Chile Tech Law: Navigating Chile’s Data Protection Reform – Key Updates and Compliance Insights

Written by León Lanis V., Paralegal

In previous blogs, we have discussed possible changes the Chilean data protection reform may bring, including the creation of new institutions, sanctions, rights and responsibilities. Lately, this bill has seen great advances which have expanded the horizon of its reforms, and we now have a more complete text which might not see further changes until it becomes law. In this blog, we will update you on the latest advances and how they may impact compliance in your business.

GUIDING PRINCIPLES

The bill establishes various principles which should guide any treatment of personal data. Non-compliance with these principles will directly lead to fines and sanctions from the Data Protection Agency, which we will discuss further on.

The guiding principles as the bill stands today are:

  1. Legitimacy: meaning that any data you are using must comply with the rules of consent.
  2. Goodwill: any activity related to the data must be done for the benefit of the data’s owner and never with the aim of harming them.
  3. Transparency: all usage of personal data must be duly recorded and the owner must have knowledge of every way in which his/her data is used.
  4. Proportionality: this means that the collection, processing, usage and disclosure of personal data must always be proportionate to the purpose for which it was collected.
  5. Purpose: in line with the above, each collection and usage of data must have a purpose.
  6. Quality: this means that when data is collected, the holder must ensure the data is up to date, relevant, consistent and complete throughout the process of using such data.
  7. Responsibility: the holder of the data is liable for any misuse of the data; accordingly, it must ensure the confidentiality, integrity and availability of the data at all times.

ENHANCEMENT OF RIGHTS

The previous regulation of these matters included only a handful of rights, which could not fully cover the risks associated with personal data usage. This bill currently includes the following rights:

  1. Access: which means that the owner must be able to access his/her data at all times without any hindering;
  2. Rectification: the owner can rectify his/her data at any time in order to ensure it is up to date; any obstruction of this may undermine the quality of the data;
  3. Suppression: this is one of the most debated rights. It means that the owner of the personal data can request, at his/her convenience, that the holder erase any historical data related to his/her person. This is widely known as the right to be forgotten;
  4. Limitation: the owner of the data can limit the scope of the use of his/her data;
  5. Portability: data holders must ensure the capability to carry part or the whole of a person’s data to another holder at the request of the owner;
  6. Opposition: this mainly means that the owner can oppose use of data where he/she has not consented to such use.

RULES OF CONSENT

Consent is the prime element for any collection, processing, usage or disclosure of personal data. Consent is defined by Chilean law as “the free will of a person to enter into a bilateral legal act”. Although this was mentioned in the law to be amended, consent was very subjective and there were no clear rules as to how to effectively manage the consent of a user or data owner.

The new law will bring specific rules in order to avoid loopholes that may negatively impact data owners.

The following are the rules of consent:

  1. Consent must be pure and simple: this means that the consent must be subject to conditions which are normal for this type of activity;
  2. It must be free: consent can’t be given under vice or defect (fraud, moral force or error);
  3. Specific: consent can’t be general; it must specify each type of activity to which the user consents the data being subjected;
  4. Unequivocal: this means that consent can’t be vague, it must be done under complete knowledge of its effects;
  5. Essentially revocable: the owner can revoke consent at any given moment.

INSTITUTION

As mentioned in previous blogs, the data protection amendment will create a Data Protection Agency (Agencia Nacional de Protección de Datos), which will be the prime enforcer of the mentioned principles and will ensure compliance with its provisions. We previously mentioned that this Agency will be capable of creating sectoral regulations and conducting investigations into non-compliant companies or people, amongst many other powers. One of these powers is to penalise non-compliance. The most important penalties are fines, which are now more or less settled in the text and are categorised as follows:

  1. Minor offence: penalised with UTM 100 (around USD $7.000)
  2. Serious: penalised with 2% of yearly invoices
  3. Very serious: penalised with 4% of yearly invoices.

COMPLIANCE OFFICER

Last but not least, the up-to-date text provides that any company that deals with personal data (whether in collection, processing, usage or communication) must have a Data Protection Delegate or Officer (DPO). This will probably be subject to more specific regulations once the Data Protection Agency is in force, as this may represent a heavy cost to small businesses. The DPO must create internal compliance models in order to ensure the company is up to date with the regulation.

CONCLUSION

The data protection amendment will bring heavy new regulatory costs to most companies which deal with personal data. These costs are intended to ensure the full protection of data owners, in step with the modern risks associated with these activities.

Non-compliance with these matters, as mentioned, will result in severe penalties, and experience has shown that Data Protection Agencies (such as the ones implemented in Europe) are very inclined to issue high penalties.

It is imperative, for almost all companies, to know how their activities may trigger the oversight of the Agency, even if the law is not yet in force. Preparing in advance may ensure a better company culture with regard to data protection and avoid future pitfalls when using the personal data of customers.

Harris Gomez Group METS Lawyers ® opened its doors in 1997 as an Australian legal and commercial firm. In 2001, we expanded our practice to the international market with the establishment of our office in Santiago, Chile. This international expansion meant that as an English speaking law firm we could provide an essential bridge for Australian companies with interests and activities in Latin America, and to provide legal advice in Chile, Peru and the rest of Latin America. In opening this office, HGG became the first Australian law firm with an office in Latin America.
As Legal and Commercial Advisors, we partner with innovative businesses in resources, technology and sustainability by providing strategy, legal and corporate services. Our goal is to see innovative businesses establish and thrive in Latin America and Australia. We are proud members of Austmine and the Australia Latin American Business Council.
