Whether OpenAI can be used in a GDPR-compliant way is one of the most common questions EU legal and engineering teams are trying to answer right now. The honest answer is: it depends on how you use it, and even when configured correctly, OpenAI's GDPR compliance leaves gaps that your organisation must close independently.
This guide cuts through the marketing language and explains exactly what OpenAI's GDPR measures cover, what they do not cover, what the CLOUD Act means for EU companies, and what you need to do yourself regardless of what OpenAI offers.
The two completely different products
The first thing to understand is that “OpenAI” is not one product with one compliance posture. There are two fundamentally different products with different GDPR implications.
Consumer ChatGPT (chat.openai.com)
Using the free consumer ChatGPT for business purposes is risky and likely non-compliant. User conversations may be stored and used for model training, there is no Data Processing Agreement available, and you have no control over data residency or retention.
If your employees are pasting customer data, patient records, employee information, or financial data into chat.openai.com as part of their work — even to help them draft emails or summarise documents — you are almost certainly in breach of GDPR. There is no DPA, which means there is no lawful basis for that processing under Article 28.
This is not theoretical. Italy's data protection authority fined OpenAI €15 million in December 2023 for GDPR violations related to consumer ChatGPT, identifying training data without lawful basis as the primary breach, alongside failure to notify a data breach and inadequate age verification.
Consumer ChatGPT for business use: do not use. There is no DPA, which means there is no lawful basis for processing personal data under Article 28.
OpenAI API
The API is a different matter. With the correct configuration, using the OpenAI API can be made GDPR compliant for many use cases. The key word is “configuration” — the defaults are not compliant without additional steps.
What OpenAI now offers for EU compliance
OpenAI has taken meaningful steps toward GDPR compliance following European regulatory pressure. Here is what is available as of 2026.
Data Processing Agreement (DPA)
Under Article 28 GDPR, any time you use a third party to process personal data on your behalf, you need a written contract — a Data Processing Agreement. OpenAI offers a standard DPA. You will find it in your account settings.
Signing the DPA is not optional. Without it, you have no lawful basis for processing personal data through the API. Sign it before your first API call processes EU personal data.
European data residency
In February 2025, OpenAI introduced data residency in Europe for ChatGPT Enterprise, ChatGPT Edu, and the API Platform.
With European data residency enabled, API customers can choose to process data in Europe for eligible endpoints. New ChatGPT Enterprise and Edu customers can choose to have customer content stored at rest in Europe.
To enable it via the API: create a new Project in the API Platform dashboard and select Europe as the region. API requests initiated through these Projects are handled in-region by OpenAI with zero data retention, meaning model requests and responses are not stored at rest on OpenAI's servers.
Zero data retention
By default, OpenAI retains API input and output data for up to 30 days for abuse monitoring, but does NOT use API data for model training. You can request zero-retention by opting out of data storage entirely through your API settings.
With zero-retention enabled, your data passes through OpenAI's systems but is not stored. This significantly reduces — but does not eliminate — GDPR exposure.
What zero retention means for logging
Zero retention at OpenAI means OpenAI does not keep your prompts and responses. It does not mean you should not keep them. If your AI system is high-risk under the EU AI Act, Article 12 requires you to maintain your own tamper-evident logs for at least six months.
Zero retention at OpenAI and comprehensive logging on your own EU infrastructure are not in conflict — they are both required simultaneously.
The six things you must do to use OpenAI's API compliantly
1. Sign the DPA. Find it in your API account settings. Sign it before processing any EU personal data.
2. Enable EU data residency. Create API projects with Europe selected as the region. All sensitive API calls should route through EU-region projects.
3. Enable zero data retention. Opt out of OpenAI's 30-day data retention in your API settings. With zero-retention and EU data residency enabled, your data is processed in Europe and not stored by OpenAI.
4. Establish your own lawful basis. The DPA covers the processor relationship. You still need a lawful basis under Article 6 GDPR for processing personal data through the API — contract (6(1)(b)), legitimate interests (6(1)(f)), or consent (6(1)(a)). Document the legal basis for each AI feature separately.
5. Conduct a DPIA. A Data Protection Impact Assessment is required where processing is likely to result in high risk to individuals. AI systems that make or influence significant individual decisions almost certainly require a DPIA. Conduct it before deployment, document the mitigations, and review it when the system changes.
6. Implement your own Article 12 logging. Even with EU data residency and zero retention at OpenAI, you are responsible for maintaining your own Article 12 compliant logs if your AI system is high-risk. Scrub PII before logging, store logs on EU infrastructure, and implement tamper-evident hash chaining.
The CLOUD Act: the gap OpenAI cannot close
This is the most important section for EU companies that have been told “EU data residency solves our compliance problem.”
It does not. Not completely.
What the CLOUD Act is
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law that allows US law enforcement to compel American companies to provide access to data stored anywhere in the world — including on servers physically located in the European Union.
The legal jurisdiction follows the company, not the data centre. Selecting “EU region” in AWS, Azure, Google Cloud, or OpenAI does NOT guarantee sovereignty if the provider is US-headquartered.
What this means for OpenAI specifically
OpenAI is a US company. Its European data residency means your data is processed on servers physically located in Europe. But OpenAI remains subject to US jurisdiction. Under the CLOUD Act, US authorities can compel OpenAI to produce data stored in those EU servers.
Standard Contractual Clauses — which OpenAI's DPA relies on — reduce the legal risk of cross-border transfers but do not eliminate CLOUD Act exposure. The legal challenges to SCC-based transfers with US providers — so-called “Schrems III” litigation — are expected to intensify.
The sovereignty gap
A common misconception among AI companies is that using a European region of a US-based provider satisfies residency requirements. It does not. The US CLOUD Act creates a sovereignty gap that European data residency features alone cannot close.
For many EU companies, this gap is an acceptable residual risk — they sign the DPA, enable EU data residency and zero retention, document the CLOUD Act risk in their DPIA, and proceed.
For companies in regulated sectors — banking, healthcare, government — the CLOUD Act gap is not acceptable. These organisations need providers incorporated in the EU operating EU-only infrastructure with no US legal exposure.
Where your AI compliance logs must live
Even if you use OpenAI with EU data residency and zero retention for inference, the logs you maintain for Article 12 compliance must not rely on OpenAI's infrastructure.
Your Article 12 logs are your evidence. They must be on infrastructure you control, stored with an EU-incorporated provider if outsourced, and not subject to CLOUD Act compulsion.
Using a US-based log aggregation service — Datadog, Splunk, New Relic — for your Article 12 compliance logs recreates the CLOUD Act problem even if your OpenAI calls go through EU data residency.
The ongoing regulatory scrutiny of OpenAI in the EU
OpenAI's compliance situation in Europe is active, not settled.
Italy's €15 million fine
In December 2023, Italy's data protection authority fined OpenAI €15 million for GDPR violations related to consumer ChatGPT. The Italian DPA identified training data without lawful basis as the primary breach, alongside failure to notify a March 2023 breach involving user data and inadequate age verification. OpenAI labelled the sanction disproportionate. The fine stands.
EDPB task force
The European Data Protection Board has established a cross-border task force on ChatGPT involving multiple national data protection authorities. Civil society groups plan additional complaints in 2026. The enforcement trajectory is toward increased scrutiny, not reduced.
The hallucination problem
The EDPB Opinion 28/2024 addressed concerns that LLMs generate false personal data about real individuals — so-called hallucinations. The Board stated that anonymisation of training data must be proven, not assumed. This creates a continuing legal question about whether LLMs trained on personal data can ever fully satisfy GDPR's requirements — an issue OpenAI has not resolved and cannot resolve through configuration alone.
OpenAI vs EU-incorporated LLM providers
For EU companies in regulated sectors, EU-incorporated LLM providers eliminate the CLOUD Act problem entirely.
| | OpenAI (EU data residency) | Mistral AI |
|---|---|---|
| Incorporated in | United States | France (EU) |
| Data centre location | EU (optional) | EU |
| CLOUD Act exposure | Yes — US company | No — EU company |
| DPA available | Yes | Yes |
| Zero retention available | Yes (API) | Yes |
| Model quality | GPT-4o class | Mistral Large class |
| GPAI Code of Practice | In progress | In progress |
Mistral AI is incorporated in France, operates EU infrastructure, and is not subject to the CLOUD Act. For companies where the CLOUD Act gap is not acceptable, Mistral is the most capable EU-sovereign alternative. Other EU-incorporated providers include Aleph Alpha (Germany) and various open-weight model deployments on EU-only cloud infrastructure (Hetzner, Scaleway, OVH).
The complete compliance picture for OpenAI API users
If you are an EU company using the OpenAI API and want to be as compliant as possible:
- ✓ Sign the DPA (account settings)
- ✓ Enable EU data residency (create EU-region Projects)
- ✓ Enable zero data retention (API settings)
- ✓ Establish legal basis (Article 6 GDPR)
- ✓ Conduct DPIA for high-risk processing
- ⚠ Accept residual CLOUD Act exposure (document in DPIA)
- ✓ Scrub PII from prompts and responses before logging
- ✓ Implement your own Article 12 compliant logging
- ✓ Store compliance logs on EU-incorporated infrastructure
- ✓ Implement tamper-evident hash chain on log entries
- ✓ Define log retention periods (minimum 6 months for Article 12)
- ✓ Implement automatic deletion at end of retention period
- ✓ Add to Record of Processing Activities (ROPA)
The OpenAI configuration handles the processor relationship. The independent steps handle your obligations as a data controller and as an operator of a high-risk AI system. Both are required. Neither substitutes for the other.
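The logging items on the checklist above (and step 6 of the six things earlier) are the part OpenAI's configuration cannot do for you. The following is an added example, not code from this guide or from Sovergate: it scrubs PII before anything is written, chains entries with SHA-256 so that editing an earlier entry breaks verification, and deletes entries past the retention period from the head of the chain while keeping the remaining entries verifiable. The PII patterns, the in-memory store and the sample prompts are constructed stand-ins; a real deployment needs a proper PII detector and an append-only store on EU infrastructure.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta

GENESIS = "0" * 64
RETENTION = timedelta(days=183)  # at least six months, per Article 12
# Constructed demo patterns; a production scrubber needs a real PII detector.
PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\+?\d[\d\s-]{7,}\d"), "[PHONE]"),
]

def scrub_pii(text: str) -> str:
    """Replace PII with placeholders before anything reaches the log store."""
    for pattern, placeholder in PII_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class HashChainLog:
    def __init__(self):
        self.entries = []  # stand-in for an append-only store you control
        self.anchor = GENESIS  # hash of the last entry removed by retention, or genesis

    def append(self, system_id: str, prompt: str, response: str, model: str, ts: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        entry = {"ts": ts, "system_id": system_id, "model": model, "prev_hash": prev,
                 "prompt": scrub_pii(prompt), "response": scrub_pii(response)}
        entry["hash"] = _digest(entry)  # covers prev_hash: editing an earlier entry breaks the chain
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = self.anchor
        for e in self.entries:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def purge_expired(self, now: str) -> int:
        """Delete head entries older than RETENTION; the anchor keeps the rest verifiable."""
        cutoff, removed = datetime.fromisoformat(now) - RETENTION, 0
        while self.entries and datetime.fromisoformat(self.entries[0]["ts"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]
            removed += 1
        return removed
```

Timestamps are ISO 8601 strings so the store can be replayed from disk; the anchor must be persisted alongside the entries, otherwise the chain cannot be verified after the first purge.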
Practical implementation: routing OpenAI calls through EU
```python
import os
import time

import openai

# EU-region project API key, created in an EU-region Project in the
# OpenAI dashboard. All calls through this client go through EU infrastructure.
eu_client = openai.OpenAI(
    api_key=os.environ["OPENAI_EU_PROJECT_API_KEY"],
)


class ComplianceLogger:
    """Placeholder for your own EU-hosted Article 12 logging client (not shown here).
    The real implementation must scrub PII and write to tamper-evident EU-hosted storage."""

    def __init__(self):
        self.entries = []

    def log(self, **fields) -> None:
        self.entries.append(fields)


compliance_logger = ComplianceLogger()


def call_openai_eu_compliant(prompt: str, system_id: str) -> str:
    """
    Makes an OpenAI call through EU data residency.
    Logs to EU-hosted compliance infrastructure.
    PII scrubbed before logging.
    """
    start = time.time()
    # Call OpenAI through the EU-region project
    response = eu_client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": prompt}],
    )
    latency_ms = (time.time() - start) * 1000
    content = response.choices[0].message.content
    # Log to EU-hosted compliance logging independently of OpenAI.
    # This is YOUR responsibility: OpenAI cannot do this for you.
    compliance_logger.log(
        system_id=system_id,
        prompt=prompt,  # PII scrubbed inside logger
        response=content,  # PII scrubbed inside logger
        model=response.model,
        usage={
            "prompt_tokens": response.usage.prompt_tokens,
            "completion_tokens": response.usage.completion_tokens,
            "total_tokens": response.usage.total_tokens,
        },
        latency_ms=latency_ms,
        finish_reason=response.choices[0].finish_reason,
    )
    return content
```
Summary
Can the OpenAI API be used in a GDPR-compliant way? Yes — with the correct configuration and with your own additional measures.
What OpenAI provides: DPA, EU data residency, zero retention. These handle the processor relationship and reduce (not eliminate) cross-border transfer risk.
What OpenAI does not provide: elimination of CLOUD Act exposure, your own Article 12 compliant logs, control over your compliance evidence, certainty about training data legal basis.
What you must do yourself: sign the DPA. Enable EU data residency and zero retention. Establish your own legal basis. Scrub PII before logging. Implement your own EU-hosted compliance logging. Conduct a DPIA. Add to your ROPA.
If the CLOUD Act gap is not acceptable: use an EU-incorporated LLM provider — Mistral is the most capable option. Or run open-weight models on EU-only infrastructure you control.
The compliance picture for OpenAI in the EU is meaningfully better than it was two years ago. It is not fully settled. Treat it as an acceptable risk with proper documentation, not as a solved problem.
This guide is maintained by Sovergate. We build EU AI Act Article 12 logging infrastructure for companies using LLMs in high-risk contexts — independent of which LLM provider you use.
This guide is for informational purposes only and does not constitute legal advice. Last updated June 2026.