The document states OpenAI offers a Data Processing Agreement incorporating EU Standard Contractual Clauses for enterprise and API customers, enabling international transfers of personal data from the EU/EEA to OpenAI's US-based infrastructure.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for any transfer of EU personal data to a third country; the availability of SCCs via an executed DPA is the operative compliance step for EU customers.
Interpretive note: The document discloses DPA availability but does not specify whether the DPA is pre-signed or requires negotiation, or whether it addresses all GDPR Article 28 requirements in full; actual compliance depends on the executed agreement.
Changed 'DPA' terminology from 'Addendum' to 'Agreement', added explicit customer scope (API and ChatGPT Enterprise), and clarified SCCs are EC-approved for international transfers rather than just for GDPR compliance.
View full change record →This provision establishes that EU enterprise customers can enter into a GDPR-compliant DPA with OpenAI, which includes SCCs as the legal basis for international data transfers. The DPA must be separately requested and executed; it does not apply automatically upon account creation.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
If you are in the European Economic Area (EEA), we only process your personal data when we have a valid legal basis to do so, including when: (a) you have consented to the processing; (b) the processing is necessary to perform a contract with you; (c) we have a legitimate interest in processing your...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"For our API and ChatGPT Enterprise customers, we offer a Data Processing Agreement (DPA) that includes the Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.— Excerpt from OpenAI's OpenAI Enterprise Privacy
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (international transfers), GDPR Article 28 (processor obligations), and the European Commission's 2021 SCCs. Relevant enforcement authorities are the EU member state data protection authorities, coordinated through the European Data Protection Board. Following Schrems II, SCCs must be supplemented by a transfer impact assessment where US government access to data is a material risk; this document does not address whether OpenAI provides TIA support materials. (2) GOVERNANCE EXPOSURE: High for EU/EEA customers. Without an executed DPA, enterprise customers processing EU personal data via OpenAI's API or ChatGPT Enterprise lack a documented lawful transfer mechanism, creating direct GDPR compliance exposure. The provision discloses availability of a DPA but does not describe how to initiate execution or the timeline for completion. (3) JURISDICTION FLAGS: EU/EEA organizations face the highest exposure and must execute the DPA before processing personal data of EU data subjects. UK organizations should verify whether a UK Addendum to the SCCs is available, as UK GDPR imposes separate transfer mechanism requirements post-Brexit. Swiss organizations should verify applicability under the Federal Act on Data Protection. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should include DPA execution as a prerequisite in vendor onboarding workflows for OpenAI integrations. Where OpenAI engages sub-processors, the DPA should include a sub-processor list and notification mechanism for changes, consistent with GDPR Article 28(2). Teams should verify that the DPA addresses the specific processing activities and data categories relevant to their deployment. (5) COMPLIANCE CONSIDERATIONS: Legal teams should retain a copy of the executed DPA and SCCs as part of their Article 30 records of processing activities. A transfer impact assessment should be conducted or obtained for EU-to-US transfers. Teams should also verify that the DPA version on file reflects any updates OpenAI may publish to its sub-processor list or processing terms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the mechanism by which EU-based enterprise customers can lawfully transfer personal data to OpenAI for processing. Under GDPR, a valid transfer mechanism is required for any transfer of EU personal data to a third country; the availability of SCCs via an executed DPA is the operative compliance step for EU customers.
This provision establishes that EU enterprise customers can enter into a GDPR-compliant DPA with OpenAI, which includes SCCs as the legal basis for international data transfers. The DPA must be separately requested and executed; it does not apply automatically upon account creation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.