The 19.628 Law: Chile's Take on Personal Data Protection

Our last stop in our data protection laws series takes us south to uncover a key law in one of the capitals of innovation of the southern hemisphere: Chile. See how it compares to the likes of GDPR, and how to comply with it properly.

May 16, 2019

To crown the series of articles covering data legislation, we had to take it back to our home country, Chile! As one of the summits of innovation in the southern hemisphere, it's no wonder the Latin American country has an active data treatment law: the 19.628 Law.

This legislation covers the treatment of personal data in registries or data banks. By that we mean any procedure or array of operations (automated or not) that collects, stores, writes, organizes, elaborates, selects, extracts, confronts, connects, communicates, loans, transfers, transmits, or cancels personal data in any way.

The 19.628 Law at its Core

When it comes to the treatment of personal data, this law demands that it be approved by law, or by written and explicit consent of the rightful owner of the data. As we've seen with GDPR, the 19.628 Law also requires full disclosure of the data's purpose and disclosure prior to the collection.

However, there are still some considerations to be taken into account. For example, data that comes from public access resources doesn't demand consent. Furthermore, the law also considers that when the data and its usage 'expire', it should be eliminated, modified, or blocked without consent.

What Rights Do the People Have?

People, or the data's rightful owners, have the right to request all information related to them, as well as the origin of the collection, and the purpose or destination of the data.

As well as:

  • Requesting the modification of data that isn't accurate.
  • Demanding the deletion of the data when its storage isn't legally bound or has expired.
  • Taking their consent back and soliciting the deletion or blocking of data provided previously.


Overall, they are quite similar to the standard set by GDPR and followed by the likes of CalOPPA. These requests should be free for the person requesting them and should come with a copy of the changed registry.

This is a right and it can't be limited by convention, unless it interferes with the proper functioning of a public organization's audit procedures, signifies the disclosure of legally established secrets, or conflicts with the State's security or interests.

The Data Regulator's Responsibilities

The organization in charge of these data banks has a two-day time frame to deliver any request demanded by users. Once that time expires, the user can take legal action through their assigned judge. This right also applies when the regulator refuses a request due to national security concerns.

If the judge rules in favor of the person related to the data, he or she will set a fixed time frame for delivery and, if applicable, can impose a fine of 1 to 10 UTM (Monthly Tax Units), or 10 to 50 UTM when commercial, economic, or financial information is disclosed without legal approval.

What's more, the law considers that the data regulator must compensate the user for the moral or patrimonial harms it could have caused when disclosing any personal information.

How Does it Apply to Public Organisms?

Finally, when it comes to public organisms, the Chilean law establishes that these institutions can only process personal data that's directly related to their trade. In this case, no consent is required.

The Identification and Civil Registration Service is in charge of regulating and keeping a registry, in a public manner, of all data banks in public organizations. In it, they must detail each data bank's legal purpose and basis of existence, the type of data, and the type of people it includes.
