Page 1

OFFICIAL DIARY
OF THE REPUBLIC OF CHILE

I

SECTION

Ministry of the Interior and Public Security

LAWS, REGULATIONS, DECREES AND RESOLUTIONS OF GENERAL ORDER
No. 42,824

|

Monday, December 7, 2020

|

Page 1 of 15

General Norms
CVE 1860183

TIP FOR TRANSPARENCY
APPROVES THE UPDATED AND CONSOLIDATED TEXT OF THE
COUNCIL RECOMMENDATIONS FOR TRANSPARENCY ON
PROTECTION OF PERSONAL DATA BY THE BODIES OF THE
STATE ADMINISTRATION AND SUBSTITUTE TEXT THAT INDICATES
(Resolution)
No. 304 exempt.- Santiago, November 30, 2020.
Viewed:
The provisions of the Law of Transparency of the Public Function and Access to the
Information from the State Administration, approved by the first article of the law
No. 20,285; in Article 19 No. 4 of the Political Constitution of the Republic; in Law No. 19,628,
on Protection of Private Life; in the decree with force of law N ° 1 / 19.653, of 2000, of the
Ministry General Secretariat of the Presidency, which sets the consolidated text, coordinated and
systematized Law N ° 18,575, constitutional organic of general bases of the
State Administration; in Law No. 19,880, which establishes Bases of the procedures
administrative that govern the acts of the organs of the State Administration; in the decree
Supreme Court No. 20, of 2009, of the Ministry General Secretariat of the Presidency, which approves the
Bylaws of Operation of the Council for Transparency; in the minutes of the ordinary session
N ° 1,137, of the Board of Directors of the Council for Transparency, dated October 15,
2020; in the exempt resolution No. 167, of April 23, 2015, of the Council for Transparency,
that approves the Regulation of Substitutions and Subrogations of the Council for Transparency,
modified by exempt resolution No. 425, of August 14, 2019; in the exempt resolution
N ° 127, of June 3, 2020 of the Council for Transparency, which approved the modification of the
employment contract signed with Mr. David Ibaceta Medina, appointing him Legal Director
Owner of this Corporation; and in the exempt resolution No. 194, of August 27, 2020, of the
Council for Transparency, which appoints Mr. David Ibaceta Medina, as General Director
Alternate of this Corporation.
Considering:
a) That, paragraph 4 of article 19 of the Political Constitution of the Republic ensures that
all persons the right to the protection of personal data and establishes that the treatment and
Protection of these data will be carried out in the manner and conditions determined by law.
b) That the Fundamental Charter explicitly recognizes as a fundamental right the
right to informative self-determination, which now constitutes a limit to the exercise
sovereignty, in a duty of respect and promotion by the organs of the State and in a
norm that delimits the action of state bodies, who must submit their action to the new
fundamental right and the norms dictated in accordance with the Political Constitution.
c) That the constitutional text also established a special legal reserve, by virtue of the
which the treatment and protection of personal data will be carried out in the form and conditions that
determined by law. This reservation is especially relevant for the organs of the State, given the
principle of legality or legality in the actions of the State.
d) That the protection of personal data is covered, within the legal range, by the
Provisions of Law No. 19,628, on Protection of Private Life, which establish the rules
general information about the processing of personal data carried out by both the

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 2
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 2 of 15

Administration of the State as individuals, determines a set of rights of the holders
and the obligations of those responsible for the treatment, in addition to establishing a special action
of judicial protection of these rights, called habeas data.
e) That the processes of collection, processing and transfer of personal data are
have intensified in the last decade and the digitization process of the administration of the
State will require that such operations increase steadily over time.
f) That the various measures adopted by the health authorities on the occasion of the
pandemic by Covid-19, have demonstrated the need to update the provisions of the law and
review the interpretation of some of its precepts, in addition to updating the criteria
set forth in the superseded recommendations.
g) That, due to the foregoing, the Council for Transparency deems it necessary
contribute to raising the standards of protection of personal data held by the bodies
of the State Administration in order to ensure the rights that the Constitution and the laws
recognize the holders thereof.
h) That, in this matter, literal m) of article 33 of the law of transparency of the function
public and access to information of the State Administration, approved by article
first of Law No. 20,285, on Access to Public Information (hereinafter, the "Law of
Transparency ") empowers the Council to ensure due compliance with Law No. 19,628 by
part of the organs of the State Administration, which enable it to verify the application
that public bodies carry out the provisions of that law, either through the resolution
of particular cases or the issuance of recommendations, such as this one.
i) That, in addition to ensuring the protection of personal data, from the entry into force
of the Transparency Law, this Council, hearing of claims for non-compliance with the
duties of active transparency and protection for denial of access to information, it has been
seen in the need to interpret the right of access to public information and the now
fundamental right to the protection of personal data, in a harmonious way, which has
generated abundant jurisprudence in this regard.
j) That, by virtue of accumulated experience and in exercise of the provisions of literal m)
of Article 33 of the Transparency Law, it has been deemed convenient to propose a series of
criteria that guide the application of the norms contained in Law N ° 19,628 and that
also specify the new fundamental right to the protection of personal data, all of this
in order to increase and improve the level of compliance with the obligations that the
The Constitution and the law impose on the organs of the State Administration in matters of
personal data protection.
k) That the principles of efficiency and effectiveness in the State Administration oblige the
State organizations to adopt technical, administrative and organizational measures
necessary in the fulfillment of their public functions to, on the one hand, manage
adequately their personal data processing systems, and, on the other, guarantee a
effective protection of people's rights. One way to implement these principles
-as the comparative experience shows- implies adopting the data protection approach
personal by design in the personal data processing systems whose managers are
organs of the State Administration.
l) That the processing of personal data carried out by the bodies of the Administration of the
The state of systems based on digital technologies generates new risks and threats to the
confidentiality, integrity and availability of information, which must be
identified, mitigated and managed under risk management guidelines. In this
In this sense, the organs of the State Administration must implement the measures of
security in the processing of personal data proposed in the National Policy of
Cybersecurity and in the presidential instructions on cybersecurity, whenever its correct
application can help mitigate these new risks and threats.
m) That Law No. 21,180 on Digital Transformation of the State introduced a series of
modifications to the rules on administrative procedure, in order to advance towards the
digitization of the administrative management of the State, through electronic communication
between organs of the State Administration, the establishment of procedures
electronic administrative procedures, digitization of documents, electronic notification and
implementation of the principle of interoperability, which will begin to come into force
starting in mid-2021 until its full implementation in 2024.
n) That, due to the foregoing, the Board of Directors of the Council for Transparency, in
ordinary session No. 1,137, dated October 15, 2020, unanimously agreed to approve the
modifications to the recommendations issued in 2011, which will materialize through the
present resolution that, for the purposes of an adequate understanding of them, will proceed

