What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://privacy.openai.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Go to https://privacy.openai.com, select your request type (access, deletion, correction, or portability), verify your identity as prompted, and submit your request. OpenAI must respond within one month under GDPR.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': 'National data protection authorities in EU/EEA member states and the Irish DPC as lead supervisory authority handle GDPR complaints against OpenAI Ireland Limited', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this GDPR Data Subject Rights clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar GDPR Data Subject Rights clauses across approximately 5 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

GDPR Data Subject Rights — OpenAI

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity OpenAI recorded 5 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for OpenAI Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

As an EU/EEA user, you have rights under GDPR to access, correct, delete, and port your personal data held by OpenAI, and to object to or restrict certain processing activities; these rights are exercisable through OpenAI's privacy portal.

ⓘ

This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

GDPR data subject rights are legally mandated protections that exist independently of what the contract states; the document's disclosure of these rights and the mechanism for exercising them is operationally significant for users who wish to manage their personal data.

⚠

Interpretive note: The specific language disclosing GDPR rights in this document was not available due to HTML truncation; GDPR rights apply as a matter of law regardless of contractual language.

Consumer impact (what this means for users)

EU/EEA users can request access to, correction of, deletion of, or a portable copy of their personal data held by OpenAI by submitting a request through the privacy portal at https://privacy.openai.com; OpenAI is required to respond to verified requests within one month under GDPR Article 12.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Go to https://privacy.openai.com, select your request type (access, deletion, correction, or portability), verify your identity as prompted, and submit your request. OpenAI must respond within one month under GDPR.

How other platforms handle this

Runway Medium

In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...

Waze Medium

If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete your personal data, the right to object to or restrict processing, and the right to data portability. You may also ...

Smartsheet Medium

If you are located in the EEA or UK, you may have the following rights under applicable data protection law: the right to access your personal data; the right to rectify inaccurate personal data; the right to erasure of your personal data; the right to restrict processing of your personal data; the ...

See all platforms with this clause type →

Monitoring

OpenAI has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Data subject rights provisions are mandated by GDPR Articles 15-22 and enforced by national DPAs coordinated through the Irish DPC as lead supervisory authority for OpenAI Ireland Limited. Response time obligations (one month, extendable by two months for complex requests) and identity verification requirements are set by GDPR Article 12. (2) GOVERNANCE EXPOSURE: High. The volume of data subject requests from EU users creates significant operational obligations; failure to respond within statutory timeframes or to honor valid deletion requests may result in DPA enforcement action and fines up to 4% of global annual turnover under GDPR Article 83(5). (3) JURISDICTION FLAGS: All EU/EEA member states and the UK (under UK GDPR) apply data subject rights obligations. Users in Switzerland are covered by the revised Federal Act on Data Protection (revFADP) which has similar but not identical rights. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise API customers who process end-user personal data through OpenAI must ensure their Data Processing Agreements with OpenAI include obligations for OpenAI to support data subject request fulfillment, particularly for deletion requests that may affect model training data. (5) COMPLIANCE CONSIDERATIONS: Organizations should establish internal triage processes for data subject requests that involve data processed through OpenAI services, and confirm with OpenAI whether deletion of account data also removes personal data from any training datasets per the stated privacy policy.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

State AG

National data protection authorities in EU/EEA member states and the Irish DPC as lead supervisory authority handle GDPR complaints against OpenAI Ireland Limited
File a complaint →

Applicable regulations

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

EU AI Act - High Risk Provisions

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

UK GDPR

United Kingdom

Universal Opt-Out Mechanism Expansion 2026

Provision details

Document information

Document

OpenAI EU Terms of Use

Entity

OpenAI

Document last updated

May 11, 2026

Tracking information

First tracked

May 11, 2026

Last verified

May 12, 2026

Record ID

CA-P-011054

Document ID

CA-D-00756

Evidence Provenance

Source URL

https://openai.com/policies/eu-terms-of-use/

Wayback Machine

View archived versions →

Content hash (SHA-256)

de276a8b3e29086fd981e998740a2283e9064e408cbd12835efb4a7406685da7

Analysis generated

May 11, 2026 11:32 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: OpenAI
Document: OpenAI EU Terms of Use
Record ID: CA-P-011054
Captured: 2026-05-11 11:32:02 UTC
SHA-256: de276a8b3e29086f…
URL: https://conductatlas.com/platform/openai/openai-eu-terms-of-use/gdpr-data-subject-rights/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

EU Contracting Entity and Governing Law medium
Content License for Service Provision and Improvement high
Age Restriction and Minor User Eligibility high
Account Suspension and Termination medium
Limitation of Liability medium
Usage Policy Compliance and Prohibited Uses medium

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does OpenAI's GDPR Data Subject Rights clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.

Is ConductAtlas affiliated with OpenAI?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.