Cyber SecurityData Privacy Legislations

The 19.628 Law: Chile’s Take on Personal Data Protection

Our last stop in our data protection laws series takes us south to uncover a key law in one of the capitals of innovation of the southern hemisphere: Chile. See how it compares to the likes of GDPR, and how to comply with it properly.

Feature Image

To crown the series of articles covering data legislations, we had to take it back to our home country, Chile! As one of the summits of innovation in the southern hemisphere, its no wonder the Latin American country has an active data treatment law: The 19.628 Law.

This legislation covers the treatment of personal data in registries or data banks. By that we mean any procedure or array of operations -automatized or not- that collect, store, write, organize, elaborate, select, extract, confront, connect, communicate, loans, transfers, transmits, OR cancels personal data in any way.

The 19.628 Law at its Core

When it comes to the treatment of personal data, this law demands that it is approved by law, or by written and explicit consent of the rightful owner of the data. Like we’ve seen in GDPR, the 19.628 law also requires full disclosure of the data’s purpose and disclosure prior to the collection.

However, there are still some considerations to be taken. For example, data that comes from public access resources doesn’t demand consent. Furthermore, the law also considers that when the data and its usage ‘expires’, it should be eliminated, modified, or blocked without consent.

What Rights Does the People Have?

People, or the data’s rightful owners, have the right to request all information related to them, as well as the origin of the collection, and the purpose or destination of the data.

As well as:

  • Requesting de modification of data that isn’t accurate.
  • Demanding the deletion of the data when there its storage isn’t legally bound or has expired.
  • Taking their consent back and soliciting the deletion or blocking of data provided previously.


Overall, they are quite similar to the standard set by GDPR and followed by the likes of CalOPPA. These requests should be free for the person requesting them and should come with a copy of the changed registry.

This is a right and it can’t be limited by convention, unless it interferes the proper functioning of a public organization’s audit procedures, or signifies the disclosure of legally-established secrets, as well as any conflict it could generate with the State’s security/interests.

The Data Regulator’s Responsibilities

The organization in charge of these data banks has a two-day time frame to deliver any request demanded by users. Once that time expires, the user can take legal actions through its assigned judge. This right also applies to a negative by the regulator due to national security concerns.

If the judge does fail in favor of the person related to the data, he or she will set a fixed time-frame of delivery and, if applicable, can impose a fine that varies between 1 to 10 UTM, or 10 to 50 UTM (or Monthly Tax Unit) when commercial, economic, or financial information is disclosed without legal approval.

What’s more, the law considers that the data regulator must compensate the user for the moral or patrimonial harms it could have caused when disclosing any personal information.

How Does it Apply to Public Organisms?

Finally, when it comes to public organisms, the Chilean law establishes that these institutions can only process personal data that’s directly related to their trade. In this case, no consent is required.

The Identification and Civil Registration Service is in charge of regulating and having registry of all data banks in public organizations of a public manner. In it, they must detail its legal purpose and basis of existence, type of data, and the type of people it includes.

Nicolas Poggi

Nico Poggi is Prey's growth and mobile research manager at Prey Inc, exploring innovations, and the evolution of the security and privacy landscape. Nico also serves as the brand's curator, overseeing the company's voice across its platform and communications.