Chile's Law 21,719 in mid-market companies: why the SME checklist falls short
If your company has more than 50 employees, international partners and a CRM that moves data to the U.S. or Europe, the generic Law 21,719 checklists circulating on LinkedIn are going to leave you short. And expensive.
Chile's Law 21,719 on Personal Data Protection takes full effect on December 1, 2026. Administrative fines jump from zero (there are none under the current Law 19,628 regime) to up to 20,000 UTM per very serious infringement (~$1.4 billion CLP at the May 2026 UTM value), tripled for recidivism. But the direct financial risk is not the most expensive thing for a mid-market company. The most expensive thing is what it costs to reach December 2, 2026 without a working system, just as your corporate clients start auditing you.
This article is for the CFO, Legal Manager, COO or Operations Manager of a company with 50 to 500 employees, an Enterprise CRM like HubSpot or Salesforce, some international partner, and the growing sense that the current compliance plan isn't enough. If you're in the SME range (less than 50 employees, single country, no corporate partners) the relevant guide is the SME version of this article.
The nested system: one image explains more than ten checklists
Before talking about obligations, it helps to understand where Chile's Law 21,719 fits on the global map. It isn't an isolated regulation. It's the most recent layer of a regulatory system that has 7 years of European jurisprudence and formal mapping to international standards:
The practical message of the diagram: if your company implements Law 21,719 with rigor (not just drafting a privacy policy and signing consents), it reaches a standard that many corporate clients require via contract. A European company, a multinational retailer or a Chilean bank with GDPR-grade compliance will ask you for a DPA (Data Processing Agreement), technical evidence of security and mapping of international transfers. Complying with Law 21,719 aligns you with most of that simultaneously.
The formal ISO 27701 → GDPR mapping is documented in the official ISO/IEC 27701:2025 standard (Annex D). Because Law 21,719 inherits the GDPR structure, the mapping is transitive. Implementing it well leaves 70-80% of what ISO 27701 audits already documented.
Transitional regime: why it doesn't protect mid-market
Law 21,719 includes a grace period for micro, small and medium enterprises (MIPYME in Chile): between December 1, 2026 and December 1, 2027, sanctions against them are limited to warnings, not fines. It's an important cushion for companies with fewer than 50 workers and annual sales below the MIPYME threshold.
A typical mid-market company (50-500 employees, sales over 100,000 UF) does not qualify as MIPYME. The transitional regime doesn't apply to you. From the first day the law is in force — December 2, 2026 — administrative fines are operative against you:
- Minor infringement: up to 5,000 UTM (~$352M CLP)
- Serious infringement: up to 10,000 UTM (~$706M CLP)
- Very serious infringement: up to 20,000 UTM (~$1,411M CLP)
- Recidivist very serious: up to 60,000 UTM (~$4,235M CLP)
- Additional: up to 4% of national annual revenue
The Personal Data Protection Agency (APDP) begins operations on December 1, 2026 alongside the law. Some members of the ministerial Advisory Commission, in their final report of January 2026, recommended bringing the Agency's installation forward to June 2026 because they considered the calendar unviable. Regardless of the exact installation date, the first enforcement actions will likely prioritize large and mid-market companies with sensitive data — not SMEs in the grace period.
The hidden problem: your CRM is already transferring data to the U.S. or Europe
A typical Chilean mid-market company uses at least one of these: HubSpot, Salesforce, Mailchimp, Intercom, Zendesk, Slack, Notion, Asana, Google Workspace or Microsoft 365. All of them process personal data on infrastructure outside Chile. HubSpot, for example, operates by default on AWS US East data centers, with an EU option only when the client expressly requests it.
This turns every CRM and SaaS tool into a data processor subject to Article 15 bis of Law 21,719 and Article 28 of GDPR. The controller (your company) remains jointly responsible for what the processor does with that data. Three practical consequences:
1. You need a signed DPA with each processor. HubSpot, Salesforce, AWS and Microsoft all offer standard DPAs downloadable from their admin console. But signing them is your responsibility. And signing isn't just accepting terms: it implies mapping which specific data the DPA covers, how to review audits, and how to terminate the contract without losing access to your own data.
2. International transfer needs a valid legal basis. To send data to the U.S., the clean path in Europe is Data Privacy Framework (in force since July 2023). HubSpot is certified under DPF. In Chile, the Undersecretariat of Economy approved Standard Contractual Clauses in December 2025 for international transfers. Without one of these bases (DPF, SCC, express consent), the transfer is unlawful.
3. Responsibility over configuration and credentials is yours, not the provider's. When HubSpot was compromised in June 2024 via credential stuffing (attackers testing leaked passwords on login portals of fewer than 30 clients), the exposed data was HubSpot clients' data. Legal responsibility fell on those clients (the controllers), not on HubSpot (the processor). In Chile under Law 21,719 it will be the same.
The typical mid-market company has these three points unresolved: DPAs signed only partially, international transfers without a documented legal basis, and MFA not mandatory across CRM access. Any privacy audit detects those three points in the first half hour.
Mid-market RAT: not 5 processing activities, 30
The Record of Processing Activities (RAT in Spanish) is the backbone of compliance. It's where the company documents every personal data flow: which category of data, what legal basis, who processes it, retention period, international transfers, security measures. The difference between SME and mid-market is dramatic:
- Typical SME: 3-7 processing activities. Customers, employees, basic marketing. One controller, one jurisdiction, two or three processors.
- Typical mid-market: 20-40 processing activities. Commercial capture, lifecycle conversion, post-sale, customer service, programs with sensitive data (health, finance), HR data, suppliers, events, multi-channel marketing, social media handling, analytics, cookies. 10-15 processors (each SaaS is one). Several countries if regional operations.
That RAT doesn't get built in a whiteboard session. It requires interviewing process owners (commercial, marketing, operations, HR, legal, IT), reviewing actual platform configurations, and mapping data against legal basis and retention period. In a mid-market company without prior RAT, the build takes 4 to 8 weeks, not 4 to 8 hours.
A common mistake: asking the legal department to “do the RAT”. Legal can draft the processing policy and classification. But actual flows live in operations and IT. Without entering the HubSpot console, Salesforce configuration and AWS blob storage, the RAT stays documentary and not operational. And the Chilean regulator, mirroring GDPR, will audit that the RAT reflects reality.
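The three gaps the text keeps returning to (unsigned DPAs, transfers without a legal basis, MFA not enforced) plus missing retention are mechanical to check once the RAT exists as data rather than as a PDF. The following is an added example, not the article's own code nor any vendor's: a minimal RAT represented as Python dataclasses and the first-half-hour audit run over it. The sample activities, the "ExamplePayroll" processor and the flag values are constructed; only the transfer bases (DPF, SCC, express consent) and the article references come from the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Transfer bases the article names as lawful for sending data abroad.
VALID_TRANSFER_BASES = {"DPF", "SCC", "express_consent"}


@dataclass
class Processor:
    name: str
    country: str                          # where its infrastructure sits (ISO code)
    dpa_signed: bool                      # Art. 15 bis Law 21,719 / Art. 28 GDPR
    mfa_enforced: bool                    # MFA mandatory on every account with access
    transfer_basis: Optional[str] = None  # "DPF", "SCC", "express_consent" or None


@dataclass
class ProcessingActivity:
    name: str
    data_categories: List[str]
    legal_basis: Optional[str]            # e.g. "consent", "contract", "legal_obligation"
    retention_months: Optional[int]       # None means nobody has decided yet
    processors: List[Processor] = field(default_factory=list)


def audit_activity(activity: ProcessingActivity):
    """Return (severity, finding) tuples for one RAT entry."""
    findings = []
    if not activity.legal_basis:
        findings.append(("high", f"{activity.name}: no legal basis documented"))
    if activity.retention_months is None:
        findings.append(("medium", f"{activity.name}: no retention period, data stays forever"))
    for p in activity.processors:
        if not p.dpa_signed:
            findings.append(("high", f"{activity.name}: no signed DPA with {p.name}"))
        if p.country != "CL" and p.transfer_basis not in VALID_TRANSFER_BASES:
            findings.append(("high", f"{activity.name}: transfer to {p.name} ({p.country}) "
                                     "without DPF/SCC/express consent"))
        if not p.mfa_enforced:
            findings.append(("medium", f"{activity.name}: MFA not mandatory on {p.name}"))
    return findings


def audit_rat(rat):
    """Audit every activity; high-severity findings first, RAT order within a level."""
    findings = []
    for activity in rat:
        findings.extend(audit_activity(activity))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: rank[f[0]])   # sorted() is stable


# Constructed sample RAT: two of the 20-40 activities a mid-market company would list.
# HubSpot's US hosting and DPF certification are from the article; the flag values are made up.
HUBSPOT = Processor("HubSpot", "US", dpa_signed=True, mfa_enforced=False, transfer_basis="DPF")
PAYROLL_SAAS = Processor("ExamplePayroll (hypothetical)", "US", dpa_signed=False, mfa_enforced=True)

SAMPLE_RAT = [
    ProcessingActivity("Commercial capture", ["name", "email", "company"], "consent", 24, [HUBSPOT]),
    ProcessingActivity("HR payroll", ["name", "national_id", "salary"], "contract", None, [PAYROLL_SAAS]),
]

if __name__ == "__main__":
    for severity, finding in audit_rat(SAMPLE_RAT):
        print(f"[{severity}] {finding}")
```

The point of keeping the RAT as structured data is that the audit can be re-run monthly (Phase 3 in the project outline) against exported platform configuration instead of trusting what the policy document says.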
DPA with international processors: what your partners are already demanding
Article 28 of GDPR — mirrored by Article 15 bis of Law 21,719 — requires the controller to sign a Data Processing Agreement with each processor. The DPA must include: subject matter, duration, nature, purpose, data type, categories of subjects, processor obligations, controller rights, technical and organizational measures, authorized sub-processors, termination.
In mid-market practice there are two paths:
Path 1: Standard DPAs from providers. HubSpot, AWS, Microsoft, Google, Salesforce and most large SaaS have downloadable DPAs. The company signs them. They cover the legal minimum. It's the correct path for standardized processors.
Path 2: Negotiated DPAs with critical partners. Strategic partners — international academic partners (European or U.S. universities), client banks, retailers that integrate you into their platform — will require a stricter DPA. Direct audit clauses, inspection rights, stricter incident reporting obligations than the law, specific indemnifications.
The problem I see often: the legal team of a mid-market company signs 30 standard DPAs from SaaS providers and 5 negotiated with partners, but nobody maps the negotiated DPA clauses against actual technical capacity. If the DPA with your European academic partner says “incident reporting within 24 hours” and internally you operate without an incident response team, the signature is a time bomb.
Operationalized data subject rights: working portal, not a mailto
Law 21,719 recognizes ARCOP rights: access, rectification, cancellation (erasure), opposition, portability. The subject can exercise them against any company processing their data. Response deadline: 30 calendar days, extendable by 30 more.
An SME can operate with a data@company.com email and respond manually. A mid-market cannot. If you have 50,000 contacts in HubSpot, 10,000 active customers, 200 employees and 5,000 leads in pipeline, ARCOP requests will arrive — especially cancellation when a customer closes an account or an employee resigns.
Minimum operational system in mid-market:
- Authenticated portal or web form to exercise each right
- Automatic subject identification (ID + email + verification)
- Internal workflow: legal validates request, owning area executes action in systems (CRM, ERP, marketing, HR), legal closes
- Auditable log of every request: timestamp, subject identifier, right exercised, systems touched, result
- Automated deadlines with alert at day 25 (before legal limit)
Building that portal and connecting it with HubSpot/Salesforce/AWS is engineering work, not legal drafting. It takes between 3 and 8 weeks depending on complexity. If the first ARCOP exercise arrives without this infrastructure in place, the response is manual, slow and error-prone.
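The deadline arithmetic and the auditable log from the list above are the part of the portal that is easy to get subtly wrong (the day-25 alert has to slide when the 30-day extension is granted). The following is an added example, not code from the article or from any CRM vendor: an in-memory ARCOP register that verifies identity before opening a request, keeps a keyed pseudonym of the subject instead of the raw ID number, logs every step with timestamp, actor and systems touched, and computes the legal deadline and the internal alert date. The key, dates, identifiers and system names are constructed.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Tuple

RIGHTS = {"access", "rectification", "cancellation", "opposition", "portability"}
LEGAL_DEADLINE_DAYS = 30   # calendar days under Law 21,719
EXTENSION_DAYS = 30        # one extension of 30 more days
ALERT_DAY = 25             # internal alert before the legal limit


@dataclass
class ArcopRequest:
    request_id: str
    subject_ref: str                 # keyed pseudonym, never the raw ID number
    right: str
    received: date
    extended: bool = False
    closed: bool = False
    # Auditable log: (timestamp, actor, event, systems touched)
    log: List[Tuple[datetime, str, str, List[str]]] = field(default_factory=list)

    def deadline(self) -> date:
        days = LEGAL_DEADLINE_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def alert_date(self) -> date:
        # Day 25 of the 30-day window; slides with the window when extended
        return self.deadline() - timedelta(days=LEGAL_DEADLINE_DAYS - ALERT_DAY)

    def status(self, today: date) -> str:
        if self.closed:
            return "closed"
        if today > self.deadline():
            return "overdue"
        if today >= self.alert_date():
            return "alert"
        return "open"


class ArcopRegister:
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key        # lives in a secret store, not in the log
        self._requests: Dict[str, ArcopRequest] = {}

    def _subject_ref(self, national_id: str) -> str:
        # HMAC rather than a plain hash: ID numbers are low-entropy and easy to brute-force
        return hmac.new(self._key, national_id.encode(), "sha256").hexdigest()[:16]

    def open_request(self, request_id: str, national_id: str, right: str,
                     received: datetime, identity_verified: bool) -> ArcopRequest:
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        if not identity_verified:
            raise ValueError("identity must be verified before a request is opened")
        req = ArcopRequest(request_id, self._subject_ref(national_id), right, received.date())
        req.log.append((received, "portal", "received", []))
        self._requests[request_id] = req
        return req

    def record(self, request_id: str, actor: str, event: str, systems, at: datetime) -> ArcopRequest:
        """Append one workflow step; 'extended' and 'closed' also change the request state."""
        req = self._requests[request_id]
        if req.closed:
            raise ValueError("request already closed")
        req.log.append((at, actor, event, list(systems)))
        if event == "extended":
            req.extended = True
        elif event == "closed":
            req.closed = True
        return req

    def needs_attention(self, today: date) -> List[Tuple[str, str]]:
        """Requests at or past the alert date: what the daily job would e-mail legal."""
        return [(rid, r.status(today)) for rid, r in self._requests.items()
                if r.status(today) in ("alert", "overdue")]


if __name__ == "__main__":
    reg = ArcopRegister(b"constructed-demo-key")
    req = reg.open_request("REQ-1", "12.345.678-9", "cancellation",
                           datetime(2026, 12, 3, 10, 0), identity_verified=True)
    reg.record("REQ-1", "marketing", "erased", ["HubSpot", "ERP"], datetime(2026, 12, 10, 12, 0))
    print(req.deadline(), req.alert_date(), req.status(date(2026, 12, 29)))
    for entry in req.log:
        print(entry)
```

In a real deployment the register would be a database table and `record()` would be called by the integrations that actually execute the erasure in HubSpot, Salesforce or the ERP, so the log proves what was done in which system, not just that legal approved it.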
Breach reporting in 72 hours: the PSNI scenario applied to Chile
Law 21,719, like Article 33 of GDPR, sets a maximum deadline of 72 hours to notify the authority of a security breach that affects personal data and entails risk to subjects' rights. It adds an early alert within three hours for serious incidents and a full report within 15 days. The 72-hour deadline is identical to GDPR's.
The world reference case is Police Service of Northern Ireland (PSNI), August 2023. A staff member uploaded an Excel file with a response to a freedom of information request. The Excel had a hidden tab with personal data of 9,483 officers and full staff of the police force. It was public for 2-3 hours before being detected. Six staff reviewed the file. None noticed the hidden tab.
In October 2024, the UK ICO applied a fine of £750,000 (without the public sector discount it would have been £5.6 million). More than 4,000 PSNI employees filed civil claims. Litigation is estimated between £24M and £37M additional. Root cause identified by ICO: “light touch approach” to data protection — no clear strategy, inadequate procedures for sensitive data.
PSNI didn't have an Iranian APT. It had well-intentioned employees, a poorly managed Excel and absent procedures. It's exactly the type of incident most likely in a mid-market company with HubSpot, daily Excel exports and internal emails.
Recent Chilean cases to size up the local picture:
- Banco Santander Chile, May 2024: exposure of personal data of ~4 million customers. SERNAC filed a class action in February 2026 after voluntary proceedings failed. This happened under Law 19,628 (no administrative fines). Under Law 21,719 in force, the APDP administrative fines would add up — doubling the risk.
- USM (Federico Santa María Technical University), October 2024: RansomHub attack, dark web publication of Excel lists with names, IDs, campus, major, emails. 14 GB leaked according to press reports. Sustained national coverage.
- GTD, October 2023: Rorschach ransomware. Declared impact: $2,497 million CLP in required investments + $763 million CLP in reduced revenue. ~3,500 client organizations affected.
For a Chilean mid-market company, breach reporting in 72 hours needs a written, rehearsed protocol with defined roles. Without it, when the 72 hours arrive, no one knows who responds first: legal, IT, external communication, management.
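A rehearsed protocol is easier to drill when the clock is explicit. The following is an added example, not the article's own material: a breach-notification clock that takes the detection time and the incident's event log and reports, for each of the three windows the text names (3 hours, 72 hours, 15 days), whether it was met, met late, missed, or is still pending, and who moves next. The role assignments, the event names and the sample incident (a breach found at 22:00 on a Friday, the scenario the article itself uses) are constructed; the windows come from the text.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (milestone, owner role, window from detection, event that satisfies it)
# Owner roles are a constructed assignment: the law sets the windows, not the roles.
MILESTONES = [
    ("early_alert",      "IT security lead", timedelta(hours=3),  "early_alert_sent"),
    ("authority_notice", "Legal",            timedelta(hours=72), "apdp_notified"),
    ("full_report",      "Legal + IT",       timedelta(days=15),  "full_report_filed"),
]

Event = Tuple[datetime, str, str]   # (timestamp, role, event name)


def milestone_status(detected_at: datetime, events: List[Event], now: datetime,
                     serious: bool = True) -> Dict[str, dict]:
    """State of every notification window relative to `now`."""
    status = {}
    for name, owner, window, satisfying in MILESTONES:
        if name == "early_alert" and not serious:
            # The three-hour early alert applies to serious incidents only
            status[name] = {"owner": owner, "due": None, "state": "not_required"}
            continue
        due = detected_at + window
        done_at = [ts for ts, _, ev in events if ev == satisfying]
        if done_at:
            state = "met" if min(done_at) <= due else "late"
        elif now > due:
            state = "missed"
        else:
            state = "pending"
        status[name] = {"owner": owner, "due": due, "state": state}
    return status


def next_action(status: Dict[str, dict]) -> Optional[Tuple[str, str, datetime]]:
    """First window still open (pending or already missed), so the on-call person knows who moves next."""
    for name, owner, _, _ in MILESTONES:
        if status[name]["state"] in ("pending", "missed"):
            return name, owner, status[name]["due"]
    return None


# Constructed incident: breach discovered at 22:00 on Friday, December 4, 2026
DETECTED = datetime(2026, 12, 4, 22, 0)
SAMPLE_EVENTS: List[Event] = [
    (datetime(2026, 12, 4, 23, 15), "IT security lead", "early_alert_sent"),
    (datetime(2026, 12, 7, 18, 0),  "Legal",            "apdp_notified"),
]
NOW = datetime(2026, 12, 8, 9, 0)

if __name__ == "__main__":
    status = milestone_status(DETECTED, SAMPLE_EVENTS, NOW)
    for name, info in status.items():
        print(f"{name:17} {info['state']:13} due {info['due']}  owner: {info['owner']}")
    print("next:", next_action(status))
```

Running the same function during a tabletop drill with the drill's timestamps is a cheap way to find out whether the people named as owners actually know they are named.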
The most expensive trap: “pure legal advisory” without implementation
The current Chilean market has a predictable pattern: law firms offer “Law 21,719 diagnosis”, deliver a PDF with recommendations, draft a privacy policy and consents, and withdraw. The company is left with documentation but without a working system.
The problem isn't legal advisory. It's necessary. The problem is assuming compliance ends there. The operational reality:
- The privacy policy says “the subject can exercise ARCOP”. Without a portal that receives and processes those requests, the statement is decorative.
- The policy says “we report breaches in 72 hours”. Without a written, rehearsed protocol with assigned roles, the 72 hours expire.
- The RAT says “data kept X months”. Without retention rules configured in HubSpot, AWS and the ERP, data stays forever.
- The DPA with HubSpot requires MFA on all access. Without enabling and monitoring it, the clause is breached by omission.
Complying with Law 21,719 in mid-market is 30% legal and 70% technical implementation + operational change. When a consultancy doesn't touch the CRM console, doesn't configure retention in the ERP, doesn't build the ARCOP portal, doesn't rehearse the breach protocol, it's selling only 30% of the work. The other 70% remains as technical debt waiting for the first enforcement action or first incident to become evident.
Real fines: what the law says and verifiable cases
Law 21,719 establishes three sanction levels:
| Level | UTM | CLP (UTM May 2026) | USD approx. |
|---|---|---|---|
| Minor | 5,000 | $352M | ~$391K |
| Serious | 10,000 | $706M | ~$782K |
| Very serious | 20,000 | $1,411M | ~$1.57M |
| Recidivist very serious | 60,000 | $4,235M | ~$4.7M |
For non-MIPYME companies, in addition to the UTM cap, a fine of up to 4% of national annual revenue can apply, whichever of the two is greater.
The GDPR Enforcement Tracker reports €7.1 billion accumulated in GDPR fines through 2026 (2,245 sanctions since 2018). The largest individual fine: €1.2 billion to Meta Ireland. In education sector, fines are more modest (~€32,600 average), but Bocconi University (Milan) was fined €200,000 for using proctoring software without legal basis for student biometric data. The precedent matters: European academic partners audit their counterparts with that case in mind.
The average cost of a data breach in Latam according to the IBM Cost of a Data Breach Report 2025 is USD 2.51 million, with an average identification + containment time of 316 days. Multi-environment breaches are the most expensive (USD 2.84M).
The 5 questions your next compliance meeting must answer
If you have a compliance meeting next week, these are the five concrete questions worth bringing:
- How many processing activities exactly do we have documented today, and how many do we think are missing? If the answer is “we have an updated privacy policy” but nobody knows the number, there is no real RAT.
- Do we have a signed DPA with each of our international processors (HubSpot, AWS, M365, Salesforce)? The answer should be an enumerated list, not a “we're working on it”.
- What happens today if a customer asks for access or deletion of their data? Who responds, how, in what timeframe? If the answer involves a generic mailto: and manual process, there is no ARCOP operation.
- What happens today if we discover a security breach at 10pm on a Friday? If the answer doesn't include a written protocol with assigned roles, there's no 72-hour response capacity.
- Is our CRM configured with mandatory MFA, active audit logs, and retention rules consistent with our privacy policy? This is the difference between documentary compliance and real compliance.
If two of the five answers are evasive, there's no system. There are documents.
What a serious mid-market project looks like: timing, roles, investment
A well-sized Law 21,719 compliance project for a Chilean mid-market company has three phases:
Phase 1 — Diagnosis (3-4 weeks). Process-owner interviews, a real RAT survey based on actual flows (not a documentary one), inventory of processors and international transfers, gap analysis against Law 21,719 + GDPR + ISO 27701, evaluation of the technical stack (CRM, ERP, cloud), executive report with a prioritized and costed roadmap. Team: 1 legal lead + 1 senior engineer + IAPP specialist advisory at critical milestones. Reference investment: 100-200 UF.
Phase 2 — Implementation (4-6 months). Complete and signed RAT, DPAs reviewed and signed with processors, ARCOP portal working integrated with CRM and ERP, automatic retention configuration in each system, breach protocol rehearsed via drill, MPI (Infringement Prevention Model under Decree 662/2025) documented, training for key teams (commercial, marketing, HR, operations). Reference investment: 400-800 UF depending on complexity.
Phase 3 — Ongoing operation (monthly). Monthly RAT review (reflecting the changing reality of flows), support for complex ARCOP requests, review of contractual changes with processors, monitoring of regulatory developments (Decree 662, APDP resolutions). Reference retainer: 30-50 UF/month. For companies requiring formal DPO designation before the Agency with 24/7 responsibility, the model depends on size.
Optimal window to start: June-September 2026. That leaves Phase 2 closing between November and January 2027, before the APDP has its first benchmark cases. Starting after October 2026 means paying the urgency premium: more expensive, executed under pressure, with lower operational quality.
Conclusion: complying with Law 21,719 as mid-market is an investment, not a cost
Three central ideas from the article, to take away:
First: the regulatory system is nested. Complying well with Law 21,719 leaves you pre-aligned with GDPR, ISO 27701 and much of what your corporate clients demand via DPA. Compliance is not just defense against fines — it's a commercial asset that enables you to sell to top clients.
Second: the MIPYME transitional regime doesn't cover you. From December 2, 2026 administrative fines are operative against any company outside the MIPYME range. First enforcement actions will likely prioritize mid-market and large companies.
Third: compliance is 30% legal and 70% technical implementation. An advisory that only drafts documents sells you 30% of the work. The remaining 70% stays as technical debt awaiting the first enforcement action to reveal itself.
If you need a technical-legal starting point — real diagnosis, costed roadmap, implementation under the same team — that's exactly what we do in our Law 21,719 compliance service. No middlemen between the person who understands the law and the person who configures HubSpot, AWS or the ARCOP portal.