All about the new data protection regulation in Chile (Ley 21.719)

What is Chile’s New Data Protection Law 21.719?
Chile’s Law 21.719, approved in March 2024, is the country’s modern and comprehensive data protection regulation. It replaces the outdated 1999 law and brings Chile closer to international privacy standards such as GDPR and LGPD.
This new law:
• Establishes the Agencia de Protección de Datos Personales (APDP)
• Introduces stricter requirements for processing personal data
• Grants stronger rights to individuals
• Creates a framework of penalties for non-compliance
Key Principles of Law 21.719
Lawfulness, fairness, and transparency
Organizations must process personal data based on a valid legal basis, ensuring that individuals clearly understand how their information will be collected, used, and shared. Transparency also requires providing accessible privacy notices, avoiding deceptive patterns, and informing people of their rights. Processing must always align with user expectations and Chile’s legal framework.
Purpose limitation
Data may only be collected for specific, explicit, and legitimate purposes that are communicated to the individual at the time of collection. Any secondary use must be compatible with the original purpose, and organizations cannot repurpose personal data for unrelated activities without proper justification or renewed consent.
Data minimization
Controllers must ensure that they only collect the personal data strictly required to fulfill the declared purpose. This means avoiding excessive data points, limiting optional fields, and regularly reviewing the necessity of each category of information. Minimization reduces compliance risks and strengthens privacy by design.
Accuracy
Organizations must take reasonable steps to keep personal data accurate, complete, and up to date. This includes verifying information at the point of collection, enabling users to request corrections easily, and establishing internal processes to prevent outdated or incorrect information from being used in decision-making.
Storage limitation
Personal data may only be retained for as long as necessary to fulfill the legitimate purpose for which it was collected. Once that purpose has been achieved, the data must be deleted, anonymized, or archived securely. A clear retention schedule helps organizations respect this principle and comply with legal obligations.
Integrity and confidentiality
Controllers are required to implement robust technical and organizational measures to protect personal data from unauthorized access, alteration, loss, or misuse. This includes encryption, access controls, internal policies, staff training, and incident response plans that safeguard confidentiality throughout the data lifecycle.
Accountability
Organizations must be able to demonstrate full compliance with Law 21.719 at any time. Accountability includes documenting processing activities, conducting DPIAs for high-risk operations, maintaining audit trails, designing internal governance programs, and ensuring that both internal teams and external processors adhere to privacy obligations.
Compliance Requirements
• Legal basis must be established for each processing activity
• Consent must be informed, explicit, specific, and revocable
• Data subject rights: access, correction, deletion, portability, and more
• DPIAs for high-risk processing activities
• Processor oversight and updated contracts
• Internal governance, including policies, training, and a record of processing activities (ROPA)
Fines for non-compliance
Minor infractions
Serious infractions
Very serious infractions
UTM = “Monthly Tax Unit”, which is “an index used by the Chilean government to express taxes, fines, and penalties in a way that automatically adjusts with inflation.”
Additional sanctions include:
Applied when an ongoing processing activity poses a serious or immediate risk to individuals’ rights, especially if it lacks a valid legal basis, involves sensitive data, or continues despite previous warnings.
• Orders to Delete Unlawful Data:
Issued when personal data was collected or processed without a proper legal basis, retained longer than allowed, or used for purposes not originally disclosed. This ensures that improperly obtained data is not further used or circulated.
• Public Reprimands:
Used in cases involving widespread impact, systemic compliance failures, or lack of cooperation with the APDP. Public reprimands aim to promote accountability and inform affected individuals.
Compliance Checklist
✓ Identify all processing activities
✓ Define legal bases
✓ Review and update consent collection
✓ Implement user rights request workflows
✓ Deploy security and breach procedures
✓ Update vendor contracts
✓ Conduct DPIAs when needed
✓ Train teams on Law 21.719 requirements
✓ Establish retention and deletion rules
✓ Deploy a compliant consent banner
✓ Keep audit-ready documentation

Does Chile’s Law 21.719 Affect You?

Your organization must comply if it:
• Is based in Chile, or
• Offers goods/services to people in Chile, or
• Processes data of Chilean residents, even if operating abroad.
This extraterritorial scope means that many international companies fall under the law.
Why Choose Didomi for Chile Compliance
Advanced consent management
Collect, store, and manage consent in line with Chile’s explicit consent rules.
Preference centers
Give users control over their choices at any time.
Audit-ready logs
Maintain complete proof of consent and processing activities.
Multiregional compliance
Manage GDPR, CCPA, LGPD, and Law 21.719 from one platform.
Flexible integrations
SDKs, APIs, server-side, and Webflow-friendly deployments.
Setting Up a Consent Banner for Chile
• Use clear, neutral language
• Provide granular options for analytics, marketing, and personalization
• Include an always-available preference link
• Store consent logs with timestamps
• Offer a localized Spanish (Chile) version
Frequently Asked Questions (FAQ)
The law provides a two-year transition period before full enforcement begins on 1 December 2026.
Similarities:
• Core data protection principles
• Data subject rights
• DPIAs
• Breach notifications
• Supervisory authority
Differences:
• Fines are based on UTM, not revenue percentage
• Some procedures and rights include local adaptations
• Enforcement timeline and APDP structure differ