Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 1 January 2025

Starting in 2025, there will be three general regulators overseeing data protection and cybersecurity matters. These general regulators will operate alongside sector-specific regulators, which may also have authority over data privacy, non-personal data, and/or cybersecurity in areas such as banking, insurance, securities, health and telecommunications. The three general regulators will be (a) the Data Protection Agency, (b) the Cybersecurity Agency and (c) the Consumer Protection Authority (SERNAC).

As the Data Protection Act Reform enters into force within a 24-month term, the Data Protection Agency will be created and staffed during this period. However, it will only be able to enforce the Data Protection Act, including issuing sanctions and binding interpretations, starting from 13 December 2026.

In turn, the Cybersecurity Agency was created by presidential decree on 24 December 2024. The main aspects of the Cybersecurity Act, particularly those related to enforcement and audits, will enter into force in March 2025.

A reform to the Chilean Consumer Protection Act in December 2021 designated the Consumer Protection Authority (SERNAC) as the data protection authority in the context of consumer protection. Consequently, SERNAC is now a specially empowered consumer data protection authority. Through official communications, SERNAC has established guidelines and requirements for suppliers regarding the processing of consumers' personal data. One guideline addresses the criteria of equity in the stipulations contained in adhesion contracts, while another provides guidelines on consumer protection against the use of artificial intelligence systems in consumer relations.

Additionally, for the public sector, the Transparency Council acts to a certain extent as a data protection regulator concerning data processing conducted by public agencies.

How active is each of the regulator(s)?

Last review date: 1 January 2025

☒ Not very

The regulator has been historically inactive. However, because new agencies such as the Cybersecurity Agency and the Data Protection Agency have just been created, it is expected that enforcement will increase significantly.

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 1 January 2025

The main changes will stem from the recently established Cybersecurity Agency. Over time, the Data Protection Agency will become more active in enforcement and issuing binding interpretations. However, because the authority has not yet been appointed, this second aspect is not expected during 2025.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 1 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

Rare

Class actions/group actions under data or cyber regulation are:

Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 1 January 2025

There are:

☒ administrative remedies / civil penalties applied by regulators and law enforcement

A data subject may bring a lawsuit against the government agency, private legal entity or individual responsible for the database, and the court can order the correction, blockage or elimination of the data from the database, as appropriate, and impose fines from USD 3,500 to USD 1,450,000.

Failure to timely deliver information or to update or amend any information in the manner ordered by the court may lead to a fine of up to UTM 50 (approximately USD 3,550) as well as to a suspension of up to 15 days in the case of governmental entities.

[Note that the UTM or Unidad Tributaria Mensual is a Chilean unit indexed to inflation so its value varies with time].

☒ criminal penalties from regulators and law enforcement

According to Article 61 bis of Decree Law 3,500, issued by the Labor and Social Security Ministry in 1980, unauthorized use of personal data provided to the pension system is subject to the same sanctions as those established for fraud under Article 467 of the Chilean Criminal Code. These sanctions range from 541 days to five years of imprisonment, plus a fine that may range from UTM 15 (approximately USD 1,065) to UTM 30 (approximately USD 2,130).

This refers only to non-compliance with data privacy and security requirements, not to cybercrimes committed with willful misconduct.

☒ private remedies

The court can further award indemnification for damages (whether property and/or moral damages), if applicable.

If data subjects have private remedies, what form can these remedies take?

Last reviewed: 1 January 2025

individual personal actions

representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

class actions