New law on the Protection and Processing of Personal Data

On 13 December 2024, Law 21.719 regulating the Protection and Processing of Personal Data and creating the Personal Data Protection Agency (hereinafter, the "New Law") was published.

This new law amends the current Law No. 19.628 on the protection of privacy in its entirety, modernising the national regulation on the protection of personal data and creating a regulatory body in charge of ensuring compliance.

Among the main innovations of the New Law is the creation of the Data Protection Agency (hereinafter, the Agency), a body with regulatory, supervisory and sanctioning powers. It may initiate sanctioning procedures ex officio or at the request of a party, and it resolves claims brought by data subjects against data controllers for infringement of these regulations.

With regard to the sanctioning procedure and the imposition of sanctions by the Agency, a system is contemplated for determining the fine that takes into account, among other factors, the economic benefit obtained, economic capacity, seriousness of the facts, degree of culpability, and mitigating and aggravating circumstances. Penalties may range from a written warning to fines of up to 20,000 UTM, depending on whether the infringement is classified as minor, serious or very serious. In cases of recidivism, the sanction may be tripled, up to 60,000 UTM, or, in the case of large companies, the equivalent of 2% or up to 4% of gross annual sales.

The Agency may also certify, register and supervise infringement prevention models and compliance programmes, and manage the National Compliance and Sanctions Register. In this way, the New Law innovates in regulation by expressly incorporating the possibility of adopting voluntary regulatory compliance programmes known as "Infringement Prevention Models" (hereinafter, MPI).

The essential elements or requirements of these Models include: the designation of a personal data protection officer, together with the definition of the means and powers for his/her tasks; the identification of the type of information the entity processes, the territorial scope in which it operates, and the category, class or types of data or databases it administers; the identification of the entity's activities or processes, whether habitual or sporadic, in the context of which the risk of infringements arises or increases; the establishment of specific protocols, rules and procedures; internal reporting mechanisms for regulatory compliance, and mechanisms for reporting to the Data Protection Authority; and the existence of internal administrative sanctions, together with procedures for reporting and sanctioning persons who fail to comply with the infringement prevention system.

The New Law establishes that diligent compliance with the duties of supervision and management for data protection, verified through certification of the infringement prevention programme by the Agency, will constitute a mitigating circumstance. In view of the above, and considering the heavy regulatory burden that, among other things, requires implementing technical and organisational security measures in cybersecurity matters, creating protocols for receiving requests to exercise ARCO rights, and notifying the Agency and the affected data subjects (in the case of sensitive data or specific situations) of security breaches that imply significant risks, the timely implementation of the Infringement Prevention Model can be an effective tool not only to prevent significant sanctions, but also to address the enormous effort that organisations will have to make in order to comply with the standards required by the Law.

Conclusions
Although the New Law has only recently been published and its amendments to Law No. 19.628 will enter into force on 1 December 2026, it is essential that organisations start now to adapt their operational structure and internal processes in order to comply with the new standards of this law.
The New Data Protection Law imposes a heavy regulatory burden on companies.
However, it also offers an opportunity: by adopting a preventive and risk-based approach, organisations can identify and mitigate risks, implement the necessary organisational and technical measures, and ensure effective compliance with the obligations imposed by this new regulation through the implementation of the Infringement Prevention Model and the appointment of a Data Protection Officer, thus avoiding future sanctions and strengthening the confidence of data subjects in the management of their personal data.
