RESOURCES — FREE, NO SIGN-UP
Documentation center
Real working material, not brochures. We publish it openly because an informed company makes a better client — and because the clock is running for everyone.
The definitive Law 21,719 guide
The entire regime explained for companies: obligations, rights, sanctions and the prevention model almost nobody covers.
Read the guide → 02Compliance checklist
28 concrete checks ordered by priority. Printable, to work through with your team.
Open the checklist → 0319,628 vs. 21,719: what changes
The side-by-side comparison between the old law and the new one, with the three differences that change your operation.
See the comparison → 04Interactive self-assessment
32 questions, instant result: your readiness level by area and what to prioritize.
Start now →The 15 we get every single week.
When does Law 21,719 come into force? +
On December 1, 2026. It was published on December 13, 2024 with a 24-month transition period.
Which companies does it apply to? +
Every public or private organization processing personal data in Chile, regardless of size or industry.
What is the Personal Data Protection Agency? +
The new public body that supervises compliance, handles complaints, issues sanctions and regulations. It can act on its own initiative or on anyone’s complaint.
How large are the fines? +
Up to 5,000 UTM for minor, 10,000 UTM for serious and 20,000 UTM for very serious infringements. Repeat serious/very serious offenses: up to 2% or 4% of annual Chilean revenue.
What about SMEs? +
Obligations apply from December 2026 all the same. For the first 12 months the Agency may issue written warnings instead of fines — time to fix, not to wait.
What are ARCOP rights? +
Access, Rectification, Cancellation (erasure), Objection and Portability: the rights any data subject can exercise against your company, with legal response deadlines.
What is the Record of Processing Activities (RoPA/RAT)? +
The formal inventory of every business process using personal data: purpose, legal basis, data categories, recipients, retention and security measures.
Is consent collected under the old law still valid? +
Only if it meets the new standard: specific, informed, unambiguous and revocable. Generic "all purposes" authorizations do not survive.
What is a lawful basis? +
The legal justification of each processing activity. Consent is one of several: contract, legal obligation, legitimate interest and others also exist.
What must I do after a data breach? +
Assess severity and notify the Agency — and affected individuals when risk requires — within legal deadlines, documenting everything. You need a written, rehearsed procedure beforehand.
Can I send data outside Chile (cloud, HQ, SaaS)? +
Yes, under the new regime: adequate countries, contractual clauses or other safeguards. Foreign SaaS without documented safeguards becomes an infringement.
Do I need a DPO? +
The law promotes appointing a prevention officer with autonomy and resources. For most mid-size companies, an external DPO with tooling is cheaper and more defensible than improvising the role internally.
What is the infringement prevention model (art. 49)? +
A formal compliance program — analogous to Law 20,393 — that the law recognizes as a mitigating factor and that can be certified. The best cost/protection ratio in the regime.
Do security cameras and access control count as personal data? +
Yes: images, biometrics and access logs identify people. Video surveillance and biometric control need a legal basis, subject information and deletion terms.
How long does it take to comply? +
Depends on the starting point: a tidy SME, 2–3 months; a mid-size company with several systems, 4–6. That is why the assessment is urgent even if implementation is scheduled later.