Skip to content
Octo Inc. — Data Protection Unit
Octoberus DATA

RESOURCES — FREE, NO SIGN-UP

Documentation center

Real working material, not brochures. We publish it openly because an informed company makes a better client — and because the clock is running for everyone.

Frequently asked questions

The 15 we get every single week.

When does Law 21,719 come into force? +

On December 1, 2026. It was published on December 13, 2024 with a 24-month transition period.

Which companies does it apply to? +

Every public or private organization processing personal data in Chile, regardless of size or industry.

What is the Personal Data Protection Agency? +

The new public body that supervises compliance, handles complaints, issues sanctions and regulations. It can act on its own initiative or on anyone’s complaint.

How large are the fines? +

Up to 5,000 UTM for minor, 10,000 UTM for serious and 20,000 UTM for very serious infringements. Repeat serious/very serious offenses: up to 2% or 4% of annual Chilean revenue.

What about SMEs? +

Obligations apply from December 2026 all the same. For the first 12 months the Agency may issue written warnings instead of fines — time to fix, not to wait.

What are ARCOP rights? +

Access, Rectification, Cancellation (erasure), Objection and Portability: the rights any data subject can exercise against your company, with legal response deadlines.

What is the Record of Processing Activities (RoPA/RAT)? +

The formal inventory of every business process using personal data: purpose, legal basis, data categories, recipients, retention and security measures.

Is consent collected under the old law still valid? +

Only if it meets the new standard: specific, informed, unambiguous and revocable. Generic "all purposes" authorizations do not survive.

What is a lawful basis? +

The legal justification of each processing activity. Consent is one of several: contract, legal obligation, legitimate interest and others also exist.

What must I do after a data breach? +

Assess severity and notify the Agency — and affected individuals when risk requires — within legal deadlines, documenting everything. You need a written, rehearsed procedure beforehand.

Can I send data outside Chile (cloud, HQ, SaaS)? +

Yes, under the new regime: adequate countries, contractual clauses or other safeguards. Foreign SaaS without documented safeguards becomes an infringement.

Do I need a DPO? +

The law promotes appointing a prevention officer with autonomy and resources. For most mid-size companies, an external DPO with tooling is cheaper and more defensible than improvising the role internally.

What is the infringement prevention model (art. 49)? +

A formal compliance program — analogous to Law 20,393 — that the law recognizes as a mitigating factor and that can be certified. The best cost/protection ratio in the regime.

Do security cameras and access control count as personal data? +

Yes: images, biometrics and access logs identify people. Video surveillance and biometric control need a legal basis, subject information and deletion terms.

How long does it take to comply? +

Depends on the starting point: a tidy SME, 2–3 months; a mid-size company with several systems, 4–6. That is why the assessment is urgent even if implementation is scheduled later.

Your question isn't here?
We answer within 24 business hours.

Ask →