Is ChatGPT GDPR Compliant? What Businesses Must Know
"GDPR compliant" isn't a badge. It depends on how you use ChatGPT and who the controller is. Here's what businesses must know, with sources.
"Is ChatGPT GDPR compliant?" has no yes-or-no answer. The GDPR (General Data Protection Regulation) does not certify a tool. It governs a specific processing activity and the organisation that decides it. When a business pastes EU personal data into ChatGPT, the business becomes the data controller. These duties are yours: a lawful basis (Article 6), data minimisation (Article 5), and a data processing agreement (Article 28) with the provider. The default consumer app does not ship that signed agreement. The good news: anonymising personal data before the prompt sharply cuts the risk.
"GDPR compliant" is not a badge
The GDPR does not work like a label stuck on software. Compliance attaches to a given processing activity. It also attaches to the organisation that decides why and how personal data is used.
Here is the key point for a business. You paste a client's name, email or file into ChatGPT. At that moment, you are the data controller. The tool you use does not absorb your duties. They stay yours.
The data controller's duties
A data controller must satisfy several GDPR obligations at once. They are not optional. Here are the three that weigh most in an AI prompt.
- A valid lawful basis (Article 6): consent, contract or legitimate interests, for example. Without one, the processing is unlawful.
- Data minimisation (Article 5(1)(c)): process only data that is adequate, relevant and limited to what is necessary.
- A data processing agreement (Article 28): whenever another company processes that data on your behalf, a written contract is required. It is often called a DPA (Data Processing Agreement).
The GDPR also demands transparency toward the people concerned. They must know their data is being processed. They keep their rights: access, rectification, objection, erasure. These principles do not vanish because an AI is involved.
The consumer app and the missing DPA
The default consumer ChatGPT app is not built for this. It does not provide a signed Article 28 processing agreement for that use. Yet that contract is required whenever a third party processes other people's personal data on your behalf.
OpenAI offers separate business and enterprise terms. They include a DPA and data controls, such as a setting to exclude your inputs from model training. But that is a distinct, opt-in arrangement. It is not the default consumer experience.
France's regulator, the CNIL, confirms the principle for any AI. Anyone using personal data to build or deploy an AI system must fix an explicit, legitimate purpose from the outset. They must inform the people whose data is used. They must respect those people's rights. And they must process only the data that is necessary.
The Garante case: what enforcement really shows
The risk is not theoretical. Italy's authority, the Garante, fined OpenAI 15 million euros in December 2024. The grounds: the lawful basis for training data, transparency toward users, and the absence of adequate age verification.
Be precise about what came next. That fine was later annulled. On 18 March 2026, the Court of Rome (judgment No. 4153/2026) set the penalty aside. But it did so on jurisdictional grounds, not on the merits. In plain terms: Ireland's Data Protection Commission had become OpenAI's lead supervisory authority. So the Garante lacked competence to issue the final decision.
What the court did not say matters just as much. It did not clear OpenAI of the underlying GDPR concerns. The substantive questions on lawful basis and transparency were not decided. They remain open. The annulment was procedural, nothing more.
| What people say | What's accurate |
|---|---|
| "ChatGPT is GDPR compliant" | Compliance depends on the use and on who is the controller, not on the tool |
| "The consumer app is enough to process client data" | It does not ship a signed Article 28 processing agreement by default |
| "The Garante fine was annulled, so OpenAI was in the clear" | Annulled on jurisdiction (Irish authority as lead), not on the merits |
| "The tool carries the GDPR duties" | The data controller is you: lawful basis, minimisation, contract |
The fix: minimise and anonymise before the prompt
The most practical way to shrink your GDPR exposure is simple. Minimise and anonymise personal data before it ever enters the prompt. Strip out names, contact details and IDs before the text reaches an external model.
The result is direct. Far less personal data is processed by a third party in the first place. That serves the Article 5 minimisation principle exactly. You get the AI's help. You keep the sensitive material out of reach.
Here is the method, step by step.
- 1Spot the personal data in your text: names, emails, phone numbers, client IDs.
- 2Replace each value with a reversible token, in the browser.
- 3Send only the anonymised text to the AI model.
- 4Restore the real values in the reply, locally.
That's what ONYRI Sanitize is for. The engine spots sensitive data — names, emails, IDs, amounts — and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymised text reaches the model. The AI finds only tokens, never your real personal data. You serve the GDPR minimisation principle, without giving up the AI's help.
Frequently asked questions
- Is ChatGPT GDPR compliant?
- There is no yes-or-no answer. "GDPR compliant" is not a badge stuck on a tool. Compliance depends on the use and on who is the data controller. When a business pastes EU personal data into ChatGPT, the business is the controller. It owes a lawful basis (Article 6), minimisation (Article 5) and a processing agreement (Article 28). The default consumer app does not provide that signed contract.
- Can my business put client data into ChatGPT?
- Not without care. You then become the data controller, with a lawful basis to justify and a processing agreement to hold. The consumer app does not provide that DPA by default; OpenAI offers separate business terms that include one. The safest move is to anonymise personal data before the prompt, so a third party processes as little as possible.
- Was the Garante fine against OpenAI annulled?
- Yes, but on jurisdiction, not on the merits. The Garante had fined OpenAI 15 million euros in December 2024. On 18 March 2026, the Court of Rome (judgment No. 4153/2026) annulled it because Ireland's authority had become the lead. The court did not clear OpenAI under the GDPR: the lawful basis and transparency questions remain open.
Sources & references
- General Data Protection Regulation (Regulation (EU) 2016/679) — Articles 5, 6 and 28 — EUR-Lex (Publications Office of the European Union)
- AI system development: the CNIL's recommendations to comply with the GDPR — CNIL (French data protection authority)
- Report of the work undertaken by the ChatGPT Taskforce (ChatGPT and personal data) — European Data Protection Board (EDPB)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt