Chile: Data Protection Laws of the World Handbook: Second Edition - Chile
E-Commerce And Privacy Alert

LAW

Chile has enacted the following laws and regulations regarding the protection of personal data:

• Law No. 19,628 concerning the protection of personal data applicable to the public and private databases (last amended by Law No. 20,575 of February 17, 2012);
• Decree No. 779 (year 2000) of the Ministry of Justice, concerning the regulations applicable to databases of personal data maintained by public entities;
• Law No. 20,285 that regulates access to the public information and protects personal data in article 5 (first paragraph), article 21 No. 2 and article 33 m); and
• Decree No. 13 (year 2009) of the General Ministry of the Presidency, containing regulations implementing Law No. 20,285.

DEFINITION OF PERSONAL DATA

Personal data means any information concerning identified or identifiable natural persons.

DEFINITION OF SENSITIVE PERSONAL DATA

Sensitive data means personal data regarding the physical or moral characteristics of an individual, facts or circumstances of an individual's private life or intimacy, such as personal habits, race, ideologies, political opinions, beliefs or religious convictions, current physical or psychological health status, and sex life.

NATIONAL DATA PROTECTION AUTHORITY

The Jueces de Letras (first instance courts), the Appeal Courts and the Supreme Court serve as the national authorities in charge of the protection of the personal data. The Consejo para la Transparencia has authority regarding the personal data held by any public entity.

REGISTRATION

Chilean law contains only one registration requirement in respect of databases of personal data held by public entities. This registry is maintained by the Servicio de Registro Civil (article 22, Law No. 19,628).

There is no registration requirement for private databases (although private databases may be registered for IP protection purposes on the national Intellectual Property Registry, according to the Law No. 17,334).

DATA PROTECTION OFFICERS

The distributors of registries or databases that contain personal data of an economic, financial, banking or commercial nature, must appoint a natural person in charge of the treatment of the personal data, with whom the data subjects exercise his/her rights granted under Law No. 19,628 (e.g. the right to request an accounting of information held and disclosed by the database owner during the previous 12 months).

COLLECTION AND PROCESSING

Under Law No. 19,628, the processing or use of personal data is only permissible under the following specific circumstances:

• Where expressly authorised by the Law;
• With the express authorization of the individual data subject;
• When the personal data have been collected from public sources;
• When the personal data is economical, financial or commercial in nature;
• When the information is contained in listings related to a specific category of individuals that only disclose information such as the allegiance of such individual to such specific group, his/her profession or activity, educational diplomas, address and date of birth;
• By a private legal entity for the exclusive use of the entity, its affiliates and associates; and
• By entities affiliated with any of the abovementioned legal entities that use the information for statistical purposes, price listing purposes or other purposes for the general benefit of its associates.

When the personal data concerns economic, financial or commercial obligations, Chilean law imposes special obligations:

• such data may only be processed for the purposes of assessing credit risk or processing credit approvals;
• disclosure of such data can only be made to "established merchants" and entities that participate in the credit risk assessment, and then only for the purposes of credit approval;
• such data cannot be requested during processes of personnel selection, pre-school admission, undergraduate or graduate admissions, emergency medical care or application for a public office;
• controllers of such databases or distributors of such registries or databases, in carrying out their business, must adhere to the following principles: legitimacy, access and opposition, information, quality of data, finality, proportionality, transparency, non-discrimination, limits of use and security in treatment of personal data. In the event of a civil complaint by a data subject, the controller has the burden of proof in demonstrating to the judge that the controller exercised due diligence in its treatment of personal data;
• distributors of registries or databases of such nature shall have a registration system that tracks access and delivery of personal information, identifying the name of the person or entity who requested the information, the purpose, date and time of the request, and the person responsible for the delivery of the information. Data subjects (referred to as data holders under Chilean law) may request, every 4 months and at no cost, an accounting of the information registered in such system during the last 12 months;
• data subjects may request that the entities responsible for such databases provide to them a certificate of the past due credit obligations registered in such databases (which is different from a general credit risk assessment);
• the database controllers may only communicate personal data regarding past due credit obligations where the default of the individual is unquestionable;
• the database controllers may not communicate obligations that have already been extinguished, or whose due dates and conditions have been extended, renegotiated, novated, or that became payable more than 5 years earlier; and
• the law suspends communication regarding any debts of the unemployed (until the person becomes employed).

