The essentials in 30 seconds
- From Law 19.628 (1999) to Law 21.719: the most far-reaching reform of the Chilean data system.
- Applies to any organization, public or private, that processes personal data in Chile, including foreign companies.
- ARSOP rights for individuals and fines of up to 20,000 UTM for organizations.
- Full enforcement by the Personal Data Protection Agency begins on December 1, 2026.
If you searched for "data protection law" without knowing the exact number, you are in the right place. In Chile, that search today points to two regulations that are best understood together: the historic Law 19.628, in force since 1999, and the new Law 21.719, published on December 13, 2024, which modernizes it completely. This page is a starting point: it explains what the data protection law is, who it obligates, what rights it grants to individuals, what it requires of companies and what penalties it establishes. If you want the full legal picture, start with the definitive guide to Law 21.719.
Think of it as a general map, not a step-by-step manual. Here you will find the big picture; when you need to get into the operational terrain (what to document, in what order and with what evidence), we point you to our definitive compliance guide, which develops each point in detail.
What the data protection law is and why it matters
The data protection law is the set of rules that governs how organizations collect, store, use, share and delete the information that identifies a person: their name, national ID number, email, health data, consumption habits, location or any other data that makes it possible to recognize them. Its underlying purpose is simple but demanding: that individuals retain control over their own information and that those who process it do so in a legitimate, secure and transparent manner.
It matters because personal data has stopped being an administrative byproduct and has become a critical asset, and also a risk. A leak, misuse or an uncontrolled database is no longer just a technical problem: it is a legal, reputational and financial one. For any organization in Chile, understanding the data protection law is today as fundamental as understanding its tax or labor obligations.
This change in status is what explains the recent reform. Chile moved from a model designed for the records of the 1990s to a model designed for the digital economy, where the large-scale processing of data is the norm and not the exception.
From Law 19.628 to Law 21.719: what changes and why
For more than two decades, data protection in Chile was governed by Law 19.628, of 1999. It was pioneering at the time, but it fell short in the face of the internet, the cloud, data analytics and artificial intelligence. It had neither an effective supervisory authority nor a deterrent penalty regime, which in practice left many obligations without real consequences.
Law 21.719, published on December 13, 2024, changes that scenario at its root. It is the most far-reaching reform of the Chilean data protection system: it introduces a supervisory authority with teeth, a clear catalog of rights for individuals, concrete obligations for those who process data and a substantial fines regime. In place of a mere declarative duty, it establishes a model of enforceable accountability.
This new law is inspired by the European standard, the General Data Protection Regulation (GDPR). That means Chile adopts concepts and requirements equivalent to those already in force in Europe: principles such as proactive accountability, defined roles of controller and processor, risk assessments and security duties. For companies, aligning the country with the European framework has a practical advantage: it makes it easier to operate and do business with organizations that already meet that international standard.
- Law 19.628 (1999): historic framework, without an effective supervisory authority or deterrent penalties.
- Law 21.719 (December 13, 2024): comprehensive reform that modernizes the system and aligns it with the GDPR.
- From declarative compliance to enforceable, supervised and sanctionable compliance.
Who the law applies to
The scope of application is broad and deliberately inclusive. The law reaches any organization, public or private, that processes personal data in Chile. It does not distinguish by size or by sector: a large company, an SME, a municipality, a public service, a clinic, a school or a foundation are all equally covered if they handle information about individuals.
The coverage also crosses borders. It reaches foreign companies that offer goods or services in the country or that process data of individuals located in Chile, even if they have no local office. This dimension, known as extraterritorial scope, follows the same logic as the European standard: what determines the obligation is not where the company is located, but who its activity is directed at.
The practical conclusion is direct: if your organization collects or uses data of individuals in Chile, the law applies to you. The relevant question is no longer whether it affects you, but how prepared your operation is to respond.
What rights it grants to individuals: ARSOP
The heart of the law is recognizing individuals as the owners of their data, with rights they can exercise before any organization that processes it. These rights are grouped under the acronym ARSOP and are the point where the legal framework becomes tangible in day-to-day life.
For organizations, these rights are not an ornament: they translate into the obligation to have channels to receive requests, verify the identity of the person submitting them and respond within the defined timeframes. A disorganized ARSOP process is one of the fastest ways to expose yourself to a complaint before the authority.
- Access: the individual can find out what data of theirs you hold and how you process it.
- Rectification: they can require you to correct inaccurate or outdated data.
- Deletion: they can ask you to delete their data when there is no longer any basis to retain it.
- Objection: they can object to certain uses of their data.
