Update of the Personal Data Protection Act in Chile

[najmulseo2020]

How to design a data governance program that supports compliance with the regulations
At the end of August, Law 19,628 on the Protection of Private Life in Chile was updated. This new regulatory framework for the processing and protection of personal data requires companies to design new data governance strategies that guarantee compliance.

The regulation emphasizes the need to obtain explicit and informed consent for the collection of personal data, strengthening the rights of data subjects and urging the implementation of appropriate security measures.

At this point, data governance is a key tool for organizations to comply with the law and, at the same time, optimize data management to improve their business results.

In this article, we review the updates to the Chilean jamaica phone number lead data protection law and detail the data management practices that must be implemented to comply with the law.

Personal Data Protection Act: What are the updates?
Promulgated in August 1999, Law 19,628 on the Protection of Private Life laid the initial foundations for protecting personal data in Chilean territory.

Although at the time its scope was adequate, digitalisation, technological growth and the constant flow of information circulating in digital channels changed the landscape, making it necessary to introduce a more robust approach that took into account the challenges of data protection in the digital age.

Against the backdrop of the amendment to Article 19 No. 4 of the Chilean Constitution, which in 2018 elevated the protection of personal data to the rank of fundamental right, the update of Law 19,628 introduces key principles such as legality, purpose, proportionality, quality , responsibility, security, transparency, information and confidentiality in the processing of personal data.

It thus seeks to ensure appropriate treatment of personal data in order to protect the rights of data subjects and facilitate the secure exchange of information with countries operating with similar models.

Rights of the owner
The law recognises and strengthens the rights of data owners to access, rectification, cancellation and opposition, known as ARCO. The right to portability is now added to these rights.

These safeguards allow individuals to have greater control over their personal data, being able to request access to their data, correct inaccurate information, object to certain uses of their personal information, and transfer their data from one entity to another in a secure and convenient manner.

Access . Provides individuals with the ability to know whether their personal data is being processed, why the processing is taking place, and what categories of data are being handled.
Rectification . Enables individuals to correct data that is inaccurate or incomplete. It is essential to ensure that personal information handled by entities reflects the current reality of the data holders.
Cancellation . Better known as the “right to be forgotten,” it allows individuals to request the deletion of their personal data if there are no longer reasons to retain it or when it is no longer necessary for the purposes for which it was collected, among other situations.
Objection . Allows individuals to object to the processing of their personal data in certain circumstances. This includes processing of data for marketing purposes, scientific or historical research, or profiling.
Portability . Enables individuals to receive personal data provided to an entity in a structured, commonly used and machine-readable format, as well as to request that these records be transmitted directly to another entity, whenever technically feasible. In this way, the mobility of personal data between services is simplified, thus promoting competition and innovation.
Data collection and consent
Before carrying out any collection of personal information, the regulations establish that entities must have the explicit and well-informed consent of the data subjects.

Consent must be given on an informed basis. This means that data subjects must be aware of the specific purpose for which their data is collected, in order to ensure a legitimate and transparent basis for its processing.

Data processing and security
Companies must implement technical and organisational measures aimed at protecting personal data against any form of improper processing, loss or unauthorised access.

This includes ensuring the accuracy, relevance and integrity of records for the purposes for which they are processed, highlighting the importance of keeping information up to date and secure.