New interpretative circulars from Sernac on the processing of personal data

Recently, the National Consumer Service (Sernac) issued two guidelines with relevant provisions regarding the processing of personal data.

I Interpretative Guideline on fairness criteria contained in standard form agreements referring to the collection and processing of personal data.

Sernac proposed the control and supervision of the clauses and stipulations contained in standard form agreements normally contained in “privacy policies” and “terms and conditions”, formulas that normally offers a wide array of clauses that deal with the processing of consumers’ personal data.

In this context, Sernac proposes five interpretative criteria. The first one refers to a form control, and the remaining ones to various “abusive clauses” that are usually contained in these policies. These are:

  • Form control: transparency of privacy policies and of all stipulations related to the processing of consumers’ personal data.
    This control means that the supplier must provide the consumer with transparent and specific information regarding what information and which personal data will be processed, in order to obtain from the consumer a valid authorization that enables the processing of data in the context of a consumer contract. This information must be specific, both in terms of the personal data that will be processed (processing activities), as well as the purpose of the processing. The fulfillment of this parameter, according to Sernac, determines the informed nature of the authorization given by the consumer for the processing of his/her data, in accordance with the consent criteria established by the “LPD” (Ley de Protección de Datos or the Data Protection Law of Chile).Sernac points out that excessively and unnecessarily long, disorganized, confusing or difficult to understand clauses and privacy policies should be avoided, such as those that lack a schematic order, or those that present visualization difficulties, among others.In addition to this, Sernac emphasizes the need for identification by consumers of what information concerning them will be collected and how it will be used, so that, if they wish, they can exercise their rights as data subjects.Thus, the Guideline states that privacy policies should allow consumers to easily identify:

    1. the controller of the data, including contact details;
    2. which of the consumer’s personal data is being collected under the contract, stating precisely what data is being collected and whether it is of a special quality (e.g. sensitive data);
    3. the basis of lawfulness enables the processing of the data,
    4. the processing operations that are being authorized – regarding this, Sernac expects the provider to “clearly describe the specific purpose or purposes of processing for which consent is requested (…), for example, whether the data collected will be used for market research, for consumer profiling operations or whether it will eventually be transferred or shared with third parties”;
    5. parameters to determine the period of time or period during which the provider will keep the personal data collected, although according to Sernac this “does not aim to indicate a specific term or period of conservation, given the processing needs associated with the provision of the service, it is expected that providers indicate criteria that allow for the determination of an optimal knowledge to the consumer in accordance with legal standards”,
    6. the recipients to whom the data collected may eventually be communicated. The latter expectation, as indicated by the Service, need not necessarily be ex ante and precise with respect to each of the potential recipients, but “it is important that there be a reasonable degree of specificity that allows at least the categories of third parties to whom consumer data may be transferred to be identified.”

    Finally, with respect to this criterion, SERNAC points out that transparency demands informing users of the rights that the law recognizes them as data subjects, together with the procedure for exercising them before the data controller.

  • Clauses providing for unilateral modification, suspension or termination of the contractual relationship.

    In this regard, the Guideline refers to clauses that are abusive pursuant to Article 16 letter (a) of the LPDC (Ley de Protección de los Derechos de los Consumidores or Consumer Protection Law), i.e., those clauses that allow the supplier to render, unilaterally and at its sole discretion, without effect, modify or suspend the execution of the contract.Regarding personal data, these clauses allow the supplier responsible for the data to unilaterally and broadly modify the terms and conditions under which the consumer originally authorized the collection and processing of his/her data.In addition, Sernac distinguishes between substantial and non-substantial modifications of privacy policies. Regarding the former, it is understood that they are modifications that expand the information or data that the consumer authorizes to be collected by the supplier, alter the purposes of the processing, authorize additional processing operations, include new categories of third parties to whom the consumer’s information may eventually be transferred, among others. Regarding these type of clauses, Sernac points out that the formulas that seek to modify such stipulations on the basis of tacit or implied consent of the consumer, this is, of an authorization not derived from an express and written expression of will, but from a certain behavior (including the inaction or silence of the data owner, such as pointing out that the mere use by the consumer of the platform or the services provided by the supplier constitutes express acceptance of the new conditions) are null and void. It is added that the models of opt-out or pre-checked boxes, authorizing data processing and “I do not accept” boxes are not sufficient, as they do not meet the standard of explicit consent established by the LPD.

    On the other hand, non-essential modifications refer to modifications related to changes in the corporate structure of the supplier, or to changes in the contact details of the supplier in charge, and although they do not require the explicit authorization of the consumer to be valid, they must be informed under the transparency standards of N. 1.

