January 14, 2025
We have released the new Chile Privacy Law that will revolutionize how we process personal data today, take a look on what you need to know to stay compliant:
What Do You Need to Know to Stay Compliant?
When does this law come into effect?
The new Law No. 19,628, on the protection of personal data was officially published on December 13, 2024.Its provisions will enter into force on December 01, 2026.
Does this law apply to you?
Even if your company is not based in Chile, this new law will apply to you if your processing operations are intended to offer goods or services to data subjects who are in Chile, or intended to monitor the behavior of data subjects who are in Chile, including their analysis, tracking, profiling, or prediction of behavior.
What new obligations do you need to comply with ?
- Provide new detailed information to data subjects: before collecting their personal data, you must inform them about the categories of personal data collected, data recipients and international data transfers, data retention period, among other details. Clinical trial sponsors You must implement this ese new information details in their your ICFs to be compliant, otherwise you will be in non-compliance.
- Sign a contract with your processors: contracts with your processors must include mandatory clauses, such as the subject-matter, duration and purpose of the processing, sub-contracting limitations, security measures to be implemented .
- Notify data breaches to the Agency and data subjects : In the event of a breach, you must notify the Data Protection Agency and affected data subjects without undue delay. Be careful, don’t miss a notification!
- Perform a Data Protection Impact Assessment (DPIA): If processing presents a high risk to the rights of the data subjects, you must carry out, prior to the start of the processing operations, a DPIA. Are you going to run a clinical study in Chile? You will surely have to perform one.
These main obligations are essential and may be complemented by additional requirements. Stay informed!
Have the Subjects’ Rights Changed?
As with any data protection law, safeguarding the rights of data subjects is fundamental—it lies at the very core of what data protection laws stand for
The new law expands individuals’ rights :
- to object to the processing of their data.
- to obtain information about automated individual decisions, including profiling.
- to block the processing of personal data.
- to data portability.
Good news: the timeframe to respond to these rights requests extends from 2 to 30 days, with a possible 30-day extension.
Couple of news that impacts the health sector:
• The term “pseudonymization” is introduced and such pseudonymized data must be protected:
Pseudonymized data refers to data processed in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that such additional information is separately provided and is subject to technical and organizational measures designed to ensure that the personal data are not attributed to an identified or identifiable natural person.
Therefore, so, if you are a sponsor and have access only to pseudonymized data, you are required to protect it and comply with all legal obligations for its processing , implementing the measures stipulated by law.
• Data relating to health and the human biological profile are classified as sensitive data.
Such data may only be processed with the consent of the data subject and for the purposes provided for by special laws on health matters. Of course, there are exceptions, for example, when the processing of data is essential to safeguard the life of the data subject, or when they are used for research purposes that serve purposes of public interest or are for the benefit of human health, or for the development of medical products or supplies that could not be developed otherwise.
⚠️ Sponsors, be vigilant for your clinical studies in Chile.
What are the risks of non-compliance?
The penalties under the law are severe:
- Minor violations: written warning or a fine of up to 5,000 monthly tax units.[1] (i.e. failing to respond, responding incompletely or late to data subjects’ rights requests)
- Serious violations: fine of up to 10,000 monthly tax units. (i.e. Processing personal data without the consent of the data subject or without an appropriate legal basis)
- Very serious violations: fine of up to 20,000 monthly tax units. (i.e. Deliberately failing to report personal data security breaches.)
[1] Chilean Tax units (UTM): It’s a unit of money that corresponds to an equivalent amount in Chilean pesos. In Dec 2024, the amount is $67.294 Chilean pesos.
What’s next? Prepare today!
At MyData-TRUSt we have experts in data protection and clinical trials who can support you from dealing with a data breach to preparing your compliance program.
📞 Do you have activities or projects in Chile? Contact us to learn more about our services: [email protected]
Grace Conde
