Current law vs. the Bill

Comparison of Law 19,628 and the Data Protection Bill

This comparative table presents the main differences between Law 19,628 and the Data Protection Bill.

Law 19,628 | Data Protection Bill
Legal basis for processing

Law 19,628: It sets forth several legal bases, which can be summarized as:

i) The law
ii) The consent of the data subject

Data Protection Bill: Consent is established as a general rule, and new legal bases are introduced, among which are:

i) Data related to economic, financial, banking or commercial obligations
ii) Execution or fulfillment of a legal obligation
iii) Execution or enforcement of a contract
iv) Satisfaction of legitimate interests of the data controller or a third party
v) Formulation, exercise or defense of a right before the courts of justice or public bodies

Principles for the processing

Law 19,628: It does not contain explicit guiding principles. They are built on various standards.

Data Protection Bill: They are explicitly regulated, among which are:

i) Lawfulness and faithfulness
ii) Purpose
iii) Proportionality
iv) Quality
v) Liability
vi) Security
vii) Transparency and information
viii) Confidentiality

Data subject rights

Law 19,628: It sets forth the rights of:

i) Information
ii) Modification
iii) Cancellation (or Deletion)
iv) Blocking

Data Protection Bill: It sets forth the rights of:

i) Access
ii) Rectification
iii) Deletion
iv) Objection
v) Opposition to automated decisions
vi) Portability
vii) Blocking

Supervisory authority

Law 19,628: There is no centralized supervisory authority. Control is exercised in a diffuse manner by the courts of justice, the Transparency Council, and the Consumer Protection Bureau (SERNAC).

Data Protection Bill: A Data Protection Agency is created. The Agency will have regulatory, supervisory, sanctioning and certifying powers.

Duties of the data controller

Law 19,628: There is no section in the law regulating the duties or obligations of data controllers, but the law sets out certain general duties, such as the obligation of secrecy (Article 7).

Data Protection Bill: The data controller has a series of generic and specific obligations. These include: (i) the duty of secrecy or confidentiality; (ii) the duty of information or transparency; (iii) the duty of protection by design and by default; and (iv) the duty to adopt security measures; among others.

International data transfer

Law 19,628: International data transfer is not regulated. There are no restrictions on transfers of personal data to other countries or jurisdictions. Accordingly, the general rules apply.

Data Protection Bill: International transfers are specifically regulated. They are lawful in certain circumstances and on grounds set forth by law. Rules are provided to determine whether a country qualifies as an “adequate country” for transfers of data from Chile.

Data security

Law 19,628: The duty of security is implicit in Article 11, which imposes a duty on the data controller to “take care of the data with due diligence”.

Data Protection Bill: The Bill contains the following considerations:

i) Security principle.
ii) Obligation to adopt security measures.
iii) Obligation to report and record breaches of security measures.
iv) Security obligations for the data processor (mandatario or agent) in the processing of personal data.

Infractions and associated penalties

Law 19,628: Fine of 1 to 10 Monthly Tax Units (Unidades Tributarias Mensuales or “UTM”) (78 to 780 USD, approx.), or 10 to 50 UTM (780 to 3,900.00 USD, approx.) in the case of financial or banking data. No catalog of offenses is established. The fine is determined by a civil court judge.

Data Protection Bill: A catalog of infractions (minor, serious and very serious) is established, with fines of up to 20,000 UTM (USD 1,560,000.00, approx.) and, in extreme cases, suspension of processing for up to 30 days.