/ CMF will Monitor Personal Data of Financial Clients

In June 2021, the CMF issued the policy of standards and general principles on market conduct related to the protection of financial clients. In the absence of a supervisory body for the protection of personal data, the CMF will be able to supervise the treatment of their data by financial institutions.

Macarena Gatica
Partner Alessandri

The supervision of market conduct exercised by the Financial Market Commission (CMF) is based on two pillars. The first is aimed at safeguarding the existence of a transparent and integral securities market, in which the entities under supervision report reliable information to the public, without abuses or manipulations by the actors that intervene in the market and that protect the rights of minority shareholders. The second pillar seeks to protect the financial client, guaranteeing fair treatment in the commercialization process and during the term of the financial contract.

In June 2021, the CMF issued the policy of standards and general principles on market conduct related to the protection of the financial client, which is developed on the basis of five general principles applicable to financial institutions: i) fair treatment of clients of financial institutions; ii) adequate management of conflicts of interest; iii) protection of client information; iv) transparency in the marketing and advertising of financial products; and v) diligent management of complaints and submissions.

With respect to the protection of customer information, the regulation applies principles already defined in the privacy protection law 19,628, such as the bases of lawfulness of data processing: the law and consent, the rights of information, rectification, cancellation of data processing, principles of proportionality, lawfulness, transparency and purpose contemplated in the bill that modifies the aforementioned law.

Regarding security, it states that the safeguarding of financial and personal data is one of the main responsibilities of the financial services industry and adds that financial institutions must adopt all necessary measures to protect the information.

Pursuant to Ran 20-10, in force since December 2020, financial institutions must adopt operational risk management and cybersecurity systems. It also alludes to Ran 20-7, as it indicates that the institution must be aware of outsourcing risks. It also adds that they must verify that the provider has mechanisms in place to safeguard information and that it must report security breaches.

Finally, it is stated that the institutions must consider compliance with legislation in relation to the handling of customer information between related parties.

Thus, the CMF will be able to supervise the treatment that financial institutions make of their data. This situation arises from the lack of a supervisory body for the protection of personal data. A similar case will occur with respect to personal data in a consumer relationship, in which, in accordance with art. 15 bis of bill 12,409, it may be supervised by Sernac.

We can only hope that Chile will soon have an organic regulation on data protection that applies to all data subjects regardless of their status as consumers, workers or financial clients. Otherwise, the protection of this data will depend on the quality of the data holder or the relationship in which the data is processed.