Is OpenAI GDPR Compliant?

Image of Iron Brands

Publié le 14 juil. 2025 par Iron Brands

Ce contenu n'est pas encore traduit en français. Vous trouverez ci-dessous la version anglaise.

TL;DR

Partially, but with serious caveats. OpenAI provides GDPR-aligned structures: Data Processing Addendum for enterprise/API customers, data residency controls, security certifications (SOC 2, CSA STAR), and incident response—but it has been fined €15 million by Italy’s regulator and faces ongoing complaints.

  1. OpenAI’s GDPR Compliance Framework
  2. Enforcement & Compliance Risks
  3. Implementation Considerations
  4. Who Should Care?
  5. Notable Resources
  6. General Caveat
  7. Final Thoughts
Logo of the Government of the United KingdomThe UK Government chose Simple AnalyticsJoin them

OpenAI’s GDPR Compliance Framework

1. Data Processing Addendum & Contracts

OpenAI offers a GDPR-ready Data Processing Addendum (DPA) for API, ChatGPT Enterprise, Team, and Edu users, incorporating terms like instructions-only processing, confidentiality, breach notification, subprocessor vetting, and cooperation in audits. [www.openai.com]

2. Security Certifications & Measures

The services are covered under SOC 2 Type 2, CSA STAR compliance, encrypted in transit and at rest (AES-256/TLS), along with continuous third-party penetration testing.

3. Data Residency & Retention Controls

Eligible customers (Enterprise, Edu, API) can select regional data residency (e.g. Europe), manage retention policies, or opt for no data retention at all.

4. Processor Role & Customer Responsibility

OpenAI acts as a processor. Under GDPR, customers (controllers) must manage consent, configure retention, and respond to data subject requests. The DPA explicitly places configuration responsibilities on customers.

Enforcement & Compliance Risks

  • €15 million fine (December 2024) by Italy’s Garante for processing EU users’ personal data without sufficient legal basis, transparency, or age verification measures; led to a temporary ChatGPT ban in Italy. [www.reuters.com]

  • NOYB complaints: Austrian advocacy group filed GDPR complaints over ChatGPT’s refusal to correct inaccurate personal data—even after it returned false personal details without correction options.[www.theverge.com]

  • Ongoing regulatory scrutiny: Italy’s Garante and the Irish DPC are investigating model training data, age checks, consent, and data subject request handling.

Implementation Considerations

To use OpenAI GDPR-compliantly:

  • Execute the DPA and ensure SCCs/data residency are enabled.
  • Configure retention settings, potentially opting for zero retention.
  • Obtain lawful basis (e.g. consent) for processing user data—especially sensitive or minor data. Ensure age checks are active.
  • Inform users properly, including model training policies and data use notices.
  • Set up DSAR procedures via API/admin tools and ensure OpenAI cooperation.
  • Monitor legal developments, and implement corrective actions as required by regulators.

Who Should Care?

  • Companies embedding the OpenAI API: You must manage controller responsibilities, consent, retention, disclosures.
  • Enterprise/Edu deployment teams: Must use regional storage, configure security settings, and integrate DSAR tools.
  • Legal and privacy teams: Must oversee age verification, lawful basis, and emerging regulatory mandates from Italy, EU, and privacy advocacy groups.

Notable Resources

  1. OpenAI Security & Privacy page (certifications, DPA, compliance features)
  2. OpenAI Data Processing Addendum details
  3. Italy’s €15 million GDPR fine report
  4. NOYB complaint history and regulatory actions
  5. Italy’s regulatory action on ChatGPT ban and fine

General Caveat

This summary is based on current publicly available information and is not legal advice. OpenAI offers GDPR-aligned contracts and controls, but unresolved enforcement matters—particularly around data accuracy, consent, minors, and model training—highlight significant risks. Customers must carefully implement these features and monitor regulatory developments.

Final Thoughts

OpenAI's enterprise offerings include the necessary legal and technical structures for GDPR compliance: DPA, contracts, encryption, and regional controls. Yet, regulatory penalties—especially the €15 million fine—and active complaints expose key compliance gaps in transparency, data accuracy, age verification, and user rights. Fully GDPR-compliant use depends on robust customer governance, transparency with users, configuration of tools, and adherence to evolving regulatory rulings.

GA4 est complexe. Essayez Simple Analytics

GA4, c'est comme être assis dans le cockpit d'un avion sans licence de pilote

Commencer gratuitement maintenant