logo Lawwwing

Chile vs. GDPR: Similarities and Differences. The Most Complete Comparison.

Personal data protection is no longer an exclusively European issue. With the approval of its new Personal Data Protection Law, Chile is taking a decisive step toward a regulatory model inspired by the European Union's General Data Protection Regulation (GDPR), incorporating new rights for individuals and greater obligations for organizations that process personal data. In […]
Legal Lawwwing
July 16, 2026

Personal data protection is no longer an exclusively European issue. With the approval of its new Personal Data Protection Law, Chile is taking a decisive step toward a regulatory model inspired by the European Union's General Data Protection Regulation (GDPR), incorporating new rights for individuals and greater obligations for organizations that process personal data.

In this article we analyze the main similarities and differences between the new Chilean regulation and the European GDPR, from data processing principles and data subjects' rights to legal bases, controllers' obligations, the sanctions regime, and supervisory authorities. A practical comparison to understand what's changing and how to prepare to comply with both regulatory frameworks.

Similarities: How are the GDPR and Law 21.719 alike?

The new Chilean law is clearly inspired by the GDPR. This can be seen both in its structure and in essential concepts, such as definitions, the principles governing personal data processing, and the accountability model, overseen by an independent supervisory authority.

Below, we review the main similarities between both regulations and how Chile has adapted the European model to its own regulatory framework.

1. Definition of personal data and the identifiability criterion

Both laws use practically the same formula to define the concept of personal data. Both define it as an identified or identifiable person, meaning that their identity can be determined directly or indirectly through one or more identifiers.

2. Special categories: sensitive data

Both regulations agree on granting enhanced protection to data revealing racial or ethnic origin, political opinions, religious beliefs, health data, genetic data, biometric data, and sexual orientation. As a general rule, processing this data is prohibited and is only exempted when there is explicit consent or a specific legal exception that allows it.

3. Guiding principles of processing

Both regulations agree on the guiding principles governing data protection law:

  • Lawfulness, fairness, and transparency: processing must comply with the law and the data subject must be informed clearly.
  • Purpose limitation: data must be collected for specific, explicit, and lawful purposes.
  • Minimization or proportionality: only data that is strictly necessary to achieve the intended purpose should be processed.
  • Accuracy: data must be accurate and kept up to date.
  • Security: technical and organizational measures must be applied to protect data against unauthorized access or accidental loss.
4. Legal basis for processing

Both regulations agree that processing is lawful when the following conditions are met:

  • Consent. Provided it is freely given, specific, informed, and unambiguous.
  • Performance of a contract
  • Compliance with a legal obligation
  • Legitimate interest of the controller, unless the data subject's rights override it
  • Public interest
5. Rights of data subjects

Both the GDPR and Law 21.719 guarantee similar powers for individuals to control their information and exercise the following rights:

  • access
  • rectification
  • erasure
  • objection
  • portability
  • the right not to be subject to decisions based solely on automated processing

Regarding grounds for erasure, both regulations agree on:

  • data that is no longer necessary for the original purpose
  • withdrawal of consent
  • unlawful processing
  • compliance with a legal obligation

Both regulations establish that these rights are personal, non-transferable, and inalienable.

6. Response deadlines

Both regulations set a one-month deadline, extendable by a further month, to respond to data subject requests.

They also agree that the response must be free of charge, except for repetitive requests or those that are manifestly unfounded or excessive. Furthermore, any refusal must always be justified, indicating the means of appeal before the supervisory authority.

7. Controllers and processors

Both laws precisely distinguish between:

  • controller: who decides the purposes and means
  • processor/agent: who processes data on behalf of another

Both regulations require that the relationship between controller and processor be set out in a contract with a minimum required content. Additionally, both laws prohibit sub-processing without the express authorization of the original controller.

8. Accountability

Both laws require that the controller not merely comply, but also have a duty to demonstrate that compliance.

For this reason, both include data protection by design and by default, meaning technical and organizational measures must be established before processing begins, taking into account the state of the art, implementation costs, and risks.

Both also establish the obligation to carry out a Data Protection Impact Assessment when processing poses a high risk to individuals' rights.

Both regulations agree on the scenarios that generate high risk:

  • Systematic evaluation of personal aspects / profiling with significant legal effects.
  • Large-scale processing of special categories of data.
  • Systematic monitoring of publicly accessible areas.
9. Territorial scope and international transfers

The GDPR and Law 21.719 both have extraterritorial effect, applying to controllers not established in their territory if they offer goods or services to their residents or monitor their behavior. Both regulations allow data transfers to third countries that have an adequacy decision or through the use of standard contractual clauses.

10. Data Protection Agency

Both laws provide for the creation of an independent public authority, with its own investigative and sanctioning powers, including:

  • Investigative powers
  • Sanctioning powers
  • Advisory powers

Differences: How do the GDPR and Law 21.719 differ?

