Cyber SecurityData Privacy Legislations

The 19.628 Law: Chile’s Take on Personal Data Protection

Our last stop in our data protection laws series takes us south to uncover a key law in one of the capitals of innovation of the southern hemisphere: Chile. See how it compares to the likes of GDPR, and how to comply with it properly.

Feature Image

To crown the series of articles covering data legislations, we had to take it back to our home country, Chile! As one of the summits of innovation in the southern hemisphere, it’s no wonder the Latin American country has an active data treatment law: The 19.628 Law.

This legislation covers the treatment of personal data in registries or data banks. By that we mean any procedure or array of operations -automatized or not- that collect, store, write, organize, elaborate, select, extract, confront, connect, communicate, loan, transfer, transmit, OR cancel personal data in any way.

The 19.628 Law at its Core

When it comes to the treatment of personal data, this law demands that it is approved by law, or by written and explicit consent of the rightful owner of the data. Like we’ve seen in GDPR, the 19.628 law also requires full disclosure of the data’s purpose and disclosure prior to the collection.

However, there are still some considerations to be taken. For example, data that comes from public access resources doesn’t demand consent. Furthermore, the law also considers that when the data and its usage ‘expires’, it should be eliminated, modified, or blocked without consent.

What Rights Do the People Have?

People, or the data’s rightful owners, have the right to request all information related to them, as well as the origin of the collection, and the purpose or destination of the data.

As well as:

  • Requesting de modification of data that isn’t accurate.
  • Demanding the deletion of the data when there its storage isn’t legally bound or has expired.
  • Taking their consent back and soliciting the deletion or blocking of data provided previously.

Overall, they are quite similar to the standard set by GDPR and followed by the likes of CalOPPA. These requests should be free for the person requesting them and should come with a copy of the changed registry.

This is a right and it can’t be limited by convention, unless it interferes the proper functioning of a public organization’s audit procedures, or signifies the disclosure of legally established secrets, as well as any conflict it could generate with the State’s security/interests.

The Data Regulator’s Responsibilities

The organization in charge of these data banks has a two-day time frame to deliver any request demanded by users. Once that time expires, the user can take legal actions through its assigned judge. This right also applies to a negative by the regulator due to national security concerns.

If the judge does fail in favor of the person related to the data, he or she will set a fixed time-frame of delivery and, if applicable, can impose a fine that varies between 1 to 10 UTM, or 10 to 50 UTM (or Monthly Tax Unit) when commercial, economic, or financial information is disclosed without legal approval.

What’s more, the law considers that the data regulator must compensate the user for the moral or patrimonial harms it could have caused when disclosing any personal information.

How Does it Apply to Public Organisms?

Finally, when it comes to public organisms, the Chilean law establishes that these institutions can only process personal data that’s directly related to their trade. In this case, no consent is required.

The Identification and Civil Registration Service is in charge of regulating and having registry of all data banks in public organizations of a public manner. In it, they must detail its legal purpose and basis of existence, type of data, and the type of people it includes.

About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.