The essentials in 30 seconds
- Law 21.719 classifies violations as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM).
- In case of recidivism the fine can be tripled: a repeated most-serious violation reaches up to 60,000 UTM.
- Alternatively, and only for companies that are not small businesses, recidivism is sanctioned with 2% (serious) or 4% (most serious) of annual revenue from sales and services in Chile.
- There are accessory sanctions (suspension of processing, publication of the sanction) and one key mitigating factor: a certified Infringement Prevention Model.
- The law is mandatory from December 1, 2026: prevention is the best investment.
In today's dynamic digital landscape, personal data protection has ceased to be optional and has become an unavoidable legal obligation. In Chile, the enactment of Law 21.719 has marked a turning point, establishing a robust framework for the processing of personal information. However, beyond the benefits of greater privacy for citizens, this law carries a component that is critical for companies: fines and sanctions for non-compliance.
Ignoring or underestimating the implications of Law 21.719 not only puts your company's reputation at risk, but can also translate into significant financial losses. In this article we break down the sanctions regime the law sets out, analyze real international non-compliance cases that serve as a warning, and provide practical advice to avoid these costly consequences. For the full picture of the regulation, start with our definitive guide to Law 21.719.
Types of fines and sanctions under Law 21.719
Law 21.719 establishes a system of violations and sanctions designed to ensure effective compliance with the regulation. Fines are not arbitrary: their amount is determined by considering the severity of the violation, the nature of the data affected, the number of people harmed, the intent of the offender and any recurrence, among other criteria. The law classifies violations into three main categories, with fines expressed in Monthly Tax Units (UTM):
| Category | Base fine | Recidivism |
|---|---|---|
| Minor | Warning or up to 5,000 UTM | The fine can be tripled |
| Serious | Up to 10,000 UTM | Up to triple, or 2% of annual revenue from sales and services in Chile* |
| Most serious | Up to 20,000 UTM | Up to triple (60,000 UTM), or 4% of annual revenue from sales and services in Chile* |
As the table shows, the highest base fine is for most-serious violations (20,000 UTM). The figure of 60,000 UTM is not the general cap: it corresponds exclusively to the tripling for recidivism of a most-serious violation. The typical conduct in each category is:
- Minor violations: formal breaches or those with a lesser impact on privacy, such as omissions in the information provided to the data subject.
- Serious violations: processing data without an adequate legal basis or failing to respond to data subject rights requests within the time limits.
- Most-serious violations: considerable harm to data subjects, massive data breaches, unlawful processing of sensitive data or obstruction of the Agency's oversight.
*The percentage calculation on revenue only applies in case of recidivism and only to companies that do not qualify as small businesses under Law 20.416. In addition, the calculation basis is annual revenue from sales and services in Chile, not global turnover. For an SME, the cap remains the UTM amount of the corresponding category.
How the fine and recidivism are calculated
Understanding the mechanics of the sanction avoids common misunderstandings. The base fine depends on the category of the violation, and the Agency sets it within the range according to the criteria already mentioned. Recidivism occurs when the controller commits a new violation of the same category within the period set by the law after a prior sanction; in that scenario, the fine can be tripled relative to the category cap. That is why a repeated most-serious violation can reach up to 60,000 UTM.
Beyond the financial component, the law provides for accessory sanctions that can seriously affect operations: the temporary suspension of processing activities and the publication of the sanction in a national compliance registry. And there is a relevant mitigation route: having a duly certified Infringement Prevention Model acts as a mitigating circumstance when determining the sanction.
Accessory sanctions and mitigating factor. In addition to the fine, the Agency may order the temporary suspension of processing activities and the publication of the sanction in a national registry. Conversely, a certified Infringement Prevention Model demonstrates diligence and can reduce the amount of the fine. Learn how we approach prevention on our Law 21.719 page and in our case studies.
Beyond financial fines, non-compliance can entail other serious consequences:
- Reputational damage: a data breach or public sanction can destroy client trust and damage brand image irreparably.
- Loss of trust and clients: an incident or mishandling of data can lead to client churn and make it harder to attract new ones.
- Legal action: affected individuals may claim compensation for damages, adding legal costs and settlements.
- Suspension of operations: in extreme and repeated cases, the Agency could order the temporary suspension of data processing.
Real non-compliance cases: lessons from around the world
To understand the magnitude of the sanctions, it is useful to look at real cases in countries that already apply regulations similar to the GDPR, which inspired Law 21.719. These examples demonstrate that authorities impose substantial fines regardless of the size or prestige of the brand.
Google (France): lack of transparency and consent
In 2019, the CNIL fined Google EUR 50 million for lack of transparency, inadequate information and the absence of valid consent for ad personalization. The case underscores the importance of explicit consent and clarity in privacy policies.