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 3
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 3 of 15

to update and recast, both the new provisions, as well as those that are part of the
recommendations in force to date, ultimately proceeding to replace said text.
I resolve:
1 ° Approve the consolidated and updated text of the Recommendations on the Protection of
Personal Data by the Bodies of the State Administration:
COUNCIL RECOMMENDATIONS FOR TRANSPARENCY ON
PROTECTION OF PERSONAL DATA BY THE BODIES OF THE
STATE ADMINISTRATION
1. PURPOSE OF THE RECOMMENDATIONS.
These Recommendations are intended to guide the concrete application of the new
fundamental right to the protection of personal data, in addition to providing legal criteria to
the organs of the State Administration in the processing of personal data that carry out
within the scope of its powers, in order to comply with the legal obligations that
These have as data controllers, in accordance with the provisions of Law No. 19,628 and in
other relevant standards.
2. SCOPE OF APPLICATION OF THE RECOMMENDATIONS.
The Recommendations will be applicable to the processing of personal data carried out by the
organs of the State Administration, understood as those included in subsection
first of article 2 of the Transparency Law.
The Recommendations will be applicable both to the processing of personal data that
carried out within the national territory as to those that are verified extraterritorially
through hosting or data processing service providers, including services
cloud or in the cloud. Likewise, they will apply to eventual international transfers of
personal data made by public bodies in compliance with a legal mandate.
3. PREVIOUS DEFINITIONS.
For the purposes of applying these Recommendations, the following should be considered
definitions contained in article 2 of Law No. 19,628, on Protection of Private Life,
and, especially, it will be understood by:
3.1. Personal data, those related to any information concerning people
natural, identified or identifiable, whether it is numerical, alphabetical,
graphic, photographic, acoustic or of any other type, regardless of the support on which it appears.
Therefore, the basic elements of the definition are:
i. It must be information related to a natural person.
ii. It must be information that allows the holder to be identified. It is understood for these
effects by identifiable, any person whose identity can be determined, directly or
indirectly, for example, through one or more specific elements characteristic of its
physical, physiological, psychic, economic, cultural or social identity, as long as the effort
determination is not excessive or disproportionate.
iii. The owner can only be a natural person.
3.2. Sensitive data, those personal data that refer to the physical characteristics or
morals of the people or facts or circumstances of their private life or privacy, such as
personal habits, racial origin, political ideologies and opinions, beliefs or
religious convictions, physical or mental health states and sexual life.
3.3. Registry or data bank, the organized set of personal data is
automated or not and whatever the form or modality of its creation or organization, which
allow the data to be related to each other, as well as to carry out all kinds of data processing.
3.4. Responsible for the registry or database, the public body that performs the
processing of personal data within the scope of its powers and for compliance with
your legal functions, whether you perform it yourself, or through a manager.
3.5. Data processing, any operation or complex of operations or procedures
technical, automated or not, that allow collecting, storing, recording, organizing,
elaborate, select, extract, confront, interconnect, dissociate, communicate, yield, transfer,

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 4
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 4 of 15

transmit or cancel personal data, or use them in any other way. These
Operations can be carried out directly by the person responsible for the registry or, also, by the
in charge of the treatment.
3.6. In charge of treatment, that natural or legal person that performs a treatment
of data by order or mandate of the person in charge of the database, to which the
general rules on the matter. It is also called an agent. The mandate should be
granted in writing, leaving special evidence of the conditions of use of the
data, and the agent will be obliged to respect these stipulations in the fulfillment of his
charge.
3.7. Sources accessible to the public, records of personal, public or private data,
that are permanently available to the public and whose consultation can be made by
Anyone.
3.8. Expired data, which has become out of date by provision of the law, by the
compliance with the condition or the expiration of the period indicated for its validity or, if there is no
Express rule, due to the change in the facts or circumstances that it states.
3.9. Statistical data, the data that at its origin, or as a consequence of its treatment, does not
it can be associated with an identified or identifiable owner.
3.10. Data dissociation, the procedure that is performed to dissociate a set of data from
personal data, irreversibly, of a specific or determinable person.
4. GUIDING PRINCIPLES OF DATA PROTECTION.
The guiding principles of data protection that inform its treatment by
of the organisms of the State Administration are the following: legality, quality,
information, security, confidentiality and special protection of sensitive personal data.
4.1. Principle of legality. In accordance with the constitutionalization of the right to
protection of personal data, which establishes a special legal reserve by virtue of which the
Treatment and protection of personal data may be carried out in the manner and conditions that
established by law, Article 4 of Law No. 19,628, states that it is only possible to process data from
personal character when there is legal authorization, either from law No. 19,628 itself or from other
norms of equal rank.
In the case of the organs of the State Administration, the generic legal authorization
for the processing of personal data is contained in article 20 of the law
N ° 19,628, which allows public bodies to process personal data only
with respect to matters within its competence and subject to the rules of articles 1 to 19 of
the same law, among which are the principles of legality, purpose, quality,
responsibility and security, together with the duties of information and special protection of
sensitive personal data, in addition to allowing the exercise of the rights of the holders.
4.2. Data quality principle. This principle is that the processed data must
be accurate, adequate, relevant and not excessive, and should be observed during collection and
subsequent processing of the data, including purging or deletion. Therefore, three
guiding principles:
a) Principle of truthfulness. In accordance with the second paragraph of article 9 of the law
N ° 19.628, personal data must be accurate, up-to-date and respond truthfully to the
actual situation of its owner. Therefore, the public body responsible for the database
data must, without the need for the owner's requirement, delete expired data and those
that are outside of its competence; block personal data whose accuracy cannot be
established or whose validity is doubtful and with respect to which its cancellation does not correspond; Y
modify inaccurate, misleading or incomplete data.
b) Principle of purpose. As provided in the first paragraph of article 9 of the law
N ° 19.628, personal data should be used only for the purposes for which they were
collected. The aforementioned purpose, in the case of organs of the State Administration, will be
determined according to the subjects of its competence and by the legal function
specific that you are executing and that justifies the processing of personal data.
c) Principle of proportionality. This principle, which is an application of the principles of
efficiency, effectiveness and suitable administration of the means that must be observed by the organs of the
State Administration, implies that only those data that are necessary can be collected
to achieve the purposes that justify its collection. Therefore, it will be understood that
the principle of proportionality when: the data or data collected, as well as its subsequent
treatment, are adequate or appropriate to the purpose that motivates it; are relevant or

