The new Regulation on the Model for the Prevention of Infractions establishes guidelines and certification for data protection compliance programs.
Decree No. 662/2025 of the Ministry of Finance, which approves the Regulation on the Infraction Prevention Model provided for in Article 49 of the Personal Data Protection Law, is currently in the process of being acknowledged by the Comptroller’s Office.
The purpose of the regulations is to establish the requirements, modalities, and procedures for the implementation, registration, and supervision of the Infraction Prevention Models.
Although their adoption is voluntary, it is made clear that this does not exempt those responsible from the duty to implement actions to prevent infractions and comply with the provisions of the Data Law.
Essential elements of the MPI / Compliance Program
Compliance programs correspond to the Infraction Prevention Model (MPI) and can be adopted by any data controller, whether a natural or legal person. Their main contents include:
- Identification of the data controller and their legal representative.
- Appointment of the Data Protection Officer (DPO), with definition of their means and powers.
- The “DPO as a Service” modality is contemplated, with the obligation to always appoint a natural person in the contract.
- Characterization of the personal data processed, including categories, purposes, sources, legal bases, retention periods, and the existence of automated decisions.
- Possibility of compliance with the Processing Activity Log (RAT) with minimum content defined in the regulation.
- Identification of higher-risk processing activities, incorporating them into a risk matrix graded according to the penalties provided for by law.
- Specific protocols, rules, and procedures for persons involved in processing activities or processes to perform their tasks while preventing violations.
- Internal reporting and complaint mechanisms to the DPO, guaranteeing the confidentiality of the complainant’s identity and prohibiting unfavorable measures against them.
- Internal administrative sanctions and sanctioning procedures applicable for violations of internal regulations.
- Internal dissemination clauses and effective communication channels to ensure understanding and compliance with the program.
- Any other provision necessary or useful for compliance with the rules applicable to the protection of personal data.
Data Protection Officer (DPO) – Enhanced Functions
The document sets out in detail the role of the DPO, who becomes the technical and legal pillar of the MPI. Their functions and obligations include, among others:
- Informing and advising the controller, third-party processors/agents, and employees on the legal provisions applicable to the processing of personal data.
- Participating in the review and modification of the compliance program, proposing adjustments when risks or opportunities for improvement are detected.
- Promoting the dissemination, knowledge, understanding, and compliance with the policy issued by the controller in the area of data protection.
- Supervising regulatory compliance, periodically evaluating the effectiveness of the measures adopted and verifying the correction of possible deviations.
- Reporting directly to the competent authority, without interference from the controller, any breach of the applicable data processing regulations of which they become aware.
- Promoting ongoing training and education of staff in data protection matters.
- Advising the controller on identifying the risks associated with the processing activities carried out by the entity and on adopting preventive measures.
- Ensuring secure and confidential channels of communication with data subjects, internal staff, and third parties, and safeguarding the confidentiality of whistleblowers’ identities.
Certification and supervision
The provision establishes the procedure for the approval, certification, registration, implementation, and supervision of compliance programs.
Certification will be granted by the agency through a procedure initiated by the interested party, with a validity of three years and grounds for expiration such as revocation, dissolution of the legal entity, or voluntary cessation of activity.
The Regulation on Models for the Prevention of Infractions is presented as an operational framework that guides data controllers in the adoption of good compliance practices.
Although its implementation is not mandatory, in practice it becomes a benchmark standard that strengthens data governance, reinforces trust among data subjects and authorities, and allows for the anticipation of regulatory risks, providing concrete evidence of due diligence.
For more information on these topics, please consult:
Rodrigo Albagli | Partner | ralbagli@az.cl
Eugenio Gormáz | Partner | egormaz@az.cl
Yoab Bitran | Director Compliance Group | ybitran@az.cl
Antonia Nudman | Senior Associate az Tech | anudman@az.cl