Main Changes of the NDPA
An Analysis of the New Data Protection Act of Chile
The recent update to the Data Protection Law of Chile, known as the New Data Protection Act (NDPA), represents a significant shift in the regulation of personal data processing in the country. This law, aligned with international standards such as the European Union’s General Data Protection Regulation (GDPR), seeks to modernize the protection of fundamental rights in the digital environment.
In this article, we will explore the main changes introduced by the NDPA, highlighting its key innovations and differences compared to the previous Law No. 19,628 of 1999.
1. Focus on the protection of fundamental rights
One of the most relevant changes introduced by the NDPA is its emphasis on privacy as a fundamental right, constitutionally protected. Unlike the previous regulation, which focused on data processing from a technical perspective, the new law positions data protection as an extension of human rights. This approach reinforces the need for companies and public entities to adopt proactive measures to ensure the security and confidentiality of personal data.
2. Expansion of the scope of application
The NDPA applies to all entities, whether public or private, that process personal data in Chile, regardless of whether the company is established in the country or not. This change is similar to the GDPR’s extraterritorial approach and aims to ensure the protection of the rights of Chilean data subjects, even when their data is processed outside national territory.
Main changes of the NDPA compared to Law No. 19,628
3. Informed and explicit consent
The previous regulation allowed data processing based on generic consent. However, the NDPA requires that consent be explicit, informed, freely given, and revocable. This change reinforces the need for data controllers to implement clear and accessible transparency policies for data subjects.
4. New obligations for data controllers
Additional responsibilities are introduced for organizations that process personal data, including:
- The obligation to appoint a Data Protection Officer (DPO) to oversee regulatory compliance.
- The implementation of appropriate technical and organizational measures to protect personal data.
- The requirement to conduct data protection impact assessments where significant risks are identified.
5. Strengthened data subject rights
The NDPA introduces an expanded set of rights for data subjects, strengthening their ability to control how their personal data is collected, used, and protected. The main rights include:
- Right of access: data subjects may request and obtain confirmation as to whether their personal data is being processed, as well as information on the purposes, categories of data processed, and recipients to whom the data has been disclosed.
- Right to rectification: data subjects may request the correction of their personal data if it is inaccurate, incomplete, or outdated.
- Right to erasure: data subjects have the right to request the deletion of their personal data in cases such as when the data is no longer necessary, consent has been withdrawn, the data has expired, or it was obtained unlawfully.
- Right to object: allows data subjects to object to the processing of their data in specific circumstances, such as direct marketing or automated decision-making that significantly affects them.
- Right to data portability: data subjects may receive their personal data in a structured, commonly used, and machine-readable format, facilitating its transfer to another controller without technical obstacles.
- Right to restriction of processing: data subjects may request the temporary suspension of processing activities under certain circumstances, such as when the accuracy or lawfulness of the processing is contested.
- Right to be forgotten: grants data subjects the ability to request the deletion of their data when it is no longer necessary for its original purpose or when consent has been withdrawn.
These rights not only promote greater control for individuals over their information, but also require companies and public entities to adapt their processes to ensure compliance.
Additionally, the NDPA reinforces the principles governing data processing, including:
- Principle of lawfulness and fairness: processing must be carried out in accordance with the law and in a transparent manner for the data subject.
- Principle of purpose limitation: data must be processed for legitimate, specific, and explicit purposes.
- Principle of proportionality: only the minimum data necessary to fulfill the purpose of processing should be collected.
- Principle of data quality: processed data must be accurate and kept up to date.
- Principle of accountability: the controller must ensure compliance with the regulation.
- Principle of security: appropriate technical and organizational measures must be implemented to protect personal data.
- Principle of transparency and information: processing must be clear and understandable for the data subject.
- Principle of confidentiality: personal data must be protected against unauthorized access.
Together, these rights and principles strengthen the framework for personal data protection, aligning Chilean legislation with international standards.
Main Changes of the NDPA regarding sanctions and enforcement
6. Creation of a Data Protection Authority
One of the most significant changes is the creation of an independent authority responsible for supervising and promoting compliance with the law: the Data Protection Agency (DPA). This authority has powers to:
- Supervise data processing activities.
- Investigate potential infringements.
- Impose administrative and financial sanctions.
7. Stricter sanctioning regime
The NDPA introduces a system of significantly higher fines than the previous regulation, with penalties that may reach up to 4% of the company’s annual global turnover, in line with the sanctions established under the GDPR.
