The essentials in 30 seconds
- AI that uses personal data is data processing: it needs a lawful basis, a defined purpose, and minimization, just like any other system.
- ARSOP rights (Access, Rectification, Suppression, Opposition, Portability) remain in force and extend to profiling and to the scores the model generates.
- Transparency toward data subjects is key: they must be able to understand that AI is used with their data and for what purpose.
- For high-risk uses, it is advisable to run an Impact Assessment (DPIA) before putting the model into production.
- Full enforcement begins on December 1, 2026, led by the Personal Data Protection Agency, with fines that can reach up to 20,000 UTM.
The adoption of artificial intelligence is advancing faster than clarity about its legal limits. Many Chilean companies already train models, automate decisions, or segment customers with AI, but few have stopped to review what data protection obligations this technology carries under Law 21.719, published on December 13, 2024, with full enforcement starting December 1, 2026. If you want the full legal picture, start with the definitive guide to Law 21.719.
The good news is that the law does not prohibit using AI with personal data. What it requires is doing so under clear rules: a basis that legitimizes the processing, an explicit purpose, minimal data, transparency with people, and respect for their rights. Building AI with trust is, at its core, a competitive advantage.
Using AI with personal data is data processing
Law 21.719 regulates any operation on personal data: collecting it, storing it, analyzing it, combining it, or using it to make decisions. Artificial intelligence is no exception. If an AI system consumes data about identified or identifiable people, it is processing data and falls within the scope of the law.
This covers scenarios that differ widely from one another. It does not matter whether the processing happens inside a statistical model or a neural network: from a legal standpoint, it is still processing that requires justification, purpose, and safeguards. The law, inspired by the European GDPR framework, starts from a principle of proactive accountability: the company must be able to demonstrate that it complies, not merely claim it.
That is why the first step is not technical but a matter of governance: mapping where AI touches personal data within the organization and documenting it.
- Training models with data about customers, users, or employees.
- Profiling or segmenting people based on their behavior or characteristics.
- Calculating scores for risk, credit, fraud, or purchase propensity.
- Automated service through chatbots or assistants that process queries with personal data.
Lawful basis, defined purpose, and minimization
Before feeding a model with personal data, the organization needs a lawful basis that legitimizes that use. Having access to the data is not enough: you must be able to explain why its processing is lawful, whether through the person's consent, a contractual relationship, a legal obligation, or another applicable basis.
To that basis we add the principle of purpose. Data is collected for a specific purpose and should not be reused to train a model for a different purpose without reviewing whether that new purpose is compatible or requires a new basis. Repurposing historical data to feed AI is one of the points where most companies stumble.
Minimization completes the picture: the model should use only the data necessary for its objective. Accumulating variables 'just in case' increases risk and weakens compliance. Less data, well justified, usually means better AI and less exposure.
Transparency and ARSOP rights over profiling
People have the right to understand, in comprehensible terms, what is being done with their data. When AI is involved, transparency means clearly informing them that automated systems are used, for what purpose, and what type of processing they perform, avoiding opaque or purely technical explanations that no one can interpret.
The ARSOP rights recognized by Law 21.719 (Access, Rectification, Suppression or Cancellation, Opposition, and Portability) remain fully in force when AI is involved. The data subject can request access to the data the system uses, rectify incorrect information that influences a profile, object to certain processing, or request the suppression of their data.
This has a direct operational consequence for profiling: if a model generates profiles or scores from personal data, those results also fall within the scope of the data subject's rights. The company must be in a position to locate, explain, and correct what the system knows about each person.
- Visibly disclose when a decision or service relies on automated systems.
- Maintain a clear and functional channel for exercising ARSOP rights.
- Make sure you can trace which data feeds a profile so you can rectify or suppress it.
- Document the purpose of profiling so you can respond transparently to a request.
Impact Assessment (DPIA) for high-risk uses
Not all uses of AI carry the same level of risk. An internal search engine that ranks results is not comparable to a model that decides who gets access to a loan or that evaluates candidates in a hiring process. For high-risk processing, Law 21.719 provides for the Data Protection Impact Assessment (DPIA).
