/ Control Organizations in the Protection of Personal Data

January 6, 2020

It is imperative to determine the authority that will finally take command of the protection of personal data. The role of compliance models must be made clear, and in general the self-regulation in the face of incidents or infringement reports.


One of the great questions we faced during 2019 was that of the supervisory bodies that would assume the role of guarantor for the protection of personal data. Although in August the Senate Committee approved the Council for Transparency (CPLT by its Spanish initials) for the role, this decision is not definite, as the draft law which amends Law 19.628 is still waiting to move through the Chamber of Deputies, where it is not clear whether the agreement reached in the upper house will be ratified.

As could be expected, in the absence of clear authority on the matter a number of entities have extended their inspection powers to claim their intervention in the protection of personal data, in some cases due to a lack of explicit legal basis.

The first of these has naturally been the CPLT. In 2008 with the entry into force of the Law 20.285 on access to public information, part of their role and functions were established as that of “upholding the adequate compliance with the Law 19.628 […], on behalf of the bodies of State administration.” With the latest agreement with the Senate, CPLT will have a difficult task in assessing the exercise of transparency on one side and privacy on the other. It has been discussed that this would not pose a problem, as both rights are “two sides of the same coin”, yet the probability that the protection of one will be hampered in favor of an almost exclusive attention to the other is quite high. The international experience has shown us this considering the exponential growth of requirements and reports on violations of the protection of personal data.

Furthermore, the National Consumer Service (Sernac), has approached the subject of the protection of consumer rights, by stipulating that providers using cookies must give warning of it, thus linking them (quite forcefully, we think) with the concept of accurate and timely information.

With an approach focused on cybersecurity, the Financial Market Commission (CMG by its initials in Spanish), has dictated three updated Compilations of Banking Standards (RAN by its initials in Spanish) and recently put up the fourth edition for comment, regarding the management of information security and cybersecurity, which is expected to enter into force in March of this year.

In September 2019 the Superintendence of Health together with eight other superintendencies demonstrated their commitment by signing a collaboration agreement on cybersecurity with the Ministry of the Interior, as part of a coordinated effort between the regulatory bodies against the growing number of incidents, frauds and cybernetic attacks.

Although it is favorable and noteworthy that all these actors are taking awareness and manifesting their interest in the protection of personal information, a common thread with clear directives and criteria is needed to nurture this conviction, thus avoiding a myriad of dissimilar reasoning and the existence of varying penalties for a same case, which would conflict with the principle of non bis in idem.

In this situation we believe it is essential as a first step to elevate the standard of cybersecurity in Chile, through the enactment of the law modifying the current law 19.628. It is urgent for this law to define the authority that will finally take responsibility for the protection of personal data (whether it be the CPLT or the as yet not dismissed Agency for the Protection of Personal Data, as an autonomous and independent entity). The role of compliancy models must be made clear, and in general of self-regulation in the face of incidents or infraction reports. Likewise, it is necessary to have coordination in the inspection as well as revision of the effective scope of the powers of each of the supervisory bodies that we have mentioned, to guarantee that the current constitutional rights and the right of free enterprise be respected, especially in the case of entrepreneurs and SMEs.

It is necessary that this draft legislation be allowed to advance through the Congress, to establish Chile as a technological pole and a safe harbor in matters of cybersecurity, creating a safe cybernetic ecosystem that guarantees the adequate protection that our personal data deserves.

Jaime Urzúa

Associate – Alessandri