The document states that OpenAI provides Standard Contractual Clauses as the legal mechanism for cross-border personal data transfers from the EU to the United States and other non-adequate countries.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Under GDPR Chapter V, cross-border transfers of personal data to non-adequate third countries require an approved transfer mechanism; this provision discloses that OpenAI uses Standard Contractual Clauses as that mechanism for EU-originating enterprise and API data.
Interpretive note: The document does not specify which SCC module or version is in use, nor whether a Transfer Impact Assessment has been conducted; these details must be verified with OpenAI directly.
This new provision explicitly commits to SCCs as a lawful mechanism for transatlantic data transfers, addressing post-Schrems II regulatory requirements.
View full change record →EU-based enterprise and API customers can rely on Standard Contractual Clauses as the disclosed transfer mechanism for their data processed in the US, though organizations must verify that the current EU Commission-approved SCC form is in use and that a Transfer Impact Assessment has been conducted.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We offer Standard Contractual Clauses for data transfers from the EU to the US and other countries.— Excerpt from OpenAI's OpenAI API Data Usage Policies
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V and the EU Commission's Standard Contractual Clauses decisions. Following Schrems II, organizations must conduct Transfer Impact Assessments to verify that SCCs provide effective protection in destination countries. The EU-US Data Privacy Framework may also be relevant if OpenAI participates, which this page does not specify. EU supervisory authorities enforce these requirements. 2) GOVERNANCE EXPOSURE: High for EU/EEA enterprise customers. Organizations must confirm which SCC form is in use (2021 Commission SCCs for controller-processor relationships), that a TIA has been conducted, and that supplementary measures are documented where necessary. 3) JURISDICTION FLAGS: UK organizations require the ICO's International Data Transfer Addendum to the EU SCCs for UK GDPR compliance. Swiss organizations require separate Swiss adequacy assessment. EEA organizations in countries with stricter national implementation may face additional requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Legal teams should obtain the executed SCC module applicable to their relationship with OpenAI (typically Module 2: controller to processor), review Annex I and II for data categories and technical measures, and document the TIA outcome. 5) COMPLIANCE CONSIDERATIONS: Organizations should maintain executed SCC documentation, conduct and document TIAs, assess whether supplementary measures are required based on TIA outcomes, and update transfer documentation upon any changes to the applicable SCC form or regulatory guidance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Under GDPR Chapter V, cross-border transfers of personal data to non-adequate third countries require an approved transfer mechanism; this provision discloses that OpenAI uses Standard Contractual Clauses as that mechanism for EU-originating enterprise and API data.
EU-based enterprise and API customers can rely on Standard Contractual Clauses as the disclosed transfer mechanism for their data processed in the US, though organizations must verify that the current EU Commission-approved SCC form is in use and that a Transfer Impact Assessment has been conducted.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.