Garrigues

Evolving data protection regulation in Latin America and its impact on labor relations

Latin America

The protection of personal data has become especially relevant in the workplace, driven by digital transformation, the growing use of personnel monitoring and management technologies, as well as the need to respect privacy in increasingly diverse work contexts. In recent months, countries such as Peru, Chile, and Mexico have been undergoing significant reforms that could require major changes in information management for employers. 

In a new environment characterized by protecting data above any other business need, companies are forced to review internal processes and policies, as well as adopt robust measures to ensure regulatory compliance and safeguard the personal information of their employees, candidates, and contractors. From selection processes to performance evaluations and labor control mechanisms, the processing of personal data has become a central axis in people management. In addition to this, the use of AI tools generates a relevant exposure of personal information – in many cases sensitive – that will often require the adoption of policies that guarantee the confidentiality of the information that human resources departments will begin to use.

Regulations in the Latin American region have begun to respond to this reality. Peru, Mexico and Chile have already implemented relevant regulatory reforms in terms of data protection, while in Colombia the regulation dates back to 2012, although employers and employees have gradually become more aware of the importance and sensitivity of the handling of personal data. This process of assimilation and updating of regulations – which seeks to align local legislation with international standards – implies a higher level of demand for employers and more rigorous supervision by the authorities.

Below, we present an updated overview of the main regulatory developments and practical considerations related to the processing of labor and employment personal data in Peru, Colombia, Mexico and Chile.

Peru

On November 30, 2024, Supreme Decree No. 016-2024-JUS was published, approving the new Regulation of the Data Privacy Law (Law No. 29733) and completely replacing the previous regulation (published in 2013). This new regulation came into force on March 30, 2025, and marks a milestone in Peruvian regulation by incorporating international standards and establishing new requirements for the processing of personal data. In the workplace, it introduces substantial changes that require a comprehensive review and adaptation of business practices linked to the processing of employee data.

As a first relevant issue, the new regulation reinforces key obligations for employers in the processing of employees' data. In this sense, failing to fully inform the employee about the processing of their personal data, in accordance with article 18 of the Law, is now classified as a serious infraction (sanctioned with up to approximately USD 70,000.00). From a practical standpoint, this requires reviewing and adapting the main labor information documents (policies, formats, clauses, etc.).

Likewise, failure to address ARCO rights requests (access, rectification, cancellation and opposition) within the legal deadline is considered a minor infraction, subject to fines of up to USD 7,000.00. This highlights the need to review and strengthen internal procedures to ensure timely and effective responses to employees exercising their data protection rights.

As a novelty, the obligation to appoint a Data Protection Officer is introduced when certain conditions are met by data controllers (e.g. processing of sensitive data as core business, processing of a large volume of personal data). Human Resources should be actively involved in this designation, as it may involve changes in functions, access to information, and working conditions.

Finally, the regulation details new security measures, such as the requirement to have an updated and internally disseminated security document that includes access procedures, privilege management and use of platforms, among others. Its correct implementation is essential to minimize legal risks, strengthen the culture of compliance and promote employees' trust in the organization.

Colombia

The protection of personal data has become increasingly important in the business environment, especially in the workplace. Since the issuance of Statutory Law 1581 of 2012, which establishes the general regime for the protection of personal data, and its regulatory decrees, organizations are obliged to implement measures that guarantee privacy, security and adequate treatment of the personal information of their employees.

In recent years, the Superintendence of Industry and Commerce (SIC), as the national authority in this area, has strengthened its role of surveillance and sanctions, issuing new instructions and decisions that require companies to constantly review their internal policies. Recently, the regulation related to data protection has been assimilated and internalized with greater zeal, and stricter guidelines on the processing of sensitive data, demonstrated responsibility and database management have been consolidated. This has led to a tightening of the sanctioning regime and a greater requirement in compliance documentation.

Among the recently issued regulations and guidelines, the external circulars issued by the Superintendence of Industry and Commerce on the processing of personal data stand out. Among them are External Circular No. 002 of August 21, 2024, which addresses the processing of personal data in artificial intelligence systems, and External Circular No. 003 of August 22 of the same year, which instructs company administrators on the processing of such information.

In the labor context, these provisions imply a significant transformation in the way companies manage their employees' information. From obtaining informed consent during the selection process to implementing cybersecurity measures, organizations must ensure that their practices respect employees' rights and align with the principles of legality, purpose, freedom, truthfulness, transparency, access, and restricted circulation.

The authority has consistently issued guidelines and guides to help companies and their collaborators process personal data properly. These instruments include booklets and technical documents on topics such as the implementation of the data protection compliance officer, as well as on activities relevant to organizations, such as video surveillance and its proper management in accordance with current regulations.

This regulatory framework not only seeks to protect the privacy of employees, but also to foster an organizational culture based on trust, transparency, and regulatory compliance. Thus, the protection of personal data has become a fundamental axis of modern labor relations in Colombia.

