
- Updating policies and notices: reflect the law's specific requirements, including the new Agency and the expanded rights of Chilean data subjects.
- Consent management: review your mechanisms to ensure they meet the law's standards, especially for sensitive data and transfers.
- Processes for rights: adapt your internal processes to handle data subject rights and portability requests within the deadlines.
- Security measures: ensure appropriate technical and organizational measures, including incident management and breach notification.
- Contracts with third parties: update the contracts with vendors that process data on your behalf.
- Training and awareness: train your staff in Chile on the law's requirements.
- The role of the DPO: assess the need to designate a data protection officer in Chile.
- Continuous monitoring: establish audits to keep your practices up to date and compliant.
Data transfers between Chile and the European Union deserve special attention: see our analysis of extraterritoriality and international transfers under Law 21.719.
Conclusion: a step forward in global data protection
Chile's Law 21.719 and the European GDPR represent two fundamental pillars in the global data protection landscape. While the GDPR has laid the groundwork and greatly influenced Chilean legislation, Law 21.719 establishes a robust framework adapted to the country's reality, with its own particularities.
For international companies, understanding these differences and similarities is not only a matter of legal compliance, but an opportunity to strengthen trust with their customers, operate more ethically, and consolidate their reputation in a market that is increasingly privacy-conscious. To align your privacy program with both frameworks, talk to us in an assessment.
Frequently asked questions about Law 21.719 and the GDPR
Is Law 21.719 the same as the GDPR?
They are not identical, although Law 21.719 is strongly inspired by the GDPR. They share principles, data subject rights, proactive accountability, impact assessments and breach notification. The main differences are in the territorial scope, the design of the supervisory authority and the regime and calculation basis of the fines.
If I already comply with the GDPR, do I automatically comply with the Chilean law?
Not automatically, but you start with a big advantage. Complying with the GDPR covers a large part of the principles and obligations of Law 21.719. Even so, you must adapt policies and notices to the new Chilean Agency, review legal bases under the local law, adjust data subject rights processes and verify the safeguards for transfers to and from Chile.
Are the fines equivalent?
No. The GDPR reaches up to 20 million euros or 4% of annual global turnover, whichever is higher. Law 21.719 sanctions the most serious violations with up to 20,000 UTM, extendable to up to 60,000 UTM for recidivism; the 2% or 4% percentage is calculated only on revenue from sales and services in Chile and only for recidivism of companies that are not small businesses.
Does the Chilean law apply to foreign companies?
Law 21.719 applies to data processing carried out in Chile and may have implications for foreign companies that process the data of people in Chile or that offer goods and services in the country. The GDPR has a more explicit extraterritorial scope, but both can reach organizations outside their territory.
When does Law 21.719 take effect?
Law 21.719 was published on December 13, 2024, and compliance is mandatory from December 1, 2026, after a 24-month adjustment period. The GDPR, by contrast, has been in force since May 2018.