

Personal data protection is no longer an exclusively European issue. With the approval of its new Personal Data Protection Law, Chile is taking a decisive step toward a regulatory model inspired by the European Union's General Data Protection Regulation (GDPR), incorporating new rights for individuals and greater obligations for organizations that process personal data.
In this article we analyze the main similarities and differences between the new Chilean regulation and the European GDPR, from data processing principles and data subjects' rights to legal bases, controllers' obligations, the sanctions regime, and supervisory authorities. A practical comparison to understand what's changing and how to prepare to comply with both regulatory frameworks.
The new Chilean law is clearly inspired by the GDPR. This can be seen both in its structure and in essential concepts, such as definitions, the principles governing personal data processing, and the accountability model, overseen by an independent supervisory authority.
Below, we review the main similarities between both regulations and how Chile has adapted the European model to its own regulatory framework.
Both laws use practically the same formula to define the concept of personal data. Both define it as an identified or identifiable person, meaning that their identity can be determined directly or indirectly through one or more identifiers.
Both regulations agree on granting enhanced protection to data revealing racial or ethnic origin, political opinions, religious beliefs, health data, genetic data, biometric data, and sexual orientation. As a general rule, processing this data is prohibited and is only exempted when there is explicit consent or a specific legal exception that allows it.
Both regulations agree on the guiding principles governing data protection law:
Both regulations agree that processing is lawful when the following conditions are met:
Both the GDPR and Law 21.719 guarantee similar powers for individuals to control their information and exercise the following rights:
Regarding grounds for erasure, both regulations agree on:
Both regulations establish that these rights are personal, non-transferable, and inalienable.
Both regulations set a one-month deadline, extendable by a further month, to respond to data subject requests.
They also agree that the response must be free of charge, except for repetitive requests or those that are manifestly unfounded or excessive. Furthermore, any refusal must always be justified, indicating the means of appeal before the supervisory authority.
Both laws precisely distinguish between:
Both regulations require that the relationship between controller and processor be set out in a contract with a minimum required content. Additionally, both laws prohibit sub-processing without the express authorization of the original controller.
Both laws require that the controller not merely comply, but also have a duty to demonstrate that compliance.
For this reason, both include data protection by design and by default, meaning technical and organizational measures must be established before processing begins, taking into account the state of the art, implementation costs, and risks.
Both also establish the obligation to carry out a Data Protection Impact Assessment when processing poses a high risk to individuals' rights.
Both regulations agree on the scenarios that generate high risk:
The GDPR and Law 21.719 both have extraterritorial effect, applying to controllers not established in their territory if they offer goods or services to their residents or monitor their behavior. Both regulations allow data transfers to third countries that have an adequacy decision or through the use of standard contractual clauses.
Both laws provide for the creation of an independent public authority, with its own investigative and sanctioning powers, including:
As we've seen, Chile's Law 21.719 closely aligns with European data protection law. Even so, let's go over the important differences that exist compared to the GDPR.
Under the GDPR, appointing a DPO is mandatory:
Under Law 21.719, appointing a DPO is optional, and this role is instead structured as a certified crime/infraction prevention model overseen by the Agency.
The EU's data protection regulation establishes that the controller must notify a security breach to the supervisory authority within a maximum of 72 hours.
However, Chilean law requires reporting such a breach to the Agency "without undue delay", but does not set a maximum notification deadline.
Chilean law specifically creates a National Registry of Sanctions and Compliance, which is public and free of charge. This registry records not only sanctioned controllers, but also those that have adopted certified prevention models.
Under European law, although supervisory authorities may publish their sanctioning decisions, the regulation does not establish a national registry as in the Chilean system.
The GDPR establishes that processing minors' data is lawful from age 16, although it grants Member States flexibility to lower this threshold to as young as 13.
Chilean law, however, draws a distinction between:
Consent to process data of children under 14, and sensitive data of adolescents under 16, must always be given by their parents or legal representatives.
Law 21.719 introduces the right to blocking as a power of the data subject to request the temporary suspension of any processing operation while a request for rectification, erasure, or objection is being resolved.
The European Regulation, however, contemplates a similar concept through "restriction of processing." But in Chile, blocking is presented as a specific, mandatory procedural step before the controller while other rights are being processed.
| GDPR | Chile | |
| DPO | mandatory | optional |
| Security breach notification | maximum 72h | “without undue delay” |
| Publication of sanctions | no obligation to publish sanctions | Registro Nacional de Sanciones y Cumplimiento |
| Minors | Treatment is legal from age 16. MS may lower the limit to 13 years. | - “Children”: Under 14 years of age -“Teenagers”: Between 14 and 18 years of age Consent for the processing of data of children under 14 years of age, and sensitive data of adolescents under 16 years of age, must be given by their parents or legal guardians. |
| Right to block | Similar to “limitation of treatment” | Right of the holder to request the temporary suspension of any processing operation while a request for rectification, erasure or objection is resolved. |
| Similarities | Definition of personal data and the identifiability criterion Prohibition of processing sensitive data Principles of processing: - Lawfulness, fairness, and transparency - Purpose - Minimization or proportionality - Accuracy - Security Legal basis: - Consent - Contract - Legal obligation - Legitimate interest of the controller - Public interest Rights of data subjects: - access - rectification - erasure - objection - portability - not to be subject to automated decisions Response time: 1 month + 1 month extension Controller and processor → contractual relationship Proactive responsibility: - Security by design and by default -Impact assessments Extraterritorial effects Data Protection Agency | |
The entry into force of Law No. 21.719 reflects a clear convergence with the standards established by the General Data Protection Regulation (GDPR). The incorporation of principles such as accountability, data protection by design, the expansion of data subjects' rights, and stronger obligations for data controllers demonstrates the Chilean legislature's intention to establish a robust framework aligned with international best practices.
However, this alignment does not mean that the two legal frameworks are fully equivalent. Law 21.719 introduces several important differences, including the optional appointment of a Data Protection Officer (DPO), the right to block, specific rules governing minors' consent, the absence of a fixed deadline for notifying personal data breaches, and the creation of a National Register of Sanctions and Compliance. If your ecommerce business has customers in Chile, these particular requirements must be taken into account, as you will need to comply with the new legislation, which will enter into force in December 2026.
Ecommerce businesses that already comply with the GDPR have a significant head start, as many of their existing policies, procedures, and technical and organizational measures are consistent with the new Chilean framework. However, assuming that GDPR compliance automatically guarantees compliance with Law 21.719 may expose your business to legal risks.
To help your ecommerce business comply with Law 21.719, Lawwwing offers a compliance software solution specifically designed to meet the requirements of Chile's new data protection framework. Our platform automatically generates and keeps up to date all the legal documents your online store needs, while also implementing a cookie banner that complies with the new legislation.
Make the switch to Lawwwing today and keep your website legally compliant at all times.
💡 Want to learn more about Law 21.719? Read our article.