In line with the GDPR, the new law innovates expressly regulating the territorial scope of application of the law. Find out how the new law addresses this matter in the following article.
Current regulatory context v/s Data Protection Bill
Law No. 19,628 does not expressly set forth its territorial scope of application However, considering that its general application pursuant to its Article 1 (“the processing of personal data in registries or data banks by public entities or private parties will be subject to the provisions of this law”), and considering the provisions of article 14 of the Chilean Civil Code, that provides as a general and subsidiary principle the territoriality of the law in our country, it is possible to conclude that this principle was implicitly applicable to Law No. 19,628. Thus, Law No. 19,628 applied to any processing of personal data carried out in Chile, regardless of the residence, citizenship or physical location of the data subject, and would not have apply to processing carried out abroad. If at least part of the processing took place in Chile (e.g., the initial collection of the data), then that law would have applied.
On the other hand, the new law expressly regulates the scope of its territorial application.
The following chart illustrates the change introduced in this matter with the new law:
| Law No. 19,628 | Data Protection Bill |
|---|---|
| It is not explicitly stated but it can be inferred from article 1 of Law No. 19,628 and art. 14 of the Chilean Civil Code. | The provisions of the new law will have territorial application, depending on certain circumstances, including (i) when the data controller or data processor is based in national territory, (ii) when the operations affect data subjects located in Chile, (iii) when the operations are carried out on behalf of data controllers based in Chile or (iv) pursuant to a contract or international law. |
Territorial scope of the Data Protection Bill
The new data protection law provides for its territorial scope of application, stipulating, as the GDPR, that in some cases its rules may apply extra-territorially:
- When the data controller or the data processor (mandatario or agent) is established or incorporated in national territory.
- When the data processor, regardless of its place of establishment or incorporation, carries out the personal data processing operations on behalf of a data controller established or incorporated in national territory.
- When the data controller or the data processor is not established in the national territory but the personal data processing operations carried out but them are intended to: (i) offer goods or services to data subjects who are in Chile, regardless of whether such data subjects are required to pay; or (ii) monitor the behavior of data subjects who are in national territory, including the analysis, tracking, profiling or prediction of behavior.
In addition, it is stated that the new law also applies to the processing of personal data carried out by a data controller who, although not established in national territory, is subject to national legislation pursuant to a contract or international law.