Can I Use AI (or ChatGPT) with Customer Data?

Yes, but not freely. Putting customer personal data into an AI tool is a processing activity under the Data Protection Law, and it drags in a lawful basis, purpose limits, international transfers, sensitive-data rules and automated-decision safeguards. The question is not whether AI is allowed, but under what conditions.

This page frames what the Data Protection Law demands before a company feeds personal data into AI: that this is processing and needs a basis, the checkpoints that adoption triggers, the line between a defensible use and a careless one, and how to set it up under real governance. It closes with the questions teams ask when a tool lands on their desk.

Using AI with personal data is processing data

The starting point is simple and often skipped: the tool changes, the legal category does not.

Entering a customer\'s name, contract, history or any identifying data into an AI system is processing of personal data, and it needs a lawful basis before it happens: consent (Article 12) or one of the bases of Article 13. That choice is not made once for "the AI"; it is made for each purpose the data serves. The consent or legitimate interest decision applies here in full.

Once that is settled, adoption opens a set of checkpoints that a general privacy policy usually does not cover.

The checkpoints AI triggers

Four issues concentrate most of the exposure. Each has its own rule, and skipping any one is where problems usually start.

Sensitive data

Express consent

Health, biometric or other sensitive data cannot ride on legitimate interest: Article 16 requires the data subject's express consent, with narrow exceptions. Much customer data is more sensitive than it looks at first glance.

International transfer

The provider abroad

If the tool processes data on servers outside Chile, the international-transfer regime applies. See international transfers for when it proceeds and under what safeguards.

Automated decisions

Human intervention

Article 8 bis lets the data subject object to decisions based solely on automated processing that significantly affect them, and requires transparency, human intervention and a right to challenge.

High risk

Impact assessment

Large-scale, sensitive or profiling uses can require a prior impact assessment. See impact assessment for when the law demands one.

Put together, these checkpoints separate a defensible use of AI from a careless one.

Defensible use versus careless use

The same tool can be perfectly compliant or plainly unlawful depending on how the data reaches it.

Defensible

A lawful basis chosen per purpose, an enterprise agreement with the provider that limits use of the data, transfer safeguards, a documented risk assessment, and human review of decisions that affect people. The use is planned, and it can be proven.

Careless

An employee pastes customer records into a public consumer tool, with no basis, no contract, no idea where the data is processed and no record of the decision. It is fast, invisible, and the most common source of a breach with AI.

From rule to implementation

Doing this well is a governance task, not a one-off permission. See implementing AI in your company and the AI and business framework, and note that a serious data failure with AI also reaches the board\'s duty of care.

Adopting AI without a data plan?

The gap between a productivity gain and an infraction is the lawful basis, the provider contract and the risk assessment. The data-law diagnosis reviews your intended AI use against Law 21.719 and defines the conditions under which it holds.

Request a data-law diagnosis

Frequently asked questions

Can I paste customer data into ChatGPT or another AI?

Not without a basis that allows it. Entering customers' personal data into an AI tool is a processing activity and needs a lawful basis under Article 12 or 13, a defined purpose and, depending on the case, additional safeguards. Pasting data into a public consumer tool, with no contract and no control over what happens to that information, is the most common way to breach.

Does legitimate interest work to train or use AI with data?

It can work for some processing, but it is not a blank check. Article 13(d) requires the processing to be necessary for the legitimate interest and not to affect the data subject's rights, with a documented balancing test. It does not apply to sensitive data: Article 16 requires express consent. The basis must be chosen processing by processing, not for "the AI" in the abstract.

Is using a foreign AI an international transfer?

In practice, often yes. If the tool processes the data on servers outside Chile, the law's international-transfer regime applies, with its safeguards. It is one of the points most often overlooked when adopting cloud-based AI tools.

What if the AI makes decisions about people?

Article 8 bis grants the data subject the right to object and not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect them. The controller must ensure transparency, human intervention and the ability to challenge the decision.

When do I need an impact assessment?

When the use of AI involves processing that may produce a high risk to data subjects' rights, the law requires a prior impact assessment. Large-scale data use, sensitive data or automated profiling are typical scenarios that trigger it.

Official sources

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.