  • Clauses that charge the consumer for the effects of eventual deficiencies, omissions or errorsThese clauses are related to the ground of abusivity provided for in art. 16 letter (c) of the LPDC, which deprives of all effect the stipulations that “allocates with the consumer the effects of deficiencies, omissions or administrative errors, when they are not attributable to him/her”.In relation to the processing of personal data, the Service highlights the existence of several contractual provisions which always and in all events place at the expense of the consumer the losses, alterations, leaks or effects unauthorized access to personal data that have been collected by the supplier. Sernac points out that placing such deficiencies, errors or eventual omissions at the consumer’s expense impair the duties of professionalism and security that are incumbent on suppliers.

    These duties are related to the provisions of the LPD, since the responsible providers are responsible for the proper management of the databases in which such information is contained, also relevant is the principle of security regarding the processing of personal data (art. 11 LPD), and that such data must be accurate (art. 9 LPD), said data, as a general rule, is also confidential or secret (art. 7 LPD).

  • Clauses containing absolute limitations of liability towards the consumerThese clauses are related to the unfair clauses set forth in art. 16, letter e) of the LPDC, which deprives of all effect those stipulations that “contain absolute limitations of liability to the consumer that may deprive the consumer of his/her right to compensation for deficiencies that affect the usefulness or essential purpose of the product or service”.Regarding the matter of personal data protection, the Service points out the existence of many contractual clauses or stipulations that exempt or mitigate the liability of the supplier in the event of breach of confidentiality of consumer data or any other damage that may arise from the processing operations carried out by the controller.

    Sernac points out that the responsibility falls on the supplier who carries out the processing of consumer data, being obliged to “control compliance with the standards necessary for the adequate protection of consumers, by adopting diligent technical solutions that maximize such protection in accordance with their duties of professionalism and security. Therefore, contractual stipulations that explicitly or surreptitiously totally or partially eliminate such responsibility undermine the aforementioned obligation to the detriment of the basic guarantees that must protect consumers, and therefore, must be considered abusive”.

  • Clauses contravening contractual good faithThe last section of the circular refers to clauses that contravene the provisions of art. 16, letter (g) of the LPDC, i.e., those stipulations that are contrary to the requirements of good faith “attending for these purposes to objective parameters, cause to the detriment of the consumer, a significant imbalance in the rights and obligations for the parties arising from the contract. In this regard, the purpose of the contract and the special or general provisions that govern it shall be taken into account”.In relation to this generic cause, Sernac points out that the clauses that contravene the requirements of good faith by claiming to authorize certain data collection and processing operations that are excessive or that deviate from the typical objectives that an average consumer seeks to satisfy through the consumer relationship, taking into consideration their reasonable expectations, are abusive.

    An example of this are the stipulations that consist of written statements previously prepared by the supplier and that impose on the consumer the processing of his personal data which are not necessary for the achievement of the specific purposes that they had in mind (as a moderately diligent consumer) at the time of contracting, according to the appearance created for the consumer. Also unfair would be the clauses that authorize the delivery of information to all kinds of third parties with whom the consumer has not contracted and that are broad or excessive; for example, those that enable the processing of data for the purpose that third parties outside the contractual relationship may send the consumer commercial or advertising messages, among others.

    In addition to this, SERNAC establishes a term to apply the new criteria of the Circular, which in the case of smaller companies (micro, small and medium-sized companies), will be sixty calendar days, and for suppliers in general, after forty-five days, both after the date of publication of the Circular.

II Interpretative Guideline on Advertising and Commercial Practices

The Guideline on Advertising and Business Practices now contains a section referring specifically to the relationship between advertising and the processing of personal data.

The Guildeline specifically refers to direct marketing as a non-traditional advertising medium that establishes a direct link between the advertiser and the consuming public. An effective way to carry out this type of practice relies on extensive and organized collections of data about current or potential customers, the service points out. Thus, direct marketing practices comprise a set of communicational practices that, based on the collection and processing of various data concerning current or potential consumers, allow the sending of advertising or promotional announcements, solicited or unsolicited, to one or several specific individuals, through postal mailings, e-mails, telephone calls, etc.

Sernac points out that, in order to obtain consumer data, big data technologies are used that allow the continuous collection of massive volumes of data from several sources, which are then subject to various types of processing. In this sense, providers must abide by the rules related to personal data protection contained in the LPD, having a lawful base for the collection of such data, and in case it comes from a publicly accessible source, that such publicly accessible source has also been obtained in a legitimate and lawful manner, in accordance with the provisions of the LPD.

It is also emphasized that suppliers have the obligation to facilitate consumers to exercise their rights with regards to direct marketing, particularly through expeditious mechanisms that allow them to directly request the suspension of this type of communications, or giving effectiveness to simple responses via e-mail through messages such as “remove mailings”, or in the case of telephone communications, offering in the same call the option to suspend mailings by means of a digit. Likewise, it should be noted that such right may also be exercised through the SERNAC website, through the “Do Not Disturb System.”