Law 21.719 for healthcare & clinics · Chile

Law 21.719 in healthcare: sensitive data, maximum demands.

Medical records and health data are sensitive data: reinforced consent, impact assessments and traceability. We implement Law 21.719 in clinics and providers to be ready for December 2026.

No obligation · Reply within 24 business hours

20k UTM maximum fine
3-6 Months to implement
100% Team based in Chile

Organizations that have trusted Alaya Digital Solutions

We support clinics, medical centers and healthcare providers in protecting sensitive data and complying with Law 21.719.

The law in 30 seconds

What you need to know. Fast.

Enforcement begins

Dec 2026

The Data Protection Agency begins enforcement on December 1.

Who it applies to

Every company

Public or private, large or SME. If you process personal data, you must comply.

Maximum fine

20k UTM

Over CLP 1.39 billion. For the most serious violations, also 4% of annual revenue.

What to do

Assessment

Know where you stand. Then: roadmap, implementation and ongoing support.

What happens if you don't comply?

This isn't a law that stays on paper.

The new Data Protection Agency investigates on complaint or on its own initiative. These are the most frequent scenarios in practice.

01

Your patients' medical records are leaked.

"A device with records was left accessible; it's health data on hundreds of patients."

Consequence →

Health data is sensitive and calls for maximum protection. A breach like this is classed among the most serious violations: up to 20,000 UTM or 4% of revenue, plus publication in the National Registry.

02

A patient asks for their record and you don't respond in time.

"I asked for a copy of my record and tests weeks ago and still no response."

Consequence →

Requests for access to health data must be resolved within the legal deadline. Failing to honor a data subject's right over sensitive data is a serious violation.

03

You process sensitive data without reinforced consent.

"We use patients' data for reminders and campaigns, as always."

Consequence →

Health data requires specific consent and, often, a data protection impact assessment (DPIA). Processing it without a reinforced legal basis exposes you to penalties.

Sanctions are published in the National Registry administered by the Agency. The reputational damage —hard to measure, impossible to reverse— often outweighs the financial one.

The real case

"Prove to me that Ms. Juanita Pérez did give her consent."

Imagine that tomorrow the Agency requires you to prove that a specific customer authorized the use of their data. How long does it take your team to pull the evidence together?

Without a system: days digging through spreadsheets and folders. Risk of error and a penalty for failing to demonstrate compliance.

With AlayIAtrust: you search the name and the entire trail appears — consents, data subject requests, notice version, date and channel.

Privacy Operations
Customer

Juanita Pérez González

RUT 12.345.678-9 · Customer since 2021
  • Marketing consent · Granted · Web · Apr 12, 2024
    Channel: Web form (checkout)
    Legal basis: Express consent
    Text accepted: Privacy notice v2.3
    Evidence: Time-stamped record · hash a3f9…e21
  • Privacy notice v2.3 · Accepted · Apr 12, 2024
    Version: 2.3 (current)
    Purposes: Marketing and profiling
    Record: IP 190.xx.xx.xx · Apr 12, 2024, 14:22
    Status: Accepted by the data subject
  • Access request (data subject) · Received · Mar 02, 2026 · Resolved in 8 days
    Type: Right of access
    Legal deadline: In business days
    Resolution: 8 days, within deadline
    Owner: DPO · evidence attached
  • Partial revocation · Email marketing · Apr 15, 2026
    Scope: Email marketing only
    Effect: Immediate removal from campaigns
    Channel: Preference center
    Confirmation: Sent to the data subject the same day
What we implement

Concrete compliance deliverables, not just recommendations.

We implement Law 21.719 in healthcare providers and other sectors that process sensitive data in Chile. We combine over 20 years of experience in complex projects with our own methodology for diagnosis, prioritization, plan, execution and ongoing operation. These are the components we leave up and running inside your organization.

Data inventory & records

Records of processing activities (RoPA): which data you process, for what purpose and on what basis.

Lawful bases

We define and document the legal basis for every personal-data processing activity.

ARSOP rights management

Processes to handle access, rectification, erasure, objection and portability within deadline.

