By Matías Zegers, Carla Illanes, Juan Cristóbal Ríos, and José Tomás Musalem
Last Monday, May 8, the Personal Data Protection Bill (“the Bill”) concluded its discussion in the Chamber of Deputies and was submitted back to the Senate, where it was originally filed. Considering the prompt processing of the Bill over the past few months, it is expected that during late 2023 Chile will finally have a regulation appropriate to the digital economy environment in which we operate, with a governing authority, new rights for data subjects and the possibility for organizations to certify their compliance models; among other matters.
The main amendments introduced by the Bill are as follows:
a. New obligations for the Data Controller: these will be required to make data subjects aware of the background information that certifies the lawfulness of its processing; to maintain secrecy or confidentiality about personal data concerning a data subject; and, in accordance with the corresponding state of the art, implement appropriate technical and organizational measures from the design prior to and during the processing of personal data.
b. Consent and law will cease to be the main sources of data processing, incorporating (i) legitimate interest, (ii) processing based on necessity for the performance of an agreement (including pre-contractual relationships) and (iii) processing carried out in accordance with the law for the formulation, exercise, or defense of a right before courts of law or public agencies.
c. Processing of sensitive data may only be carried out when the data subject expressly gives his or her consent, by means of a written or verbal declaration or by an equivalent technological means. The exception to this rule will be verified when the processing of data is necessary for the exercise of rights and the fulfilment of obligations of the data controller or the data subject, in the labor or social security sphere, and is carried out according to law.
d. Likewise, new processing principles are incorporated: lawfulness and fairness; purpose; proportionality; quality; accountability; transparency and information, and confidentiality.
e. A new figure is implemented: the data protection officer (“DPO”): each data controller must appoint a DPO, which must be independent from the administration and in micro, small and medium-sized enterprises, the owner, or the highest authority may personally assume the tasks of the DPO. Among other duties, the DPO must cooperate and act as the Data Protection Agency’s point of contact and assist the members of the organization in identifying the risks associated with the processing activity and the measures to be adopted to safeguard the rights of the data subjects.
f. Infringement Prevention Model: The Bill develops a catalogue of infringements and sanctions, mitigating and aggravating factors, an infringement procedure, and a judicial complaint procedure. Finally, it establishes a system that prevents and encourages voluntary compliance with the law.
g. Fines: The following distinctions must be made:
- Minor infringements: written warning or fine of 1 to 100 Monthly Tax Units (UTM) (roughly, between USD 80 and USD 8,000).
- Serious infringements: fine of up to 10,000 UTM (roughly, USD 800,000). In the case of companies, up to the equivalent of 2% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of 10,000 UTM.
- Very serious: fine of up to 20,000 UTM (roughly, USD 1,600,000). In the case of companies, a fine of up to the equivalent of 4% of the annual income from sales and services and other activities of the business in the last calendar year, with a maximum of 20,000 UTM.
h. Data Protection Agency (DPA): it must ensure the effective protection of the rights that guarantee the privacy of individuals and their personal data and supervise their compliance.
i. Cross-border transfers of personal data are regulated, determining the cases in which they will be lawful, including transfers to organizations, entities or persons that provide adequate levels of personal data protection or that are covered by standard contractual clauses.
The progression of the Bill offers a strategic opportunity for those who anticipate its implementation. In this regard, the path taken by organizations in Europe in relation to the 2018 enactment of the General Data Protection Regulation provides us with a series of best practices that are important to bear in mind in Chile, especially considering that the Bill establishes an obligation for the data controller to adopt measures aimed at preventing the commission of breaches.
In general, in the European process, the design of diagnoses made it possible to establish a baseline on the current status, gaps and challenges of each entity, which contributed to the organizations’ progress in the construction of implementable, measurable, and perfectible breach prevention models over time.
In short, in a global context where public opinion, consumers and users imply greater importance to the reputation of companies in terms of privacy, in the European experience, the development by organizations of compliance programmes certified by their respective agencies allowed them to act more quickly in the face of security breaches and threats, a fundamental element when it comes to facing this challenge.
For more information, please contact:
* This report provides general information on certain legal or commercial issues in Chile, and is not intended to analyze in detail the matters contained herein, nor is it intended to provide specific legal advice on such matters. The reader is advised to seek legal advice before making any decision regarding the matters contained in this report. This report may not be reproduced by any means or in any part without the prior consent of DLA Piper Chile.