The 19.628 Law: Chile's Take on Personal Data Protection

Our last stop in our data protection laws series takes us south to uncover a key law in one of the capitals of innovation of the southern hemisphere: Chile. See how it compares to the likes of GDPR, and how to comply with it properly.

May 16, 2019

To crown our series of articles covering data legislation, we had to take it back to our home country, Chile! As one of the summits of innovation in the southern hemisphere, it's no wonder the Latin American country has an active data treatment law: the 19.628 Law.

This legislation covers the treatment of personal data in registries or data banks. By that we mean any procedure or set of operations, automated or not, that collects, stores, writes, organizes, elaborates, selects, extracts, confronts, connects, communicates, loans, transfers, transmits, or cancels personal data in any way.

The 19.628 Law at its Core

When it comes to the treatment of personal data, this law requires that it be authorized by law or by the written and explicit consent of the data's rightful owner. As we've seen in GDPR, the 19.628 Law also requires full disclosure, prior to collection, of the data's purpose and its disclosure.

However, there are still some considerations to take into account. For example, data that comes from publicly accessible sources doesn't require consent. Furthermore, the law also considers that when the data and its usage 'expire', it should be eliminated, modified, or blocked without consent.

What Rights Do the People Have?

People, or the data's rightful owners, have the right to request all information related to them, as well as the origin of the collection, and the purpose or destination of the data.

Their rights also include:

  • Requesting the modification of data that isn't accurate.
  • Demanding the deletion of the data when its storage has no legal basis or has expired.
  • Withdrawing their consent and requesting the deletion or blocking of data provided previously.


Overall, they are quite similar to the standard set by GDPR and followed by the likes of CalOPPA. These requests should be free for the person requesting them and should come with a copy of the changed registry.

This is a right, and it can't be limited by convention unless it interferes with the proper functioning of a public organization's audit procedures, would entail the disclosure of legally established secrets, or conflicts with the State's security or interests.

The Data Regulator's Responsibilities

The organization in charge of these data banks has a two-day time frame to fulfill any request made by users. Once that time expires, the user can take legal action before the assigned judge. This right also applies when the regulator refuses a request due to national security concerns.

If the judge rules in favor of the person the data relates to, he or she will set a fixed time frame for delivery and, if applicable, can impose a fine of 1 to 10 UTM (Monthly Tax Units), or 10 to 50 UTM when commercial, economic, or financial information is disclosed without legal approval.

What's more, the law provides that the data regulator must compensate the user for any moral or patrimonial harm it could have caused by disclosing personal information.

How Does it Apply to Public Bodies?

Finally, when it comes to public bodies, the Chilean law establishes that these institutions can only process personal data that's directly related to their functions. In this case, no consent is required.

The Identification and Civil Registration Service is in charge of regulating and keeping a public registry of all data banks in public organizations. In it, they must detail each data bank's legal purpose and basis of existence, the type of data, and the type of people it includes.
