The role of the Data Protection Officer under the Personal Data Protection Act

Law No. 19.628 on the protection of personal data, amended by Law No. 21.719, expressly introduces a new figure: the Data Protection Officer ("DPO").

This role constitutes one of the pillars of the new regulatory framework, aligning Chile with international standards on privacy and compliance, especially with the General Data Protection Regulation of the European Union ("GDPR").

The DPO is conceived as an internal guarantor of regulatory compliance and responsible management of personal data within organisations. His or her role goes beyond the merely technical, as he or she seeks to establish a culture of data protection, integrating privacy as a structural component of business management and strategic decision-making.

Appointment and autonomy

The DPO should be appointed by the highest management or administrative authority of the organisations, such as, for example, the board of directors, managing partner or general manager. In the case of micro, small or medium-sized companies, the law allows the owner or the highest authorities to directly assume these functions, as long as there is no conflict of interest.

Likewise, companies belonging to the same Business Group may share a single DPO, provided that they operate under common data protection standards and policies.

The appointment must be made by a person who possesses the suitability, capacity and specific knowledge in the matter, and the data controller must ensure that he or she has sufficient means, resources and powers for the proper performance of his or her duties.

The DPO must also perform his or her work with autonomy and independence from the administration and observe a strict duty of confidentiality in relation to the personal data to which he or she has access.

Main functions: 

• According to the new Law N°19.628, the DPO has the following essential functions:
• To inform and advise on the legal and regulatory obligations regarding the protection of personal data, both to the data controller and to the persons in charge and dependants involved in the processing operations.
• Promote and participate in the drafting, implementation and continuous improvement of the organisation's internal data protection and data processing policy.
• Supervise compliance with the law and internal policies on data protection.
• Promote the training and continuous training of staff involved in processing operations.
• Assist in the identification and management of risks, recommending measures to safeguard the rights of data subjects.
• Draw up an annual work plan and report on its results to the entity's management.
• Respond to queries and requests from data subjects.
• Guarantee the confidentiality of personal data processed in the exercise of their functions.
• Cooperate and act as a point of contact with the future Personal Data Protection Agency.

Is it mandatory to appoint a DPO? 

Unlike the provisions of Article 37.1 of the GDPR, which includes cases where the appointment of a DPO is mandatory, the new Law No. 19.628 does not impose the obligation to appoint a DPO. Notwithstanding the fact that the law makes their appointment mandatory in the framework of the adoption of the Infringement Prevention Model, the correct implementation of which may mitigate the organisation's liability in the event of any infringement.

From our perspective, their appointment becomes highly advisable - and even necessary - in organisations that carry out massive, systematic or sensitive data processing.

In this way, the figure of the DPO should not only be understood as a formal requirement, but as a strategic piece of the compliance model.

Its effective implementation will allow organisations to anticipate risks, strengthen the confidence of data subjects and demonstrate a real commitment to the protection of personal data.

Rosario Alonso Associate of the Personal Data Protection and Compliance Area of ECIJA Chile