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 5
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 5 of 15

conducive to achieve the aforementioned purpose and not excessive in relation to said purpose
for which they have been obtained, in the sense that there is no other more moderate measure for the
achieving that purpose with equal effectiveness. In application of this principle, the organs o
public services must choose, among the various treatments that allow them to achieve
the intended purposes within the scope of its powers, by the one with the least incidence
have the right to the protection of personal data and by the use of means less
invasive.
4.3. Information duty. In accordance with the provisions of articles 3, 4 and 20 of the law
N ° 19,628, public bodies are obliged to inform their owner about the identity
of the body responsible for the database, of the purpose pursued with the treatment of the
information, possible communication to third parties and the rights that may be exercised
for them.
4.4. Safety principle. In accordance with the provisions of Article 11 of Law No. 19,628,
the person in charge of the records or databases where personal data is stored, after
collection, you must take care of them with due diligence, taking responsibility for the
damage. Therefore, the organs of the State Administration, in order to comply with the
above, they must apply security, technical and organizational measures that guarantee the
confidentiality, integrity and availability of information.
Likewise, regarding the security and confidentiality of electronic documents,
must strictly apply the provisions of Supreme Decree No. 83, of 2004, of the Ministry
General Secretariat of the Presidency, which approves the technical standard for the organs of the
State Administration, on security and confidentiality of electronic documents.
Finally, public bodies must implement the pertinent measures of the
National Cybersecurity Policy and Presidential Instructions that impose measures
specific information on cybersecurity that must be observed by the organs of the State administration.
4.5. Principle of confidentiality or secrecy. As prescribed by article 7 of the law
N ° 19,628, the people who work in the processing of personal data or have access to them
otherwise (such as those public officials authorized to access data banks
of the respective organizations), are obliged to keep secrecy about them, when
come from or have been collected from sources not accessible to the public, as well as on
the other data and antecedents related to the data bank, an obligation that does not cease for
have completed their activities in that field.
4.6. Duty of special protection of sensitive personal data. As prescribed by the
Article 10 of Law No. 19,628, there is a general prohibition on the processing of personal data
sensitive, except when a legal provision authorizes it, there is consent of the owner or they are
data necessary for the determination or granting of health benefits that correspond to
their headlines.
In this way, only the organisms of the State Administration that comply with the
with any of these express conditions, they may process personal data
sensitive, on which they must adopt adequate security measures at the level of
sensitivity and risk of the processed data.
5. RIGHTS OF PERSONAL DATA HOLDERS.
The holders of personal data, in accordance with the provisions of article 12 of the law
N ° 19,628, can exercise with respect to the organs of the State Administration, the rights
described in this section, bearing in mind the characteristics of independence,
gratuitousness and simplicity and the recommendations that in each case are indicated below.
5.1. Right to access your own data. Everyone has the right to demand from the body or
service that is responsible for a bank, information on the data relating to your person, your
origin and recipient, the purpose of storage and the individualization of the
persons or organizations to which your data is regularly transmitted.
In this case, the information will be provided free of charge, not even being possible
charge the direct costs of reproduction of that information. If the personal data is in
a database to which various organizations have access, the owner may request
information to any of them.
When in the exercise of the right of access to public information established in the Law
of Transparency, information is requested that, acting in the power of the Administration,
contain personal data owned by the applicant, the procedure will be applied

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 6
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 6 of 15

