Enforcement begins
Dec 2026
The Data Protection Agency begins enforcement on December 1.
Large volumes of sensitive data, multiple systems and the highest regulatory demands. We take you to compliance with Law 21.719 (legal, operations and technology) so you are ready for the December 2026 enforcement.
No obligation · Reply within 24 business hours
Organizations that have trusted Alaya Digital Solutions
We support banks, financial firms and insurers in complex data-governance projects and Law 21.719 compliance.







Every company
Public or private, large or SME. If you process personal data, you must comply.
20k UTM
Over CLP 1.39 billion. For the most serious violations, also 4% of annual revenue.
Assessment
Know where you stand. Then: roadmap, implementation and ongoing support.
The new Data Protection Agency investigates on complaint or on its own initiative. These are the most frequent scenarios in practice.
"I want to know what data you hold about me, how you calculate my score and who you share it with."
You must grant access and explain the processing within the deadline. Without traceability across systems, it's a serious violation: up to 10,000 UTM or 2% of revenue.
"We detected unauthorized access to the customer base, but we wanted to contain it quietly."
With financial data the risk is maximal. Not notifying the Agency and data subjects is a most-serious violation: up to 20,000 UTM or 4% of annual revenue + National Sanctions Registry.
"We send data to scoring agencies and affiliates as we always have."
Every transfer needs a lawful basis and a processing contract (DPA). Transferring without grounds is a violation and passes the risk down the whole chain.
Sanctions are published in the National Registry administered by the Agency. The reputational damage, hard to measure and impossible to reverse, often outweighs the financial one.
How do I get ready? →
Imagine that tomorrow the Agency requires you to prove that a specific customer authorized the use of their data. How long does it take your team to pull the evidence together?
Without a system: days digging through spreadsheets and folders. Risk of error and a penalty for failing to demonstrate compliance.
With AlayIAtrust: you search the name and the entire trail appears — consents, data subject requests, notice version, date and channel.
We're already implementing Law 21.719 in banking and financial services organizations in Chile. We combine over 20 years of experience in complex projects with our own methodology for diagnosis, prioritization, plan, execution and ongoing operation. These are the components we leave up and running inside your organization.
Records of processing activities (RoPA): which data you process, for what purpose and on what basis.
We define and document the legal basis for every personal-data processing activity.
Processes to handle access, rectification, erasure, objection and portability requests within the deadline.
A procedure to detect, contain and notify incidents to the Agency and to data subjects.
Processing clauses and contracts (DPAs) with vendors and third parties that access data.
Data protection impact assessments (DPIAs) for high-risk processing, when applicable.
Roles, internal policies and team training to sustain compliance over time.
Privacy notices, policies and evidence organized and ready for an audit.
Most organizations don't know what to do first or who should lead it. We hand you a clear roadmap from day one.
This week: 30 minutes, no obligation. We assess processing activities, risks and gaps against Law 21.719.
Focus: We rank findings by regulatory risk and business impact.
2 to 4 weeks: A prioritized roadmap: what to do first, who on your team leads it and which solution fits.
1 to 6 months: Legal and operational implementation plus technology enablement: contracts, policies, consents and training.
Continuous: Monitoring, internal audits and support in the event of an audit.
An enterprise implementation takes 3 to 6 months; an SME solution, 1 to 4 months. It's best to start early so you're ready in time.
Initial assessment
We are not a startup selling a basic platform, nor a global consultancy operating from abroad. We work as your team in Chile: legal counsel, OneTrust technology and support throughout the process, in a single team and 100% on the ground.
Specialized lawyers + data engineers in a single team. Most firms sell you software only or consulting only — we take you to compliance.
A full team on the ground. We live the Chilean regulatory framework every day — we are no one's branch office.
An Alaya Digital Solutions company, advising large organizations since 2005.
Experience in complex governance, security and digital transformation projects for leading clients in banking, retail, mining and the public sector.
You already know the law, the risks and the way we work. These are the two implementation paths we offer. We help you choose the right one based on the size and maturity of your organization.
Fast implementation
Everything you need to comply with the law without the complexity of an enterprise solution. Simpler, faster, ready in a few months.
For exporters, fisheries, distributors and construction firms.
World-leading technology
For organizations with large data volumes, multiple systems and the highest regulatory demands. A platform used by large organizations worldwide.
For banking, retail, holdings and multinationals.
Not sure which one is right for you? We'll figure it out together in 30 minutes, no obligation. Book an assessment →
To any natural or legal person, public or private, that processes personal data in Chile. It also applies to foreign companies that offer goods or services in the territory.
The initial assessment carries no obligation. We schedule a 30-minute meeting, evaluate your situation and deliver a report with gaps and concrete recommendations.
It depends on size and digital maturity. An SME solution is implemented in 1 to 4 months. An enterprise solution takes 3 to 6 months. That's why we recommend starting now.
We work with both profiles. We have solutions designed specifically for SMEs and mid-market, and enterprise solutions for banking, retail and multinationals.
Three things: we are 100% on the ground in Chile, we combine legal counsel with technology in the same team, and we have 20 years of experience with clients in banking, retail, mining and the public sector.
Each sector processes different data and faces its own risks. See the approach for yours.
Start with an assessment. In 30 minutes you'll know how far from, or how close to, compliance you are.