As we've seen, Chile's Law 21.719 closely aligns with European data protection law. Even so, let's go over the important differences that exist compared to the GDPR.

1. Data Protection Officer

Under the GDPR, appointing a DPO is mandatory:

  • for all public authorities
  • when the core activities consist of regular and systematic monitoring of data subjects on a large scale
  • when there is large-scale processing of sensitive data or data relating to criminal convictions

Under Law 21.719, appointing a DPO is optional, and this role is instead structured as a certified crime/infraction prevention model overseen by the Agency.

2. Deadlines for reporting security breaches

The EU's data protection regulation establishes that the controller must notify a security breach to the supervisory authority within a maximum of 72 hours.

However, Chilean law requires reporting such a breach to the Agency "without undue delay", but does not set a maximum notification deadline.

3. Publication of sanctions

Chilean law specifically creates a National Registry of Sanctions and Compliance, which is public and free of charge. This registry records not only sanctioned controllers, but also those that have adopted certified prevention models.

Under European law, although supervisory authorities may publish their sanctioning decisions, the regulation does not establish a national registry as in the Chilean system.

4. Age of consent for minors

The GDPR establishes that processing minors' data is lawful from age 16, although it grants Member States flexibility to lower this threshold to as young as 13.

Chilean law, however, draws a distinction between:

  • "children" ("niños y niñas"): under 14 years old
  • "adolescents": between 14 and 18 years old

Consent to process data of children under 14, and sensitive data of adolescents under 16, must always be given by their parents or legal representatives.

5. Right to blocking

Law 21.719 introduces the right to blocking as a power of the data subject to request the temporary suspension of any processing operation while a request for rectification, erasure, or objection is being resolved.

The European Regulation, however, contemplates a similar concept through "restriction of processing." But in Chile, blocking is presented as a specific, mandatory procedural step before the controller while other rights are being processed.

GDPRChile
DPOmandatoryoptional
Security breach notificationmaximum 72h “without undue delay”
Publication of sanctionsno obligation to publish sanctionsRegistro Nacional de Sanciones y Cumplimiento
MinorsTreatment is legal from age 16. MS may lower the limit to 13 years.- “Children”: Under 14 years of age
-“Teenagers”: Between 14 and 18 years of age

Consent for the processing of data of children under 14 years of age, and sensitive data of adolescents under 16 years of age, must be given by their parents or legal guardians.
Right to blockSimilar to “limitation of treatment”Right of the holder to request the temporary suspension of any processing operation while a request for rectification, erasure or objection is resolved.
SimilaritiesDefinition of personal data and the identifiability criterion

Prohibition of processing sensitive data

Principles of processing:
- Lawfulness, fairness, and transparency
- Purpose
- Minimization or proportionality
- Accuracy
- Security

Legal basis:
- Consent
- Contract
- Legal obligation
- Legitimate interest of the controller
- Public interest

Rights of data subjects:
- access
- rectification
- erasure
- objection
- portability
- not to be subject to automated decisions

Response time: 1 month + 1 month extension

Controller and processor → contractual relationship

Proactive responsibility:
- Security by design and by default
-Impact assessments

Extraterritorial effects

Data Protection Agency 

The entry into force of Law No. 21.719 reflects a clear convergence with the standards established by the General Data Protection Regulation (GDPR). The incorporation of principles such as accountability, data protection by design, the expansion of data subjects' rights, and stronger obligations for data controllers demonstrates the Chilean legislature's intention to establish a robust framework aligned with international best practices.

However, this alignment does not mean that the two legal frameworks are fully equivalent. Law 21.719 introduces several important differences, including the optional appointment of a Data Protection Officer (DPO), the right to block, specific rules governing minors' consent, the absence of a fixed deadline for notifying personal data breaches, and the creation of a National Register of Sanctions and Compliance. If your ecommerce business has customers in Chile, these particular requirements must be taken into account, as you will need to comply with the new legislation, which will enter into force in December 2026.

Ecommerce businesses that already comply with the GDPR have a significant head start, as many of their existing policies, procedures, and technical and organizational measures are consistent with the new Chilean framework. However, assuming that GDPR compliance automatically guarantees compliance with Law 21.719 may expose your business to legal risks.

How can you comply?

To help your ecommerce business comply with Law 21.719, Lawwwing offers a compliance software solution specifically designed to meet the requirements of Chile's new data protection framework. Our platform automatically generates and keeps up to date all the legal documents your online store needs, while also implementing a cookie banner that complies with the new legislation.

Make the switch to Lawwwing today and keep your website legally compliant at all times.

💡 Want to learn more about Law 21.719? Read our article.

Blog

Related Articles

Businesses trust Lawwwing to ensure their legal compliance, keeping their documents up-to-date and avoiding penalties.
cross