This comparative table presents the main differences between Law 19,628 and the new Data Protection Law.

| | Law 19,628 | New Data Protection Law |
|---|---|---|
| Legal basis for processing | It sets forth several legal bases, which can be summarized as: 1) the law; 2) the consent of the data subject. | Consent is established as the general rule, and new legal bases are introduced, among which are: 1) data related to economic, financial, banking or commercial obligations; 2) execution or fulfillment of a legal obligation; 3) execution or enforcement of a contract; 4) satisfaction of the legitimate interests of the data controller or a third party; 5) formulation, exercise or defense of a right before the courts of justice or public bodies. |
| Principles for the processing | It does not contain explicit guiding principles; they are derived from various standards. | They are explicitly regulated, among which are: 1) lawfulness and faithfulness; 2) purpose; 3) proportionality; 4) quality; 5) liability; 6) security; 7) transparency and information; 8) confidentiality. |
| Data subject rights | It sets forth the rights of: 1) information; 2) modification; 3) cancellation (or deletion); 4) blocking. | It sets forth the rights of: 1) access; 2) rectification; 3) deletion; 4) objection; 5) opposition to automated decisions; 6) portability; 7) blocking. |
| Supervisory authority | There is no centralized supervisory authority. Control is exercised in a diffuse manner by the courts of justice, the Transparency Council, and the Consumer Protection Bureau (SERNAC). | A Data Protection Agency is created. The Agency will have regulatory, supervisory, sanctioning and certifying powers. |
| Duties of the data controller | There is no section of the law regulating the duties or obligations of data controllers, although certain general duties are set out, such as the obligation to keep secrecy (Article 7). | The data controller has a series of generic and specific obligations, including: (i) the duty of secrecy or confidentiality; (ii) the duty of information or transparency; (iii) the duty of protection by design and by default; and (iv) the duty to adopt security measures; among others. |
| International data transfer | International data transfer is not regulated. There are no restrictions on transfers of personal data to other countries or jurisdictions; accordingly, the general rules apply. | International transfers are specifically regulated. They are lawful only in the circumstances and on the grounds set forth by law. Rules are provided to determine when a country qualifies as an "adequate country" for transfers of data from Chile. |
| Data security | The duty of security is implicit in Article 11, which imposes a duty on the data controller to "take care of the data with due diligence". | The new Data Protection Law contains the following provisions: 1) a security principle; 2) an obligation to adopt security measures; 3) an obligation to report and record breaches of security measures; 4) security obligations for the data processor (mandatario or agent) in the processing of personal data. |
| Infractions and associated penalties | Fine of 1 to 10 Monthly Tax Units (Unidades Tributarias Mensuales or "UTM") (approx. USD 78 to 780), or 10 to 50 UTM (approx. USD 780 to 3,900) in the case of financial or banking data. No catalog of offenses is established. The fine is determined by a civil court judge. | A catalog of infractions (minor, serious and very serious) is established, with fines of up to 20,000 UTM (approx. USD 1,139,350) and, in extreme cases, suspension of data processing for up to 30 days. |