British Airways (United Kingdom): security breach due to lack of measures
In 2019, the ICO proposed a fine of GBP 183 million (approx. EUR 204M) against British Airways for a breach that affected half a million customers, caused by a lack of security measures that allowed payment data to be stolen. The case highlighted the seriousness with which security breaches are treated.
H&M (Germany): unlawful monitoring of employees
In 2020, the Hamburg authority fined H&M EUR 35.3 million for unlawfully collecting and storing employees' personal data, including details of their private lives, health and beliefs. It highlights the importance of protecting employee data and limiting the collection of sensitive information.
Amazon (Luxembourg): record fine for targeted advertising
In 2021, the Luxembourg authority imposed a record fine of EUR 746 million on Amazon for breaching the GDPR's processing principles in connection with targeted advertising. It demonstrates that not even large corporations are exempt from the highest sanctions.
Samsung Electronics: compliance and trust
By contrast, companies such as Samsung Electronics have strengthened digital trust by implementing consent management solutions. As Leanne White, Data Privacy Lead at Samsung Electronics, sums it up: "The biggest difference since we started working with OneTrust is that we now give users more control. They decide how their data is managed, and that builds trust." Investing in the right tools not only avoids sanctions but also creates a competitive advantage.
10 tips to avoid fines and ensure compliance
- Carry out a thorough assessment: identify what data you handle, where it is stored, how it is processed and who has access to it. A complete mapping reveals gaps and areas for improvement.
- Obtain valid consent: ensure that consent is freely given, specific, informed and unambiguous, and that it can be withdrawn easily.
- Implement robust security measures: encryption, firewalls, access control, backups and ongoing training.
- Establish clear policies and procedures: document your privacy policies, the handling of data subject rights and your incident response plans.
- Appoint a data protection officer (DPO): internal or external, they help oversee compliance and act as a liaison with the Agency.
- Manage data subject rights: implement efficient processes for access, rectification, erasure, objection and portability.
- Train your staff: human error is one of the main causes of breaches; invest in continuous training.
- Use specialized technology: platforms such as OneTrust automate data mapping, consent, data subject rights requests and risk assessment.
- Conduct regular audits: regularly verify the effectiveness of your measures and adjust as needed.
- Stay up to date: closely follow changes to Law 21.719 and the Agency's guidelines.
Conclusion: prevention is the best investment
Law 21.719 is a call to action for every company in Chile. Fines for non-compliance are an unavoidable reality, and the international cases show that authorities are determined to enforce the regulation. However, beyond the fear of penalties, this law represents an opportunity to strengthen the relationship with your clients, build a solid reputation and ensure the sustainability of your business.
Prevention is, without a doubt, the best investment. By adopting a proactive approach, implementing the right measures and relying on expert advice, your company will not only avoid financial and legal risks but also position itself as a benchmark for trust and transparency. To take the first step, let's talk in an assessment.
Frequently asked questions about fines and sanctions
What is the maximum fine under Law 21.719?
Most-serious violations are punishable by a fine of up to 20,000 UTM: that is the highest base fine. Only in case of recidivism can the fine be tripled, reaching up to 60,000 UTM. For companies that are not small businesses, most-serious recidivism may alternatively be sanctioned with up to 4% of annual revenue from sales and services in Chile.
How is the percentage of revenue calculated?
The percentage applies only to recidivism and only to companies that do not qualify as small businesses under Law 20.416: 2% of annual revenue from sales and services in Chile for serious recidivism and 4% for most-serious recidivism. The calculation basis is revenue in Chile, not global turnover.
What does recidivism mean?
Recidivism occurs when the controller commits a new violation of the same category within the period set by the law after a prior sanction. The consequence is that the fine can be tripled relative to the category cap, reaching up to 60,000 UTM for a repeated most-serious violation.
Does having an Infringement Prevention Model reduce the sanction?
Yes. Having a duly certified Infringement Prevention Model acts as a mitigating circumstance when determining the sanction. It demonstrates proactive accountability and diligence, and can reduce the amount of the fine.
When can the Agency impose sanctions?
Law 21.719 was published on December 13, 2024, and compliance is mandatory from December 1, 2026, after a 24-month adjustment period. From that date the Personal Data Protection Agency may audit and impose fines.
What happens if I do not notify a security breach?
Failing to notify the Agency of a breach without undue delay (and, where applicable, the affected data subjects) is sanctionable conduct, usually classified as a serious or most-serious violation depending on the risk and harm caused. It can lead to fines and accessory sanctions such as the temporary suspension of processing activities.