Since November 2022, ChatGPT has attracted the interest not only of private users, but also of numerous companies and data protection authorities. We already pointed out the data protection challenges in an earlier “Insight”. But what about the ChatGPT API?
OpenAI under critical scrutiny by the supervisory authorities
In the course of current developments in the AI sector, the activities of OpenAI, the developer behind ChatGPT, have increasingly come under the scrutiny of data protection supervisory authorities.
Back in April 2023, the European Data Protection Board (“EDPB”) announced the establishment of a task force regarding OpenAI and ChatGPT in a press release.
In January 2024, the Italian data protection authority publicly accused OpenAI of various data protection violations. As a result, OpenAI made various adjustments, whereupon the Italian data protection authority allowed ChatGPT to be used again on April 28, 2024.
Recent statements by the new Federal Commissioner for Data Protection and Freedom of Information, Prof. Dr. Louisa Specht-Riemenschneider, indicate a special focus of the supervisory authorities on dealing with artificial intelligence.
In view of these developments, it is important to plan the integration of the GPT API not only from a technical perspective, but also from a comprehensive regulatory and data protection perspective. This is particularly important when implementing the GPT API in business-critical processes.
The increased attention and willingness of European data protection authorities to scrutinize, and to intervene where necessary, underlines the need for forward-looking planning and consideration of GDPR requirements when implementing the new technology. In this article, we describe how you can implement OpenAI's GPT API in compliance with the GDPR.
This article is limited to a consideration of the GDPR requirements. Those of the AI-Act, which came into force on August 1, 2024, are covered in another article.
What does "GPT-API" mean?
OpenAI's "GPT API" is an interface that gives developers access to the latest versions of OpenAI's Generative Pre-trained Transformer (GPT), currently GPT-4o.
These models support a wide range of applications:
- Text creation: Creation of content such as articles, reports, code and e-mails.
- Creative work: Generating and editing ideas for creative content.
- Linguistic interactions: Development of chatbots and virtual assistants for complex dialogs.
- Text analysis: Summarizing, reviewing and translating large amounts of text.
The GPT API thus enables developers to integrate advanced AI functions into their applications without having to train extensive models themselves. Through the API, applications can gain direct access to the latest models from OpenAI, which can be used for a wide range of tasks.
In addition to text processing, OpenAI's offering includes other models such as DALL-E for image generation and Whisper for speech recognition.
However, this also regularly means that company data and personal data are transmitted to OpenAI during use. This raises the question of which data protection requirements apply to companies when integrating the GPT API.
Use of ChatGPT via the OpenAI API platform: individuals or companies?
OpenAI offers different ways to use ChatGPT and the OpenAI API platform: it provides the use of different GPT models for individuals and for companies.
For individual users:
Individual users can choose between a free basic version (“Free”) and a paid subscription (“Plus”), which offers advanced features.
Free: This free offer is aimed at individuals who are just starting out with ChatGPT. It includes unlimited messages, interactions and history as well as access to the GPT-4o mini model and limited access to GPT-4o.
Plus: For $20 per month, this subscription offers everything in the Free package plus access to OpenAI o1-preview and OpenAI o1-mini, as well as access to GPT-4o, GPT-4o mini and GPT-4. Additionally, it includes advanced tools such as DALL-E, access to advanced data analytics and more.
There are two specific offers for companies:
Team: For teams looking to increase collaboration, this offering starts at $25 per user per month when billed annually (or $30 when billed monthly). It extends the Plus offering with higher message limits, the ability to create and share GPTs within the workspace, and an admin console for managing the workspace. Team data is not used for training by default.
Enterprise: This model is designed for larger organizations looking for a secure, scalable deployment and requires direct contact with sales. It includes all the benefits of the Team subscription and adds unlimited, fast access to GPT-4, GPT-4o and GPT-4o mini as well as tools such as DALL-E, online searches, data analysis and more.
Contractual relationship between companies and OpenAI
The contractual terms between users and OpenAI therefore differ depending on whether it is a company account or an individual account.
OpenAI's “Business Terms” set out more detailed provisions for corporate customers (including a data processing agreement that forms part of the contract).
This means that the contractual relationships for companies differ significantly from the more general terms of use and data protection provisions that apply to individual users.
While individual terms can often be negotiated for company contracts, the terms for individual users are based on standard contracts that apply to all users of the platform.
Further details on this:
https://openai.com/pricing
https://openai.com/policies
Who is the controller?
If a company integrates ChatGPT into its products and services via the API, the company itself is the controller within the meaning of data protection law, as it determines the “purposes and means” of the data processing (Art. 4 No. 7 GDPR).
When integrating the API, OpenAI generally becomes a processor as a service provider (Art. 28 GDPR), which acts on the instructions of the company using the API and processes personal data in this context.