In any case, personal data must be precise, updated and consistent with the real situation of the individual to whom the data relates. Furthermore, data obtained from non public sources may only be used for the purposes for which they were collected.

The law expressly prohibits any kind of predictive models or commercial risk scorings that are not based solely on objective information concerning delinquencies or rejected/retuned negotiable instruments (e.g. checks) of individuals or entities. An individual affected by a violation of this prohibition may require that the information be immediately eliminated from the database and may seek damages against the responsible entity.

The processing of sensitive data is permitted only: (i) where expressly authorised by the law; (ii) with the consent of the data subject; or (iii) for the purpose of providing health benefits.

The Law No. 19,628 entitles any person to request from a public or private entity information regarding: (i) his/her personal data held by the entity; (ii) the source of the data; (iii) the purpose of storage; and (iv) the identity of the persons or entities that have received his or her personal data from the entity. The data subject's right to request access to, demand modification or deletion of, or to block future use of his or her personal data, cannot be limited by agreement.

TRANSFER

The transfer or disclosure of personal data is subject to substantially the same restrictions as those applicable to collection and processing.

SECURITY

Entities may be liable to data subjects for security breaches. The party responsible for any database of personal data has a duty to protect the information it contains and is responsible for any damages suffered as a result of non compliance with this obligation.

Chilean law regulates the security of any electronic transmission of personal data. The law states that the database owner may use an automatic procedure to transfer personal data, provided that the rights of the individuals are safeguarded and the transmission relates to business purposes of the parties to the communication. Further, for any electronic transmissions, an entity must keep a record of the: a) identity of the person requiring the information; b) motive and purpose of the transfer; and c) kind of data that is transmitted.

Chilean law mandates that any employees of public or private entities who handle personal information are subject to a confidentiality obligation that extends after the termination of their employment agreement. However, it does not require implementing specific security measures.

BREACH NOTIFICATION

In Chile, there is no duty to notify a data subject or regulator when personal data is lost or stolen.

ENFORCEMENT

If the owner controller of a registry or database, does not respond to a data subject's request within 2 business days, or denies the request, the data subject may file a claim before the Juez de Letras for the protection of his or her rights. Any decision of the Juez de Letras may be appealed to the relevant Appeals Court. The Supreme Court determines cases where access is denied based upon a national security or the national interest.

Courts are authorised to impose a fine of 2 to 50 UTM (as of this writing approximately US$170 to $4,250).

In addition, Law No. 20,285 provides that any person may demand a public entity to eliminate any of his or her data collected, processed or stored in violation of the applicable law. If the public entity denies the request or if it does not provide any answer, the data subject may file a claim before the Consejo para la Transparencia. The resolution of the Consejo para la Transparencia may, in turn, be appealed before the Appeals Court of Santiago. Violations of personal data laws may also result in disciplinary procedures against a public entity.

It is also a criminal offense to do any of the following:

• Destroy or disable all or part of a system for the treatment/protection of personal information;
• Block or modify the functioning of a database;
• Appropriate, use or unlawfully obtain knowledge of the personal information included in a database or to unlawfully intercept, interfere with or access personal data or databases;
• Alter, damage or destroy the data contained in a database; or
• To reveal or to disclose the data contained in an information system.

ELECTRONIC MARKETING

Article 28B of the Consumer Protection Law provides that any promotional or advertising communication sent by electronic mail shall indicate the subject matter, the identity of the sender and a valid address to which the recipient may opt out of receiving future communication (opt-outs must be honored immediately).

Promotional emails that are anonymous emails or that do not contain all the required information violate the law.

If the company sends any promotional email to a consumer after the consumer's opt-out request, the sender is subject to a fine up to 50 UTM (approximately US$4,250).

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Chile does not have an online privacy law that regulates cookies, location data or other conventional means of online tracking. However, Law No. 19,223 protects online privacy by criminalizing the following conduct, among others:

• To intercept, interfere with or access to an information system with the purpose of taking possession, using or unlawfully obtaining knowledge about the information contained in such system; or
• To maliciously reveal or disclose the data contained in an information system.

The wording of Law 19233 is very broad. It is possible that a court could consider that the use of cookies and other similar tracking devices under certain circumstances is a violation of the law.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com