
Using OpenAI / ChatGPT in a GDPR-Compliant Way: Consumer vs. Enterprise vs. API

Blck Alpaca
Definition

Using OpenAI in a GDPR-compliant way means deploying only ChatGPT Enterprise/Team or the OpenAI API with a signed data processing agreement (DPA) for corporate data, where customer data is not used for training by default. Consumer ChatGPT is unsuitable for this because a binding DPA and configurable data residency are missing.

Key Takeaways

  • Consumer ChatGPT (free/Plus) is not GDPR-suitable for personal corporate data: no DPA as a processor, no guaranteed EU data residency, no contractual zero-data-retention.
  • ChatGPT Enterprise/Team and the OpenAI API operate under the OpenAI DPA (effective from 1 January 2026, with OpenAI Ireland Ltd. as the EEA/CH contracting party); customer data is not used for model training by default.
  • Retention differs significantly: API max. 30 days by default, ChatGPT Enterprise for the contract term, zero-data-retention (ZDR) available only contractually.
  • EU data residency is available only for eligible Enterprise/Edu accounts and certain API setups; the default is global routing.
  • On 2 November 2024 the Italian Garante imposed a fine of EUR 15 million on OpenAI - the mandatory demonstration of legal basis, transparency and data processing is enforcement-relevant.
  • GDPR-compliant deployment requires a DPA, sub-processor mapping, training opt-out, data residency configuration, retention control and a data protection impact assessment (DPIA).

Using OpenAI in a GDPR-compliant way means deploying only ChatGPT Enterprise/Team or the OpenAI API with a signed data processing agreement (DPA) for personal corporate data, where customer data is not used for model training by default. Consumer ChatGPT is unsuitable for this because a binding DPA as a processor, guaranteed EU data residency and contractual zero-data-retention are missing.

The key question for DACH companies and agencies is not "ChatGPT yes or no", but "which procurement route under which contract". This is exactly where GDPR compliance is decided.

  • Consumer ChatGPT (free, Plus): no DPA as a processor, no reliable training exclusion on a contractual basis, no guaranteed EU data residency - off-limits for personal business data.
  • ChatGPT Enterprise/Team: operates under the OpenAI DPA, no training on customer data by default, OpenAI as a processor.
  • OpenAI API: also under a DPA, max. 30 days retention by default, zero-data-retention (ZDR) available contractually.

Why Consumer ChatGPT Is Out of the Question in a Corporate Setting

For any processing of personal data via an AI system in a corporate context, OpenAI acts as a processor within the meaning of Art. 28 GDPR. An effective data processing agreement (DPA) is therefore mandatory. The consumer plans lack this contract in the form a controller requires: no documented instruction binding, no assured data residency, no configurable retention periods.

On top of this comes the technical risk of memorisation. Nasr et al. (2023) demonstrated the extraction of training data - including personal data - from production models such as ChatGPT at a query cost of around USD 200. Anyone who enters customer names, personnel data or health information unprotected into a consumer frontend cannot control what happens to that data.

Hallucinated personal data also remains personal data. This is confirmed equally by the Hamburg ChatGPT complaint and the Garante proceedings against OpenAI - an incorrect but plausible statement about an identifiable person triggers rectification and access obligations.

Consumer vs. Enterprise/Team vs. API in a GDPR Comparison

The following table summarises the differences that are decisive for compliance. All figures are based on internal research and must be re-validated at the time of signing, as provider terms change frequently.

| Criterion | Consumer ChatGPT (Free/Plus) | ChatGPT Enterprise/Team | OpenAI API |
|---|---|---|---|
| DPA as a processor | Not in a corporate-suitable form | Yes, OpenAI DPA (effective from 1 Jan. 2026) | Yes, OpenAI DPA (effective from 1 Jan. 2026) |
| Contracting party for EEA/CH | | OpenAI Ireland Ltd. | OpenAI Ireland Ltd. |
| Training on customer data | Not contractually excluded in the same way | No, no training by default | No, no training by default |
| Default retention | Not controllable on the corporate side | Contract term | Max. 30 days |
| Zero-data-retention (ZDR) | Not available | Available contractually | Available contractually |
| EU data residency | Not guaranteed | For eligible Enterprise/Edu accounts | For certain API setups; otherwise global |
| Sub-processor list | | Published (as of April 2025 onwards, incl. Microsoft Azure) | Published (incl. Azure hosting, moderation) |

Important: the training exclusion and ZDR are contractual commitments, not statutory minimum standards. Providers typically reserve narrow rights for abuse monitoring, safety review and aggregated analytics, in which they may act as their own controller. These carve-outs should be delineated with a bright line in the DPA.

What the Garante Decision Teaches Us

The leading enforcement example is the decision of the Italian Garante of 2 November 2024 (published 20 December 2024): a EUR 15 million fine against OpenAI. Breaches identified:

  • Processing of personal data to train ChatGPT before a viable legal basis was identified - a breach of Art. 5(1)(a), Art. 5(2) and Art. 6 GDPR.
  • Insufficient transparency towards users (Art. 12, 13).
  • No adequate age verification (Art. 8, 25).
  • Late notification of the chat history data breach of March 2023 (Art. 33).
  • In addition: a mandatory six-month awareness campaign in the Italian media.