8. Obligation to notify data breaches
Another important development is the obligation to notify the DPA and data subjects of any data breach affecting personal data within a specified timeframe. This requirement seeks to ensure a prompt and transparent response to incidents that may compromise users’ privacy.
Main Changes of the NDPA regarding the processing of sensitive data
9. Greater protection for sensitive data
The NDPA establishes stricter standards for the processing of sensitive data, such as health information, biometric data, or religious beliefs. The processing of such data requires the explicit consent of the data subject, except in very limited circumstances.
10. Regulation of automated data processing
The use of advanced technologies, such as artificial intelligence and automated decision-making systems, is addressed by the NDPA. Organizations must ensure transparency in these processes and prevent discriminatory biases.
Main Changes of the NDPA in the context of digital transformation
11. Adaptation to the digital environment
The NDPA includes specific provisions to address challenges in the digital environment, such as:
- Data protection in e-commerce platforms.
- Regulation of digital marketing and the use of cookies.
- Processing of personal data on social media platforms.
12. Impact on international data transfers
The new law establishes clearer restrictions on the transfer of personal data to third countries. Data may only be transferred to countries that ensure an adequate level of protection or through the use of specific contractual clauses that guarantee data protection.
Main Changes of the NDPA regarding its implementation
13. Phased implementation
The New Data Protection Act (NDPA) establishes a transitional period before its full entry into force. This transition period aims to provide companies, public bodies, and other data controllers with a reasonable timeframe to comply with the new regulatory requirements.
During this stage, which extends for a period of two years from its publication in the Official Gazette, entities must review and update their processes related to personal data handling. This includes:
- Review and update of privacy policies: organizations must ensure their policies meet new standards of transparency, explicit consent, and data subject rights.
- Appointment of a Data Protection Officer (DPO): organizations subject to this obligation must designate a person responsible for overseeing compliance.
- Implementation of technical and organizational measures: controllers must ensure data security by adopting systems and processes that minimize risks of breaches or unauthorized access.
- Staff training: employees must be informed and trained on the new legal requirements to ensure proper data handling.
- Updating contracts and legal clauses: agreements with third parties, providers, and partners must be revised to comply with the law, especially regarding international data transfers.
This gradual approach allows entities to implement necessary changes in an orderly manner, minimizing operational and financial impact. It also provides time for the new Data Protection Agency (DPA) to organize, define procedures, and begin its supervisory role.
This transition period does not exempt organizations from preparing, as once the deadline expires, sanctions for non-compliance will be strictly enforced. Therefore, it is essential for companies to begin adapting early to mitigate legal risks and ensure compliance with the new standards.
14. Education and awareness programs
The law also establishes the need to develop training and awareness programs in data protection, both in the public and private sectors, to promote a culture of privacy.
Main Changes of the NDPA and its impact on the business sector
15. Review of contracts and policies
Companies must update their contracts and privacy policies to align with the new legal requirements. This includes revising consent clauses and incorporating provisions related to data portability and the right to be forgotten.
16. Increase in initial costs
Although compliance with the NDPA may involve significant initial costs (such as appointing a DPO or implementing new technologies), it also generates long-term benefits, including increased customer trust and reduced legal risks.
Main Changes of the NDPA from an international perspective
17. Alignment with global standards
The NDPA aims to position Chile more competitively at a global level by aligning with international frameworks such as the GDPR. This will facilitate business relationships with foreign companies and strengthen Chile’s image as a reliable destination for technological investment.
18. Regulatory interoperability
The new law promotes interoperability with other international regulations, which is particularly relevant in sectors such as e-commerce and digital services.
Main Changes of the NDPA within the Chilean legal framework
19. Partial repeal of Law No. 19,628
The NDPA replaces a significant portion of Law No. 19,628, while maintaining certain provisions that will be complemented by future regulations.
20. Focus on modernization
This legislative reform not only aims to protect privacy, but also to modernize Chile’s legal system, adapting it to the challenges of the digital economy.
Conclusion
The main changes introduced by the NDPA represent a profound shift in how Chile approaches personal data protection. This new law not only strengthens data subjects’ rights, but also imposes greater responsibilities on companies and public entities, aiming to create a safer and more transparent digital environment.
With the implementation of the NDPA, Chile takes a significant step toward consolidating a modern and effective legal framework aligned with current digital demands. However, adapting to this new regulation may pose a significant challenge for organizations that process personal data.
If you need guidance to comply with the NDPA—from updating your privacy policies to managing personal data or appointing a Data Protection Officer—Start Click can assist you. Our team provides tailored legal advice to help your organization stay compliant and protect your clients’ information. Contact us now!