Data protection bill is sent to the Senate
May 23, 2023
The bill that regulates the protection of personal data passed to the third constitutional stage. We detail the main changes undergone by Bulletin 11,144-07.
Jaime Urzúa
Associate Attorney
Alessandri Abogados
The following is a summary of the main aspects that have changed since the entry of the restated bill that regulates the protection and processing of personal data and creates the Personal Data Protection Agency (Bulletin 11,144-07) to the Chamber of Deputies until its dispatch to the Senate for its third constitutional stage:
1. Territorial scope of the bill:
The bill now considers that “the provisions of this law shall apply to the processing of personal data carried out under any of the following circumstances:
a) When the data controller or agent is established or constituted in national territory.
b) When the agent, regardless of its place of establishment or incorporation, carries out the personal data processing operations on behalf of a data controller established or incorporated in national territory.
c) When the data controller or agent is not established in the national territory but its personal data processing operations are intended to offer goods or services to data subjects who are in Chile, regardless of whether they are required to pay, or to monitor the behavior of data subjects who are in the national territory, including their analysis, tracking, profiling or prediction of behavior.
This law shall also apply to the processing of personal data carried out by a data controller who, not being established in national territory, is subject to national law by virtue of a contract or international law”.
2. The concepts of “outdated data”, “statistical data”, “data blocking”, “deletion or cancellation of data” (now renamed “right of erasure”), “database” and “search engines” are deleted.
3. Regarding the definition of sensitive personal data, the concept of “personal habits” as a type of sensitive data is eliminated, but the “socioeconomic situation” of the data holder is added, so that the definition would read as follows: “those personal data that refer to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as those that reveal ethnic or racial origin, political, union or trade union affiliation, socioeconomic situation, ideological or philosophical convictions, religious beliefs, data relating to health, human biological profile, biometric data, and information relating to the sex life, sexual orientation and gender identity of a natural person will have this condition”.
4. The right of access includes the right to access meaningful information about the logic applied in the event that the data controller makes automated individual decisions, including profiling.
5. In the case of legal entities not incorporated in Chile, the data controllers must designate in writing, before the Agency, a representative domiciled in the country, so that the holder may exercise his/her rights under this law and receive the necessary judicial or administrative communications and notifications.
6. The concept of “ostensible imbalance” is eliminated with respect to obtaining the consent of the data controller.
7. Example cases are made explicit for the regulation of the duty to adopt security measures.
8. The obligation to carry out a Privacy Impact Assessment is established when it is likely that a type of processing, due to its nature, scope, context, technology used or purposes, may result in a high risk to the rights of data subjects.
9. It is specified which guarantees are considered adequate to carry out international data transfers.
10. The appointment of the President of the Agency shall be made by the Board of Directors of said institution and not by the President of the Republic.
11. The delivery of incomplete information in the process of registration or certification of the infringement prevention model is added as an infringement of the law.
12. Minor infractions shall be sanctioned with a written warning or a fine of up to 100 monthly tax units. Serious infringements shall be sanctioned with a fine of up to 5,000 monthly tax units or, in the case of companies, a fine of up to the equivalent of 2% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of 10,000 monthly tax units. Very serious infringements shall be sanctioned with a fine of up to 10,000 monthly tax units or, in the case of companies, a fine of up to the amount equivalent to 4% of the annual income from sales and services and other activities of the line of business in the last calendar year, with a maximum of 20,000 monthly tax units.
13. The form of adoption of an infringement prevention model changes. The model must now consist of a compliance program, which must contain, at least, the designation of a DPO and the identification of the type of information that the data controller processes, among other elements.
14. With respect to Law 19,496, and specifically Article 15 bis, the supervisory powers of Sernac with respect to the processing of data in a consumer relationship are eliminated. Notwithstanding the foregoing, the collective actions of the LPDC with respect to the personal data of consumers, within the framework of consumer relations (Articles 2 bis and 58 bis of the LPDC) remain unaffected.
15. The amendments to the Privacy Law, to Law No. 20,285, on access to public information, and the LPDC, shall enter into force on the first day of the 24th month following the publication of the Bill in the Official Gazette.
16. The National Congress, the Judiciary, the Office of the Comptroller General of the Republic, the Public Ministry, the Constitutional Court, the Central Bank, the Electoral Service and the Electoral Justice, and other special courts created by law shall not be subject to the control powers nor to the sanctioning powers of the Agency that may affect their constitutional autonomy.