Chile Law 21.719: how to tell if your system complies
A practical guide to evaluate whether your current software, or the one being built for you, can comply with Chile's new data protection law before December 2026. With a 10-question checklist.
On December 1st, 2026, Chile's Law 21.719 enters full force. It creates the Personal Data Protection Agency (APDP) and replaces the older Law 19.628 from 1999. For most mid-sized companies the debate has stayed abstract: principles, rights, sanctions. What has been missing are concrete tools for making decisions.
This article is the opposite. It is a guide to evaluate whether the system your company uses today, or the one being built for you, can meet what the law requires. It does not sell a plugin. It does not sell consulting. It gives questions and criteria so you and your team make the call.
What changes with the new law
Law 21.719 does not start from scratch. It substantially modifies Law 19.628 from 1999, renaming it "Personal Data Protection" and reforming most of its articles. The difference matters: the older law never had an administrative sanctioning authority, so for the last twenty years complaints went through the civil courts or through SERNAC under consumer law.
The new law changes that. It creates the APDP, an autonomous public-law corporation with its own legal personality, functional independence from the executive, and real powers: it issues regulations, audits, receives complaints, opens investigations on its own initiative, imposes sanctions, orders corrective measures and publishes a National Registry of Sanctions and Compliance.
What the law requires from your system
- 01 Who consented to what, and when. Free, informed, specific, unambiguous consent. Explicit for sensitive data.
- 02 Legal basis for each processing. Consent is not the only one: legal obligation, contract, legitimate interest, defence of rights.
- 03 That you can fulfil data subject rights within the legal deadline. Access, Rectification, Cancellation, Opposition, Portability, Blocking.
- 04 What you process, why, and for how long. Record of Processing Activities (RPA) up to date.
- 05 That you know when a breach occurred and whom to notify: the APDP, without undue delay, whenever there is reasonable risk.
The law applies to the processing of personal data, not to the size of your company. A blog with a comments form already processes personal data. A store with a newsletter too. Thinking “we are too small for them to audit us” is the most expensive position your company can take.
The six technical capabilities
If your system cannot do one of these six things, there is a real problem.
- 01 Consents: who consented to what and when. Granular and revocable.
- 02 ARCO+ map: access, rectification, deletion, opposition, portability, blocking.
- 03 Processing record: a live RPA, covering what data, for what purpose, and for how long.
- 04 Immutable logs: traceability the operator cannot modify.
- 05 Automatic retention: deletion or anonymisation when the term expires.
- 06 Breaches: detect and notify the APDP without undue delay.
What each capability looks like
Complies vs. does not comply.
Honest examples from systems we built
At TCultura, an event platform, every sign-up separates consent by purpose: one checkbox to attend (contract basis), another for future invitations (consent), another for public event photos (explicit consent). The attendee can revoke any of them without emailing support.
At Bioaudita, an organic certification platform, traceability of who accesses which data is part of the data model from day one. A producer can request their full history and receive it in exportable format.
At Sign DataNubi, an electronic signature platform, each signature is cryptographically chained to the previous one through a hash chain. Modifying a single past signature breaks the entire chain. This was done for Chile’s Law 19.799 on electronic documents, not for 21.719. But the pattern serves the same purpose: the system operator cannot tamper with evidence.
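The per-purpose consent model described for TCultura and the hash-chained evidence described for Sign DataNubi can be combined in one structure. The following is an added illustration written for this article, not code from either platform; the subject id, purposes and timestamps are constructed. Each grant or revocation is an append-only entry linked to the previous one by SHA-256, the current consent state is replayed from the log, and any edit to a past entry is detected by re-walking the chain.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value of the first entry


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same event always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log of consent events, each chained to the previous entry's hash."""

    FIELDS = ("subject", "purpose", "action", "ts")

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, subject: str, purpose: str, action: str, ts: str) -> str:
        if action not in ("grant", "revoke"):
            raise ValueError("action must be 'grant' or 'revoke'")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"subject": subject, "purpose": purpose, "action": action, "ts": ts}
        digest = entry_hash(prev, payload)
        self.entries.append({"prev": prev, "hash": digest, **payload})
        return digest

    def current_consents(self, subject: str) -> Dict[str, bool]:
        # Replay events in order; the last grant/revoke per purpose wins.
        state: Dict[str, bool] = {}
        for e in self.entries:
            if e["subject"] == subject:
                state[e["purpose"]] = e["action"] == "grant"
        return state

    def verify(self) -> Optional[int]:
        # Index of the first broken link, or None if every entry still matches its hash.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or entry_hash(prev, payload) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def build_sample_ledger() -> ConsentLedger:
    # Constructed sample: one attendee signs up with three separate purposes,
    # then later withdraws consent for future invitations only.
    ledger = ConsentLedger()
    ledger.record("attendee-42", "attend", "grant", "2026-03-01T10:00:00Z")
    ledger.record("attendee-42", "invitations", "grant", "2026-03-01T10:00:00Z")
    ledger.record("attendee-42", "photos", "grant", "2026-03-01T10:00:00Z")
    ledger.record("attendee-42", "invitations", "revoke", "2026-04-15T09:30:00Z")
    return ledger
```

A chain like this only proves tampering if the latest hash is anchored somewhere the operator cannot rewrite (a signed checkpoint, a write-once store or a third party), otherwise an administrator could simply recompute every hash after the edit.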
Law 21.719 compliance is not a plugin. It is architecture.
Quick audit checklist
Print this and answer it with your IT team.
- 01 Your system has a panel where you can see who consented to what and when.
- 02 You can locate all of a specific person's data in under 10 minutes.
- 03 There is an up-to-date and accessible Record of Processing Activities (RPA).
- 04 There are auditable access logs that the administrator cannot modify.
- 05 You have retention policies configured and automated per data category.
- 06 If there is a security breach, you know in how many hours you would notify the APDP and whom.
- 07 You know which external providers receive your clients' data and signed a DPA with each.
- 08 Your system automatically blocks processing when the subject revoked consent.
- 09 You can respond to an ARCO+ request within the legal timeframe without new development.
- 10 If the person who knows the system best leaves, someone else can demonstrate compliance to the APDP.
9-10 yes: probable compliance. Polish remaining.
6-8 yes: partial compliance. Risk. Prioritise the “no” answers.
5 or fewer: probable non-compliance. 7 months left. Urgent plan.
Answering “yes” is not the same as complying. The APDP audits with evidence.
If software is being built for you now: what to require
- 01 Data model that separates personal from operational data.
- 02 API or panel for consent management.
- 03 API for ARCO+ rights.
- 04 Exportable immutable logs.
- 05 Deliverable RPA document.
- 06 DPA signed with each identified subprocessor.
- 07 Documented breach notification procedure.
- 08 Penetration tests or security audit before go-live.
- 09 Training for the client team.
- 10 Update guarantee against regulatory changes.
Five red flags in your SaaS provider
- 01 No DPA ready or resistance to sign one.
- 02 Cannot tell you in which country your data resides.
- 03 No defined deadline to notify you of breaches.
- 04 Does not return your data in exportable format if you leave.
- 05 No access logs available.
Data breaches are already happening in Chile. In May 2024, CMF and SERNAC formally questioned Banco Santander after a leak with clients in Chile. In November 2025, SERNAC initiated a compensatory procedure against an automotive company for the leak of approximately 392,000 records found on the deep web.
Neither led to fines under Law 21.719 (not in force yet), but they illustrate the risk is real.
Official resources
The difference between complying and not complying is months. The difference between complying well and complying badly is architecture.
If your team is evaluating building or reforming a system with compliance integrated from the architecture, let’s talk. Twenty minutes, no commitment.
Frequently asked questions
Does Law 21.719 apply to my small business?
Yes. The law applies to the processing of personal data, not to company size. A blog with a comments form or a store with a newsletter already processes personal data. The obligation is the same for big and small companies.
What is the maximum fine for breaching Law 21.719?
Up to 20,000 UTM (approximately USD 1.6M at current exchange) for serious violations. In case of recidivism, the fine may triple or reach 4% of annual revenue in Chile, whichever is greater.
If I already comply with European GDPR, am I covered in Chile?
Not automatically. GDPR compliance is a good baseline, but Law 21.719 has specific requirements: locally adapted privacy notices, contracts with providers in Chile (DPA under Chilean law), local interpretation of legitimate interest, and adequacy rules the APDP is still issuing.
When does Law 21.719 enter into force?
On December 1st, 2026, full enforcement begins. There is a transition period before that, but systems should be ready earlier to avoid being non-compliant from day one.
What is the APDP?
It is the Personal Data Protection Agency created by Law 21.719. An autonomous public-law corporation with its own legal personality. Real powers: issues regulations, audits, receives complaints, opens investigations, imposes sanctions and publishes a National Registry of Sanctions.
What should I require from my SaaS provider to comply with the law?
A signed DPA, documented data residency, defined deadline to notify breaches, full data exportability when ending the contract, and access to audit logs. If your provider cannot offer these five points, there is concrete risk.