established in said law, including the possibility of appealing for amparo before this Council, of
compliance with the provisions of article 24 and following of the Transparency Law. Not
However, with regard to free access, the provisions of Law No. 19,628 will be observed.
5.2. Right of rectification or modification. Everyone has the right to demand that
data that are erroneous, inaccurate, misleading or incomplete, are modified, provided that
duly accredit any of these circumstances and clearly indicate the correction
requested. The foregoing is without prejudice to the rectification or modification ex officio by the
public body or service, in direct application of the principles of data quality and
suitable administration of the State media.
5.3. Right of cancellation or elimination. Everyone has the right to demand that
delete those data whose storage lacks legal basis or is found
expired, unless there is a legal exception, as is the case of the provisions of the
Article 15 of Law No. 19,628.
Requests for rectification and cancellation will be free and must be provided,
in addition, at the request of the owner, a copy of the altered record in the relevant part. The organs o
Public services will not be authorized to charge direct costs of reproduction for the
delivery of such information. If new modifications or deletions of data are made,
The holder may also obtain a copy of the updated registration at no cost, provided that they have
at least six months have elapsed since the previous opportunity in which you made use of this
right. The right to obtain a free copy may be exercised personally by the owner of the data
or duly represented.
If the canceled or modified personal data had been previously communicated to
specific or determinable persons, the body must communicate to them, as soon as possible, the
operation carried out. If it is not possible to determine the persons who have been
communicated, will put a notice that may be of general knowledge to those who use the
data bank information. All this must be informed, in a timely manner and in writing, at the
data owner.
5.4. Right to data blocking. It is the right to demand the temporary suspension of any
stored data processing operation. It proceeds in the cases determined in the
Fourth paragraph of Article 12 of Law No. 19,628, when the holder has provided
voluntarily your personal data or they are used for informative communications and not
wishes to continue appearing in the respective registry temporarily or permanently. Also
It proceeds in the cases of the third paragraph of article 6, of the aforementioned legal norm, when the
accuracy of personal data cannot be established or whose validity is doubtful and respect
to which the cancellation does not correspond. The foregoing is without prejudice to the provisions of this
instrument, regarding limits to the exercise of rights.
6. PROCEDURE AND FORM FOR THE EXERCISE OF RIGHTS.
To facilitate the exercise of the rights indicated in the preceding paragraphs, the
Organs of the State Administration may have procedures and forms
simplified, which must be available in each of the Information Offices,
Claims and Suggestions, as well as on their respective web pages. In referrals
forms will be required:
a) The name and surname of the owner of the data and a form of identity verification
that does not involve reproducing identity documents or generating new data processing
personal.
b) The address of the applicant for notification purposes, which may be, interchangeably,
an email address or a postal address.
c) The right that is exercised.
d) The date and signature of the applicant, stamped by any authorized means.
e) The supporting documents for the application, if applicable.
If an online procedure is established for the exercise of rights, a
suitable and secure authentication mechanism, such as a Unique Key or similar, that guarantee the
confidentiality, availability and integrity of the information transmitted, also complying
with the duty of information and the security principle established by law N ° 19,628.
6.1. Independent exercise. Each of the rights of the holders of personal data
may be exercised independently, that is, the exercise of none can be required
of them as a condition or prerequisite for the exercise of the other.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 7
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 7 of 15

6.2. Exercise through proxy. The exercise of rights previously indicated may
be done personally or by proxy. In the latter case, the attorney-in-fact will have the
same powers as the owner of the data, unless expressly stated otherwise.
The mandate or power of attorney may be recorded in a document signed by electronic signature.
simple or advanced, in a public deed or in a private document signed before a notary public, and must
contain all the information necessary for the exercise of rights.
6.3. Exercise of rights before the manager or agent. In case the organism
of the State Administration had entrusted the processing of the data to a third party, the
holders of these may exercise their rights directly before him or before the body or service, to
your choice. In the respective contract, the way in which the answer will be given in
these cases, seeking at all times to respond in a timely and adequate manner to the owner of the
fact.
6.4. Limitation prohibition. The rights of the holders of personal data may not
be limited by the organs of the State Administration, by means of any act or
convention.
6.5. Limits to the exercise of rights. Without prejudice to the provisions of the numerals
precedents, information, modification, cancellation or blocking of data may not be requested
personal when:
i. This prevents or hinders the due fulfillment of the supervisory functions of the
body of the Administration of the requested State;
ii. Affects the reserve or secrecy established in legal provisions, which, in accordance with
subsection 2 of article 8 of the Political Constitution of the Republic, must have the force of law
qualified quorum. In particular, when some of the causes established in the
Article 21 of the Transparency Law;
iii. Affect the security of the Nation;
iv. Affect the national interest; or,
v. They would have been stored by legal mandate. In this case, the legal mandate must be
expressly and authorize the body or service to process data regarding a
certain data bank. The origin of the modification, cancellation or blocking of the
Data in those cases will be subject to and will have the scope established by the respective regulations.
6.6. Obligation to evacuate response. The public body or service will be obliged to evacuate
response to the request made by the owner of the data, within two business days that
establishes article 16 of law No. 19,628, even if you do not have personal data
of the person who exercised the right.
6.7. Response period and effects of the lack of pronouncement in time or of the
denial. If the body or service responsible for the registry or database does not pronounce
on the request of the applicant within two business days, or deny it for a different reason
of the security of the Nation or the national interest, the owner of the data will have the right to appeal
to the civil judge of letters of the domicile of the person in charge, requesting protection of the rights
enshrined in this numeral, according to the procedure established in the second paragraph of the
Article 16 of Law No. 19,628.
In the event that the cause invoked to deny the request of the applicant is security
of the Nation or the national interest, the claim must be deducted before the Supreme Court, which
will request a report from the authority in question by the means it deems quickest, setting it
term to that effect, after which the controversy will be resolved.
The procedure before the Supreme Court will be subject to the norms established in subsections
third and following of article 16 of Law No. 19,628.
7. SPECIFIC OBLIGATIONS OF THE ADMINISTRATIVE BODIES
OF THE STATE.
7.1. Conditions of legality in the treatment of the data. The generic legal authorization of
processing of personal data of the organs of the State Administration is contained in
Article 20 of Law No. 19,628, which allows said public bodies to carry out treatment of
personal data only regarding matters within its competence and subject to the rules of
Articles 1 to 19 of the same law, among which are the principles of legality,
purpose, quality, responsibility and safety, together with the duties of information and special
protection of sensitive personal data, in addition to allowing the exercise of the rights of
headlines.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 8
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 8 of 15