A DPIA is a prior analysis that helps identify and mitigate the risks a system may pose to people's rights. Applied to AI, it allows you to anticipate problems before the model goes into production, rather than discovering them once it has already caused harm or a complaint.
Conducting a DPIA also reinforces proactive accountability: it leaves evidence that the organization assessed the risks and took measures. That documentation is valuable before the Personal Data Protection Agency and, above all, before your own customers.
- Profiling or scoring that affects significant decisions about people.
- Large-scale processing of data or of sensitive data through AI.
- Systems that evaluate, classify, or predict the behavior of individuals.
- Models whose outputs influence access to a service, a job, or a benefit.
Sensitive data and bias: the two critical risks
Sensitive data (such as health, origin, beliefs, or data that reveals intimate aspects of a person) deserves reinforced care when it enters an AI model. It is worth asking whether the system really needs it and, if so, surrounding it with stricter safeguards. Often, sensitive information can be inferred from seemingly neutral data, and that inference counts as well.
The second major risk is bias. A model trained on imbalanced data can reproduce or amplify discrimination, harming certain groups in a score, a recommendation, or an automated decision. Bias is not just a technical or reputational problem: it directly affects the rights of the very people the law seeks to protect.
That is why managing data quality, reviewing results by group, and maintaining human oversight over the model's outputs are not luxuries, but part of a responsible and compliant use of AI.
Building AI with trust: governance and key roles
Complying with Law 21.719 when using AI is not solved with a single adjustment, but with sustained governance. The Record of Processing Activities (RAT) helps you maintain visibility into what each system does with which data; the role of the DPO provides expert and ongoing oversight; and the relationship between controller and processor requires setting out the safeguards by contract when third-party providers or models are used.
Added to this is the duty to notify security breaches. If an incident compromises the data that feeds or is produced by an AI system, the organization must be prepared to detect it and react in accordance with the law. Prior preparation makes the difference between an orderly response and a crisis.
The horizon is concrete: full enforcement begins on December 1, 2026, and fines can reach up to 5,000, 10,000, or 20,000 UTM depending on the severity of the infringement. But beyond the penalty, AI governed with data protection principles generates something no fine can buy: the trust of those who hand over their data.
- Record in the RAT the processing activities in which AI is involved.
- Appoint or consult a DPO to oversee compliance on an ongoing basis.
- Formalize safeguards by contract with processors and model providers.
- Define a breach detection and notification protocol that covers your AI systems.
Bring your AI into compliance with Law 21.719
At AlayIAtrust we help Chilean companies assess their artificial intelligence systems, define lawful bases, run the DPIA where appropriate, and build data governance before December 1, 2026. Let's talk about your case and design AI that your customers can trust.
Frequently asked questions
Does Law 21.719 prohibit using artificial intelligence with personal data?
No. The law does not prohibit AI; it subjects it to the same rules as any other data processing. You can train models, profile, or automate service as long as you have a lawful basis, a defined purpose, use the minimum data necessary, are transparent with people, and respect their ARSOP rights.
Do ARSOP rights apply to the profiling done by an AI model?
Yes. The rights of Access, Rectification, Suppression, Opposition, and Portability remain in force when AI is involved. If a system generates profiles or scores from personal data, the data subject can access that information, correct erroneous data that influences their profile, object to certain processing, or request its suppression.
When do I need a DPIA for an artificial intelligence project?
It is advisable to conduct a Data Protection Impact Assessment when the use of AI is high-risk for people's rights, for example in profiling or scoring that affects significant decisions, the processing of sensitive data, or systems that evaluate or predict individuals' behavior. The DPIA helps anticipate and mitigate risks before putting the model into production.
What about sensitive data and bias in AI models?
Sensitive data requires reinforced care: first review whether the model really needs it and, if so, apply stricter safeguards. In parallel, you must watch for bias, because a model trained on imbalanced data can discriminate against certain groups and affect their rights. Controlling data quality, reviewing results by group, and maintaining human oversight are essential measures.