Breach notification

A procedure to detect, contain and notify incidents to the Agency and to data subjects.

Contracts with processors & third parties

Processing clauses and contracts (DPAs) with vendors and third parties that access data.

Impact assessments

Data protection impact assessments (DPIAs) for high-risk processing, when applicable.

Training & internal governance

Roles, internal policies and team training to sustain compliance over time.

Policies & documentation

Privacy notices, policies and evidence organized and ready for an audit.

Implementation methodology

Our own methodology: 5 stages, from diagnosis to ongoing operation.

Most organizations don't know what to do first or who should lead it. We hand you a clear roadmap from day one.

  1. Diagnosis

    30 minutes, no obligation. We assess processing activities, risks and gaps against Law 21.719.

    This week
  2. Gap prioritization

    We rank findings by regulatory risk and business impact.

    Focus
  3. Compliance plan

    A prioritized roadmap: what to do first, who on your team leads it and which solution fits.

    2-4 weeks
  4. Execution

    Legal and operational implementation plus technology enablement: contracts, policies, consents and training.

    1-6 months
  5. Ongoing operation

    Monitoring, internal audits and support in the event of an audit.

    Continuous
⚠ Important

Getting ready takes months, not weeks.

An enterprise implementation takes 3-6 months; an SME solution, 1-4 months. It's best to start early so you're ready in time.

Why AlayIAtrust

We don't sell software. We take you to compliance.

We are not a startup selling a basic platform, nor a global consultancy operating from abroad. We work as your team in Chile — legal counsel, OneTrust technology and support throughout the process, in a single team and 100% on the ground.


Legal & technology

Specialized lawyers + data engineers in a single team. Most firms sell you software only or consulting only — we take you to compliance.


100% in Chile

A full team on the ground. We live the Chilean regulatory framework every day — we are no one's branch office.

20+ years of experience

An Alaya Digital Solutions company, advising large organizations since 2005.

Complex projects

Experience in complex governance, security and digital transformation projects for leading clients in banking, retail, mining and the public sector.

AlayIAtrust solutions

Now for the concrete path.

You already know the law, the risks and the way we work. These are the two implementation paths we offer. We help you choose the right one based on the size and maturity of your organization.

SME & mid-market

End-to-end SME solution

Fast implementation

Everything you need to comply with the law without the complexity of an enterprise solution. Simpler, faster, ready in a few months.

  • Consent management
  • Data subject rights with SLA
  • Records of processing
  • Implementation: 1-4 months

For exporters, fisheries, distributors and construction firms.

Enterprise

Enterprise solution

World-leading technology

For organizations with large data volumes, multiple systems and the highest regulatory demands. A platform used by large organizations worldwide.

  • Full privacy platform
  • Privacy + Consent + Risk + Ethics
  • Specialized legal counsel
  • Continuous support

For banking, retail, holdings and multinationals.

Not sure which one is right for you? We'll figure it out together in 30 minutes, no obligation. Book an assessment →

Frequently asked questions

What clients ask us most.

Which companies does the new law apply to?

To any natural or legal person, public or private, that processes personal data in Chile. It also applies to foreign companies that offer goods or services in the territory.

How much does the initial assessment cost?

The initial assessment carries no obligation. We schedule a 30-minute meeting, evaluate your situation and deliver a report with gaps and concrete recommendations.

How long does a full implementation take?

It depends on size and digital maturity. An SME solution is implemented in 1 to 4 months. An enterprise solution takes 3 to 6 months. That's why we recommend starting now.

Do you work with mid-sized companies or only large ones?

We work with both profiles. We have solutions designed specifically for SMEs and mid-market, and enterprise solutions for banking, retail and multinationals.

How are you different from other consultancies?

Three things: we are 100% on the ground in Chile, we combine legal counsel with technology in the same team, and we have 20 years of experience with clients in banking, retail, mining and the public sector.

Solutions by industry

Law 21.719, for your sector.

Each sector processes different data and faces its own risks. See the approach for yours.

Next step

Is your company ready for December 2026?

Start with an assessment. In 30 minutes you'll know how far —or how close— you are to compliance.

We reply within 24 business hours · No obligation