Which terms of use apply?
The terms of use apply to the use of OpenAI products. For users in the European Economic Area (EEA), Switzerland and the UK, a specially adapted version applies: https://openai.com/de/policies/eu-terms-of-use (valid from: December 14, 2023), which differs from those for other users.
The following special features result from the terms of use:
- Responsible company: OpenAI Ireland Limited is now the designated service provider for users in the EEA and Switzerland.
- For companies based in the EU that use the OpenAI APIs or ChatGPT Business, the contract is therefore concluded with the following company: OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Center, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
Data processing agreement between the company and OpenAI
As OpenAI regularly becomes the company's processor, it is necessary to conclude a data processing agreement (DPA). This must meet the requirements of Art. 28 GDPR.
The process for concluding a DPA with OpenAI begins with the registration for a company account, such as the “Team Business Account”.
OpenAI's DPA is available at the following link: https://openai.com/policies/data-processing-addendum
No DPA is available for consumer services such as ChatGPT or DALL-E Labs. Companies should therefore use business accounts instead of personal accounts, as the DPA is required for the transfer of personal data to OpenAI Ireland Ltd.
Companies can request the DPA by clicking on the “Execute Data Processing Agreement” button at the bottom of the page.
The process to complete the Data Processing Addendum (DPA) includes the following steps:
1. Complete the online form: Companies complete an online form in which they must provide, among other things, their full legal company name and organization ID. For companies in the European Economic Area (EEA) or Switzerland, the location must also be specified.
2. Select the OpenAI entity: Companies in the EU should select OpenAI Ireland Ltd. as their contracting party.
3. Provide contact details for signing: The email address and position of the person signing the DPA on behalf of the company must be provided.
4. Review and accept the DPA: After submitting the form, the parties involved receive an email request to review and electronically accept the agreement. This email contains a link to the digital platform where the contract can be viewed and signed. Once signed electronically, both parties receive confirmation and access to a saved, digitally signed PDF copy of the DPA. The DPA becomes legally binding as soon as it is accepted by the company. The DPA received by email should then be stored in a suitable location so that compliance with data protection requirements can be proven (Art. 5, 28 GDPR).
Does OpenAI's DPA meet the requirements of Art. 28 GDPR?
According to Art. 28 GDPR, controllers are obliged to check their service providers. The risk of the processing activity in question must be taken into account. Factors such as the type of customer data processed play a role in the risk assessment. The higher the risk to the rights and freedoms of natural persons, the stricter the requirements for the contractual provisions in the DPA should be (“risk-based audit approach”).
We have audited OpenAI's DPA against the requirements of Art. 28 GDPR as an example. This audit serves as a reference for similar assessments and can generally be used as a template for a company's own audits within the scope of Art. 28 GDPR. The assessment should be adapted individually, taking into account the specific risks of the respective project. The template with the table can be downloaded at the end of this article.
Add the use of the GPT API to the privacy policy
The controller must make data processing transparent to its users when using OpenAI services. This is regularly done via data protection notices as an expression of the information obligations applicable under Art. 13 and Art. 14 GDPR.
However, it is not sufficient for the controller to simply refer to OpenAI's privacy policy. Rather, the controller must independently provide information on how and for what purposes the user's data is processed by the controller and its processors, how long it will be stored and when it will be deleted.
It is also necessary to make it transparent to users how they can exercise their data subject rights. In addition, the controller and OpenAI must agree on how compliance with data subject rights can be ensured by service providers such as OpenAI.
A sample formulation for the corresponding processing activity in the privacy policy of a company using the GPT API could be as follows:
Example data protection notice for the integration of the GPT API in the customer chatbot
Type and purpose of processing:
Our website uses a customer chatbot powered by OpenAI's GPT API to process requests efficiently and interactively. When you use the chatbot, the following types of personal data may be processed: text entries in the chat, which contain information about your request, and technical data such as your IP address and usage times. This data is required to understand your requests, respond accordingly and improve our service.
Legal basis:
The transfer of data to OpenAI for the use of the GPT API in the context of our customer chatbot is based on Art. 28 GDPR, which regulates the use of processors. Your interactions with the chatbot and associated data processing serve to effectively respond to your inquiries, which is carried out as part of pre-contractual measures in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR and our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to improve our customer service.
Retention period:
The data collected as part of the use of the customer chatbot will only be stored for as long as is necessary to process your inquiries and then deleted in accordance with statutory retention obligations.
Transfer to third parties and place of processing:
Your data may be shared with OpenAI, the provider of the GPT API, and OpenAI affiliates. The exact location of data processing depends on the geographical allocation by OpenAI.
