Chile officially enacted the Private Security Regulation under Law No. 21.659. This law defines private security as “a set of preventive, supportive, and complementary activities to public security, aimed at protecting individuals, property, and productive processes within a defined area, carried out by private individuals or companies” (Article 1). While Latin America has been a little lax on privacy in comparison to Europe and the USA things are starting to change. We also have LGPD in Brazil a very comprehensive privacy framework. While Chile’s framework is more on private security it’s still important to take note for any IOT products and software solutions sold in Chile.
What Does Chile’s Privacy Regulation Cover?
The regulation encompasses several private security activities, including:
- Surveillance and protection of facilities.
- Installation and maintenance of electronic security systems, devices, and alarm systems.
- Other related security functions as outlined in Article 2.
Human Rights Focus in Private Security Practices
A standout feature of the regulation is the requirement that public and private entities engaged in private security must respect and uphold human rights and fundamental freedoms, particularly for:
- Vulnerable populations.
- Children and adolescents.
- Individuals with disabilities.
This directly connects to the handling of personal data, as many private security functions involve data processing activities, thus invoking compliance with Chile’s data protection laws, specifically Law No. 19.628, as amended by the new Law No. 21.719, which establishes the Personal Data Protection Agency (effective December 1, 2026).
Transmission of Personal Data and Vehicle Information
The regulation reinforces that private security actors may transmit personal data and vehicle license plate numbers to law enforcement or the Public Prosecutor’s Office when requested. If shared in good faith, such disclosures are not considered breaches of confidentiality (final paragraph of Article 5), although they must still align with Chile’s data protection principles.
Additionally, a new centralized platform will be developed by the Subsecretariat for Crime Prevention, which will support regulatory oversight and coordination (Article 115).
Privacy Training Now Mandatory for Security Personnel
Training Requirements
Both armed and unarmed security personnel must now complete mandatory privacy and data protection training to understand their roles in managing personal data they may encounter during their duties (Article 107). Training must be:
- Approved by the Subsecretariat for Crime Prevention.
- Delivered by certified instructors meeting specific regulatory criteria.
Common Private Security Activities Involving Data Processing
Several private security operations now fall within the scope of personal data protection laws, such as:
- Facility surveillance and monitoring using technological systems (Article 2, No. 4).
- Transmission of personal data and vehicle license plates to authorities (Article 5).
- Retaining and providing evidence that may help identify suspects (Article 3, No. 3).
- Using surveillance systems in banks, financial institutions, and armored transport companies (Article 21).
- Audio-visual recording by private guards using real-time or stored video systems (Article 36).
- Services offered by electronic security companies, particularly alarm and remote surveillance operations (Article 76).
Applying Core Data Protection Principles
Organizations involved in these activities must comply with key principles of personal data processing, including:
- Lawfulness – often grounded in fulfilling a legal obligation.
- Purpose Limitation – data must be used solely for the specified reason.
- Proportionality – only the necessary amount of data should be collected.
- Data Security – appropriate technical and organizational safeguards must be in place.
They must also honor data subject rights such as access, correction, deletion, objection, and portability—unless a specific legal limitation applies (e.g., Article 23 of Law No. 21.719).
Impact Assessments for High-Risk Activities
In cases involving systematic monitoring of public access areas, organizations are required to perform Data Protection Impact Assessments (DPIAs). These must evaluate:
- The nature and purpose of the processing.
- Its necessity and proportionality.
- Associated risks and mitigation measures.
Strict Guidelines for Video Surveillance in Financial Institutions
Banks and financial institutions must install high-resolution surveillance systems that clearly show date and time stamps. These systems must:
- Operate continuously.
- Be protected from tampering.
- Store recordings for at least 120 days unless required for a legal investigation, in which case they must be preserved for the duration of the proceedings.
Unrequested footage must be destroyed after two years (Article 46, No. 4).
A Data-Centric Approach to Security
This regulation marks a significant step in aligning private security practices with data protection laws in Chile. It highlights the need for:
- Lawful and proportionate data use.
- Transparent handling of surveillance data.
- Implementation of privacy-centric training and compliance measures.
Entities acting as data controllers or processors on behalf of banks and similar institutions must adopt organizational safeguards, maintain records of processing activities, and ideally designate a Data Protection Officer (DPO) to oversee compliance efforts.
