New Regulation on Prevention Models for Personal Data Protection Violations
September 26, 2025
Diego Cordova Y., Associate
On August 28, the Office of the Comptroller General of the Republic received for legal review Decree No. 662/2025 from the Ministry of Finance. This decree regulates the requirements, modalities, and procedures for the implementation, certification, registration, and supervision of prevention models for violations referred to in Article 49 of Law 21.719 on personal data protection. The decree is currently undergoing the legal review process.
Key highlights from the regulation include:
1. Voluntary Nature and General Duty of Compliance
The regulation emphasizes that implementing a prevention model is voluntary. However, it clarifies that this does not exempt data controllers from the general duty to adopt preventive and compliance measures as defined in Law 19.628.
2. Minimum Content of Compliance Programs
The regulation outlines the minimum required content for a compliance program:
a. Identification of the data controller and their legal representative.
b. Appointment of a Data Protection Officer (DPO), including specification of their powers and resources.
c. Record of Processing Activities (RAT, from its Spanish name): detailing data categories, legal bases, automated decisions, international transfers, retention periods, etc.
d. Risk matrix: identifying activities with higher likelihood of violations, considering the severity of potential sanctions.
e. Internal protocols and procedures: clear rules to prevent non-compliance based on the type of data processed and associated risks.
f. Reporting and complaint mechanisms: expedited internal channels for employees and third parties; obligation to report to the Agency and data subjects, including the possibility of self-reporting.
g. Internal sanctions: disciplinary rules for non-compliance, applicable to employees or public officials.
h. Dissemination and training: the program must be known by all members of the organization.
3. Scope of Compliance Programs
The regulation requires that program obligations be incorporated into the employment contracts, service agreements, and internal regulations of data controllers. This means employees and providers must be contractually bound to comply with the data protection standards adopted by the organization.
4. Role of the Data Protection Officer
Appointing a DPO is mandatory if an organization adopts and certifies a prevention model.
The DPO may be internal (employee or executive) or external, through a service contract with a natural or legal person. If a legal entity is contracted, the natural person acting as DPO must be identified.
In business groups, a single DPO may be appointed provided the entities share common policies and standards.
5. Certification, Registration, and Supervision
The future Data Protection Agency will be responsible for certifying, registering, and supervising prevention models.
Certification is voluntary, valid for three years, and renewable upon review. Certified models will be listed in the National Registry of Sanctions and Compliance, which will be publicly accessible; holding a certified model will count as a mitigating factor if a violation occurs.
The Agency will have the authority to request information, monitor implementation, and revoke certifications in case of non-compliance.
Other Regulations Mandated by Law 21.719
In addition to the Prevention Models Regulation, the law mandates the issuance of other key regulations, which are still pending:
- Regulation defining data anonymization procedures for data sharing between public entities and with private individuals or organizations.
- Regulation establishing the official address of the future Data Protection Agency.
- Regulation defining the operating rules of the Agency’s Governing Council.