Data protection impact assessment (DPIA) and data security
If data processing when using the ChatGPT API is associated with high risks for the data subjects, a data protection impact assessment (DPIA) must be carried out (Art. 35 GDPR).
The body of German data protection supervisory authorities (Data Protection Conference - DSK) has published a so-called positive list of processing activities for which a DPIA is mandatory. Item 11 of the list (customer support using artificial intelligence) and item 13 (telephone call analysis using algorithms) are particularly relevant here.
In this context, the purposes for which the service is to be used are of decisive importance. For example, if the chatbot is to be integrated into the customer support of a health insurance company, health data can easily end up being processed, and the DPIA would have to analyze how the risk of disclosure of sensitive information and health data can be effectively handled or excluded.
The DPIA aims to identify and assess the risks for the data subjects in a structured manner and to determine how these risks can be handled with technical and organizational measures and reduced to an acceptable level. At this point at the latest, an in-depth examination of a security concept for OpenAI is likely to be necessary.
Use of the GPT API via Azure Cloud (Microsoft)
The integration of OpenAI models into the Azure Cloud infrastructure via Microsoft's Azure OpenAI offers interesting opportunities for companies. Users gain access to extensive AI models such as GPT-4 and DALL-E via REST API, which integrates the functionalities of OpenAI into the Azure cloud platform.
Azure OpenAI offers two billing models: Firstly, usage-based billing (“on-demand”), where costs are incurred according to actual usage, and secondly, billing based on throughput capacity provided in advance (Provisioned Throughput Units, “PTUs”), which reserve a fixed amount of resources.
As the integration of OpenAI is part of Microsoft's preview functions, the extended terms of use (“Terms of Use”) for preview functions apply to the use of Azure OpenAI.
Microsoft also offers a guide to data, data protection and security. According to these documents, the possible uses of the data are regulated restrictively: Customer data is not accessible to other customers or to OpenAI and may not be used to improve OpenAI models or Microsoft products. However, there is the option to use your own data for training or individual fine-tuning of your own models.
Data transmitted to Microsoft during the use of Azure OpenAI is processed for content generation, creation of individual models and abuse monitoring. Microsoft emphasizes that customer data and generated content is stored to monitor and prevent misuse, with content including prompts being stored on special servers for 30 days.
If misuse is detected by the monitoring system, data is flagged and EU support staff decide on the next steps. Customers can object to data storage using a Microsoft form, but must submit a request that must be approved by Microsoft.
It is important to note that data integrated via Azure OpenAI is not stored on OpenAI's servers, but on Microsoft's Azure cloud servers. For users in the EU, this means that their data is processed on EU servers, and the data residency principle is intended to ensure that this data is not transferred to third countries.
Conclusion
Despite the growing regulatory attention and discussions about bans and risks, it is clear that the integration of AI-based services is possible in accordance with the data protection regulations of the GDPR. This finding underlines the importance of proactively monitoring technological and legal developments in order to be able to react to new regulatory requirements in a timely manner.
Data protection measures and compliance
OpenAI's Data Processing Addendum (DPA) provides a solid foundation that meets the key requirements of the GDPR. Nevertheless, it is important to closely monitor the future attitude of the data protection authorities towards OpenAI. For companies planning to use OpenAI services, it is advisable to strategically consider data protection aspects from the outset (privacy by design). The implementation of basic data protection practices enables the legally compliant use of OpenAI services in accordance with Art. 28 GDPR, especially when using the GPT-API in products and services.
The essential steps include:
- Checking the service provider and concluding a data processing agreement.
- Updating the record of processing activities.
- Drafting or revising the privacy policy.
- Carrying out a data protection impact assessment, if necessary.
Integration in Azure Cloud and future availability
The use of OpenAI models via Azure OpenAI is another option for companies that already use Azure Cloud services from Microsoft. This integration can help to minimize certain data protection risks, especially in connection with the transfer of data to third countries.
Recommendations
In view of the careful scrutiny by data protection authorities, it is advisable to involve data protection officers at an early stage in the use of OpenAI services. In addition, it can be beneficial to consult the expertise of lawyers specialising in data protection for specific issues.
This not only ensures compliance with applicable data protection regulations, but also enables companies to take into account changes in data protection law when using AI at an early stage. This way, companies can prepare for possible audits by data protection authorities and proactively manage potential risks when using AI technologies.
Support from Simpliant
The integration of AI technologies such as the OpenAI API holds great potential, but also presents companies with significant data protection challenges. Simpliant focuses on helping you to integrate AI language models such as GPT into your business processes in a data protection-compliant manner. If you need support in overcoming the complex data protection challenges in the AI sector, please contact us via our contact form.
Simpliant Template - Contract review DPA OpenAI Ireland
This template is designed for reviewing the Data Processing Agreement (DPA) with OpenAI Ireland.