Eventually, an organ of the State Administration could carry out treatment of
personal data obtaining the consent of the owner of the data as long as it is by
application of the principles of efficiency or efficacy or by the nature of the treatment or
public service that is being carried out. In this case, the body must also apply
strict to the provisions of Article 4 of Law N ° 19,628, that is, the consent must
be in writing and may be revoked by the owner of the personal data. With all
Treatment must be carried out within the scope of its powers.
7.2. Requirements for data processing. Public bodies or services must
to be subject to the processing of data, according to article 20, to the rules established in the law
No. 19,628. In consecuense:
a) The organs of the State Administration must inform the owner of the data, according to
It is provided by article 4 of Law N ° 19,628, the purpose of storing your data
personal, that is, the purpose pursued with the processing of the information, and the possible
communication to third parties. In the same way, the owner must be informed, the name of the
body or service responsible for the treatment of the database and the rights that assist it
for the protection of your personal data.
It is especially recommended to public bodies or services that have a
proactive information dissemination policy on this matter in order to fully comply with the
duty to inform mentioned above.
In accordance with the foregoing and without prejudice to the special mechanisms provided by each
organ of the State Administration, they may contemplate said antecedents in the Policy of
Protection of Personal Data by making it permanently available to the public in the
respective institutional websites, through posters; or the mention of such a policy in the
forms in which personal data is requested (registration form), indicating where it is
find this one, among others.
b) Public bodies or services must necessarily, in accordance with Article 9
of Law N ° 19,628, carry out the processing of personal data in compliance with the
purposes corresponding to the subjects of its competence. It is recommended that these
purposes are specified, as an example, in the Data Protection Policy
Personal, in the registration forms, paper form or other means, in this way
adequately inform its owner.
c) By virtue of the principle of data quality and of articles 6 and 9, second paragraph,
of Law N ° 19,628 and the principles of efficiency, effectiveness and suitable administration of the media
contained in articles 3 and 5 of decree with force of law No. 1 / 19,653, of 2000 of the
Ministry General Secretariat of the Presidency, which establishes a consolidated, coordinated and
systematized of Law N ° 18,575, Constitutional Organic of General Bases of the
State administration, public bodies or services must ex officio and without the need for
requirement of the data owner: delete expired data and those that are
outside its competence because it lacks a legal basis; block data whose accuracy is not
may be established or whose validity is doubtful and with respect to which the
cancellation; and modify inaccurate, misleading or incomplete data.
d) By virtue of the security principle and the provisions of article 11 of the law
N ° 19,628, public bodies or services must adopt all measures, both
organizational and technical, to safeguard the integrity, confidentiality and availability of
the data contained in its records in order to avoid its alteration, loss, transmission
and unauthorized access, taking responsibility for the damages caused. In this sense,
Public bodies must apply different levels of security depending on the type of data
stored, as they are, for example, sensitive personal data, regarding the
which higher security levels should be adopted compared to those that do not
possess that quality.
Regarding the security and confidentiality of electronic documents, they must apply
strictly the provisions of Supreme Decree No. 83, of 2004, of the Ministry Secretariat
General of the Presidency, who approved the Technical Standard for the Administration Bodies
of the State on Security and Confidentiality of electronic documents.
e) Public bodies or services shall require their officials to comply with the
obligation of secrecy or confidentiality in relation to the data that comes from or has been
collected from sources not accessible to the public, contemplated in article 7 of the law
N ° 19,628, especially with respect to those who work in the processing of personal data or have
access to these in any other way, also extending this duty to other data or
antecedents related to the data bank, for example with respect to the measures of

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 9
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 9 of 15

security taken about it. Likewise, the aforementioned obligation of the public official does not
will cease for having terminated their obligations in that field, that is, for ceasing to perform
in the treatment or access to said records or in the Service itself.
f) Public bodies or services must form, train and train their officials
in compliance with the provisions of Law No. 19,628 and with respect to the new right
fundamental to the protection of personal data, in order to comply with the mandate
constitutional law to effectively promote and protect the rights enshrined in the
Constitution and international treaties ratified by Chile and that are in force.
8. SPECIAL RULES FOR THE PROCESSING OF PERSONAL DATA
SENSITIVE BY THE BODIES OF THE STATE ADMINISTRATION.
Law No. 19,628 identifies a special category of personal data called data
sensitive, which are those personal data that refer to the physical or moral characteristics
of people or facts or circumstances of their private life or privacy, such as habits
personal, racial origin, ideologies and political opinions, beliefs or convictions
religious, physical or mental health states and sexual life.
As it is an open legal definition, the concept of sensitive personal data
it can cover dissimilar aspects to each other. Therefore, the organs of the State Administration
must bear in mind, at least, the following categories of sensitive personal data:
i. Data that refer to physical characteristics of a person, such as data
biometrics, samples and biological data, health data, whether physical, mental, among others.
ii. Data that refers to the moral characteristics of a person, such as information
about sexual orientation or preference, religious, ethical or political beliefs or convictions,
among others.
iii. Data that refer to facts or circumstances of your private life or privacy, such
such as personal habits, information on geographical displacement, geolocation,
Internet browsing, among others.
As prescribed by Article 10 of Law No. 19,628, there is a general prohibition of
processing of sensitive personal data except when a legal provision authorizes it, there is
consent of the owner or are data necessary for the determination or granting of
health benefits that correspond to their holders.
In this way, only the organisms of the State Administration that comply with the
with any of these express conditions, they may process personal data
sensitive.
Regarding legal authorization, each public body must examine whether it has
express legal authorization in the rules that regulate its operation, establish its
competences or determine their special functions. If so, the data processing
sensitive personnel will have its legal basis in that express rule.
In those cases where there is no such express rule, the processing of personal data
sensitive parties could base their legal authorization on the general rule of article 20 of Law No. 19,628,
if and only if the treatment of this special category of data is essential for the due
fulfillment of his public function, form an essential part of the matters within his competence and
carry out with full respect for the rules contained in articles 1 and 19 of Law No. 19,628,
as previously analyzed in detail. In the absence of such legal authorization,
State Administration bodies may not process sensitive personal data, unless
that obtain express consent from the owner or that is necessary for the determination or
granting of health benefits that correspond to the holders of said data.
Regarding consent, if an organism of the State Administration requires
process sensitive personal data and do not have the aforementioned legal authorization, you may
do so by obtaining the prior and express consent of the owner, in the terms established in
Article 4 of Law No. 19,628, also strictly complying with the provisions of the
Article 20 of the same law that establishes that such treatment "may only be carried out with respect to
matters within its competence "and adequately informing about the purpose of the capture of
data, its processing and eventual communication.
Finally, regarding the determination or granting of health benefits, the article
10 of Law No. 19,628 establishes a very special rule regarding data processing
sensitive personnel when necessary for the determination or granting of benefits
of health for the holder. In the case of public bodies, the application of this rule has a
limited scope, since only those who can make use of this provision