- Portability: they can request their data in a format that allows them to reuse it or take it to another provider.
What obligations it imposes on companies
In response to those rights, the law places a set of concrete duties on those who process data. The principle that organizes them all is proactive accountability: it is not enough to comply; you must be able to demonstrate that you comply, with documentation, processes and evidence. The burden of proof shifts toward the organization.
In practical terms, this comes down to several pieces that work together. Every processing activity must rest on a lawful basis, that is, a legitimate reason to process the data, such as the person's consent or the performance of a contract or legal obligation. And the relationship between the party that decides the purposes of the processing (the controller) and the party that carries it out on their behalf (the processor) must be expressly regulated.
On that foundation stand the core operational obligations that we summarize below. Each of them is a piece of compliance, and its detailed development lives in our definitive guide.
- Record of Processing Activities (RAT): an inventory of what data you process, for what purpose and on what lawful basis.
- Data Protection Impact Assessments (EIPD): analyzing and mitigating risks before processing operations that could significantly affect individuals.
- Data Protection Officer (DPO): where applicable, designating a person responsible for ensuring compliance.
- Security: applying appropriate technical and organizational measures to protect the information.
- Breach notification: reporting security incidents that affect personal data, in accordance with the duties set by the law.
What penalties it establishes and who enforces it
The element that gives the law its real force is its penalty regime. Non-compliance can lead to substantial fines, tiered according to the severity of the infringement: up to 5,000 UTM in the least serious cases, up to 10,000 UTM in serious ones and up to 20,000 UTM in the most severe. Expressed in monthly tax units, the ceiling on penalties turns carelessness into a material financial risk for any organization.
Enforcement is placed in the hands of the Personal Data Protection Agency, the new supervisory authority the law creates for this purpose. It is the body responsible for overseeing compliance, receiving complaints and applying penalties. Its very existence marks the difference from the previous regime: for the first time, there is an entity with a specific mandate to enforce the rules.
The message for organizations is clear. The combination of an active authority and significant fines transforms data protection, which could previously be treated as an optional best practice, into an obligation with concrete consequences.
Key deadlines and how to start preparing
The date that organizes all planning is December 1, 2026: that is when full enforcement of the new law begins. Until then there is a preparation window, but it is best read realistically, because adapting processes, systems and contracts takes time and cannot be resolved in the final weeks.
The most useful starting point is to understand before acting. Beginning by knowing what data your organization processes, for what purpose and on what lawful basis is what later allows you to build the RAT, decide whether you need a DPO, prioritize the EIPD and organize your security measures. Without that initial diagnosis, any later effort runs the risk of remaining incomplete.
This page gave you the big picture. The natural next step is to get into the concrete plan: where to start, in what order and with what deliverables. For that, review our definitive compliance guide, where each obligation in this framework is developed as an operational path, with checklists and priorities. If you prefer expert support, at AlayIAtrust we help organizations build that intelligent trust on their data, from diagnosis to implementation.
Ready to move from understanding to complying?
You now have the general overview of the data protection law in Chile. The next step is a concrete assessment of your organization against Law 21.719. At AlayIAtrust we support you from the initial analysis to implementation, with a focus on building intelligent trust. Let's talk before December 1, 2026.
Schedule an assessmentFrequently asked questions
What is the data protection law currently in force in Chile?
Two regulations coexist. The historic Law 19.628, of 1999, and the new Law 21.719, published on December 13, 2024, which reforms the system in depth. Full enforcement of the new law begins on December 1, 2026, which is why it is today the central reference for preparing.
Who does the data protection law apply to?
To any organization, public or private, that processes personal data in Chile, regardless of its size or sector. It also reaches foreign companies that offer goods or services in the country or that process data of individuals located in Chile, even if they have no local office.
What rights does the law give me as the owner of my data?
The ARSOP rights: Access, Rectification, Deletion, Objection and Portability. They allow you to find out what data of yours an organization processes, correct it, request its deletion, object to certain uses and request your data in a reusable format.
What fines does Law 21.719 establish?
The penalties are tiered according to severity: up to 5,000 UTM for less serious infringements, up to 10,000 UTM for serious ones and up to 20,000 UTM for the most severe. Enforcement is handled by the Personal Data Protection Agency, the new supervisory authority.
How should my company start preparing?
The best first step is a diagnosis: identifying what data you process, for what purpose and on what lawful basis. On that foundation you build the Record of Processing Activities, the impact assessments, the designation of a DPO where applicable and the security measures. You will find the operational detail in our definitive compliance guide.