Mexico

On March 20, 2025, a new Federal Law on the Protection of Personal Data in Possession of Private Parties was published in the Official Gazette of the Federation. This legislation, which replaces the 2010 regulation, introduces clearer and more robust provisions to ensure the legitimate and secure processing of personal information in the country. Below, we explore the main developments and their impact on the Latin American business environment.

Greater clarity and obligations: the new law reinforces the ARCO rights (Access, Rectification, Cancellation and Opposition), now precisely defined and explicitly recognized, overcoming the ambiguity of the previous legislation. In addition, it imposes stricter obligations on companies and individuals who handle personal data, whether in physical, electronic or any other form. Among the new requirements are:

  • More detailed privacy notices: companies must inform in a clear and accessible way about the purposes of data processing, specifying: (i) what data is collected, including sensitive data; (ii) which data require express consent; and (iii) how to exercise ARCO rights.
  • Right to object: data subjects may object to the processing of their data if there is a legitimate cause, such as possible damage or harm, or when the automated use of data affects their rights, evaluates personal aspects (work performance, economic situation or health, among others) or generates undesired legal effects.
  • Mandatory confidentiality: organizations must implement controls to ensure that anyone involved in data processing maintains strict confidentiality.
  • Data protection culture: companies must promote data protection internally, designating, if necessary, a person in charge or department to handle requests related to ARCO rights.

New institutional approach: one of the most significant changes is the disappearance of the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) as a guarantor body. Instead, the Anti-Corruption and Good Governance Secretariat will assume the supervision, verification and sanctioning functions regarding personal data at the federal level. The resolutions of this Secretariat may be challenged only by means of an amparo proceeding in specialized courts, eliminating the remedy of nullity before the Federal Court of Administrative Justice.

In addition, the penalties and costs associated with the exercise of ARCO rights will be calculated based on the Unit of Measurement and Update (UMA) in force, ensuring an updated economic base.

Impact on labor matters: for companies in Mexico and the region, this reform implies an urgent review of their administrative practices. Employers will be required to: (i) update privacy notices, contracts, and internal regulations to comply with the new law; (ii) implement processes that guarantee transparency in the handling of employee data; and (iii) train their personnel in data protection to avoid legal risks.

These changes will not only strengthen employees' confidence but also position companies as responsible actors in an environment where privacy is a global priority.

Chile 

After seven years of legislative debate, Chile has a new Law on the Protection and Treatment of Personal Data (Law 21,719), which was enacted in December 2024 and will come into force in the last month of 2026. This law represents a milestone in aligning national regulation with international standards, especially the European Union's General Data Protection Regulation (GDPR), establishing a robust and modern framework for the management of personal data in the country.

The new regulations are of general application, covering all natural and legal persons. Among its main novelties, the creation of the Personal Data Protection Agency stands out, an autonomous body in charge of issuing instructions, interpreting the law, monitoring compliance and applying sanctions. This institutionality will be key to the correct implementation and supervision of the new regime.

In the labor field, the law recognizes employees as owners of personal data vis-à-vis their employers. This implies that they have the following rights over their information: access, rectification, deletion, opposition, portability and blocking of data. These rights are inalienable and must be respected in all employment relationships, reinforcing the obligation already existing in article 154 of the Labor Code, which requires employers to maintain the confidentiality of their employees' private information.

The processing of personal data in the employment context may be carried out with the express consent of the employee, but it will also be lawful when it is necessary for the execution of the employment contract, compliance with legal obligations or the satisfaction of the employer's legitimate interests, provided that the worker's rights and freedoms are not violated. Special attention should be paid to sensitive data, such as those related to health, which can only be processed under strict conditions and with greater safeguards.

For companies, the entry into force of the law implies the need to review and adapt their internal data processing policies and procedures. It will be essential to implement measures that ensure compliance with the guiding principles of the law: legality, purpose, proportionality, quality, responsibility, security, transparency and confidentiality. In addition, multinational companies will have to pay particular attention to the new requirements for the international transfer of data, ensuring that destination countries have adequate levels of protection or that sufficient contractual guarantees are in place.

In this transition period until December 2026, companies must adapt their systems in advance, train their teams and stay attentive to the regulations and guidelines that the future Personal Data Protection Agency will issue, which will give greater clarity and practical sense to the law.

It is of utmost importance to adapt correctly to the law, since non-compliance with the regulations can lead to significant sanctions, with fines that can reach up to 20,000 UTM (€ 1,466,600 approx.), a sum that could triple in the event of a repeat offense. This underscores the importance of proactive and responsible management of personal data, both to avoid legal risks and to strengthen the trust of employees and customers in the organization.

In short, the new law marks a before and after in data protection in Chile, requiring companies to make a real commitment to privacy and information security, especially in the workplace. Early preparation and adaptation will be key to successfully facing this new regulatory scenario.