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 10
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 10 of 15

public bodies that grant "health benefits" in the exercise of their functions and
regarding matters within its competence, as provided in article 20 of Law No. 19,628.
9. PROCESSING OF PERSONAL DATA RELATED TO CRIMES,
ADMINISTRATIVE VIOLATIONS OR DISCIPLINARY FOULS.
The organs of the State Administration, in accordance with the provisions of Article 21 of the
Law N ° 19,628, that submit to processing personal data related to convictions for crimes,
administrative infractions or disciplinary offenses, they will not be able to communicate them once the
criminal or administrative action, or the sanction or penalty has been completed or prescribed.
They will be exempted from the prohibition of communication, the cases in which that information is
requested by the Courts of Justice or other public bodies within the scope of their
competence, who must keep due reserve or secrecy regarding it and, in all
In this case, the following articles of Law No. 19,628 will be applicable:
a) Article 5 that regulates the automated data transmission procedure,
b) Article 7, which establishes the principle of secrecy required of public officials,
c) Article 11 that establishes the principle of security and
d) Article 18 referring to the prohibition of communication of personal data related to
obligations of an economic, financial, banking or commercial nature when they have
five years since the obligation became enforceable, after having been paid or having
extinguished the obligation by another legal way, without prejudice to the communication to the Courts
of Justice of the information they require due to pending lawsuits.
10. REGISTRATION OF THE DATABASES IN THE REGISTRY OF BANKS OF
PERSONAL DATA IN CHARGE OF PUBLIC ORGANIZATIONS.
The organs of the State Administration must register all data banks
personal data that are in their possession in the Register of Personal Data Banks in charge of
Public Bodies run by the Civil Registry and Identification Service, in accordance with the
established in Article 22 of Law N ° 19,628, in Supreme Decree N ° 779, of 2000, of the
Ministry of Justice, which approved the Regulation of the Registry of Personal Data Banks to
position of Public Organizations and in resolution (E) N ° 1,540, of 2010, of the Registry Service
Civil and Identification.
10.1. Registry characteristics. This registry will be public and it will include,
with respect to each of these databases, the legal basis for their existence, their
purpose, types of data stored and description of the universe of people it comprises.
10.2. Registration requirements. In accordance with the aforementioned regulations, the public body
Responsible for the database for registration purposes must provide, at least:
i. The name of the personal data bank, that is, the name that the personal data bank
organism gives the data bank that it registers and that serves for its identification;
ii. The public body responsible for the respective personal data bank;
iii. The RUT corresponding to the public body;
iv. The legal basis for the existence of the personal data bank, that is, they must
indicate the legal norms that specifically sanction the existence of a registry in
particular, or the general, sectoral or organic standards that enable the body
public to process personal data and store them in data banks;
v. The purpose of the data bank;
saw. The type or types of data stored in said bank, which may correspond to anyone
of the following categories of data: biometric, civil, economic and financial, general,
judicial or legal, health, social and other data referred to any other information
concerning natural persons, identified or identifiable, stored in the database
of the respective body; Y
vii. A description of the universe of people you understand.
10.3. Registration procedure. The procedure for registering data banks
personnel in charge of the organs of the State Administration is regulated in the
Supreme Decree No. 779, of 2000, of the Ministry of Justice, which approved the Regulation of the
Registry of Personal Data Banks in charge of Public Bodies and in resolutions
that the National Director deems pertinent to dictate to that effect, in particular, resolution (E)

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 11
No. 42,824

OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

N ° 1,540, of 2010, which establishes the registration procedure for records and / or databases
personnel in charge of public bodies or the one that replaces it.
10.4. Timeliness of enrollment. Public bodies or services must register the