The GDPR fine framework under Art. 83 is up to EUR 20 million or 4 per cent of global annual turnover. By way of comparison: Clearview AI was fined EUR 20 million in Italy for scraping public data (10 February 2022) - publicly accessible does not mean "free to use".

Seven Steps to Legally Compliant Deployment

  1. Determine the procurement route. For personal data, only ChatGPT Enterprise/Team or the API. Block consumer access organisationally (policy, and where appropriate technical blocking).
  2. Sign and review the DPA. OpenAI DPA (effective from 1 January 2026) with OpenAI Ireland Ltd. as the EEA/CH contracting party; check the "no training" commitment, instruction binding and abuse-monitoring carve-out.
  3. Map sub-processors. Add the published sub-processor list (incl. Microsoft Azure as hosting) to the record of processing activities (RoPA); ensure an unbroken DPA chain under Art. 28(4).
  4. Configure data residency. Activate EU data residency for eligible Enterprise/Edu accounts or suitable API setups; the default is global routing.
  5. Control retention. The API default is max. 30 days, Enterprise stores for the contract term. For sensitive data, agree ZDR contractually; pseudonymise/redact prompt logs before permanent storage.
  6. Secure the transfer basis. Use the EU-US DPF, but document standard contractual clauses as a fallback and a transfer impact assessment (as of 2026: the DPF appeal Latombe has been pending before the CJEU since 31 October 2025, subject to change).
  7. Document the DPIA and legal basis. Data protection impact assessment in line with the DSK guidance (6 May 2024); record the legal basis per use case - usually Art. 6(1)(f) with a documented legitimate interest, in customer service possibly Art. 6(1)(b).

What You Should NOT Do with Consumer ChatGPT

  • Enter customer names, CRM extracts, applicant or personnel data.
  • Process special categories under Art. 9 (health, religion, trade union, sex life).
  • Upload confidential business documents or entire document sets.
  • Prepare automated decisions with legal or significant effect (Art. 22). In addition: the right to an explanation of individual decisions under EU AI Act Art. 86 becomes effective from 2 August 2026 (legally binding date of application, as of 2026).

Worked Example: Retention as a Risk Lever

An agency runs a support assistant for a client via the OpenAI API with 5,000 prompts per day, of which around 8 per cent (400 prompts) contain customer names or contact data. With the API default retention of max. 30 days, at any given time up to 12,000 personal prompts (400 x 30) are held in the processor's storage - each of them within the scope of access and erasure requests. With contractually agreed ZDR plus upstream redaction, this permanent stock drops to nearly zero. This is the difference between an answerable and an unanswerable data subject access request (DSAR).

For Agencies and B2B

Marketing agencies and B2B decision-makers who deploy ChatGPT in client projects are usually controllers themselves, or processors for their clients - and must map the chain downwards cleanly: a DPA with OpenAI, documented data residency, ZDR for sensitive flows and a DPIA template that is reusable per use case. Anyone who sets this up cleanly once turns a compliance risk into a sellable quality feature. Blck Alpaca supports DPA review, sub-processor mapping and DPIAs for AI agents in the DACH region.


Note: This article serves as professional information and does not constitute legal advice. For a legally binding assessment of your specific deployment scenario, please consult a data protection officer or specialised legal counsel.

FAQ

May I use free ChatGPT or ChatGPT Plus with customer data?
For personal corporate or customer data, this is not advisable. The consumer plans lack a data processing agreement (DPA) under Art. 28 GDPR as a processor, guaranteed EU data residency and contractual zero-data-retention. Without a DPA, there is no viable basis for processing on behalf of the controller. For business data, use ChatGPT Enterprise/Team or the OpenAI API.
Is my data used for training with ChatGPT Enterprise or the OpenAI API?
No. According to the OpenAI DPA, customer data from the API as well as from ChatGPT Enterprise/Team is not used for training the OpenAI models by default. However, this is a contractual commitment, not a statutory standard - check the applicable contract terms in force at the time of signing.
What is zero-data-retention (ZDR) and do I need it?
ZDR means that OpenAI does not store prompts and outputs. By default, the API has a retention period of a maximum of 30 days, and ChatGPT Enterprise for the contract term. ZDR is available only contractually (via DPA) and is particularly advisable for sensitive or special categories of personal data (Art. 9 GDPR).
Are US data transfers to OpenAI GDPR-compliant?
The EU-US Data Privacy Framework adequacy decision (10 July 2023) is currently valid; on 3 September 2025 the General Court upheld it as at the time of its adoption (Latombe, T-553/23). The appeal before the CJEU has been pending since 31 October 2025 (as of 2026, subject to change). Keep standard contractual clauses available as a fallback and document a transfer impact assessment.
What fine is at risk in the event of breaches?
Under Art. 83 GDPR, fines of up to EUR 20 million or 4 per cent of global annual turnover are possible. On 2 November 2024 the Italian Garante imposed a fine of EUR 15 million on OpenAI - among other things for the lack of a legal basis prior to training and insufficient transparency.
Do I need a DPIA for the use of ChatGPT?
In most corporate scenarios, yes. According to the DSK guidance (6 May 2024), a data protection impact assessment is required for most LLM deployments, in particular in the case of large-scale processing, profiling or potentially automated decisions under Art. 22 GDPR.
