
ChatGPT and GDPR: Compliance Status

A practical compliance review of ChatGPT and GDPR in 2026, including OpenAI roles, user rights, business controls, regulator findings, and risk steps.


Last updated / checked: May 4, 2026. This article is general privacy information, not legal advice. GDPR status, OpenAI contracting entities, Data Processing Addenda, data residency options, sub-processors, and training controls can change, so businesses should verify the current OpenAI terms and get legal advice for their own processing activities.

ChatGPT is not a plug-and-play GDPR compliance guarantee. As of this check, OpenAI provides GDPR-relevant controls, a Europe privacy policy, a Data Processing Addendum for covered business customers, Standard Contractual Clauses for certain transfers, privacy request tools, data export and deletion paths, and business data commitments. Those tools can help ChatGPT fit inside a GDPR-compliant program when the user or organization configures it correctly and has a lawful basis for the data it enters. They do not make every ChatGPT use GDPR-compliant by default. Consumer use, employee use, sensitive data, model training settings, international transfers, and data subject requests all need separate review.

ChatGPT’s GDPR compliance status in plain English

The short version: ChatGPT has GDPR-supporting features, but OpenAI does not give ordinary users a blanket certificate that every use of ChatGPT complies with GDPR. OpenAI’s enterprise materials describe controls that can support compliance with GDPR and other privacy laws, which is narrower than saying every deployment is compliant automatically.[6]

This distinction matters because GDPR compliance depends on the full processing activity. That includes who decides the purpose, what personal data is entered, the lawful basis, the notice given to people, the retention period, whether special category data is involved, how data subject requests are handled, and whether transfers outside Europe are covered. ChatGPT is one system inside that chain, not the whole chain.

For an individual using ChatGPT, the main question is privacy control. You should understand whether your chats may be used to improve models, how to export or delete data, and when not to enter personal information. For a company, the main question is governance: lawful basis, internal policy, vendor review, a Data Processing Addendum where available, and a clear rule for what employees may submit.

OpenAI’s Help Center says signed-in ChatGPT users can turn off “Improve the model for everyone” in Data Controls, and that conversations remain in chat history but are not used to train ChatGPT when that setting is off.[3] OpenAI also says Temporary Chats are deleted from its systems after 30 days, are not used to train models, may be reviewed only to monitor abuse, and do not create memories.[3]

Those settings are useful, but they are not the same as a corporate GDPR program. If you paste customer records, employee evaluations, medical notes, payroll details, legal files, or children’s data into consumer ChatGPT, you may create a compliance issue even if ChatGPT itself offers privacy settings. For practical privacy basics beyond GDPR, read ChatGPT Privacy and Does ChatGPT Save Your Data?.


Controller, processor, and why the account type matters

GDPR roles are the first compliance question. The European Commission explains that a controller determines why and how personal data is processed, while processor duties must be set out in a contract or other legal act.[12] In ChatGPT terms, the answer usually depends on whether you are using a consumer account, a business workspace, or the API.

For individual users in the European Economic Area and Switzerland, OpenAI identified OpenAI Ireland Limited as the entity providing services like ChatGPT from February 15, 2024.[1] OpenAI’s Europe privacy policy also identifies OpenAI Ireland Limited as the controller for users in the EEA and Switzerland.[2] UK users are treated differently under OpenAI’s published entity description, so European compliance should not be reduced to one global rule.[1]

For covered business use, the analysis changes. OpenAI’s Data Processing Addendum says OpenAI acts as a data processor on the customer’s behalf when processing Customer Data to provide the services under the agreement.[7] The same DPA says the customer may submit personal data depending on its own use, including names, contact information, demographic information, or other information provided in unstructured data.[7]

Use case: Consumer ChatGPT
  Typical GDPR role pattern: OpenAI is generally the controller for its own consumer service in covered European regions.
  Training posture: User data controls affect whether chats help improve models.
  Main compliance work: Use privacy settings, avoid unnecessary personal data, and use export or deletion tools when needed.

Use case: Business workspace
  Typical GDPR role pattern: The customer often acts as controller, and OpenAI may act as processor under the DPA.
  Training posture: OpenAI says business-plan and API data are not used for training by default unless the customer opts in.[6]
  Main compliance work: Execute the right agreement, configure workspace controls, train staff, document lawful basis, and keep vendor records.

Use case: API integration
  Typical GDPR role pattern: The developer or organization usually controls the product purpose and user notice.
  Training posture: OpenAI says API data is not used for training by default unless the customer opts in.[6]
  Main compliance work: Build user-facing notices, retention rules, access controls, logging, and DSAR workflows.

The table is a practical orientation tool, not legal advice. The same company can be a controller for one processing activity and a processor for another. If your organization uses ChatGPT to summarize customer support tickets, review HR notes, process health-related text, or draft decisions about people, your legal and security teams should map the exact processing before deployment. Our guides on ChatGPT Data Protection Practices, Does ChatGPT Share Your Data?, and Is ChatGPT Safe to Use Personal Data In? cover related operational questions.


What OpenAI provides for GDPR compliance

OpenAI provides several GDPR-relevant building blocks. They are useful only when matched to the right account type, contract, region, and processing purpose.

Privacy controls for ChatGPT users

OpenAI’s Data Controls FAQ says signed-in users can turn off model training by opening Settings, going to Data Controls, and turning off “Improve the model for everyone.”[3] The same source says the setting applies across the account, regardless of which device is used.[3]

OpenAI also offers data export tools. Its Help Center says users can request a copy through the Privacy Portal or through ChatGPT settings, and that the export includes chat history and other relevant account data.[4] It also says the export email link expires after 24 hours and that exports can take up to 7 days to arrive.[4]

Deletion is separate from export. OpenAI says deleting an account is permanent and that it will delete account data within 30 days, except that it may retain a limited set of data for longer where required or permitted by law.[5] OpenAI also says deleted chats are hard deleted from its systems within 30 days unless they were already de-identified and disassociated from the account, or must be kept for security or legal reasons.[5]

Data transfers and SCCs

OpenAI’s Europe privacy policy says it processes personal data on servers outside the EEA, Switzerland, and the UK, including in the United States and other places where its affiliates, partners, vendors, or service providers are located.[2] The same policy says OpenAI relies on adequacy decisions for certain countries and Standard Contractual Clauses for other jurisdictions.[2]

For business customers, OpenAI’s DPA defines SCCs as the standard contractual clauses adopted by the European Commission on June 4, 2021.[7] The DPA also states that SCC Module Two applies when the customer is a controller and OpenAI processes Customer Data as a processor, while Module Three applies when the customer is a processor and OpenAI is a sub-processor.[7]

Data residency and sub-processors

OpenAI has announced at-rest data residency options for eligible API customers and new ChatGPT Enterprise and Edu workspaces, starting with European residency and later extended to additional regions. OpenAI described the covered stored content as including user prompts, uploaded files, and content across text, vision, and image modalities.[6] Because residency availability can depend on plan, region, workspace creation date, and product surface, organizations should confirm the current setting before treating it as a control.

Sub-processors also matter. OpenAI publishes a sub-processor list covering services such as API, ChatGPT Enterprise, ChatGPT Edu, and ChatGPT Business, with information about processing location and purpose.[8] The list also says that, for content flagged as violating OpenAI policies, OpenAI may share samples of flagged customer content with relevant sub-processors to assist in review and enforcement.[8]

These controls do not remove the need for security review. You still need to know whether your data is encrypted, retained, shared, or stored in a location that fits your risk model. Start with Is ChatGPT Encrypted End-to-End?, ChatGPT Data Centers and Storage, and Does ChatGPT Save Your Chats?.


Open questions and regulator history

GDPR risk around ChatGPT has not been purely theoretical. The European Data Protection Board published a ChatGPT Taskforce report on May 24, 2024.[9] The report said several supervisory authorities had started GDPR investigations against OpenAI for processing operations carried out in the context of ChatGPT.[9] It also said OpenAI had a single establishment in the European Union from February 15, 2024, which affected the GDPR one-stop-shop framework for cross-border processing.[9]

The EDPB report is important because it rejects a simple “AI is different” defense. It states that controllers processing personal data in the context of large language models must take all necessary steps to ensure full GDPR compliance, and that technical impossibility cannot be invoked to justify non-compliance.[9]

Italy’s regulator later fined OpenAI 15 million euros after a probe into ChatGPT data collection, according to AP and Euronews reporting on December 20, 2024.[10][11] AP reported that the Italian authority said OpenAI processed users’ personal data to train ChatGPT without an adequate legal basis and violated transparency obligations, while OpenAI called the decision disproportionate and said it would appeal.[10]

This does not mean every current ChatGPT use violates GDPR. It does mean organizations should not treat OpenAI’s controls as a substitute for their own records, notices, risk assessments, and staff training. If your use involves children, health information, employment decisions, criminal allegations, financial data, or mental health conversations, the risk is higher. For related safety context, see ChatGPT privacy concerns you should know and ChatGPT and mental health.

The biggest unresolved issues are practical. Can you explain to a user what personal data was entered into ChatGPT? Can you remove or restrict it when required? Can you show the lawful basis for processing? Can you prove employees did not paste prohibited records into a personal account? Can you respond to a data subject request without manually searching thousands of unmanaged chats?

A practical GDPR checklist for ChatGPT users

Use this checklist before entering personal data into ChatGPT or allowing employees to do so. For regulated or high-risk data, treat it as a starting point for legal, privacy, and security review rather than a substitute for that review.

  1. Classify the data first. Identify whether the prompt contains customer, employee, child, health, financial, location, biometric, criminal-offense, or other sensitive material.
  2. Choose the correct account type. Do not use a personal ChatGPT account for regulated business records. Use an approved business workspace or API arrangement where your organization has reviewed the terms.
  3. Document the purpose and lawful basis. GDPR requires a reason for processing. “It was convenient” is not a compliance theory.
  4. Minimize the prompt. Remove names, account numbers, addresses, dates of birth, internal IDs, and any unnecessary facts before submission.
  5. Turn off training where appropriate. For consumer use, use ChatGPT Data Controls if you do not want chats to help improve models.[3] For business use, confirm the workspace or API training settings and contract terms.
  6. Keep human review in the loop. Do not treat ChatGPT output as an authoritative record about a person without verification.
  7. Plan for data subject rights. GDPR Article 12 requires a controller to act on certain rights requests without undue delay and in any event within one month, with a possible two-month extension for complex or numerous requests.[14]
  8. Record vendor and transfer safeguards. For business use, keep the DPA, SCC position, sub-processor review, and residency setting with your vendor records.
  9. Train employees. Give clear examples of prohibited prompts, approved workflows, and escalation paths.
  10. Audit periodically. Review saved chats, workspace settings, exports, deletion practices, user access, and whether the documented purpose still matches actual use.

Data subject request process, as illustrated: Request arrives → Verify identity → Locate ChatGPT data → Assess legal basis → Act and respond → Log outcome.
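As an added example (not code from chatai.guide or OpenAI), the following Python pre-filter shows one way an API integration can implement checklist step 4 and prepare for step 7: it replaces common direct identifiers with placeholders before a prompt leaves the organization, flags wording that may indicate special category data for human review, and keeps a local ledger keyed by data subject so the "Locate ChatGPT data" step of a rights request can be answered without searching raw chats. The regex patterns, the CUST-/EMP-/TKT- identifier scheme, the keyword list and the sample ticket text are all constructed assumptions. Regexes do not catch free-text names; those need a separate detection step or manual review.

```python
"""Prompt minimization before submission to a chat or API endpoint.

Constructed example: the patterns, the CUST-/EMP-/TKT- ID scheme, the
keyword list and the sample text are assumptions, not OpenAI's or the
guide's own code. Regexes do not catch free-text names; pair this with
a name-detection step or manual review for anything that matters.
"""
import re
from dataclasses import dataclass, field

# Order matters: DOB and internal IDs run before PHONE so that a date or an
# ID is not swallowed by the looser phone pattern.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("DOB", re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}[/.]\d{1,2}[/.]\d{4})\b")),
    ("INTERNAL_ID", re.compile(r"\b(?:EMP|CUST|TKT)-\d{3,}\b")),  # hypothetical ID scheme
    ("PHONE", re.compile(r"(?<![\w-])\+?\d[\d\s().-]{7,}\d(?![\w-])")),
]

# Words that often signal GDPR Article 9 special category data. A hit does not
# block the prompt; it routes the prompt to human review before submission.
SPECIAL_CATEGORY_TERMS = ("diagnosis", "prescription", "disability", "religion",
                          "trade union", "sexual orientation", "ethnic", "biometric")

# Local ledger: subject id -> list of {token, label, value}. In production this
# belongs in an access-controlled store with its own retention rule.
LEDGER: dict[str, list[dict]] = {}


@dataclass
class RedactionResult:
    text: str                                   # what may be sent onward
    ledger: dict = field(default_factory=dict)  # placeholder token -> original value
    review_flags: list = field(default_factory=list)


def minimize_prompt(prompt: str, subject_id: str) -> RedactionResult:
    """Replace direct identifiers with numbered placeholders and record them."""
    counters: dict[str, int] = {}
    removed: dict[str, str] = {}
    text = prompt
    for label, pattern in PATTERNS:
        def _replace(match: re.Match, label: str = label) -> str:
            counters[label] = counters.get(label, 0) + 1
            token = f"[{label}_{counters[label]}]"
            removed[token] = match.group(0)
            return token
        text = pattern.sub(_replace, text)
    LEDGER.setdefault(subject_id, []).extend(
        {"token": tok, "label": tok[1:tok.rfind("_")], "value": val}
        for tok, val in removed.items()
    )
    flags = [term for term in SPECIAL_CATEGORY_TERMS if term in text.lower()]
    return RedactionResult(text=text, ledger=removed, review_flags=flags)


def locate_subject_data(subject_id: str) -> list[dict]:
    """Rights request step 'Locate ChatGPT data': what was removed for this subject."""
    return list(LEDGER.get(subject_id, []))


def erase_subject_data(subject_id: str) -> int:
    """Local side of an erasure request; returns the number of ledger entries removed.
    Anything already sent to the service follows the vendor's own deletion path."""
    return len(LEDGER.pop(subject_id, []))


# Constructed sample ticket text, not real personal data.
SAMPLE_PROMPT = ("Ticket CUST-48213: anna.example@example.com (DOB 1984-03-12, "
                 "IBAN DE89 3704 0044 0532 0130 00) called from +49 30 1234 5678 "
                 "about a diagnosis letter.")

if __name__ == "__main__":
    result = minimize_prompt(SAMPLE_PROMPT, "subject-001")
    print(result.text)
    print("needs review:", result.review_flags)
    print("ledger entries:", len(locate_subject_data("subject-001")))
```

The ledger is what turns minimization into something you can answer for later: an access request becomes a lookup by subject id rather than a search through everyone's saved chats, and the review flags give the human-in-the-loop step (checklist item 6) a concrete trigger.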

A safe default is simple: do not put identifiable personal data into ChatGPT unless you have a documented reason, an approved account, a known retention path, and a way to answer access or deletion requests. This is especially important for HR, healthcare, education, finance, legal, and customer support teams.
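To show how the request process above and checklist step 7 translate into something auditable, here is an added Python example (not code from chatai.guide or OpenAI) that tracks a rights request against the GDPR Article 12 timeline: one month from receipt, extendable by two further months for complex or numerous requests, with the extension decided inside the initial month. It enforces the "verify identity" step before any action, logs the outcome, and lists overdue requests for the periodic audit in step 10. Request ids, subject ids and dates are constructed; the end-of-month clamping rule for month arithmetic is the example's own choice.

```python
"""Article 12 deadline tracking for a data subject request.

Constructed example, not OpenAI's or the guide's own code. Encodes the rule
quoted in the checklist: act within one month of receipt, extendable by two
further months for complex or numerous requests, with the extension decided
inside the initial month. Month arithmetic clamps to the last day of the
target month (31 January + 1 month -> 28 February).
"""
import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, months: int) -> date:
    """Calendar-month addition with end-of-month clamping."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class RightsRequest:
    request_id: str
    subject_id: str
    right: str                      # e.g. "access", "erasure", "restriction"
    received: date
    identity_verified: bool = False
    extended: bool = False
    status: str = "open"
    log: list = field(default_factory=list)   # (date, note) entries, oldest first

    @property
    def due(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, reason: str, today: date) -> date:
        """Record a two-month extension; only valid inside the initial month."""
        if today > add_months(self.received, 1):
            raise ValueError("initial one-month period has elapsed; cannot extend")
        self.extended = True
        self.log.append((today, f"extended by two months: {reason}"))
        return self.due

    def close(self, outcome: str, today: date) -> bool:
        """'Act and respond', then 'Log outcome'. Returns True if closed on time."""
        if not self.identity_verified:
            raise ValueError("verify the requester's identity before acting")
        on_time = today <= self.due
        self.status = "closed"
        self.log.append((today, f"{outcome}; on_time={on_time}"))
        return on_time


def overdue(requests: list, today: date) -> list:
    """Open requests past their deadline, for a periodic audit (checklist step 10)."""
    return [r.request_id for r in requests if r.status == "open" and today > r.due]


if __name__ == "__main__":
    req = RightsRequest("dsar-0001", "subject-001", "access", date(2026, 1, 31),
                        identity_verified=True)
    print("due:", req.due)
    print("after extension:", req.extend("numerous requests", date(2026, 2, 10)))
    print("closed on time:", req.close("export delivered", date(2026, 4, 15)))
```

The log list is the "Log outcome" step: it records when the extension was decided and when the request was closed, which is the evidence a supervisory authority would ask for if the timeline were questioned.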

For personal users, the practical version is shorter. Do not paste private documents you would not want reviewed, retained, or processed under the service’s terms. Use Temporary Chat for lower-retention conversations when it fits your need. Export your data before deleting an account if you need a copy. Read ChatGPT Privacy Policy Explained Simply before relying on assumptions.


Frequently asked questions

Is ChatGPT GDPR compliant?

ChatGPT has GDPR-supporting controls, but compliance depends on the specific use. A consumer asking general questions is different from a company processing customer records. For business use, review OpenAI’s DPA, training settings, transfer safeguards, sub-processors, residency options, and your own lawful basis before entering personal data.

Can I put EU personal data into ChatGPT?

Only do that when you have a clear purpose, a lawful basis, and an approved account or contract setup. Minimize or anonymize the data whenever possible. Avoid putting special category data into ChatGPT unless your organization has specifically approved the workflow and documented the safeguards.

Does turning off model training make ChatGPT GDPR compliant?

No. Turning off training is a useful privacy control, but GDPR compliance also involves notice, lawful basis, minimization, retention, security, transfer safeguards, and data subject rights. Treat the setting as one control, not the entire compliance program.

Can I delete my ChatGPT data under GDPR?

OpenAI offers account deletion and privacy request tools, and GDPR gives eligible European users rights such as access and erasure in defined situations. OpenAI says account data is deleted within 30 days after account deletion, except where limited retention is required or permitted by law.[5] Export your data first if you need a copy.

Do businesses need a Data Processing Addendum for ChatGPT?

If a business uses ChatGPT or the API to process personal data on behalf of the business, a DPA is usually part of the vendor review. OpenAI publishes a DPA for covered services. The business still remains responsible for its own instructions, lawful basis, notices, internal controls, and records of processing.

Is consumer ChatGPT suitable for employee or customer records?

Usually, no. Consumer ChatGPT is not the right default place for employee files, customer support records, legal documents, or regulated records. Use an approved business workspace or API architecture with reviewed terms, access controls, retention settings, and employee guidance.

Editorial independence. chatai.guide is reader-supported and not affiliated with OpenAI. We don’t accept paid placements or sponsored reviews — every recommendation reflects our own testing.