Page 11 of 15

database within a period of 15 days from the start of the activities of the
respective bank.
10.5. Registration corrections. Any correction related to errors or omissions of
A registration must be required by the body responsible for said registration in
the Registry of Personal Data Banks, following the same procedure established for
the inscription.
10.6. Modifications to the registration. Any modification of an entry must
be required by the body responsible for registration in the Register of Banks of
Personal Data, within 15 days of any change in the
information provided, in accordance with the provisions of paragraph 10.2 above.
11. COMMUNICATION OR TRANSMISSION OF PERSONAL DATA.
The organisms of the State Administration may only establish procedures of
communication, transmission or transfer of personal data for purposes that say direct
relation to its legal competences and those of the participating organizations, regarding
exercise of specific functions contained in their respective organic laws or in other
legal provisions that expressly empower them for such purposes, also applying the
guiding principles set out in these recommendations.
The recipient may only use the personal data for the purposes that motivated the
transmission. Said procedure may contemplate the following stages: express requirement,
admissibility of this and signing of a transmission agreement, which will be submitted to the
guidelines outlined below.
The request for personal data made to a public body or service will contain the
following specifications:
a) The individualization of the requesting party, which may be a public or private body, with
express indication of the legal authorization for the treatment that it invokes. In the case of
public bodies, must identify the specific legal function that is being executed and that
requires the communication or transfer of personal data.
b) The reason and purpose of the request, with express indication of the treatment of
data to be carried out and the purpose thereof, and
c) The type of data to be transmitted, expressly indicating the relevance or
need for the requested data in relation to the reported purposes.
The admissibility of the request will be evaluated by the body or service responsible for
database that receives it, verifying that the communication is related to its tasks or
purposes, that is, that it is within the scope of its competences, and establishing the
Necessary requirements for the protection of data protection rights in the agreement
respective.
Of the transmission, the date, the reason and purpose of the same, the specific requirements
for the protection of the personal data transmitted and the obligation of the applicant to use
Personal data only for the purposes that motivated the transmission will be recorded in a
communication or transmission agreement signed by both parties, which shall be deemed approved
once the corresponding administrative acts of the
approval, depending on whether it is one or more public bodies. Therefore, it must at least contain:
i. Identification of the public body that transmits the data and the recipient thereof,
ii. Identification of the database, according to the name given in the registration
made in the Registry of Personal Data Banks in charge of Public Bodies,
iii. The security measures that must be adopted by both the person transmitting the data and the
recipient of these throughout the transmission procedure and subsequent treatment of the
data by the latter,
iv. The indication that the recipient of the data will be the person responsible for the
treatment, being subject to the same obligations, fines and responsibility of
indemnify in case of improper treatment of the data, that the public body that carried out the
transmission,
v. The procedure for making the notice referred to in article 12, final paragraph, of the
Law N ° 19,628, in case it is exercised before any of those responsible for the database

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 12
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 12 of 15

communicated the rights of modification, cancellation or blocking, adopting the measures of
corresponding traceability,
saw. The term that the recipient will keep the transmitted data, and
vii. The courses of action to be followed by the addressee once they have completed the
treatment that motivated the transmission, whether the destruction or return of the
data bank to the transmitter and any other support where the data object of the
communication.
The recommendations contained in this numeral will not be applicable to the agreements or
contracts entered into between public bodies or services and individuals when the latter has the
quality of data processor, that is, when acting under the instructions of the body
responsible for the treatment, in which case, the requirements contemplated in the
mandate.
Nor will the recommendations contained in this section be applicable to the
communications or transfers of personal data that are carried out in accordance with
provided in article 24 bis of Law No. 19,880, on electronic submission of documents or
information between public bodies for the conduct of an administrative procedure
electronic 1 .
12. DATA PROCESSING THROUGH A MANAGER.
Public bodies or services, in accordance with the provisions of article 8 of the law
N ° 19,628, they may entrust the processing of the data to a third party, who will have the quality of
manager or agent.
The contract for the provision of treatment services that orders the data processing
Personal information must be granted in writing and must contain at least the following mentions:
a) That the treatment is carried out at the expense and risk of the body responsible for the
treatment,
b) The types of personal data and the conditions of use of the data,
c) The security measures to be adopted,
d) The confidentiality requirements of the people who work in the treatment and, in
general, of the need to comply with the obligations established in Law No. 19,628
and to observe these recommendations,
e) The term that the person in charge will keep the data and the conditions for its return or
safe and irrevocable deletion. Public bodies must adopt technical measures and
necessary to prevent any processing of personal data by the
manager, once the signed contract has ended.
In these cases, it will not be understood that there is transmission, communication or transfer of data between
the data controller and the person in charge.
The same mentions previously indicated must contain the hiring of
goods and services that are made in a public procurement process governed by the Law
N ° 19,886, of Bases on Administrative Contracts of Supply and Provision of Services. On
In this case, the administration body of the bidding State must incorporate, from the design of the
the administrative and technical bases of the agreements that involve -or may involvepersonal data processing operations, the mentions indicated in the literals
above and must adopt the measures that are necessary for full compliance with the
Provisions contained in Article 8 of Law No. 19,628.
The same obligation will fall on the Directorate of Public Procurement and Contracting at the time of
design the technical and administrative bases of the bids for the contracting of goods and
services through the modality of framework agreements, regulated in literal d) of article 28
of Law No. 19,886.
13. SECURITY MEASURES OF BANKS OR DATA RECORDS.
By virtue of the security principle and the provisions of article 11 of Law No. 19,628,
State Administration bodies must adopt all measures, both
organizational, technical and training of human capital, to safeguard the integrity,
confidentiality and availability of the data contained in its records for the purpose of
avoid the alteration, loss, transmission and unauthorized access of the same.
________________
1 This

provision will take effect once Law No. 21,180, on Digital Transformation of the
Condition.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 13
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 13 of 15

