
Over the last few months I have had the privilege of participating, in Berlin, in the adaptation of the policies and processes of several companies to the new General Data Protection Regulation (GDPR). I have seen the debates inside the companies and the constant tug-of-war between the marketing, legal, technical and commercial departments.

by DIEGO MALDONADO ROSAS



It has not been a peaceful issue. Each area has its own objectives and they do not always coincide: marketing will tend to believe that there is always a “legitimate interest” that justifies sending mail without prior consent to mailing lists acquired from third parties; the commercial area may think that the consent granted by the interested party in the purchase of a product extends to receiving offers for other, different products; the IT department will claim that it is not possible to offer the website without cookies, or that this or that change, not being on the roadmap, should be postponed until 2020; and the legal area will not be able to avoid requiring all of the above not to lift a finger without the approval of the, possibly not yet designated, data protection officer.

Decisions in one direction or another can have consequences running into the millions, either because a strict implementation of the standard limits the scope of action and thereby the company's returns, or because interpreting the standard in a careless and extremely flexible manner may entail fines of up to 4% of annual worldwide income, or 20 million euros (whichever is the higher figure).

The paradigm shift is clear. The processing of personal data is now an activity that is allowed only when it falls within one of the six legal conditions for doing so. That is, we have gone from a permissive system with limitations to a restrictive system with exceptions.

The six conditions for the processing of personal data are:

a) the consent of the interested party for the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party, or for the application, at the latter’s request, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the controller;

d) the processing is necessary to protect the vital interests of the interested party or another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the interested party is a child.

The standard also contemplates a series of restrictions and limitations on the transfer of personal data to countries outside the Union that the European Commission has not recognized as providing adequate protection.

Within Latin America, only Argentina and Uruguay have been favorably recognized. Consequently, European data should be transferred to other Latin American countries, including Chile, only when the company is able to demonstrate that:

1. The data processing falls within at least one of the six conditions mentioned. Example: the explicit consent of the interested party.

2. The data processing provides adequate guarantees, and the interested parties have enforceable rights and effective legal remedies. Example: the existence of a contract with standard clauses approved by the European Commission (listed in Article 46).

The following questions should then be asked:

    Does your company in Chile hold personal data of residents of the European Union?
    Can you rely on any of the legal bases for the lawful processing of data?
    Does this processing offer the adequate guarantees required by Article 46 of the Regulation?

Demonstrating compliance with these conditions is not always straightforward and will depend on the type of personal data in question, the purpose of the processing, and the context in which it takes place. I regret to inform you that the larger the company, the more complex the analysis will be. But I assure you it is an entertaining task.

Diego Alberto Maldonado Rosas

Lawyer, PUC Chile

Picture by Frank Buschman smeders.nl
