When personal data about people in the EU, UK, or Switzerland is processed in the US or another country without equivalent privacy protections, OpenAI uses standard contractual clauses approved by regulators to make that transfer legal.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the legal mechanism for transferring EU/EEA, UK, and Swiss personal data to OpenAI in the United States, which is a mandatory requirement under GDPR Chapter V. Operators relying on this mechanism should verify the SCCs are properly incorporated and that the associated transfer impact assessment is adequate.
Interpretive note: The document incorporates SCCs by reference; the specific module and annex details may require review of accompanying documentation to confirm correct configuration for each operator's use case.
Personal data about EU, UK, and Swiss individuals processed through OpenAI's API is transferred to the United States under Standard Contractual Clauses, which are a regulatory-approved mechanism intended to ensure data protection standards travel with the data. The practical level of protection depends in part on the transfer impact assessment supporting the SCCs, which is the operator's responsibility to conduct.
How other platforms handle this
Where required by law, we provide adequate protection for the transfer of personal data in accordance with applicable law, such as by obtaining your consent, relying on the European Commission's adequacy decisions, or executing Standard Contractual Clauses. Where relevant, you may request a copy of ...
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To the extent that OpenAI processes Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not been recognized as providing an adequate level of protection for personal data, the parties agree that the transfer will be governed by the applicable Standard Contractual Clauses incorporated herein by reference.— Excerpt from OpenAI's OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: GDPR Chapter V (Articles 44-49) governs international data transfers from the EU/EEA. The 2021 EU SCCs (Commission Implementing Decision 2021/914) and the UK International Data Transfer Addendum issued by the ICO are the referenced mechanisms. The Court of Justice of the EU's Schrems II ruling established that SCCs must be supplemented by transfer impact assessments where the legal framework of the recipient country may not provide equivalent protection. The US-EU Data Privacy Framework (DPF) may apply to OpenAI if it is certified, which would be an alternative transfer mechanism; the DPA should be reviewed to determine whether OpenAI relies on SCCs alone or also the DPF. GOVERNANCE EXPOSURE: High for EU/EEA and UK operators. The SCC mechanism is legally required for transfers of EU personal data to the US. Failure to properly execute SCCs, or to conduct an adequate transfer impact assessment, creates direct regulatory exposure under GDPR Chapter V, which can result in enforcement action by supervisory authorities including orders to suspend transfers. JURISDICTION FLAGS: EU/EEA and UK operators face the highest exposure. Swiss operators must ensure the Swiss-specific transfer addendum or equivalent is in place under the nFADT. Operators transferring data about individuals in other jurisdictions with transfer restrictions (Brazil LGPD, South Korea PIPA, China PIPL) should assess whether separate transfer mechanisms are required beyond the scope of this DPA. CONTRACT AND VENDOR IMPLICATIONS: Operators should confirm which version of the SCCs is incorporated, whether the module (controller-to-processor or processor-to-processor) is correctly specified, and whether the technical and organizational measures referenced in Annex II of the SCCs are current. The DPA's incorporation by reference approach requires operators to locate and review the SCC text rather than having it reproduced in full. COMPLIANCE CONSIDERATIONS: Operators should conduct or update their transfer impact assessments for OpenAI as a US-based processor, document the legal basis for the transfer, and maintain records of the SCC execution. Any changes to OpenAI's sub-processors that involve additional cross-border transfers should trigger a supplementary TIA review.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the legal mechanism for transferring EU/EEA, UK, and Swiss personal data to OpenAI in the United States, which is a mandatory requirement under GDPR Chapter V. Operators relying on this mechanism should verify the SCCs are properly incorporated and that the associated transfer impact assessment is adequate.
Personal data about EU, UK, and Swiss individuals processed through OpenAI's API is transferred to the United States under Standard Contractual Clauses, which are a regulatory-approved mechanism intended to ensure data protection standards travel with the data. The practical level of protection depends in part on the transfer impact assessment supporting the SCCs, which is the operator's responsibility to conduct.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.