Infringements under the Data Protection Bill

Current regulatory context vs. Data Protection Bill

The new regulation will represent a paradigm shift with respect to the level of effective enforcement of legal obligations related to personal data. Below is a brief comparative chart with the main new features and the impact that the new regulation will have:

Law 19,628:
i) Fine of 1 to 10 Monthly Tax Units (Unidades Tributarias Mensuales or “UTM”) (78 to 780 USD, approx.), or 10 to 50 UTM (780 to 3,900.00 USD, approx.) in the case of financial or banking data.
ii) No catalog of offenses is established.
iii) Fine determined by a civil court judge.

Data Protection Bill:
i) A catalog of infractions is established, which classifies them as minor, serious and very serious.
ii) Penalties range from a written warning to a maximum of UTM 20,000 (USD 1,560,000.00, approx.).
iii) Mitigating and aggravating circumstances of responsibility are set forth.
iv) There are several criteria that the Data Protection Agency (the “Agency”) must apply prudently when determining the amount of a fine.
v) Accessory penalties are established in case of repeated very serious infringements.
vi) A National Registry of Sanctions and Compliance will be created.

Infringements of the Data Protection Bill

One of the most important changes in the Data Protection Bill is the complete restructuring of the system of infringements and the way in which they will be imposed by the future supervisory authority, i.e., the Agency.

Under the Bill, there are three categories of infringements:

  1. Minor infringements
  2. Serious infringements
  3. Very serious infringements

By way of illustration, acts such as partially failing to comply with the duty of transparency information, omitting to respond to requests made by the data subject in accordance with the law, lacking an individualized postal address, mail or equivalent electronic means of communication with the data controller, among others, are considered minor infringements (Article 34 bis).

On the other hand, processing personal data without the data subject’s consent or without a background or legal basis that grants lawfulness to the processing, and communicating or transferring personal data without the consent of the data subject, among others, constitute serious infringements (Article 34 ter).

Finally, acts such as processing personal data fraudulently, maliciously using the data for a purpose other than that consented to by the data subject or provided for in the law authorizing the processing, knowingly carrying out international data transfer operations in contravention of the provisions of the law, among others, are very serious infringements (Article 34 quater).

Penalties

  • Minor infringements are punished with a written warning or a fine of up to 100 UTM (7,800.00 USD, approx.).
  • In turn, serious infringements are punished with fines up to 5,000 UTM (390,000.00 USD, approx.) or, in the case of companies, a fine equivalent to up to 2% of the annual income from sales and services and other business activities in the last calendar year, with a maximum of up to 10,000 UTM (780,000.00 USD, approx.).
  • Finally, very serious infringements are punished with fines up to 10,000 UTM (780,000.00 USD, approx.) or, in the case of companies, a fine equivalent to up to 4% of the annual income from sales and services and other business activities in the last calendar year, with a maximum of up to 20,000 UTM (1,560,000.00 USD, approx.).

Determination of the amount of fines

While under current Law 19,628 penalties may reach a maximum of 10 UTM (780 USD, approx.) or 50 UTM (3,900.00 USD, approx.) (depending on whether the data are of an economic nature), under the Data Protection Bill the amount of the fine will depend on, among others, the following factors: (i) seriousness of the conduct; (ii) mitigating or aggravating circumstances of liability that may be present in relation to the sanctioned conduct; (iii) number of data subjects affected; (iv) economic capacity of the infringer.

Accessory penalties

The Agency will be entitled to impose, as an accessory penalty to the fines, the suspension of the data processing operations and activities carried out by the data controller, for a term of up to 30 days, which may be extended if the data controller does not adopt the necessary measures to comply with the requirements set forth by the Agency.
