Can I Use AI (or ChatGPT) with Customer Data?
Yes, but not freely. Putting customer personal data into an AI tool is a processing activity under the Data Protection Law, and it drags in a lawful basis, purpose limits, international transfers, sensitive-data rules and automated-decision safeguards. The question is not whether AI is allowed, but under what conditions.
This page frames what the Data Protection Law demands before a company feeds personal data into AI: that this is processing and needs a basis, the checkpoints that adoption triggers, the line between a defensible use and a careless one, and how to set it up under real governance. It closes with the questions teams ask when a tool lands on their desk.
Using AI with personal data is processing data
The starting point is simple and often skipped: the tool changes, the legal category does not.
Entering a customer\'s name, contract, history or any identifying data into an AI system is processing of personal data, and it needs a lawful basis before it happens: consent (Article 12) or one of the bases of Article 13. That choice is not made once for "the AI"; it is made for each purpose the data serves. The consent or legitimate interest decision applies here in full.
Once that is settled, adoption opens a set of checkpoints that a general privacy policy usually does not cover.
The checkpoints AI triggers
Four issues concentrate most of the exposure. Each has its own rule, and skipping any one is where problems usually start.
Express consent
Health, biometric or other sensitive data cannot ride on legitimate interest: Article 16 requires the data subject's express consent, with narrow exceptions. Much customer data is more sensitive than it looks at first glance.
The provider abroad
If the tool processes data on servers outside Chile, the international-transfer regime applies. See international transfers for when it proceeds and under what safeguards.
Human intervention
Article 8 bis lets the data subject object to decisions based solely on automated processing that significantly affect them, and requires transparency, human intervention and a right to challenge.
Impact assessment
Large-scale, sensitive or profiling uses can require a prior impact assessment. See impact assessment for when the law demands one.
Put together, these checkpoints separate a defensible use of AI from a careless one.
Defensible use versus careless use
The same tool can be perfectly compliant or plainly unlawful depending on how the data reaches it.
Defensible
A lawful basis chosen per purpose, an enterprise agreement with the provider that limits use of the data, transfer safeguards, a documented risk assessment, and human review of decisions that affect people. The use is planned, and it can be proven.
Careless
An employee pastes customer records into a public consumer tool, with no basis, no contract, no idea where the data is processed and no record of the decision. It is fast, invisible, and the most common source of a breach with AI.
From rule to implementation
Doing this well is a governance task, not a one-off permission. See implementing AI in your company and the AI and business framework, and note that a serious data failure with AI also reaches the board\'s duty of care.
Adopting AI without a data plan?
The gap between a productivity gain and an infraction is the lawful basis, the provider contract and the risk assessment. The data-law diagnosis reviews your intended AI use against Law 21.719 and defines the conditions under which it holds.
Request a data-law diagnosisFrequently asked questions
Can I paste customer data into ChatGPT or another AI?
Not without a basis that allows it. Entering customers' personal data into an AI tool is a processing activity and needs a lawful basis under Article 12 or 13, a defined purpose and, depending on the case, additional safeguards. Pasting data into a public consumer tool, with no contract and no control over what happens to that information, is the most common way to breach.
Does legitimate interest work to train or use AI with data?
It can work for some processing, but it is not a blank check. Article 13(d) requires the processing to be necessary for the legitimate interest and not to affect the data subject's rights, with a documented balancing test. It does not apply to sensitive data: Article 16 requires express consent. The basis must be chosen processing by processing, not for "the AI" in the abstract.
Is using a foreign AI an international transfer?
In practice, often yes. If the tool processes the data on servers outside Chile, the law's international-transfer regime applies, with its safeguards. It is one of the points most often overlooked when adopting cloud-based AI tools.
What if the AI makes decisions about people?
Article 8 bis grants the data subject the right to object and not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect them. The controller must ensure transparency, human intervention and the ability to challenge the decision.
When do I need an impact assessment?
When the use of AI involves processing that may produce a high risk to data subjects' rights, the law requires a prior impact assessment. Large-scale data use, sensitive data or automated profiling are typical scenarios that trigger it.
Official sources
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business