The Chilean Personal Data Protection Law (the “Law”) establishes a new regulatory framework for the processing and protection of personal data, ensuring the protection of individuals’ fundamental rights and freedoms. The main reforms introduced by the new Law are detailed below:
- General principles: The Law is based on key principles that govern the processing of personal data. These principles include lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. Data must be processed lawfully, fairly, and transparently, ensuring that it is collected for specific, explicit, and legitimate purposes. The Law requires that only necessary data be collected for these purposes and that it be kept accurate and up-to-date. Data controllers must also ensure that personal data is protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage by implementing appropriate technical and organizational measures.
- Obligations for companies: The Law imposes various obligations on entities that process personal data. Companies must obtain explicit, informed, and specific consent from individuals before processing their personal data. They are also required to maintain transparency by providing clear information about data processing activities, including the purposes of data collection and the rights of data subjects. Additionally, companies must implement appropriate security measures to protect personal data against unauthorized access, security breaches, and other risks. The Law also requires companies to notify the Personal Data Protection Agency in the event of any data breach that poses a risk to individuals’ rights and freedoms.
- Rights of data subjects: The Law establishes several rights for data subjects. These include the right to access their personal data, the right to rectify any inaccuracies, the right to request the deletion of their data, and the right to object to certain types of data processing. Furthermore, individuals have the right to data portability, which allows them to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller. The Law also provides for the right to restrict processing, where individuals can request the suspension of data processing activities under certain circumstances.
- Transitional provisions: The Law includes transitional clauses to ensure a smooth implementation of the new regulations. These provisions allow for a specified period during which companies and public entities must align their data processing activities with the new legal requirements. During this transition period, entities are required to review and update their data protection policies, procedures, and security measures to comply with the Law. The Personal Data Protection Agency will provide guidance and support to organizations during this period, ensuring that all entities are fully compliant by the end of the transition.