OpenAI will only process personal data in the way the business customer tells it to, unless a law requires otherwise. The business customer is responsible for making sure those instructions are lawful.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision places primary legal responsibility on the operator for the lawfulness of data processing instructions, meaning that if a business submits personal data to the API without a valid legal basis, the compliance burden rests with that business rather than OpenAI.
Individuals whose personal data is processed through an OpenAI-powered product are protected by the requirement that the business operating that product must give OpenAI documented, lawful instructions. If the business customer's instructions are unlawful, the DPA assigns that liability to the business customer, not OpenAI.
"OpenAI will process Customer Personal Data only on Customer's documented instructions, unless required to do so by applicable law. Customer instructs OpenAI to process Customer Personal Data to provide, maintain, and improve the Services, and as further specified in the Agreement and this DPA." — Excerpt from the OpenAI Data Processing Addendum
REGULATORY LANDSCAPE: This provision directly implements GDPR Article 28(3)(a), which requires that a processor act only on documented instructions from the controller. The relevant enforcement authorities are EU supervisory authorities, the UK ICO, and the Swiss FDPIC. Where a business customer's instructions lack a lawful basis under GDPR Article 6, the controller bears primary regulatory exposure.

GOVERNANCE EXPOSURE: Medium. The provision creates a compliance obligation for operators to document their processing instructions and ensure those instructions are grounded in a lawful basis. Operators who deploy OpenAI's API without a formal records-of-processing-activities entry referencing OpenAI as a processor may face audit findings under GDPR Article 30.

JURISDICTION FLAGS: EU/EEA and UK operators face the most direct exposure under GDPR and UK GDPR Article 28 requirements. Swiss operators are similarly affected under the nFADP. US-based operators without international data flows face lower immediate regulatory exposure but should still maintain documented instructions for CCPA service provider compliance.

CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that internal data processing records reference OpenAI as a sub-processor or processor and that the scope of permitted instructions is documented. Any expansion of use cases (e.g. adding new data types to API calls) should trigger a review of whether the documented instructions remain current.

COMPLIANCE CONSIDERATIONS: Operators should maintain a written record of the instructions provided to OpenAI, conduct a lawful basis assessment for each category of personal data submitted via the API, and update data protection impact assessments where high-risk processing occurs.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.