a Go.
ES Let's talk
§ Chile Law 21,719 · Full enforcement Dec 1, 2026

We implement the technical components of Chile's Law 21,719 into your system.

We adapt your stack (Django, Next.js, WordPress, Astro or other) to the technical requirements of Chile's new Personal Data Protection Law. Fixed price, defined timeline, backed by 3 real production systems.

days until full enforcement December 1, 2026
Book initial audit See what the package covers
§ What the law requires in technical terms

Six components your system must be able to execute

The law defines legal obligations. We describe the technical components that make them executable. When each obligation applies to your case is defined by your lawyer; how to build the component is our job.

01

Per-endpoint purpose log

Every read or write of personal data is tied to the purpose justifying it. The legal obligation is defined by the regulation; the technical component is built once and reused.

02

Operational ARCOPOL system

Access, rectification, cancellation, opposition, portability, opposition to automated decisions, limitation. Each is a separate technical flow with its own auditable log.

03

Auditable consent revocation

A toggle is not enough. The data subject must be able to prove when consent was withdrawn, which data remained under residual treatment, and under which alternative legal basis.

04

Automated decision logging

If an AI agent, credit score, or selection filter takes decisions affecting the data subject, it must be logged. When this applies is defined by regulation; how it is implemented we resolve.

05

Processor handoff traceability

Who accessed, for what purpose, under which processor agreement. Applies to integrations with CRM, email marketing, external AI agents, hosting.

06

Purpose-bound retention policy

Each piece of data lives only as long as its legitimate purpose requires. Beyond that: anonymization or deletion. Implementation: per-table scheduled jobs, never bulk deletion.

§ Real experience

3 production systems handling personal data

We do not talk about Chile's Law 21,719 from theory. We implemented it across three different verticals with distinct risks. Each case covers a different dimension of the law.

№ 01

BioAudita

Organic certifier
Legal role
Data controller + processor
Law 21,719 dimension
Manufacturer data and audit outcomes that affect the commercial license of the data subject.
Technical implementation
PostgreSQL row-level security, per-endpoint purpose log, legal attribution banner (responsibility for accuracy stays with manufacturer and issuing certifier, not the platform).
№ 02

tcultura.com

Event ticketing
Legal role
Data controller
Law 21,719 dimension
Consent, purpose-bound retention, behavioral data (attendance to cultural events).
Technical implementation
Granular consent at purchase, revocation system, explicit retention policy by event purpose.
№ 03

Nubiq

Conversational AI agents
Legal role
Data processor
Law 21,719 dimension
Automated decision-making (ARCOPOL letter G) and sensitive data inferable from conversations.
Technical implementation
Prompt and response logs, opt-out from using conversations for training, record of automated versus human decisions.
§ Modular service · reference price

Law 21,719 SME implementation

Modular service for SMEs with a defined web stack. Each case combines one or more technical modules. The initial audit determines which apply, their real complexity on your system, and the final price.

Available technical modules

Each implementation combines one or several modules according to the audit result. Final complexity of each module is evaluated against your real stack.

  • 01

    Technical audit + personal data map

    Diagnosis of your current stack (Django, Next.js, WordPress, Astro or other) and map of personal data in transit and at rest. Deliverable: technical report with gaps, risks, and recommended modules.

    Complexity: Baseline · scales with number of services and tables
  • 02

    Per-endpoint purpose logging

    Every read or write of personal data is tied to the purpose justifying it. Auditable log table, capture middleware, internal query panel.

    Complexity: Medium · depends on endpoint count and data volume
  • 03

    Operational ARCOPOL system

    The seven data subject flows (access, rectification, cancellation, opposition, portability, opposition to automated decisions, limitation). Subject interface, per-request audit log, automated deadlines.

    Complexity: High · depends on number of data sources to federate
  • 04

    Consent revocation with audit trail

    System that records when the data subject withdrew consent, which data remained under residual treatment, and under which alternative legal basis. Exportable report.

    Complexity: Medium · scales with product consent types
  • 05

    Purpose-bound automated retention

    Per-table scheduled jobs. Each piece of data lives only as long as its legitimate purpose requires; upon expiry, anonymization or deletion. Report of what was deleted, when, and why.

    Complexity: Medium · depends on number of distinct purposes
  • 06

    Processor handoff traceability

    Who accessed, for what purpose, under which processor agreement. Applies to integrations with CRM, email marketing, external AI agents, hosting. Report by processor and by purpose.

    Complexity: Variable · depends on number of external integrations

Also includes

  • Internal technical documentation deliverable to your lawyer or DPO
  • 30 days of post-implementation support
  • Private repository with implemented code owned by you

Law 21,719 frequently asked questions

If your question isn't here, email us at [email protected] or via WhatsApp.

01 Is my SME subject to Law 21,719?

Your lawyer decides that. The law applies to anyone processing personal data of data subjects in Chile, with exceptions. If you sell online, have a contact form, a customer base with email or RUT, or use AI agents with conversations, you most likely qualify. Confirm with a data protection specialist.

02 Do I need a plugin or a full rewrite?

It depends on the system. Pure WordPress sometimes resolves with a custom plugin plus configuration. Django, Next.js, or custom backend applications require architecture: log tables, deletion policies, data subject views, integration with existing flows. There is no universal plugin.

03 How long does implementation take?

Between 4 and 8 weeks depending on stack complexity and volume of tables with personal data. Initial audit takes 1 week. The bulk of work is building ARCOPOL flows, purpose logging, and retention policy. Final scope is confirmed by the audit.

04 What if I am not ready by December 1, 2026?

Sanctions and effective deadlines are interpreted by the Chilean Data Protection Agency. Technically, the proactivity principle recommends having the minimum components operational before full enforcement. Your lawyer can advise on priorities.

05 Why aGo instead of a law firm?

A law firm tells you what the law says and how to interpret it. aGo lab implements the technical components in your system. We work jointly: your lawyer defines scope and interpretation, we build the architecture. We have 3 production systems applying these patterns (BioAudita, tcultura, Nubiq).

06 Is post-implementation maintenance included?

Implementation includes 30 days of post-delivery support. Ongoing maintenance (periodic audits, new endpoints, stack changes) is contracted separately as a monthly plan from 15 UF/month + VAT.

§ Technical notice

Technical notice, not legal advice

aGo lab is a technology studio. We describe how to implement software systems that can help comply with Chile's Personal Data Protection Law 21,719, not the official interpretation of the statute.

For legal decisions about compliance, consult a lawyer specialized in data protection. Law 21,719 enters full force on December 1, 2026. Verify the official text at bcn.cl and the doctrine of the Chilean Data Protection Agency.