GUIDE — UPDATED JULY 2026
The definitive guide to Law 21,719
Everything a company operating in Chile needs to understand about the new data protection regime, on a single page and without legalese.
01 — What is Law 21,719?
Law 21,719, published on December 13, 2024, replaces the personal data regime Chile had since 1999 (Law 19,628) with one equivalent to European standards. It comes into force on December 1, 2026 and applies to every organization — public or private, large or small — that processes personal data in Chile, and even to foreign companies offering goods or services to people in Chile.
The fundamental change is one: compliance stops being declarative and becomes demonstrable and enforced. An agency with sanctioning power is born, fines reach boardroom-level figures and people gain rights with mandatory response deadlines.
02 — The concepts you need to master
Personal data is any information linked to an identified or identifiable person: name and tax ID, but also email, license plate, geolocation, camera footage, access logs, IP address. Sensitive data (health, biometrics, ideology, sex life, ethnic origin) gets reinforced protection.
Processing is any operation on that data: collecting, storing, using, disclosing, even deleting. Whoever decides the why and the how is the controller (your company); whoever processes on someone else's behalf is the processor (your cloud provider, your payroll provider, your marketing agency).
Every processing activity needs a lawful basis: consent, performance of a contract, legal obligation, legitimate interest or others the law establishes. Choosing the right basis is the most important design decision — consent is no longer the only route, and often not the right one either.
03 — The obligations for your company
- Record of processing activities (RoPA): a formal inventory of all your processing activities, with purpose, legal basis, recipients, retention periods and measures.
- Duty of information and transparency: policies and notices that tell the truth about what you do, in plain language.
- Security proportional to risk: adequate technical and organizational measures — access control, encryption, backups, incident management.
- Breach notification: after a security breach, notify the Agency (and affected individuals when applicable) within strict deadlines.
- Processor contracts: every vendor that touches personal data must operate under a data processing agreement (DPA).
- Impact assessments (DPIA): mandatory for high-risk processing — sensitive data at scale, systematic observation, automated decisions.
- International transfers: moving data out of Chile requires an adequate country, clauses or documented safeguards.
- Proactive accountability: the umbrella principle — complying is not enough, you must be able to prove you comply.
04 — People's rights
Data subjects can exercise the ARCOP rights against your company: Access to their data, Rectification of inaccurate data, Cancellation (erasure) when there is no reason to keep it, Objection to specific processing and Portability in a structured format. Add to that protection against significant automated decisions without human intervention.
Each right has response deadlines, and failing to respond is a standalone infringement. The real requirement is operational: an intake channel, identity verification, resolution criteria and a record of every request.
05 — Enforcement and sanctions
The Personal Data Protection Agency enforces on its own initiative or on complaint — from anyone, for free. The fines: up to 5,000 UTM (minor), 10,000 UTM (serious) and 20,000 UTM (very serious). For repeat offenses within 24 months: up to 2%–4% of annual revenue from sales and services in Chile.
It can also suspend processing for up to 30 days, ban it permanently and publish the sanction in the national public registry. SMEs get a 12-month sanctioning grace period (written warning before a fine) — the obligations still apply from day one.
06 — The infringement prevention model (art. 49)
The hidden gem of the regime, and the section almost every summary omits. The law allows adopting an infringement prevention model — analogous to the crime prevention model of Law 20,393 — with a prevention officer, a risk matrix, protocols, oversight and an internal channel.
Its effect is material: having the model operating and with evidence is a mitigating factor when grading sanctions, and it can be certified. In a regime with fines of up to 20,000 UTM, the difference in grading pays for the model many times over. We cover it in detail in our Prevention Model service.
07 — How to start
The proven sequence: gap assessment first (know where you stand), documentation next (RoPA, policies, DPAs), then operational workflows (ARCOP, breaches) and finally ongoing maintenance (DPO, monitoring, regulatory updates). We detail realistic timelines in the 30/60/90 plan.
Two free ways to start today: the interactive self-assessment (10 minutes, instant result) or the compliance checklist to work through with your team.
LEGAL NOTE
This guide is informational and does not constitute legal advice. The deliverables of our services are reviewed by lawyers specialized in data protection.