
Law 21,719: the fine isn't your biggest risk — being shut out of public tenders is

By Daniel Petrasic · 10 min read

The fine is scary. Being shut out of tenders closes your business.

Chile’s Law 21,719 on personal data protection takes full effect on December 1, 2026, and the headlines have already started: fines of up to 20,000 UTM — on the order of US$1.2 million — for the most serious infractions, and up to 4% of annual revenue in cases of repeat offenses.

The number is scary, but for a supplier SME or startup it isn’t the real danger. A fine is a one-time hit. Being shut out of tenders and of contracts with large clients is a structural hit: it removes you from the market where you sell. And that’s exactly what this law puts on the table.

This article is for the owner or manager of an SME that provides services to other companies — software, marketing, accounting, support, consulting, call center — and that is probably already processing its clients’ personal data without having thought about it in legal terms.


You’re already a “data processor” (even if you don’t know it)

The law distinguishes two roles. The controller decides what the data is used for and how (your client). The processor handles it on the controller’s behalf. If your company accesses a client’s database to deliver the service — an agency managing the contact list, a SaaS where the client uploads its users, an accountant with employee records — you become a processor.

That’s not a technicality. As a processor, you have your own legal obligations and you share liability for any breach or non-compliance. Thousands of SMEs that see themselves today as “service providers” will wake up on December 1 turned into regulated parties, with duties they never managed.


The Registry of Offenders: the punishment that isn’t money

Alongside the fines, the law creates something new in Chile: a Public Registry of Offenders, administered by the forthcoming Personal Data Protection Agency. Sanctioned companies are exposed there, in plain sight of anyone.

That registry is what changes the game for an SME. The damage isn’t just the fine: it’s that your large clients and the State will start to demand formal compliance before contracting you. In a tender or in a corporate client’s due diligence, showing up as an offender — or simply not being able to prove you comply — leaves you out. Not over price: over risk. No one wants to hire a supplier that could drag them into its own data breach.


Why the PDF won’t save you

The most common mistake is believing that compliance means changing a couple of contract clauses and posting a privacy policy on your website. It isn’t. The authority won’t read your policy: it will ask for real technical evidence that you protect the data — access controls, incident logs, traceability of who saw what and when.

The ecosystem diagnosis is uncomfortable: much of the startup world keeps sensitive data in shared Excel sheets, moves it over WhatsApp and hosts it on improvised servers, with no processing agreements, no breach protocol, no record of activities. Under the new standard, that isn’t “informal”: it’s out of compliance.


What you actually need to have

It’s not an infinite list, but it is concrete. The floor for an SME acting as a processor is:

  • Record of Processing Activities (RAT). The inventory of what data you process, whose, for what, and on what legal basis. It’s the first thing an auditor asks for.
  • Legal basis and consent. A valid reason to process each piece of data, and real mechanisms to request and revoke consent where required.
  • Processing agreement (DPA) with your clients. The contract that sets what you can do with their data and what happens in a breach. Your large clients will demand it; better to arrive with one ready.
  • Technical security measures. Role-based access control, encryption of sensitive data, two-factor, backups and logs. The minimum to make “I protect the data” demonstrable, not a sentence.
  • Breach protocol. What you do, whom you notify and within what deadline when something leaks. Improvising it on incident day is the most expensive way to learn it.

You can see where you stand today with the free Law 21,719 diagnostic we publish, and the step-by-step version for SMEs in this guide.


The flip side: complying early is how you win the big accounts

So far this sounds like a threat. But there’s a reading most of your competitors aren’t seeing: compliance is a commercial advantage, not just a cost.

When large clients and the State start requiring compliance as an entry requirement, the SME that arrives with its RAT, its DPA and demonstrable security passes the filter that leaves everyone else out. You become the supplier it’s safe to work with — and that, in an even tender, is worth more than a discount. Whoever prepares this year not only avoids the risk: they keep the contracts the disorganized ones won’t be able to take.


Deadlines and the breather for the smallest

The key date is December 1, 2026. There’s a nuance worth knowing: during the first 12 months (until December 1, 2027), smaller companies under Law 20,416 can receive a written warning instead of a fine for a first infraction. It’s a breather, not a permit: the Registry of Offenders and your clients’ commercial demand don’t wait for that grace year.

On cost: market estimates put it at between US$5,000 and US$15,000 to get a mid-sized startup’s data processing in order. It’s money, but analysts agree the risk isn’t in that spend — it’s in inaction, in the account you don’t win and the client who walks away.


Why this matters to us

Most SMEs won’t fail out of bad faith, but because complying with this law lives right at the border between the legal and the technical — and almost no one has both. The lawyer drafts the policy; the problem is that access control, logs and the breach protocol are built in the system, not in a document.

At Thinkbox we do both halves under one team: the regulatory diagnosis and the technical implementation that actually changes how data is handled. We don’t sell a report that leaves you the same; we leave the RAT, the consents, the processing agreements and the security actually working. If you want to know where to start, the diagnostic is free, and the rest is in our Law 21,719 service.
