Data Protection Regulations: Law No. 19628 ON PROTECTION OF PRIVATE LIFE
Regulatory purpose: The law regulates the "processing of personal data in registers or data banks by public bodies or private individuals".
- Data controller: Yes. Responsible for the register or database, the private natural or legal person, or the respective public body, which is responsible for the decisions related to the processing of personal data (Art. 2 letter n Law N°19628).
- Data Processor: No.
- Data Protection Officer: No.
Supervisory Authority: No. A Personal Data Protection Agency is in the making.
- Other: No information.
- Freedom in the processing of personal data (Art. 1 Law N°19628).
- Information and consent of the data subject (Arts. 10, 17 and 24 Law N°19628).
- Principle of purpose (Art. 9 Law N°19628 and Law N°20575).
- Data quality (Art. 9 paragraph 2 of Law N°19628).
- Special protection of sensitive data (Art. 2 letter g) Law N°19628).
- Data security (Art. 11 Law N°19628).
- Duty of secrecy (Art. 7 Law N°19628).
- Proportionality (Art. 3 letter c) Bulletin 11144-7).
- Guarantees against the transfer and communication of data to third parties (Art. 5 Law N°19628).
- Register of Processing Activities: Yes.
- Impact Assessments: No.
- Risk analysis: Yes.
- Technical and organisational security measures: No.
- Duty to inform: Yes.
- Data Protection Officer: No.
- Other obligations:
  - Deletion of data (Art. 6 clause 1 Law N°19628).
  - Right of communication to third parties by controllers of personal data (Art. 2 letter c) of Bulletin 11144-7).
  - Information and transparency (Art. 14 ter Bulletin 11144-7).
  - Confidentiality (Art. 14 bis Bulletin 11144-7).
Data subjects' rights:
- Right of Access: Yes.
- Right of rectification: Yes.
- Right of Suppression: Yes.
- Right to limitation: Yes.
- Right to portability: No.
- Right to object: Yes.
- Automated individual decisions, including profiling: No information.
- Other rights: No information.
They are allowed only to countries with an adequate level of protection, according to the Agency's criteria; or to countries that do not have an adequate level of protection in certain specific scenarios, including, among others, when there is the express consent of the holder; in specific international banking, financial or stock exchange transfers, transfers between companies belonging to the same corporate group, related companies or companies subject to the same controller; or when made for the purpose of providing or requesting international judicial assistance (Art. 15 Bulletin 11144-7).
Yes, catalogue of infringements:
- The Bill classifies infringements as minor, serious and very serious, and provides for fines ranging from 1 to 5,000 UTM (approximately $46,000 CLP to $231,840,000 CLP, as of the date of entry of the Bill).
- In case of repeated serious or very serious infringements, the Agency may order the suspension of processing operations until they are brought into compliance with the law.
- In the event of a repeat offence, a fine of up to three times the amount specified in the law may be applied. Recidivism will occur when there are two or more sanctions in a period of 24 months.
- Actions to sanction the infringements described in the Draft become time-barred three years after the infringement, but the offender must pay damages.
Certification or accreditation of compliance for companies: No.
Other related legislation:
- Law No. 20.575 which establishes the principle of purpose in the processing of personal data.
- Bill Boletín N°11144-07 which regulates the protection and processing of personal data and creates the Personal Data Protection Agency.
- Law No. 21.236 on financial portability.
- Law No. 20.471 on number portability.