OpenAI offers a formal GDPR data processing agreement that includes the EU's Standard Contractual Clauses for customers who need it, which is required for legally transferring personal data from the EU to the US.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
A DPA incorporating SCCs is a legal requirement under GDPR for transferring personal data from the EU/EEA to a third country such as the United States. The document states this is available but requires the customer to request it, meaning it is not automatically in place.
Interpretive note: The document does not specify which SCC module is used, whether a Transfer Impact Assessment is provided, or what supplementary technical measures are in place, all of which are required for full GDPR Chapter V compliance.
EU/EEA enterprise customers handling personal data must have an executed DPA with SCCs to comply with GDPR data transfer requirements; the document states this is available upon request rather than automatically provided.
Cross-platform context
See how other platforms handle GDPR Data Processing Addendum and Standard Contractual Clauses and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We offer a Data Processing Addendum (DPA) that incorporates Standard Contractual Clauses (SCCs) for customers who require it for GDPR compliance.— Excerpt from OpenAI's OpenAI Enterprise Privacy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (transfers to third countries), specifically the SCC mechanism established under Article 46(2)(c). The EU Data Protection Board and national supervisory authorities (such as the Irish DPC, which has jurisdiction over OpenAI's EU operations) are the primary enforcement authorities. Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA) and, where necessary, supplementary technical measures. GOVERNANCE EXPOSURE: High for EU/EEA customers. If a DPA is not executed, GDPR-regulated data transfers to OpenAI's US infrastructure may lack an adequate legal transfer mechanism, creating direct regulatory exposure for the customer organization as data exporter. JURISDICTION FLAGS: EU/EEA customers face the highest exposure. UK customers post-Brexit require an International Data Transfer Agreement (IDTA) or equivalent mechanism rather than EU SCCs. Swiss customers require a separate adequacy-based mechanism. Non-EU customers are not directly affected by this provision. CONTRACT AND VENDOR IMPLICATIONS: The DPA is customer-initiated, meaning procurement teams must actively request and execute it. Legal teams should verify which SCC module applies (likely Module 2, controller-to-processor, for API customers) and confirm that a TIA has been conducted. The document does not disclose the full DPA terms, requiring separate review of the executed instrument. COMPLIANCE CONSIDERATIONS: EU/EEA organizations should treat the absence of an executed DPA as a critical compliance gap. Compliance teams should ensure the DPA is executed before processing EU personal data via OpenAI APIs or enterprise products, conduct a TIA, and document supplementary measures where identified.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
A DPA incorporating SCCs is a legal requirement under GDPR for transferring personal data from the EU/EEA to a third country such as the United States. The document states this is available but requires the customer to request it, meaning it is not automatically in place.
EU/EEA enterprise customers handling personal data must have an executed DPA with SCCs to comply with GDPR data transfer requirements; the document states this is available upon request rather than automatically provided.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.