Implementing artificial intelligence in the company
Contractual framework, impact assessment and technical architecture under Law 21,719. An applied case study on deploying Claude and ChatGPT across Chilean organizations.
The operational scenario
An employee opens an AI assistant and pastes a client email, an internal balance sheet, or a medical record. The action takes seconds. The data processing it just triggered, by contrast, activates obligations under Law 21,719 that the company has not necessarily analyzed: lawful basis, processor contract, international transfer, impact assessment, and the duty to inform data subjects. The operational question is not whether to use AI inside the organization, but under what contractual, technical, and governance conditions it can be done without triggering the sanctions of Title VIII.
Five exposure fronts
Each interaction with an AI assistant simultaneously triggers five distinct obligations under Law 21,719. A company that misses even one of these fronts is non-compliant, even if every other one is resolved.
Lawful basis (article 12)
- Identify the enabling basis before processing begins.
- Consent, contractual performance, legitimate interest, or legal obligation.
- Document the decision in the record of processing activities.
Processor (articles 15 and following)
- Written contract with the AI vendor.
- Purpose, duration, technical measures, and regulated sub-processors.
- Without a DPA or equivalent instrument, the controller breaches article 15.
International transfer (Title VII)
- Most vendors are domiciled outside Chile.
- Verify adequate level of protection or approved standard clauses.
- Document the safeguard applied to each data flow.
Impact assessment, DPIA (article 15 quinquies)
- Mandatory when processing involves profiling or high risk.
- Systematic use of AI on personal data typically meets the trigger.
- Run the DPIA before processing begins, not after.
Duty to inform (article 14 ter)
- Inform the data subject about the use of AI.
- Disclose purpose, logic involved, and foreseeable consequences.
- Update privacy notices and workforce-facing notices accordingly.
Same vendor, two compliance positions
The line between compliant and non-compliant runs through the tier purchased, not the vendor. The same brand can offer a defensible service under Law 21,719 and an unviable one at the same time.
| Product tier | Contractual instrument | Training on customer data | Position under Law 21,719 |
|---|---|---|---|
| ChatGPT Free / Plus | Consumer terms | Manual opt-out, not contractual | Insufficient |
| ChatGPT Enterprise / Team | DPA available | Contractually prohibited | Defensible |
| Claude.ai Free / Pro / Max | Consumer terms | Manual opt-out, not contractual | Insufficient |
| Claude API (Console / Build / Scale) | API Commercial Terms | Contractually prohibited by default | Defensible |
| Claude for Work / Enterprise | DPA + enterprise terms | Contractually prohibited | Defensible |
The Claude API Commercial Terms state: "Anthropic may not train models on Customer Content from Services." That clause does not apply to consumer plans.
Worked case: deploying Claude at an insurance company
Hypothesis: an insurance company with 400 employees plans to enable Claude for email analysis, policy summaries, and communication drafts. The deployment will process personal data and, eventually, sensitive health data.
Data and flow mapping
Before any contractual decision, identify which personal data will leave the company's systems, where to, for what purpose, and under which lawful basis.
Key elements
- Source inventory: CRM, corporate email, policy management system.
- Categories: identifying data, financial data, sensitive health data.
- Record of processing activities updated under article 19.
Tier selection and instrument signing
Rule out the consumer tier. Procure Claude API or Claude for Work. Sign the DPA. Negotiate a specific addendum for sensitive data where applicable.
Key elements
- Defensible tier: API or Enterprise, never a personal account.
- DPA in force before processing begins.
- Security annex and sub-processor list verified.
Impact assessment and prior consultation
Complete the DPIA under article 15 quinquies. Identify residual risks. If high residual risk persists despite mitigation, prior consultation with the Personal Data Protection Agency is mandatory.
Key elements
- Systematic description of processing and its purposes.
- Assessment of necessity, proportionality, and risks.
- Mitigation: pseudonymization, access control, minimum retention.
Governance, internal policy, and monitoring
Acceptable-use policy approved by the board. Mandatory training. Monitoring mechanisms to detect prohibited use. Periodic review of vendor and architecture.
Key elements
- Policy listing authorized and prohibited data by sensitivity level.
- Audit log of interactions for sensitive cases.
- Annual review with the data protection officer.
The contractual triangle
Three instruments frame the company's legal position vis-à-vis the AI vendor. None substitutes for another.
Data Processing Addendum (DPA)
The instrument required by article 15 of Law 21,719 to configure the controller-processor relationship. It governs processing purpose, duration, technical and organizational measures, sub-processors, assistance with data subject rights, and return or destruction of data at the end of the service. It is the most frequently missing document in companies that already have AI in production.
API Commercial Terms
Baseline service clauses. They define data ownership, retention and training restrictions. The Claude API Commercial Terms expressly state: "Anthropic may not train models on Customer Content from Services." The clause applies uniformly to all API customers and stands as a contractually verifiable provision, not a marketing promise.
HIPAA Business Associate Agreement (BAA)
An instrument specifically designed for protected health information under HIPAA. It has no direct equivalent under Law 21,719: here it functions as a reference, not as a local obligation. As of this publication, Anthropic has not released an instrument dedicated to Law 21,719, and the HIPAA BAA is the most demanding contract it publishes. For that reason it serves as a reasonable proxy for the contractual standard a Chilean company should require when processing sensitive data within the meaning of article 2 letter g) of Law 21,719: ceilings on vendor use, data segregation, audit controls, and verifiable deletion. It covers Claude Enterprise (primary chat, Projects, Artifacts, Skills), the Messages API, and Claude Code with Zero Data Retention enabled; it excludes Free, Pro, Max, and Team. The operational step, while no dedicated instrument exists, is to require the vendor to sign a DPA with reinforced security annexes that approach the BAA standard.
Impact assessment in practice
The DPIA under article 15 quinquies is not a formality. It is the document that demonstrates the company thought through the processing before initiating it.
Systematic description
Detail the processing, its purposes, the data flows to the vendor, and the technical architecture. Without this foundation, no necessity or risk judgment is defensible.
Necessity and proportionality
Justify why AI is the appropriate solution for the goal pursued and why no less intrusive alternative exists. This is where regulatory pushback typically lands first.
Risk identification
Confidentiality loss, erroneous decisions with significant effects, re-identification of pseudonymized data, foreign-vendor dependency, leakage through employees.
Measures and residual risk
Document mitigation measures, their effectiveness, and the residual risk. Where residual risk remains high, prior consultation with the Personal Data Protection Agency applies.
Architecture and monitoring
The contract governs the relationship. The architecture governs reality. A company that signs the DPA and deploys the service on a tier without access controls or logging remains exposed regardless.
Isolation by commercial tier
Block personal-account use through identity policies. Enable federated login with the corporate directory. Without this control, the tier procured loses force in practice.
Control of outbound data
Filters that detect sensitive patterns before submission to the vendor. Block lists for critical fields. Human review for cases defined by the internal policy.
Logging and audit
A log of every interaction that touches personal data, with user identifier, declared purpose, and data category. Without a log, there is no evidence for a data-subject request or for regulatory scrutiny.
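The two controls above, a pre-submission filter and an audit log that never stores the data itself, fit in one small gateway that sits between the employee and the vendor API. The following is an added example written for this article, not code from the original page or from any vendor; the RUT and e-mail detectors, the health-term block list, the HMAC-based pseudonymization, the demo key and the log schema are all assumptions chosen for the insurance scenario, and a real deployment would keep the key in a secrets store and tune the detectors to its own data inventory.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed detectors (assumption): a Chilean RUT with check digit, an e-mail
# address, and a small block list of health terms for the insurance scenario.
RUT_RE = re.compile(r"\b(\d{1,2}(?:\.?\d{3}){2})-([\dkK])\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HEALTH_TERMS = ("diagnóstico", "diagnosis", "tratamiento", "treatment", "oncolog", "vih", "hiv")

# Demo pseudonymization key (assumption): in production this lives in a KMS/secret store.
PSEUDO_KEY = b"rotate-me-this-is-a-demo-key"


def rut_check_digit(body: str) -> str:
    """Modulus-11 check digit for a RUT body (digits only, no dots)."""
    total, weight = 0, 2
    for ch in reversed(body):
        total += int(ch) * weight
        weight = 2 if weight == 7 else weight + 1
    rem = 11 - (total % 11)
    return {11: "0", 10: "K"}.get(rem, str(rem))


def is_valid_rut(body: str, dv: str) -> bool:
    return rut_check_digit(body.replace(".", "")) == dv.upper()


def pseudonymize(value: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed, deterministic token: the same identifier maps to the same token across
    prompts, so the vendor sees consistent references but never the real value."""
    return "TOKEN_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def screen_prompt(text: str, user: str, purpose: str) -> dict:
    """Pre-submission filter plus audit record.

    Returns the decision ('allow', 'allow_redacted', 'block'), the text that may
    be sent to the vendor, and the log entry (which never stores raw data).
    """
    categories = set()
    redactions = 0

    def sub_rut(m):
        nonlocal redactions
        body, dv = m.group(1), m.group(2)
        if not is_valid_rut(body, dv):
            return m.group(0)  # check digit fails: not a real RUT, leave it alone
        categories.add("identifying")
        redactions += 1
        return pseudonymize(body.replace(".", "") + "-" + dv.upper())

    def sub_email(m):
        nonlocal redactions
        categories.add("identifying")
        redactions += 1
        return pseudonymize(m.group(0).lower())

    redacted = RUT_RE.sub(sub_rut, text)
    redacted = EMAIL_RE.sub(sub_email, redacted)

    if any(term in text.lower() for term in HEALTH_TERMS):
        categories.add("sensitive_health")

    if "sensitive_health" in categories:
        decision = "block"  # policy: sensitive health data goes to human review, never straight out
    elif redactions:
        decision = "allow_redacted"
    else:
        decision = "allow"

    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "purpose": purpose,
        "categories": sorted(categories),
        "redactions": redactions,
        "decision": decision,
        # digest lets a later data-subject request be matched without storing the content
        "prompt_digest": hashlib.sha256(text.encode()).hexdigest()[:16],
    }
    return {"decision": decision, "redacted": redacted if decision != "block" else "", "log": entry}


if __name__ == "__main__":
    # Constructed sample prompts for the insurance scenario.
    for prompt in (
        "Resume la póliza del cliente 12.345.678-5, contacto ana@example.cl",
        "Redacta respuesta sobre el diagnóstico oncológico del asegurado 11.111.111-1",
        "Resume la reunión del comité de riesgos del martes",
    ):
        result = screen_prompt(prompt, user="jdoe@aseguradora.cl", purpose="policy-summary")
        print(json.dumps(result["log"], ensure_ascii=False))
        print("  ->", result["decision"], "|", result["redacted"])
```

The log entry carries the user identifier, declared purpose and data category called for above, plus a digest of the prompt so a data-subject request can be matched to an interaction without the log itself becoming a second copy of the personal data. Validating the RUT check digit before redacting keeps the filter from tokenizing every eight-digit number, and the keyed token means the same client is referred to consistently across prompts without the vendor ever receiving the real identifier.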
Residency and transfer
Configure the vendor region where possible. Document the Title VII safeguards applicable to each flow. Residency in an adequate jurisdiction does not eliminate the transfer, but limits its reach.
Compliance maturity levels
An organization's capacity to sustain AI use under Law 21,719 evolves in stages. Identifying the current level is the first step toward planning the next.
Ungoverned use
Employees on personal accounts. No policy. No contract. No DPIA. Each interaction is a potential breach of Title II. As of June 2026 this is the most common position among companies that have not yet addressed AI.
Basic policy and consumer-tier block
Internal communication prohibiting personal accounts. A single commercial tier enabled. DPA not yet signed. Reduces noise; does not resolve compliance.
Complete contractual framework
DPA signed. Commercial terms reviewed by legal. Initial DPIA completed. Acceptable-use policy approved. Mandatory training deployed.
Architecture and monitoring
Technical controls in production: identity federation, pre-submission filters, interaction logs. Periodic review with the data protection officer. KPIs reported to the audit committee.
Integrated AI governance
AI is part of the compliance program and the corporate governance fabric. The board receives periodic reports on use, risks, and incidents. Every new deployment passes a prior assessment. The company can answer regulatory scrutiny with a coherent dossier.
Compliance is not procured, it is built
A vendor with a DPA, an architecture with controls, and an organization with a policy are three simultaneous conditions. Holding only one means living with risk. The 1 December 2026 deadline accelerates the decision but does not change it: the obligations apply from the first day an employee types personal data into an AI assistant.
Frequently asked questions
Is it legal to use ChatGPT or Claude inside the company under Law 21,719?
Yes, provided the use rests on a commercial tier with the vendor, a current processor contract, an architecture that enables logging and audit, and an internal policy that limits authorized purposes and data. Use on consumer tiers, with personal accounts, does not meet the requirements of Title II of Law 21,719.
What happens if an employee uses a personal ChatGPT or Claude account for work?
The processing is attributed to the company as controller, not to the employee. The company is exposed to the Title VIII sanctions regime for the five Title II obligations it failed to meet: lawful basis, processor contract, international transfer, impact assessment, and duty to inform.
Does the Claude API clause prohibiting training equal a Data Processing Addendum?
No. The API Commercial Terms and the DPA are distinct instruments. Commercial Terms govern service provision and data ownership. The DPA specifically configures the controller-processor relationship required by articles 15 and following of Law 21,719. Both must be in force.
Is a DPIA mandatory for internal use of an AI assistant?
Usually yes. Systematic use over employee or client personal data typically meets at least one of the article 15 quinquies triggers under Law 21,719: large-scale processing, profiling with significant effects, or new high-risk technologies. The DPIA must be completed before processing begins.
What if the vendor does not publish an instrument dedicated to Law 21,719?
Request the Data Processing Addendum available for commercial customers and verify that its clauses cover the obligations of articles 15 and following. For US vendors, the most demanding contract they publish is usually the HIPAA Business Associate Agreement (BAA). That reference functions as a reasonable proxy for the contractual standard a Chilean company should require under Law 21,719 when processing sensitive data within article 2 letter g), and it guides the content of the reinforced security annexes to be negotiated on top of the DPA.