For this, it is proposed to the organs of the State Administration, the implementation of
the following information security recommendations for risk management,
Damage mitigation and resilience of personal data processing systems and processes:
i) Guarantee the security of this information at all times, through the use of
up-to-date and protected computer systems;
ii) Incorporate procedures for the prevention of leaks and improper access; and the
definition of access profiles to databases;
iii) Inform the owners of sensitive personal data of any breaches of
security that may occur, the possible consequences of these violations and the
measures of solution or protection adopted;
iv) In those cases in which the data collected is communicated or transmitted to
third parties, natural or legal, the adoption of encryption measures is recommended, to
purposes of ensuring the integrity and confidentiality of the data between sender and recipient.
Additionally, public bodies must adopt security measures
established in article 11 and following of Supreme Decree No. 83, of 2004, of the Ministry
General Secretariat of the Presidency, with regard to establishing a policy that establishes the
general guidelines for database security that can be found in
his power, which defines a security officer within the service, through the
corresponding administrative act, and that each data bank is assigned a person in charge.
14. OBLIGATIONS IN CASE OF DATA PROCESSING FOR SURVEYS,
MARKET STUDIES AND OPINION POLLS.
In accordance with the provisions of Article 3 of Law No. 19,628, when the organs or
public services collect personal data through surveys, market studies or
public opinion polls or other similar instruments, without prejudice to other rights
and obligations that the law regulates, people must be informed of the mandatory or
optional of the answers and the purpose for which the information is being requested.
The communication of its results must omit the signs that may allow the
identification of the people consulted, only communicating the data that have the
quality of statistics, that is, those that, in their origin or as a consequence of a treatment, do not
can be associated with an identified or identifiable owner, for having been applied to their
regarding a data dissociation procedure.
Likewise, the owner of the data can oppose the use of their personal data with
advertising, market research or opinion poll purposes. For this it is recommended
that the body or service informs the owner of the data, in addition to the aforementioned aspects and the
moment of the collection, which assists you with the right to object, at any time, to
the use of the same for the indicated purposes.
15. LIABILITY FOR INFRACTIONS AND RIGHT TO
COMPENSATION.
In accordance with article 23 of Law N ° 19,628, the body of the Administration of the
State responsible for the personal data bank must compensate the patrimonial and moral damage
that will cause by the undue treatment of the data, without prejudice to proceed to eliminate,
modify or block the data in accordance with what is required by the owner or, where appropriate,
court ordered.
In any case, the respective compensation will be prudently set by the judge,
considering the circumstances of the case and the gravity of the facts, and within the framework of the
judicial procedure legally applicable in the species.
16. DATA PROTECTION DELEGATE.
To facilitate compliance with the obligations established in Law No. 19,628 and a
better observance of these Recommendations, it is suggested that the different authorities,
heads or superior heads of the organs or services of the State Administration, designate
to an official of said department to act as delegate or delegate
protection of data and constitute an effective contact on the matter with the Council for the
Transparency.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 14
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

Page 14 of 15

The designation and communications established for the aforementioned purposes do not
They will alter, in any case, the responsibility provided for in article 23 of Law No. 19,628.
17. RECOMMENDATIONS ON THE PROTECTION OF PERSONAL DATA BY
DESIGN.
Although Law No. 19,628 does not contemplate a special rule that requires the implementation of the
protection of personal data by design, and bearing in mind the principles of responsibility,
efficiency and effectiveness in the State Administration, the duty to ensure the efficient and suitable
administration of public media and due compliance with the public function, all
contained in the decree with force of law N ° 1 / 19.653, of 2000, of the Ministry Secretariat
General of the Presidency, which sets the consolidated, coordinated and systematized text of the Law
N ° 18,575, constitutional organic of general bases of the State Administration; and the
fundamental right to the protection of personal data, it is recommended to the organs of the
State Administration develop and implement its processing systems under the
following principles that inspire the protection of personal data by design:
17.1. Principle of proactivity and prevention. It is recommended that the organs of the
State Administration design, implement and operate their processing systems for
personal data previously identifying the risks to the right to data protection
personal data of the holders, tending to an adequate management, through their neutralization or
mitigation.
17.2. Default protection principle. It is recommended that the organs of the
State Administration provide the holders of personal data with the highest level of
protection of your data by default and automatically in the processing systems of
data that they develop, implement or operate.
17.3. Protection principle from design. It is recommended that the organs of the
State Administration incorporate the protection of personal data as a component
essential and indispensable of the personal data processing systems that they develop,
implement or operate, from their design.
17.4. Principle of full functionality. It is recommended that the organs of the
State Administration understand their personal data processing systems such as
effective and efficient functional systems both with respect to their main purpose (the
fulfillment of its legal mandate) and with respect to the constitutional right to the protection of
personal information. This means, among other things, that an application on citizen security
must be efficient and effective for that purpose and, in turn, be efficient and effective in protecting
Personal information. The existence of rules and mechanisms that allow a
balanced coexistence between the safeguarding and protection of the right, and the objectives of the
data processing mechanisms.
17.5. End-to-end security principle. It is recommended that the organs of the
State Administration protect the complete cycle of personal data processing,
from its design, implementation and operation, adopting the necessary measures to guarantee
information security (integrity, confidentiality and availability) such as the use of
encryption at all times, early anonymization, definition of data access roles,
secure destruction of data and the establishment of mechanisms for the exercise of rights
of the headlines.
17.6. Principle of visibility and transparency. It is recommended that the organs of the
State Administration adopt the necessary transparency measures regarding their
personal data processing systems, informing the holders about the collection,
processing, eventual communication and purging of data, through legible policies of
protection of personal data and notification mechanisms to holders.
17.7. User-centered approach principle. It is recommended that the organs of the
State Administration put into operation, at the operational level, the mandate
constitutional protection of the right to the protection of personal data at the time of
design, implement and operate a personal data processing system maintaining a
people-centered approach. This means that the
measures necessary to guarantee effective control by the owner of the processing of
data that are made and that concern you. ".
2 ° Replace the text of the recommendations on protection of personal data by
part of the organs of the State Administration, published in the Official Gazette on 14
September 2011, by this updated and consolidated text.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 15
OFFICIAL JOURNAL OF THE REPUBLIC OF CHILE
Monday, December 7, 2020

No. 42,824

3 ° Publish this exempt resolution in the Official Gazette, in accordance with the provisions of the
letter b) of Article 48 of Law No. 19,880 and on the website of this Corporation, without prejudice
of its diffusion to the citizenship through other means and supports.
Sign up, be published in the Official Gazette and on the website of the Council for the
Transparency, particularly in the section of "Acts and documents published in the Journal
Official "and file.- David Ibaceta Medina, General Director (S), Council for the
Transparency.

CVE 1860183 |

Director:
Juanwww.diarioficial.cl
Jorge Lazo Rodríguez
Website:

| Central
Table: +562 2486 3600 Email: consultations@diarioficial.cl
Address: Dr. Torres Boonen N ° 511, Providencia, Santiago, Chile.

This document has been electronically signed in accordance with Law No. 19,799 and includes time stamping and electronic signature
advanced. To verify the authenticity of a printed representation of it, enter this code on the website www.diarioficial.cl

Page 15 of 15

